Updated on 29-June-2021
Earlier this year, Microsoft Defender for Endpoint for Linux was announced generally available.
Now, Azure Defender is about to augment its existing integration with Microsoft Defender for Endpoint and support the Linux version as well - so your Linux servers can be natively protected against advanced threats.
During public preview (targeted for July), existing Microsoft Defender for Cloud customers already using Microsoft Defender for Endpoint integration will be able to choose when to include Linux servers as part of the integration. This will allow you to either include Linux servers immediately or at a later time - according to preference.
New customers will have Linux machines already included as part of the default Microsoft Defender for Endpoint integration setting.
Frequently asked questions:
Does my existing Microsoft Defender for Cloud license cover Microsoft Defender for Endpoint for Linux?
Yes, as with Windows servers - Microsoft Defender for Endpoint for Linux license is included with Microsoft Defender for servers.
What Linux distributions does Microsoft Defender for Endpoint support?
You can see here the list of supported distributions and system requirements.
Are my non-Azure machines supported?
Yes, non-Azure servers are supported through Azure Arc agent.
In addition, Azure Arc agent is also included in the Microsoft Defender for Cloud license.
Can I manage the automatic deployment?
You can enable/disable the integration between Microsoft Defender for Cloud and Microsoft Defender for Endpoint in the settings – which will activate/deactivate the automatic deployment across all operating systems. When turning this setting off - it will not affect servers that were previously deployed with Microsoft Defender for Endpoint.
In addition, existing Microsoft Defender for Cloud customers will have the option to choose when to include Linux servers.
At what configuration does Microsoft Defender for Cloud install Microsoft Defender for Endpoint on Linux servers?
During the initial rollout – Microsoft Defender for Cloud will deploy Microsoft Defender for Endpoint in passive mode, which will generate alerts but operate in a non-intrusive manner. This initial configuration is safer in case you may have a third-party endpoint protection product deployed on your servers. At your convenience, you can switch Microsoft Defender for Endpoint to active mode.
What happens if my Linux machines already have Microsoft Defender for Endpoint installed?
Microsoft Defender for Cloud will detect a previous installation of Microsoft Defender for Endpoint and configure it to integrated-mode.
When this is released, how can I check if Microsoft Defender for Endpoint is deployed on my Linux servers?
You can run the following shell command on your servers:
mdatp health
If Microsoft Defender for Endpoint is installed - you should be getting its health status:
In addition, in Azure portal you will see a new Azure extension on your machines called MDE.Linux:
Can I send a test alert to Microsoft Defender for Cloud?
After Microsoft Defender for Endpoint is installed on your machine - download the test alert tool, unpack the zip file and execute this shell script:
./mde_linux_edr_diy
Within a few minutes, you should be able to see a new alert in Microsoft Defender for Cloud:
Thank You!
Microsoft Defender for Cloud team.