Skip to content

Scripted Onboarding Linux Server to Microsoft Defender for Endpoint


Microsoft Defender for Endpoint is a security solution that provides real-time protection against malware  and other threats on the supported operating system. The onboarding process involves installing the Microsoft Defender for Endpoint for Linux extension on your device, which can be done through the command line or through the Microsoft Endpoint Manager. Once the extension is installed, you will need to configure the settings to suit your needs and then activate the service. Once activated, the service will begin scanning your device for threats and providing real-time protection.

System Requirement

Software Requirement

You can refer the link for the updated list of Supported Linux server distributions and Kernel Version. 

Hardware Requirements

  1. Disk space: 2 GB
  2. Cores: 2 minimum, 4 preferred
  3. Memory: 1 GB minimum, 4 preferred
  4. Audit framework (auditd) must be enabled.

The solution currently provides real-time protection for the following file system types:

    • btrfs
    • ecryptfs
    • ext2
    • ext3
    • ext4
    • fuse
    • fuseblk
    • jfs
    • nfs
    • overlay
    • ramfs
    • reiserfs
    • tmpfs
    • udf
    • vfat
    • xfs

Configure the Linux software repository

Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as [channel]): insiders-fastinsiders-slow, or prod. The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod.

Onboarding Linux Server

You can onboard Linux Server either manually running each command for the respective distribution or you can onboard the Linux server either using Script, Puppet, Ansible, Saltstack.

In this post, I will be covering how to can onboard a linux server using Script. You can use an automated installer bash script provided in our public GitHub repository. The script identifies the distribution and version, simplifies the selection of the right repository, sets up the device to pull the latest package, and combines the product installation and onboarding steps.

Before executing the GitHub Repository script you need to download the onboarding package form Microsoft Defender Portal.

Upload the script to Linux server and unzip.

  1. Download the script from the GitHub Repository and save that on the Linux Server
  2. Use Chmod +x <> to make the script file executable
  3. Execute the script

sudo ./<script_name>.sh -i -c insiders-fast -o

Validated if device gets successfully onboarded

Verify that the device is now associated with your organization and reports a valid organization identifier:

mdatp health –field org_id

mdatp health –field healthy

To check if Real Time protections is enabled : mdatp health –field real_time_protection_enabled

To see the threat list : mdatp threat list

Hope this will be informative for you. Please do share if you find worth sharing it.