
Defender for Endpoint on Linux

Deploying Microsoft Defender for Endpoint on Linux servers and workstations — distributions, packaging, and integration.

Microsoft Defender for Endpoint on Linux brings the EDR, antivirus and vulnerability-management capability that Defender provides for Windows and macOS to Linux. It matters for organisations with mixed-OS estates (Linux servers in data centres, Linux developer workstations, container hosts) that want unified Defender XDR coverage.

Supported distributions

Defender for Endpoint on Linux supports the major enterprise distributions; the minimum supported versions change over time, so confirm against Microsoft's current support list:

  • Red Hat Enterprise Linux 7, 8, 9.
  • CentOS / Rocky / AlmaLinux.
  • Ubuntu LTS releases.
  • Debian.
  • SUSE Linux Enterprise Server (SLES).
  • Oracle Linux.
  • Amazon Linux 2 and 2023.
  • Fedora (limited support).

Each distribution uses a Microsoft-published package (.deb for Debian/Ubuntu, .rpm for Red Hat, SUSE and Amazon Linux). The package is named mdatp on every distribution and comes from Microsoft's own repository, packages.microsoft.com, which publishes prod, insiders-slow and insiders-fast channels.

What's included

  • Real-time antivirus with signature and behavioural detection.
  • EDR — process activity, file activity, network connections all flow into Defender XDR.
  • Vulnerability management (formerly Threat and Vulnerability Management): Linux package inventory matched against CVEs.
  • Web protection — URL filtering.
  • Network protection.
  • Tamper protection.
  • Device control (limited).

Coverage parity with Windows / Mac is high but not complete; specific Windows / Mac features are gradually arriving on Linux.

Deployment

The typical install:

  1. Add Microsoft's package repository (packages.microsoft.com) and its signing key to the Linux host.
  2. Install the package: apt install mdatp, yum install mdatp, zypper install mdatp, or the equivalent for the distribution.
  3. Onboard by running the onboarding script Microsoft generates in the Defender XDR portal (a Python script for Linux Server). It writes the tenant onboarding blob to /etc/opt/microsoft/mdatp/mdatp_onboard.json, and the agent registers the device with your tenant.
  4. Verify with mdatp health: healthy and licensed should both report true and org_id should show your tenant. Licensing can take a few minutes to settle after onboarding.

For fleet deployment, wrap the install and onboarding steps in your standard configuration-management tooling (Ansible, Puppet, Chef, Salt) or bake them into the VM images used for ephemeral hosts.
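The four steps above as one script, added here as a worked example; it is not Microsoft's deployment script and not code from the original page. It assumes the repo config paths under https://packages.microsoft.com/config/ follow the pattern in Microsoft's docs (confirm the exact path for your distribution and version, particularly Oracle Linux and Amazon Linux), that the portal download is the Linux Server onboarding script MicrosoftDefenderATPOnboardingLinuxServer.py, and that the prod channel is wanted.

```shell
#!/usr/bin/env bash
# Added example: the four deployment steps above as one idempotent script that
# Ansible, Salt or cloud-init can wrap. Not Microsoft's deployment script.
# Assumptions (confirm against Microsoft's docs for your distro/version):
#   - repo config files live under https://packages.microsoft.com/config/ with
#     the paths used in repo_config_url below
#   - the portal download is the Linux Server onboarding script
#     MicrosoftDefenderATPOnboardingLinuxServer.py
#   - CHANNEL is prod (insiders-slow / insiders-fast also exist)
set -eu

CHANNEL="${CHANNEL:-prod}"
ONBOARD_SCRIPT="${ONBOARD_SCRIPT:-./MicrosoftDefenderATPOnboardingLinuxServer.py}"
MS_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"

# Map /etc/os-release ID and VERSION_ID to the repo config file for a channel.
# Prints the URL; returns 1 for a distribution this script does not know.
repo_config_url() {
  local id="$1" ver="$2" channel="${3:-prod}"
  local base="https://packages.microsoft.com/config"
  case "$id" in
    ubuntu|debian)                  echo "$base/$id/$ver/$channel.list" ;;
    rhel|centos|rocky|almalinux|ol) echo "$base/rhel/${ver%%.*}/$channel.repo" ;;
    sles)                           echo "$base/sles/${ver%%.*}/$channel.repo" ;;
    amzn)                           echo "$base/amazonlinux/$ver/$channel.repo" ;;
    *)                              return 1 ;;
  esac
}

# Steps 1 and 2: trust Microsoft's signing key, register the repo with the
# package manager the host actually has, and install mdatp.
install_mdatp() {
  . /etc/os-release
  local url
  url="$(repo_config_url "$ID" "$VERSION_ID" "$CHANNEL")" \
    || { echo "no repo mapping for $ID $VERSION_ID" >&2; return 1; }
  if command -v apt-get >/dev/null 2>&1; then
    curl -fsSL "$MS_KEY_URL" | gpg --dearmor --batch --yes -o /etc/apt/trusted.gpg.d/microsoft.gpg
    curl -fsSL "$url" -o "/etc/apt/sources.list.d/microsoft-$CHANNEL.list"
    apt-get update && apt-get install -y mdatp
  elif command -v zypper >/dev/null 2>&1; then
    rpm --import "$MS_KEY_URL"
    zypper addrepo -c -f -n "microsoft-$CHANNEL" "$url"
    zypper --non-interactive install mdatp
  else
    rpm --import "$MS_KEY_URL"
    curl -fsSL "$url" -o "/etc/yum.repos.d/microsoft-$CHANNEL.repo"
    if command -v dnf >/dev/null 2>&1; then dnf install -y mdatp; else yum install -y mdatp; fi
  fi
}

# Step 3: the portal-generated script drops the tenant onboarding blob at
# /etc/opt/microsoft/mdatp/mdatp_onboard.json and the daemon picks it up.
onboard() {
  [ -f "$ONBOARD_SCRIPT" ] || { echo "$ONBOARD_SCRIPT not found" >&2; return 1; }
  python3 "$ONBOARD_SCRIPT"
}

# Step 4a: reduce `mdatp health` output (key : value lines) to the three fields
# that prove the agent runs, is licensed and is bound to a tenant. Reads stdin
# so the same logic can be run against captured output without the agent.
health_status() {
  local healthy="" licensed="" org="" line v
  while IFS= read -r line; do
    v="${line#*: }"; v="${v#\"}"; v="${v%\"}"
    case "$line" in
      healthy*)  healthy="$v" ;;
      licensed*) licensed="$v" ;;
      org_id*)   org="$v" ;;
    esac
  done
  if [ "$healthy" = true ] && [ "$licensed" = true ] && [ -n "$org" ]; then
    echo "onboarded org_id=$org"
  else
    echo "not onboarded (healthy=$healthy licensed=$licensed org_id=$org)"
    return 1
  fi
}

# Step 4b: licensing can take minutes to settle, so poll rather than fail fast.
verify() {
  local i
  for i in 1 2 3 4 5 6; do
    mdatp health | health_status && return 0
    sleep 30
  done
  return 1
}

main() {
  case "${1:-}" in
    install) install_mdatp ;;
    onboard) onboard ;;
    verify)  verify ;;
    all)     install_mdatp && onboard && verify ;;
    *)       echo "usage: $0 install|onboard|verify|all" >&2 ;;
  esac
}
main "$@"
```

Run it as root with `all` on a fresh host, or call the individual verbs from a configuration-management task so that the install and the onboarding can be retried separately. health_status reads stdin rather than calling mdatp directly, which lets the same check run against health output collected from a fleet.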

Integration with the rest of Defender

Linux signals flow into Defender XDR alongside Windows, Mac, identity and email signals, so a cross-platform attack chain (a phishing email leads to credential theft, then to lateral movement onto a Linux server) correlates into a single incident.

Servers vs workstations

Defender for Endpoint on Linux supports both:

  • Servers: the primary use case, covering data-centre hosts and cloud VMs, under Defender for Endpoint for Servers licensing (which also covers Windows Server).
  • Workstations: developer desktops and engineering workstations, under the Defender for Endpoint licensing used for other endpoints.

Pricing differs; check current Microsoft licensing for specifics.

Common pitfalls

  • Repository and cloud connectivity: packages.microsoft.com must be reachable to install and update the agent, and the agent needs outbound HTTPS to the Defender cloud endpoints. Hosts without direct internet access need an explicit proxy or a local mirror of the repository rather than extra firewall rules; mdatp connectivity test reports which endpoints are blocked.
  • SELinux / AppArmor interactions: a strict policy can block the agent's daemon (wdavdaemon), which shows up as AVC denials in the audit log or as entries in mdatp health's health_issues; adjust the profile rather than disabling enforcement.
  • Kernel compatibility: on supported kernels Defender collects process and network events through an eBPF-based sensor; older kernels fall back to the auditd-based sensor, which costs more CPU and can conflict with other auditd consumers. mdatp health --field supplementary_events_subsystem shows which one is active.
  • Containers: Defender for Endpoint on a container host protects the host itself; Kubernetes workloads, registries and images are covered by Defender for Containers, a Defender for Cloud plan, not by Defender for Endpoint alone.
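A post-install check script for the pitfalls above, added here as an example; it is not Microsoft's tooling and not code from the original page. It assumes that mdatp connectivity test prints one "Testing connection with <url> ... [OK]" line per endpoint (confirm against your agent version), that the daemon's process name is wdavdaemon, and that ausearch or aa-status are installed where SELinux or AppArmor is in use.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's tooling): checks for the pitfalls above, to run
# as root on an onboarded host or from your config-management verify step.
# Assumptions to confirm against your agent version: `mdatp connectivity test`
# prints one "Testing connection with <url> ... [OK]" line per endpoint, the
# daemon's process name is wdavdaemon, and ausearch / aa-status exist where
# SELinux / AppArmor are in use.
set -eu

# Read `mdatp connectivity test` output on stdin, print every endpoint not
# marked [OK], return 1 if any failed. A missing proxy setting or a blocked
# egress rule shows up here long before it shows up as "licensed : false".
failed_endpoints() {
  local fails=0 line url
  while IFS= read -r line; do
    case "$line" in
      "Testing connection with "*)
        url="${line#Testing connection with }"
        url="${url%% *}"
        case "$line" in
          *"[OK]") ;;
          *) echo "$url"; fails=$((fails + 1)) ;;
        esac ;;
    esac
  done
  [ "$fails" -eq 0 ]
}

# Classify the event sensor the agent selected, given the value of
# `mdatp health --field supplementary_events_subsystem`. ebpf is the modern
# path; auditd is the legacy, higher-overhead fallback (old kernel, eBPF
# disabled, or a competing auditd consumer) and is worth investigating.
sensor_verdict() {
  local v="${1#\"}"; v="${v%\"}"
  case "$v" in
    ebpf)   echo "ebpf sensor active" ;;
    auditd) echo "auditd fallback active: check kernel version and eBPF support"; return 1 ;;
    *)      echo "unknown supplementary_events_subsystem: $v"; return 1 ;;
  esac
}

# SELinux / AppArmor: report the enforcement mode and any AVC denials logged
# against the daemon, which is the usual sign a profile needs adjusting.
mac_check() {
  if command -v getenforce >/dev/null 2>&1; then
    echo "selinux mode: $(getenforce)"
    if command -v ausearch >/dev/null 2>&1; then
      local denials
      denials=$(ausearch -m AVC -c wdavdaemon 2>/dev/null | grep -c denied || true)
      echo "avc denials for wdavdaemon: ${denials:-0}"
    fi
  elif command -v aa-status >/dev/null 2>&1; then
    aa-status 2>/dev/null | grep -i mdatp || echo "apparmor: no mdatp profile loaded"
  else
    echo "no SELinux or AppArmor tooling found"
  fi
}

run_checks() {
  local rc=0
  echo "kernel: $(uname -r)"
  sensor_verdict "$(mdatp health --field supplementary_events_subsystem)" || rc=1
  echo "health_issues: $(mdatp health --field health_issues)"
  mdatp connectivity test | failed_endpoints || { echo "blocked endpoints listed above" >&2; rc=1; }
  mac_check
  return "$rc"
}

if command -v mdatp >/dev/null 2>&1; then
  run_checks
else
  echo "mdatp is not installed on this host; nothing to check" >&2
fi
```

The script exits non-zero when an endpoint is blocked or the auditd fallback is active, so it can gate a deployment pipeline; the parsing functions take their input on stdin or as an argument so they can be exercised against captured output without the agent present.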

When this is essential

For organisations with:

  • Linux server fleets in production — Defender extends your SOC coverage to those workloads.
  • Linux developer workstations that connect to your network.
  • Mixed-OS environments wanting one console for security.

For Linux-only shops, Defender is still credible, but the broader Microsoft ecosystem benefit is smaller and third-party Linux EDRs (CrowdStrike, SentinelOne) compete strongly. For Microsoft 365 customers with Linux as a meaningful slice of the estate, the unified-console story usually wins.