How to manually install Defender for Endpoint on Linux

This article follows the steps from the Microsoft website on how to manually install Defender for Endpoint on a Linux-based machine. If you are a Microsoft house and already use Windows Defender, you should also look at using Defender on your Linux-based devices. This is a great way to stay in compliance with Cyber Essentials as well.

For the purposes of this demo, we are installing within Azure AD on a Red Hat Enterprise Linux 9.4 based virtual machine which is fully up to date at the time of writing. For other distributions, please check the Microsoft documentation for the appropriate installation instructions.

First of all, if you haven’t already, make sure your machines are up and running within Azure and fully patched and up to date.

Downloading the installer script from GitHub

Download the installer script from the Microsoft GitHub page which can be found at: https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh

wget https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh -O mde_installer.sh

Next, make the script executable:

sudo chmod +x mde_installer.sh

Then, test to make sure the script works:

./mde_installer.sh --help

Install yum-utils, if it’s not already installed:

sudo yum install yum-utils

Add and configure the repo for Linux

At the time of writing the repos are as follows:

Distro & version                                  Package
Alma 8.4 and higher                               https://packages.microsoft.com/config/alma/8/prod.repo
Alma 9.2 and higher                               https://packages.microsoft.com/config/alma/9/prod.repo
RHEL/CentOS/Oracle 9.0-9.8                        https://packages.microsoft.com/config/rhel/9/prod.repo
RHEL/CentOS/Oracle 8.0-8.10                       https://packages.microsoft.com/config/rhel/8/prod.repo
RHEL/CentOS/Oracle 7.2-7.9 & Amazon Linux 2       https://packages.microsoft.com/config/rhel/7.2/prod.repo
Amazon Linux 2023                                 https://packages.microsoft.com/config/amazonlinux/2023/prod.repo
Fedora 33                                         https://packages.microsoft.com/config/fedora/33/prod.repo
Fedora 34                                         https://packages.microsoft.com/config/fedora/34/prod.repo
Rocky 8.7 and higher                              https://packages.microsoft.com/config/rocky/8/prod.repo
Rocky 9.2 and higher                              https://packages.microsoft.com/config/rocky/9/prod.repo

Add the appropriate repo to your instance. For our testing, we are using the Red Hat Enterprise Linux 9 repo:

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/9/prod.repo

Install the Microsoft GPG public key, so that yum can verify the signatures on the packages it pulls from the repo:

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

Install Microsoft Defender for Endpoint

Now that we have added the repo, we can install the actual product to start protecting our instance.

sudo yum install mdatp

Download the onboarding package

Next we need to download the onboarding package and get it onto the device in question. Log into the Microsoft Defender portal and go to Settings > Endpoints > Device management > Onboarding.

In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Local Script as the deployment method.

Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip.

Once downloaded and copied to the device, extract the package and run the Python script it contains to onboard the device. RHEL 9 ships no unversioned python command, so call python3 explicitly:

unzip WindowsDefenderATPOnboardingPackage.zip
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

Verify that the device has onboarded correctly

Once the onboarding script has run, wait a few minutes and then check that the device has fully connected and is onboarded by checking the following fields. If anything comes back as failed or errors, wait a little longer and try again.

mdatp health --field org_id

mdatp health --field healthy

Check to make sure that the product’s definitions are up to date:

mdatp health --field definitions_status

Run AV detection tests

First, check that real-time protection is enabled:

mdatp health --field real_time_protection_enabled

If this value comes back as false, run the following command:

sudo mdatp config real-time-protection --value enabled

Perform tests with the EICAR test files (harmless files that every AV engine is expected to detect):

curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

curl -o /tmp/eicar_com.zip https://secure.eicar.org/eicar_com.zip

curl -o /tmp/eicarcom2.zip https://secure.eicar.org/eicarcom2.zip

Check that the files have been detected and quarantined:

mdatp threat list
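The checks above are the ones you will repeat on every onboarded machine, so it is worth wrapping them in a script. The following is an added example, not code from the original article or from Microsoft: it polls the health fields until they reach the expected values (onboarding takes a few minutes, so one failed read is not conclusive), confirms org_id is populated, looks for an EICAR detection in mdatp threat list, and exits with the number of failed checks so it can be used from automation. It assumes mdatp is on PATH and that the EICAR files above have already been downloaded; the field names and values (healthy, org_id, definitions_status, real_time_protection_enabled, true, up_to_date) are the ones from the article, and the ATTEMPTS and DELAY variables are this script's own.

```shell
#!/bin/sh
# Added example, not from the original article or from Microsoft: a small
# post-onboarding verification script for Defender for Endpoint on Linux.
# Assumes `mdatp` is installed and on PATH and that the EICAR test files
# from the article have already been downloaded to /tmp.

# `mdatp health --field` wraps string values in double quotes; strip the
# quotes and whitespace so "up_to_date" and up_to_date compare equal.
normalize_field() {
    printf '%s' "$1" | tr -d '"[:space:]'
}

# Query one health field and return 0 only if it equals the expected value.
field_ok() {
    actual=$(mdatp health --field "$1" 2>/dev/null) || return 1
    [ "$(normalize_field "$actual")" = "$2" ]
}

# Poll a field until it matches, because onboarding is not instant.
# Usage: wait_for_field <field> <expected> <attempts> <seconds-between>
wait_for_field() {
    n=0
    while [ "$n" -lt "$3" ]; do
        if field_ok "$1" "$2"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$4"
    done
    return 1
}

# Return 0 if `mdatp threat list` shows at least one EICAR detection.
eicar_detected() {
    mdatp threat list 2>/dev/null | grep -qi 'eicar'
}

# Run every check, print one line per result, and return the number of
# failures as the exit status. ATTEMPTS/DELAY are this script's own knobs
# (defaults: 6 tries, 30 seconds apart, i.e. up to three minutes per field).
verify_onboarding() {
    failures=0
    for check in "healthy true" "definitions_status up_to_date" "real_time_protection_enabled true"; do
        set -- $check
        if wait_for_field "$1" "$2" "${ATTEMPTS:-6}" "${DELAY:-30}"; then
            echo "OK   $1 = $2"
        else
            echo "FAIL $1 (expected $2, got: $(mdatp health --field "$1" 2>&1))"
            failures=$((failures + 1))
        fi
    done
    org=$(mdatp health --field org_id 2>/dev/null)
    if [ -n "$(normalize_field "$org")" ]; then
        echo "OK   org_id = $org"
    else
        echo "FAIL org_id is empty: device is not onboarded"
        failures=$((failures + 1))
    fi
    if eicar_detected; then
        echo "OK   EICAR test file detected"
    else
        echo "FAIL no EICAR detection in 'mdatp threat list'"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Only run automatically when mdatp is actually installed on this host.
if command -v mdatp >/dev/null 2>&1; then
    verify_onboarding
fi
```

Run it with sudo after the EICAR downloads; a non-zero exit status tells you which of the article's checks has not yet settled. Because it matches the EICAR line case-insensitively by name rather than by a fixed threat ID, it keeps working if the detection name changes between engine versions.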