Microsoft Defender for Endpoint for Linux is coming soon to Azure Defender

Published Jun 03 2021 09:56 AM

Updated on 29-June-2021


Earlier this year, Microsoft Defender for Endpoint for Linux was announced generally available.

Now, Azure Defender is about to augment its existing integration with Microsoft Defender for Endpoint and support the Linux version as well - so your Linux servers can be natively protected against advanced threats.


During public preview (targeted for July), existing Azure Defender customers already using Microsoft Defender for Endpoint integration will be able to choose when to include Linux servers as part of the integration. This will allow you to either include Linux servers immediately or at a later time - according to preference.

New customers will have Linux machines already included as part of the default Microsoft Defender for Endpoint integration setting.




Frequently asked questions:

Does my existing Azure Defender license cover Microsoft Defender for Endpoint for Linux?
Yes. As with Windows servers, the Microsoft Defender for Endpoint for Linux license is included with Azure Defender for servers.


What Linux distributions does Microsoft Defender for Endpoint support?
You can see the list of supported distributions and system requirements here.


Are my non-Azure machines supported?
Yes, non-Azure servers are supported through the Azure Arc agent.

In addition, the Azure Arc agent is also included in the Azure Defender license.


Can I manage the automatic deployment?
You can enable or disable the integration between Azure Security Center and Microsoft Defender for Endpoint in the settings, which activates or deactivates the automatic deployment across all operating systems. Turning this setting off will not affect servers that were previously deployed with Microsoft Defender for Endpoint.

In addition, existing Azure Defender customers will have the option to choose when to include Linux servers.


In what configuration does Azure Security Center install Microsoft Defender for Endpoint on Linux servers?

During the initial rollout – Azure Security Center will deploy Microsoft Defender for Endpoint in passive mode, which will generate alerts but operate in a non-intrusive manner. This initial configuration is safer in case you may have a third-party endpoint protection product deployed on your servers. At your convenience, you can switch Microsoft Defender for Endpoint to active mode.


What happens if my Linux machines already have Microsoft Defender for Endpoint installed?

Azure Security Center will detect a previous installation of Microsoft Defender for Endpoint and configure it to integrated-mode. 


When this is released, how can I check if Microsoft Defender for Endpoint is deployed on my Linux servers?
You can run the following shell command on your servers:

mdatp health

If Microsoft Defender for Endpoint is installed, you should see its health status:



In addition, in the Azure portal you will see a new Azure extension on your machines called MDE.Linux.
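
One way to turn the `mdatp health` check above into a per-server state (not installed, unhealthy, passive or active), as an added example that is not part of the original post. The field names `healthy`, `licensed` and `passive_mode_enabled` and the `name : value` layout are assumptions about the client's health output, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: classify a Linux server from `mdatp health` output.
# Assumption: the client prints "name : value" lines that include the fields
# healthy, licensed and passive_mode_enabled.

# Constructed sample of health output for a server deployed in passive mode.
SAMPLE_PASSIVE='healthy                                     : true
licensed                                    : true
real_time_protection_enabled                : false
passive_mode_enabled                        : true'

# Print the value of field $1 from health text on stdin, without quotes.
health_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", k)
        gsub(/^[ \t"]+|[ \t\r"]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# Map health text ($1) to: not-installed | unhealthy | unlicensed | passive | active
# A missing passive_mode_enabled field is reported as active.
classify_mde() {
    if [ -z "$1" ]; then echo "not-installed"; return 0; fi
    mde_healthy=$(printf '%s\n' "$1" | health_field healthy)
    mde_licensed=$(printf '%s\n' "$1" | health_field licensed)
    mde_passive=$(printf '%s\n' "$1" | health_field passive_mode_enabled)
    if [ "$mde_healthy" != "true" ]; then echo "unhealthy"
    elif [ "$mde_licensed" != "true" ]; then echo "unlicensed"
    elif [ "$mde_passive" = "true" ]; then echo "passive"
    else echo "active"
    fi
}

# Live check on this host; reports not-installed when the CLI is absent.
mde_state() {
    if ! command -v mdatp >/dev/null 2>&1; then echo "not-installed"; return 0; fi
    classify_mde "$(mdatp health 2>/dev/null)"
}

echo "sample: $(classify_mde "$SAMPLE_PASSIVE")"
echo "this host: $(mde_state)"
```

Servers reported as `passive` are the ones still in the initial rollout configuration described above; `unhealthy` or `unlicensed` results are the ones to investigate first.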



Can I send a test alert to Azure Security Center?

After Microsoft Defender for Endpoint is installed on your machine - download the test alert tool, unpack the zip file and execute this shell script:


Within a few minutes, you should be able to see a new alert in Azure Security Center:





Thank You!

Azure Security Center team.

1 Comment

This is a much awaited addition.

Just a few questions.
When will this be rolled out in July?
Also, I hope this rollout will be transparent, that there will not be any kind of disturbances, and that customers have the control to move the EDR to active at their will.
