Forum Discussion
Full Automation Capabilities in Linux OS
Hi Mathiew,
What you are seeing is normally expected behavior. Microsoft Defender for Endpoint on Linux does not currently have the same automated remediation parity as Windows devices.
The setting Full - remediate threats automatically applies to Automated Investigation and Remediation capabilities, but the available remediation actions depend on the operating system. Windows has the most complete response and remediation support, while Linux has a more limited set of actions.
On Linux, Defender can still provide strong protection such as:
- Malware detection
- Real-time protection
- Quarantine in supported scenarios
- EDR alerts and telemetry
- Device isolation (supported environments)
- Manual and automated response workflows
So in many cases, a file may be detected and alerted on, but not handled in exactly the same way as on Windows.
Recommended checks on Linux devices
Please verify the following on the affected servers:
1. Real-time protection is enabled
Run:
mdatp health
Confirm that real_time_protection_enabled is true.
2. Defender is active and healthy
Also confirm:
- licensed = true
- healthy = true
3. Microsoft Defender is the active AV engine
If another antivirus product is installed, Defender may operate with reduced enforcement depending on the setup.
4. Supported Linux distribution
Some capabilities vary depending on distro and version.
5. Test with EICAR
Use the EICAR test file to validate whether the file is blocked or quarantined locally.
If EICAR is detected but not quarantined, the issue is often related to local configuration or policy.
Important note
The portal automation level does not always mean every remediation action available on Windows will also happen on Linux. It means Defender uses the supported automated actions available for that platform.
Best practice for Linux environments
Many organizations use this model:
- Defender for detection and alerting
- Real-time protection enabled
- Device isolation when needed
- Custom remediation scripts
- SIEM / SOAR workflows
- Manual review for critical servers
Short answer
This is usually not a problem with your configuration. It is more often related to differences between Windows and Linux platform capabilities.
Hope this helps.
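The health checks from the reply above (real_time_protection_enabled, licensed and healthy from `mdatp health`), as an added example script that is not part of the original post or of the Defender product; it assumes `mdatp health` prints one `key<spaces>: value` line per field, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example: check the MDE for Linux health fields named in the reply by
# parsing the text output of `mdatp health`. Assumption: each output line has
# the form "key<spaces>: value", as the mdatp CLI prints it.

# Fields the reply says must be true on a working Linux sensor.
REQUIRED="healthy=true licensed=true real_time_protection_enabled=true"

# mdatp_field TEXT KEY -> prints KEY's value (quotes stripped), or nothing.
mdatp_field() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *: *' \
        '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# check_mdatp_health TEXT -> exit status 0 when every required field is true,
# 1 otherwise; prints one OK/FAIL line per field for the ticket or runbook.
check_mdatp_health() {
    rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(mdatp_field "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = ${got:-<missing>} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output (not captured from a real host): licensed and
# healthy, but real-time protection switched off, which is the case the
# reply says leads to "detected but not quarantined".
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "0.0.0.0"
real_time_protection_enabled                : false'

check_mdatp_health "$SAMPLE_HEALTH" || echo "sample host: fix configuration before retesting with EICAR"

# Live check, only when the mdatp CLI is actually installed on this host.
if command -v mdatp >/dev/null 2>&1; then
    check_mdatp_health "$(mdatp health)"
fi
```

Run it on each affected server; any FAIL line points at the local configuration the reply suggests checking before repeating the EICAR test.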