Blog Post

Microsoft Defender for Cloud Blog
5 MIN READ

Microsoft Defender for Endpoint for Linux and Microsoft Defender for Servers

Tom_Janetscheck's avatar
Jan 24, 2023

When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers as part of Microsoft Defender for Cloud is the solution you might be looking for. However, with all the features, dependencies, and complexity, it might become challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. With this blog, we are focusing on deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines.

Microsoft Defender for Servers is available in two different plans, both of which include integration and automated deployment of Microsoft Defender for Endpoint for both, Windows and Linux machines.

 

Defender for Servers plan comparison

To learn more, see this table about supported features for VMs and servers in Defender for Cloud. Also, to learn more about Defender for Servers plan features, see this documentation.

 

How to enable Defender for Endpoint integration for Linux machines

Microsoft Defender for Endpoint for Linux integration has been introduced to Defender for Servers back in summer 2021. At this time, Defender for Endpoint integration for Windows servers has been part of the product for quite a while already, and when introducing Linux support, we added an opt-in method for existing customers to decide at which point in time they would like to enable integration and deployment for their Linux machines. Since then, Defender for Endpoint integration will be enabled for Windows and Linux by default on any new subscription when Defender for Servers is enabled for the first time. However, in case the following three dependencies are true, Defender for Endpoint for Linux integration is not automatically enabled:

  • Your subscription was created earlier than August 2021
  • In August 2021, your subscription was configured to have Defender for Endpoint integration enabled
  • In August 2021, your subscription had Defender for Servers enabled

In this scenario, you will see the opt-in capability in your subscription’s Settings & monitoring blade within Defender for Cloud:

Enable Defender for Endpoint integration for Linux machines

In the figure above, you see there is a second button to enable Defender for Endpoint’s unified solution for Windows Server 2012 R2 and 2016 machines. To learn more about this option, please see this article.

 

We know that in large environments, it might be challenging to find all the subscriptions that don’t have enabled Linux integration with Defender for Endpoint, yet. This is why we are offering several at-scale capabilities to enable the integration in your environment.

 

Enabling Defender for Endpoint integration for Linux on multiple subscriptions

In Defender for Cloud’s Overview blade, we are introducing a new Insights campaign that gives you visibility into subscriptions that do not have Defender for Endpoint integration enabled for Linux machines.

New insights campaign in Microsoft Defender for Cloud's Overview dashboard

You can use this new campaign to directly enable integration for Linux machines from this Overview blade by clicking the Take Action link.

Enable Defender for Endpoint integration for Linux machines at scale

It will then show you all subscriptions that don’t have integration for Linux machines enabled, including the amount of affected Linux machines in each subscription. You can then select some or all of them and enable the integration at scale. Once done, you can track the deployment progress by clicking the Track Deployment link.

Track the Defender for Endpoint deployment across your environment

This link will redirect you to a custom workbook that we have published on Github and which you can deploy to your environment.

Defender for Endpoint provisioning status

The workbook will show you the current deployment status of Defender for Endpoint extensions to your Azure VMs and Azure Arc machines, and if the installation and onboarding was successful, or if it failed.

 

Enable integration via PowerShell

A second option we are providing is a PowerShell script that will enable integration for Linux machines on all of your subscriptions. The script will check if Defender for Endpoint integration is enabled at all, and if not, enable it for both, Windows and Linux machines. In case it already is enabled for Windows, Linux integration will be enabled in addition.

 

 

write-host '#####################################################################################################' -ForegroundColor green
write-host '#                                                                                                   #' -ForegroundColor green
write-host '#   This script will enable MDE integration for Linux machines with Microsoft Defender for Cloud.   #' -ForegroundColor green
write-host '#   Please enter your Tenant ID. The script will then configure all subscriptions in this tenant.   #' -ForegroundColor green
write-host '#                                                                                                   #' -ForegroundColor green
write-host '#   You will be asked if you want to enable MDE integration on all subscriptions, or only those     #' -ForegroundColor green
write-host '#   that already have MDE integration for Windows machines enabled.                                 #' -ForegroundColor green
write-host '#                                                                                                   #' -ForegroundColor green
write-host '#####################################################################################################' -ForegroundColor green
write-host ''
$tenantId = Read-Host "Enter your Tenant ID"
$enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions (y/n)?"
while ("y","n" -notcontains $enableMDE) {
    $enableMDE = Read-Host "Do you want to enable MDE integration on all subscriptions? Please only enter (y/n)."
}
$subscriptions = Get-AzSubscription -TenantId $tenantId
Foreach ($subscription in $subscriptions){
    $context = Set-AzContext -Subscription $subscription.id
    Write-host -nonewline "Testing subscription "
    Write-host -nonewline $context.subscription.Name -ForegroundColor Green
    Write-host -nonewline " with subscription ID "
    Write-host -nonewline $context.subscription.Id -ForegroundColor Green
    Write-host "."
    $test0 = Get-AzSecuritySetting -SettingName WDATP
    If ($test0.enabled) {
        $test1 = Get-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW
        If ($test1.enabled){
            Set-AzSecuritySetting -SettingName WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW `
            -SettingKind DataExportSettings `
            -Enabled $false > $null
            Write-Host "Enabled MDE integration for Linux machines on subscription" $context.subscription.id
        }
    }
    elseif ($enableMDE -eq "y"){
        Set-AzSecuritySetting -SettingName WDATP `
        -SettingKind DataExportSettings `
        -Enabled $true > $null
        Write-Host "Enabled MDE integration for all machines on subscription" $context.subscription.id
    }
    else {
        continue
    }
}

 

 

We have also published the PowerShell script in the Defender for Cloud Github repository.

 

Enable integration via REST API

When enabling Defender for Endpoint integration for Linux machines using the Defender for Cloud UI, clicking the button, or using the insights campaign will leverage a REST API call against your subscription(s). You can also use this API call in your own automations, ARM templates, or Azure Policy definitions.

To enable Defender for Endpoint integration for Linux machines on a subscription, use the following API call against the microsoft.security/settings REST API provider:

 

Parameter Value
REST Method PUT
API URI
https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings/WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW?api-version=2022-05-01
API Version

2022-05-01

JSON Body
{
    "name": "WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW",
    "type": "Microsoft.Security/settings",
    "kind": "DataExportSettings",
    "properties": {
        "enabled": false
    }
}

 

Conclusion

While Defender for Endpoint integration is automatically enabled on new subscriptions, or when enabling Defender for Servers for the first time, you might have subscriptions in your environment that still don’t have the latest integration features enabled. For these subscriptions, you will now get the visibility in Defender for Cloud’s Overview dashboard and can use a variety of automation capabilities to enable Defender for Endpoint integration for Linux machines at scale.

 

Acknowledgements

Specials thanks to Gal Fenigshtein for the strong collaboration on this topic and for reviewing this blog.

Updated Jan 26, 2023
Version 2.0
  • jsebast's avatar
    jsebast
    Copper Contributor

    It's all great when it works.  What if something goes wrong?  I've tried the above steps and the workbook just shows some machines Failed.  If you click on that failed list, you get the machine list which I guess is good but if you click on one of the machines listed, it just drops you to the machine blade.  What went wrong is nowhere in sight.

  • joetorres's avatar
    joetorres
    Copper Contributor
    What is the RHEL SKU# for ordering MDE or MDATP? trying to provide IT Software Asset team with a Redhat SKU number for MDE but can't find anything on this