
Prerequisites for Microsoft Defender for Endpoint on Linux

This article lists the prerequisites for deploying and onboarding Defender for Endpoint on Linux servers.

Important

If you want to run multiple security solutions side by side, see Considerations for performance, configuration, and support.

You might have already configured mutual security exclusions for devices onboarded to Microsoft Defender for Endpoint. If you still need to set mutual exclusions to avoid conflicts, see Add Microsoft Defender for Endpoint to the exclusion list for your existing solution.

License requirements

To onboard servers to Defender for Endpoint, server licenses are required. You can choose from the following options:

For more detailed information about licensing requirements for Microsoft Defender for Endpoint, see Microsoft Defender for Endpoint licensing information.

For detailed licensing information, see Product Terms: Microsoft Defender for Endpoint and work with your account team to learn more about the terms and conditions.

System requirements

  • CPU: One CPU core minimum. For high-performance workloads, more cores are recommended.
  • Disk Space: 2 GB minimum. For high-performance workloads, more disk space might be needed.
  • Memory: 1 GB of RAM minimum. For high-performance workloads, more memory might be needed.
  • For installation at a custom path, refer to Prerequisites and system requirements for custom location installation.

Note

Performance tuning might be needed based on workloads. For more information, see Performance tuning for Microsoft Defender for Endpoint on Linux.

Software requirements

Linux server endpoints should have systemd (system manager) installed.

Note

Linux distributions that use system manager support both SystemV and Upstart. The Microsoft Defender for Endpoint on Linux agent is independent of the Operations Management Suite (OMS) agent; Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.

To use device isolation functionality, the following must be enabled:

  • iptables
  • ip6tables
  • Linux kernel with CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER for kernel versions lower than 5.x, or CONFIG_NETFILTER_XT_MATCH_OWNER for 5.x and later kernels.
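The script below is an added example, not part of the Microsoft article: a POSIX shell check that reports which of the device-isolation prerequisites just listed are missing. It assumes the kernel config is readable as CONFIG_X=y|m lines (for example /boot/config-$(uname -r)) and that iptables and ip6tables are expected on PATH.

```shell
# Added example, not from the article: check the device-isolation prerequisites
# listed above. Assumes the kernel config is readable as "CONFIG_X=y|m" lines
# (for example /boot/config-$(uname -r)) and that iptables/ip6tables should be on PATH.

# Print the kernel options device isolation needs for a kernel release string
# such as "4.18.0-477" or "5.15.0-1041": the owner-match option changed in 5.x.
required_isolation_options() {
    major=${1%%.*}
    printf 'CONFIG_NETFILTER\nCONFIG_IP_NF_IPTABLES\n'
    if [ "$major" -lt 5 ]; then
        printf 'CONFIG_IP_NF_MATCH_OWNER\n'
    else
        printf 'CONFIG_NETFILTER_XT_MATCH_OWNER\n'
    fi
}

# Print, one per line, the required options that are neither built in (=y) nor
# modular (=m) in the given config file. Empty output means all are present.
missing_isolation_options() {
    config_file=$1
    kver=$2
    for opt in $(required_isolation_options "$kver"); do
        grep -Eq "^${opt}=(y|m)$" "$config_file" || echo "$opt"
    done
}

# Print the isolation tools (iptables, ip6tables) that are not on PATH.
missing_isolation_tools() {
    for tool in iptables ip6tables; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Demo on a constructed config: a 5.x kernel with the owner match not set.
demo_isolation_check() {
    tmp=$(mktemp)
    printf 'CONFIG_NETFILTER=y\nCONFIG_IP_NF_IPTABLES=m\n# CONFIG_NETFILTER_XT_MATCH_OWNER is not set\n' > "$tmp"
    echo "Missing kernel options for 5.15.0-1041 (constructed config):"
    missing_isolation_options "$tmp" "5.15.0-1041-azure"
    echo "Isolation tools missing from PATH on this host:"
    missing_isolation_tools
    rm -f "$tmp"
}

demo_isolation_check
```

On a real host, replace the constructed file with /boot/config-$(uname -r) and the version string with $(uname -r).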

Network requirements

Linux server endpoints should be able to access the endpoints documented in:

If necessary, configure static proxy discovery.

Warning

PAC, WPAD, and authenticated proxies aren't supported. Use only static or transparent proxies. SSL inspection and intercepting proxies aren't supported for security reasons. Configure an exception for SSL inspection and your proxy server to allow direct data pass-through from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store doesn't enable interception.

Verify if devices can connect to Defender for Endpoint cloud services

  1. Prepare your environment, as described in Step 1 of Configure your network environment to ensure connectivity with Defender for Endpoint service.

  2. Connect Defender for Endpoint on Linux through a proxy server by using the following discovery methods:

  3. Permit anonymous traffic in the previously listed URLs, if a proxy or firewall blocks traffic.

Note

Configuration for transparent proxies isn't needed for Defender for Endpoint. See Manual Static Proxy Configuration.

For troubleshooting steps, see Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux.

Supported Linux distributions

The following Linux server distributions are supported:

Distribution                  x64 (AMD64/EM64T)                  ARM64
----------------------------  ---------------------------------  -------------------
Red Hat Enterprise Linux      7.2+, 8.x, 9.x, 10.x               8.x, 9.x, 10.x
CentOS                        7.2+, 8.x                          Not supported
CentOS Stream                 8.x, 9.x, 10.x                     8.x, 9.x, 10.x
Ubuntu LTS                    16.04, 18.04, 20.04, 22.04, 24.04  20.04, 22.04, 24.04
Ubuntu Pro                    22.04, 24.04                       22.04, 24.04
Debian                        9–13                               11, 12
SUSE Linux Enterprise Server  12.x, 15.x                         15 (SP5, SP6)
Oracle Linux                  7.2+, 8.x, 9.x                     8.x, 9.x
Amazon Linux                  2, 2023                            2, 2023
Fedora                        33–42                              Not supported
Rocky Linux                   8.7+, 9.2+                         Not supported
Alma Linux                    8.4+, 9.2+                         Not supported
Mariner                       2                                  Not supported

Note

Distributions and versions that aren't explicitly listed above, and custom operating systems, are unsupported (even if they're derived from the officially supported distributions). Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions. The kernel must be version 3.10.0-327 or later.
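As an added example (not from the article), the shell function below compares a kernel release string in the form uname -r prints against the 3.10.0-327 minimum stated above. It assumes the MAJOR.MINOR[.PATCH][-RELEASE...] layout and treats a missing PATCH or RELEASE number as 0.

```shell
# Added example, not from the article: compare a kernel release string (the form
# "uname -r" prints) against the stated minimum, 3.10.0-327. Assumes the form
# MAJOR.MINOR[.PATCH][-RELEASE...]; a missing PATCH or RELEASE counts as 0.
kernel_meets_minimum() {
    rel=$1
    ver=${rel%%-*}                           # 3.10.0
    build=${rel#"$ver"}; build=${build#-}    # 327.el7.x86_64 (or empty)
    build=${build%%[!0-9]*}                  # 327
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;
        *)   minor=$rest; patch="" ;;
    esac
    # Compare field by field against 3.10.0-327; the first difference decides.
    for pair in "${major:-0}:3" "${minor:-0}:10" "${patch:-0}:0" "${build:-0}:327"; do
        have=${pair%%:*}
        need=${pair##*:}
        [ "$have" -gt "$need" ] && return 0
        [ "$have" -lt "$need" ] && return 1
    done
    return 0                                 # exactly the minimum
}

# Demo on constructed release strings; use "$(uname -r)" on a real host.
for rel in "3.10.0-327.el7.x86_64" "3.10.0-229.el7.x86_64" "5.15.0-1041-azure" "2.6.32-754.el6"; do
    if kernel_meets_minimum "$rel"; then
        echo "$rel: meets the 3.10.0-327 minimum"
    else
        echo "$rel: below the 3.10.0-327 minimum"
    fi
done
```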

Warning

Running Defender for Endpoint on Linux alongside other fanotify-based security solutions is not supported and may lead to unpredictable behavior, including system hangs. If any applications use fanotify in blocking mode, they will appear in the conflicting_applications field of the mdatp health command output. You can still safely take advantage of Defender for Endpoint on Linux by setting antivirus enforcement level to passive. See Configure security settings in Microsoft Defender for Endpoint on Linux. EXCEPTION: The Linux FAPolicyD feature, which also uses Fanotify in blocking mode, is supported with Defender for Endpoint in active mode on RHEL and Fedora platforms, provided that mdatp health reports a healthy status. This exception is based on validated compatibility specific to these distributions.

Supported filesystems for real-time protection and quick, full, and custom scans

Real-time protection and quick/full scans:

  • btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs (v3), nfs4, overlay, ramfs, reiserfs, tmpfs, udf, vfat, xfs

Custom scans:

  • All filesystems that are supported for real-time protection and quick/full scans are also supported for custom scans.
  • In addition, the following filesystems are supported for custom scans: Efs, S3fs, Blobfuse, Lustre, glusterfs, Afs, sshfs, cifs, smb, gcsfuse, sysfs

Note

To scan NFS v3 mount points, make sure to set the no_root_squash export option. Without this option, scanning NFS v3 can potentially fail due to lack of permissions.
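An added example, not from the article: run on the NFS server, this shell function lists entries in an exports(5) file that still squash root, so the export option described above can be corrected before scans of those mounts fail for lack of permissions. It assumes the one-export-per-line layout; the sample file, paths and client addresses are constructed placeholders.

```shell
# Added example, not from the article: on the NFS server, list export entries in
# an exports(5) file that lack the no_root_squash option the note above calls for.
# Assumes one export per line, "/path client(options) client(options) ...";
# a client with no option list falls back to the default, which is root_squash.
exports_without_no_root_squash() {
    exports_file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f                           # no globbing of client patterns like *.example.com
        set -- $line
        set +f
        [ $# -ge 1 ] || continue         # blank line
        path=$1
        shift
        [ $# -ge 1 ] || { echo "$path (no clients listed)"; continue; }
        for client in "$@"; do
            case "$client" in
                *\(*no_root_squash*\)*) ;;            # explicitly allows client root
                *) echo "$path ${client%%\(*}" ;;     # squashed: scans may lack permissions
            esac
        done
    done < "$exports_file"
}

# Demo on a constructed exports file.
demo_exports_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real server's /etc/exports
/srv/scans  10.0.0.5(rw,sync,no_root_squash) 10.0.0.0/24(ro)
/srv/public *.example.com(ro,root_squash)
/srv/old    10.0.0.7
EOF
    echo "Exports still squashing root (scanning NFS v3 may fail there):"
    exports_without_no_root_squash "$tmp"
    rm -f "$tmp"
}

demo_exports_check
```

Because no_root_squash lets the client's root act as root on the export, grant it only to the client entry for the scanning host rather than to a whole subnet.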

Roles and permissions

  • Administrative privileges on the Linux server endpoint are required for installation.
  • An appropriate role assigned in Defender for Endpoint. See Role-based access control.

Installation methods and tools

There are several methods and tools that you can use to deploy Microsoft Defender for Endpoint on supported Linux servers.

Using the Defender deployment tool is recommended: it simplifies the onboarding process, reduces manual tasks, and supports a wide range of deployment scenarios, including new installations, upgrades, and uninstalls. For more information, see Deploy Microsoft Defender endpoint security to Linux devices using the Defender deployment tool (preview).

Important

On Linux, Microsoft Defender for Endpoint creates an mdatp user with random UID and GID values. If you want to control these values, create an mdatp user before installation using the /usr/sbin/nologin shell option. Here's an example: mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin.
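Added example, not Microsoft's code: pre-create the mdatp account with chosen UID/GID values and the /usr/sbin/nologin shell as the note describes, then verify the resulting passwd entry. The UID/GID 1001 is a placeholder; create_mdatp_user assumes the shadow-utils groupadd/useradd commands and must run as root on the target server, while the check function runs anywhere.

```shell
# Added example, not from the article: pre-create the mdatp account with chosen
# UID/GID values and the /usr/sbin/nologin shell before installing the agent, then
# verify the passwd entry. UID/GID 1001 below are placeholders; pick free values.
# create_mdatp_user must run as root on the target server; the check runs anywhere.
create_mdatp_user() {
    uid=$1
    gid=$2
    getent group mdatp >/dev/null 2>&1 || groupadd --system --gid "$gid" mdatp
    getent passwd mdatp >/dev/null 2>&1 || useradd --system --uid "$uid" --gid "$gid" \
        --home-dir /home/mdatp --shell /usr/sbin/nologin mdatp
}

# Check one passwd(5) line (name:x:UID:GID:gecos:home:shell) for the expected
# name, UID, GID and non-interactive shell. Prints the first mismatch, returns 1.
check_mdatp_passwd_entry() {
    entry=$1
    want_uid=$2
    want_gid=$3
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$entry
EOF
    [ "$name" = mdatp ] || { echo "unexpected user name: $name"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "UID is $uid, wanted $want_uid"; return 1; }
    [ "$gid" = "$want_gid" ] || { echo "GID is $gid, wanted $want_gid"; return 1; }
    [ "$shell" = /usr/sbin/nologin ] || { echo "shell is $shell, wanted /usr/sbin/nologin"; return 1; }
    echo "ok: mdatp uid=$uid gid=$gid shell=$shell"
}

# Demo on a constructed entry, then on the real account if it exists on this host.
check_mdatp_passwd_entry 'mdatp:x:1001:1001::/home/mdatp:/usr/sbin/nologin' 1001 1001
if entry=$(getent passwd mdatp); then
    check_mdatp_passwd_entry "$entry" 1001 1001 || true
fi
```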

If you experience any installation issues, self-troubleshooting resources are available. See the links in the Related content section.

Next steps