mathiewh11
Copper Contributor
Mar 27, 2025

Full Automation Capabilities in Linux OS

Hello everyone,

We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed.

Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically."

While this works correctly on Windows devices, we have noticed that on Linux devices, Defender still detects the virus but it was not prevented.

I was wondering if anyone has encountered this issue and, if so, how it was resolved?

Additionally, as I am new to the Defender platform, I wanted to ask if this issue could potentially be resolved through specific Linux policies or functionalities?

Best regards

Mathiew

1 Reply

  • Hi Mathiew,

    What you are seeing is normally expected behavior. Microsoft Defender for Endpoint on Linux does not currently have the same automated remediation parity as Windows devices.

    The setting Full - remediate threats automatically applies to Automated Investigation and Remediation capabilities, but the available remediation actions depend on the operating system. Windows has the most complete response and remediation support, while Linux has a more limited set of actions.

    On Linux, Defender can still provide strong protection such as:

    • Malware detection
    • Real-time protection
    • Quarantine in supported scenarios
    • EDR alerts and telemetry
    • Device isolation (supported environments)
    • Manual and automated response workflows

    So in many cases, a file may be detected and alerted on, but not handled in exactly the same way as on Windows.

    Recommended checks on Linux devices

    Please verify the following on the affected servers:

    1. Real-time protection is enabled

    Run:

    mdatp health

    Confirm that real_time_protection_enabled is true.

    2. Defender is active and healthy

    Also confirm:

    • licensed = true
    • healthy = true

    3. Microsoft Defender is the active AV engine

    If another antivirus product is installed, Defender may operate with reduced enforcement depending on the setup.

    4. Supported Linux distribution

    Some capabilities vary depending on distro and version.

    5. Test with EICAR

    Use the EICAR test file to validate whether the file is blocked or quarantined locally.

    If EICAR is detected but not quarantined, the issue is often related to local configuration or policy.

    Important note

    The portal automation level does not always mean every remediation action available on Windows will also happen on Linux. It means Defender uses the supported automated actions available for that platform.

    Best practice for Linux environments

    Many organizations use this model:

    • Defender for detection and alerting
    • Real-time protection enabled
    • Device isolation when needed
    • Custom remediation scripts
    • SIEM / SOAR workflows
    • Manual review for critical servers

    Short answer

    This is usually not a problem with your configuration. It is more often related to differences between Windows and Linux platform capabilities.

    Hope this helps.
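A shell script version of checks 1, 2 and 5 from the reply above, added here as an example and not part of the original thread or of the Defender product. It assumes that `mdatp health` prints one `key : value` pair per line and that a few seconds is enough for on-access scanning to act on the EICAR file; the check is only run against a real agent when `mdatp` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): automate the reply's checks 1, 2 and 5.
# Assumes `mdatp health` prints one "key   : value" pair per line.

# Print the value of one `mdatp health` field read from stdin, with
# surrounding whitespace and quotes stripped (empty if the key is absent).
health_field() {
    awk -v key="$1" -F':' '$1 ~ ("^" key "[[:space:]]*$") {
        v = $2
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        gsub(/"/, "", v)
        print v; exit
    }'
}

# Read `mdatp health` output from stdin and verify the fields the reply lists.
# Prints "key=value" for each field that is not true (or missing); returns 1 then.
check_mdatp_health() {
    health=$(cat)
    rc=0
    for key in healthy licensed real_time_protection_enabled; do
        value=$(printf '%s\n' "$health" | health_field "$key")
        [ -n "$value" ] || value=missing
        if [ "$value" != "true" ]; then
            echo "$key=$value"
            rc=1
        fi
    done
    return $rc
}

# Step 5 of the reply: write the standard EICAR test string to a file and see
# whether real-time protection removes it within $2 seconds (assumed default 5).
# Returns 1 if the file is still there, i.e. detected but not quarantined.
eicar_test() {
    f="${1:-/tmp}/eicar.test"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
    sleep "${2:-5}"
    if [ -e "$f" ]; then
        echo "EICAR still present: $f (detected but not quarantined?)"
        rm -f "$f"
        return 1
    fi
    echo "EICAR quarantined/removed: $f"
}

if command -v mdatp >/dev/null 2>&1; then   # only on hosts that have the agent
    mdatp health | check_mdatp_health && echo "mdatp health: OK" && eicar_test
fi
```

Run it as root on an affected server; a non-empty list from `check_mdatp_health` points at local configuration, while a clean list followed by "EICAR still present" matches the platform-capability explanation in the reply.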