
Onboarding Linux devices to Microsoft Defender

Written by Samuel Saddouq
Updated over a month ago

1) Check prerequisites (once)

  • License: MDE for Servers (Defender for Servers P1/P2, or Defender for Endpoint for servers). (Microsoft Learn)

  • Supported distros/kernels: RHEL 7.2+/8/9, Ubuntu 18.04/20.04/22.04/24.04 LTS, Debian 10–12, SLES 12/15, Oracle Linux 7–9, Amazon Linux 2/2023, Rocky/Alma, etc. Kernel ≥ 3.10.0-327. (Microsoft Learn)

  • System: systemd, ~1 GB RAM / 2 GB disk, sudo/root. (Microsoft Learn)

2) Make sure networking will work

  • Allow required MDE service URLs (Microsoft publishes a spreadsheet of exact endpoints; allow outbound 443). (Microsoft Learn)

  • Proxy rules: Only transparent or static proxies are supported; no PAC/WPAD or SSL inspection. If using a static proxy, you can set it post-install. (Microsoft Learn)
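A pre-flight script that checks steps 1 and 2 before you touch the package manager. It is an added example, not part of this article and not Microsoft's code. The thresholds are the article's (kernel ≥ 3.10.0-327, ~1 GB RAM, 2 GB disk, systemd). The two egress hosts are an assumption: they are the hosts this procedure downloads from, not the MDE service endpoints, which come from Microsoft's spreadsheet and are not probed here.

```shell
#!/bin/sh
# mde_preflight.sh: check the prerequisites from steps 1 and 2 before installing.
# Thresholds are the article's (kernel >= 3.10.0-327, ~1 GB RAM, 2 GB disk, systemd).
# EGRESS_HOSTS is an assumption: the two hosts this procedure downloads from. The
# MDE service endpoints from Microsoft's spreadsheet must be allowed too.
MIN_KERNEL="3.10.0-327"
MIN_MEM_KB=1048576       # 1 GB
MIN_DISK_KB=2097152      # 2 GB
EGRESS_HOSTS="packages.microsoft.com raw.githubusercontent.com"

# kernel_at_least <running> <minimum>: numeric compare of the first four fields,
# so "3.10.0-327.el7.x86_64" and "5.15.0-91-generic" both pass against 3.10.0-327.
kernel_at_least() {
    printf '%s\n%s\n' "$1" "$2" | tr -c '0-9\n' ' ' | awk '
        NR == 1 { for (i = 1; i <= 4; i++) have[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 4; i++) want[i] = $i + 0 }
        END {
            for (i = 1; i <= 4; i++) {
                if (have[i] > want[i]) exit 0
                if (have[i] < want[i]) exit 1
            }
            exit 0
        }'
}

# report <name> <0|1> <detail>: print one result line and pass the status through.
report() {
    if [ "$2" -eq 0 ]; then printf 'ok    %-14s %s\n' "$1" "$3"
    else printf 'FAIL  %-14s %s\n' "$1" "$3"; fi
    return "$2"
}

check_kernel() {
    k=$(uname -r)
    kernel_at_least "$k" "$MIN_KERNEL"; report kernel $? "$k (minimum $MIN_KERNEL)"
}

check_systemd() {
    [ -d /run/systemd/system ]; report systemd $? "/run/systemd/system present"
}

check_memory() {
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)
    [ "${mem_kb:-0}" -ge "$MIN_MEM_KB" ]; report memory $? "${mem_kb:-?} kB total"
}

# The agent installs under /opt/microsoft and keeps state under /var/opt/microsoft,
# so check the filesystem behind each (falling back to / if a path is absent).
check_disk() {
    disk_rc=0
    for d in /opt /var; do
        [ -d "$d" ] || d=/
        avail_kb=$(df -Pk "$d" | awk 'NR == 2 { print $4 }')
        [ "${avail_kb:-0}" -ge "$MIN_DISK_KB" ]; report "disk $d" $? "${avail_kb:-?} kB free" || disk_rc=1
    done
    return $disk_rc
}

# curl honours HTTPS_PROXY, so a static proxy set in the environment is exercised too.
# Any HTTP status (even 404) proves TCP + TLS reached the host; "000" means it did not.
check_egress() {
    egress_rc=0
    for h in $EGRESS_HOSTS; do
        code=$(curl -sS -o /dev/null --connect-timeout 5 -w '%{http_code}' "https://$h/" 2>/dev/null)
        [ -n "$code" ] && [ "$code" != "000" ]; report egress $? "$h (HTTP ${code:-none})" || egress_rc=1
    done
    return $egress_rc
}

preflight() {
    pf_rc=0
    check_kernel  || pf_rc=1
    check_systemd || pf_rc=1
    check_memory  || pf_rc=1
    check_disk    || pf_rc=1
    check_egress  || pf_rc=1
    if [ $pf_rc -eq 0 ]; then echo "preflight passed"
    else echo "preflight FAILED: fix the items above before step 4"; fi
    return $pf_rc
}

# Run as: sudo sh mde_preflight.sh --run   (no argument: define functions only)
case "${1:-}" in --run) preflight ;; esac
```

Run it with `--run` on the target host, with HTTPS_PROXY exported if you rely on a static proxy; the egress check then goes through the same proxy the agent will use. A clean TLS connection here does not prove the proxy is not inspecting TLS, so confirm that separately with your network team.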

3) Download your tenant’s onboarding package

In Microsoft Defender portal go to:
Settings → Endpoints → Device management → Onboarding. Choose Operating system: Linux Server and Deployment method: Local Script, then click Download onboarding package (WindowsDefenderATPOnboardingPackage.zip). Extract MicrosoftDefenderATPOnboardingLinuxServer.py from it. The script embeds your tenant's onboarding blob, so treat it like a credential: don't commit it to a repo or leave it world-readable on the server. (Microsoft Learn)

4) Install the MDE agent (choose A or B)

A) Quick “one-liner” install (recommended)

  1. Download Microsoft’s installer script and make it executable, then install & onboard in one go:

# in the same folder as MicrosoftDefenderATPOnboardingLinuxServer.py
curl -L -o mde_installer.sh https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/installation/mde_installer.sh
chmod +x mde_installer.sh
# read the script before running it as root; it adds a package repo and installs mdatp
sudo ./mde_installer.sh --install --channel prod \
  --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --min_req
# Optional: add proxy flags, e.g. --https-proxy https://proxy:port

(You can also --upgrade, --remove, or set tags with -t NAME VALUE later.) (Microsoft Learn)

B) Manual package install (add Microsoft repo → install mdatp)

Pick your distro:

RHEL / Oracle / Rocky / Alma / Amazon Linux 2

# yum-config-manager comes from yum-utils; install it first if it is missing.
# Pick rhel/7, rhel/8 or rhel/9 to match your release (Amazon Linux 2 uses config/amazonlinux/2/prod.repo).
sudo yum-config-manager --add-repo https://packages.microsoft.com/config/rhel/8/prod.repo
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo yum install mdatp

SLES 12/15

sudo zypper addrepo -c -f -n microsoft-prod \
  https://packages.microsoft.com/config/sles/15/prod.repo   # use sles/12 on SLES 12
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo zypper refresh
sudo zypper install mdatp

Ubuntu / Debian

sudo apt update && sudo apt install -y curl gpg
curl -L -o microsoft.list https://packages.microsoft.com/config/ubuntu/22.04/prod.list   # pick the URL for your distro/version
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
# Check the .list you downloaded: if its deb line carries signed-by=<path>, write the key to that path;
# if it has no signed-by, put the key under /etc/apt/trusted.gpg.d/ instead, or apt will not trust it.
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo gpg --dearmor -o /usr/share/keyrings/microsoft.gpg
sudo apt update
sudo apt install -y mdatp

5) Onboard the device (ties it to your tenant)

Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the server and run:

# use python3 on modern distros (RHEL 8+/Ubuntu 20.04+)
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

Confirm it picked up your org:

mdatp health --field org_id

A non-empty value means the device is associated with your tenant; the script has written its onboarding configuration to /etc/opt/microsoft/mdatp/mdatp_onboard.json. (Microsoft Learn)

6) Verify health & connectivity

mdatp health --field healthy
mdatp health --field definitions_status
mdatp connectivity test

healthy reporting true, definitions_status reporting "up_to_date", and every URL in the connectivity test succeeding mean you're good. (Microsoft Learn)

7) Run a safe detection test (EICAR)

mdatp health --field real_time_protection_enabled   # expect true
curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
mdatp threat list

You should see the file quarantined (it disappears from /tmp, and mdatp threat list shows it) and a detection in the Defender portal within a few minutes. If curl itself fails, something upstream (a proxy or web filter) blocked the download; that is not an MDE detection. (A device may take ~5–20 minutes to appear in the inventory after first onboarding.) (Microsoft Learn)

Common things

  • Agent installs but mdatp health shows licensed : false and an empty org_id: you skipped the onboarding script. Run the Python onboarding step (step 5). (Microsoft Learn)

  • Behind a proxy: only a static or transparent proxy works (no PAC/WPAD, no TLS inspection). A static proxy can be set after install by adding HTTPS_PROXY to the mdatp systemd unit's environment, then reloading systemd and restarting mdatp. (Microsoft Learn)

  • Auditd vs eBPF: newer agent versions use an eBPF-based sensor; the auditd-based sensor is deprecated, so keep kernels and the agent current rather than pinning old versions. (Microsoft Learn)
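A verification script that turns the checks from steps 5 to 7 and the "licensed : false" symptom above into a single pass/fail verdict over mdatp health output. It is an added example, not from this article or from Microsoft. It assumes the "key : value" line format mdatp health prints and the field names the article uses; the two sample outputs are constructed, trimmed to the fields checked, and the org_id in them is a placeholder.

```shell
#!/bin/sh
# mde_verify.sh: turn `mdatp health` output into a pass/fail verdict for steps 5-7
# and the "licensed : false" symptom. Field names are the ones the article uses;
# the "key : value" line format is what `mdatp health` prints (assumed here).
# Reads health output on stdin; --live runs `mdatp health` itself.

# health_field <name>: print the value of one field from health output on stdin,
# with the quotes mdatp puts around string values removed.
health_field() {
    awk -v key="$1" '
        { k = $1; sub(/:$/, "", k) }
        k == key { sub(/^[^:]*: */, ""); gsub(/^"|"$/, ""); print; exit }'
}

# check_field <health-output> <name> <expected>
check_field() {
    got=$(printf '%s\n' "$1" | health_field "$2")
    if [ "$got" = "$3" ]; then
        printf 'ok    %-30s %s\n' "$2" "$got"; return 0
    fi
    printf 'FAIL  %-30s got "%s", want "%s"\n' "$2" "$got" "$3"; return 1
}

# mde_verdict: exit 0 only when the device is healthy, licensed, tied to a tenant,
# protecting in real time and has current definitions.
mde_verdict() {
    health=$(cat)
    verdict_rc=0
    check_field "$health" healthy true || verdict_rc=1
    if ! check_field "$health" licensed true; then
        verdict_rc=1
        echo '      hint: licensed=false with an empty org_id means the onboarding script (step 5) was not run'
    fi
    org=$(printf '%s\n' "$health" | health_field org_id)
    if [ -n "$org" ]; then printf 'ok    %-30s %s\n' org_id "$org"
    else printf 'FAIL  %-30s empty (not associated with a tenant)\n' org_id; verdict_rc=1; fi
    check_field "$health" real_time_protection_enabled true || verdict_rc=1
    check_field "$health" definitions_status up_to_date || verdict_rc=1
    return $verdict_rc
}

# Constructed samples in mdatp's output format, trimmed to the fields checked.
# The org_id below is a placeholder, not a real tenant.
SAMPLE_GOOD='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

SAMPLE_NOT_ONBOARDED='healthy                                     : false
licensed                                    : false
org_id                                      : ""
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

case "${1:-}" in
    --live) mdatp health | mde_verdict ;;
    *)
        echo "== sample: onboarded device"
        printf '%s\n' "$SAMPLE_GOOD" | mde_verdict && echo "verdict: ready"
        echo "== sample: agent installed, onboarding script never run"
        printf '%s\n' "$SAMPLE_NOT_ONBOARDED" | mde_verdict || echo "verdict: not ready"
        ;;
esac
```

Without arguments the script runs the two constructed samples so you can see both verdicts; on the real server run `sudo sh mde_verify.sh --live` after step 5 and keep it in your post-install checks, since a non-zero exit is a clean signal for automation that the device is not yet reporting to your tenant.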
