Defender for Linux

Thu Jan 18, 24 | MDE | Microsoft | Security

Linux Lab is based on my larger MDE lab but is purely focused on MDE with Linux. The goal of this lab is to help familiarize people with deploying MDE on various Linux distros.

Deployment Instructions

  1. Generate a root and child certificate for the Gateway VPN using these instructions
  2. Open the Azure Portal in a seperate tab in your browser
  3. Use the Deploy to Azure button below to deploy the lab to your Azure Environment
    1. Required: Specify a Resource Group where the lab will be deployed
    2. Required: Provide an Admin Password
    3. Recommended: Select the region where the lab should be deployed if using a new resource group
    4. Recommended: Update the Admin User Name to your desired name
    5. Recommended: Specify a Gateway Cert Name
    6. Recommended: Specify the Gateway Cert Data (Generated in Step 1)

Deploy to Azure

Post Deployment Setup

Configure Point-to-Site VPN

If you did not specify the VPN Root Cert and provide the Certificate Data then you need to follow these steps. Otherwise you can skip these steps and go to the Install VPN Client section below.

  1. Use the New-P2SCertificate.ps1 script, found here to create a new Root & Child certificate pair for use with the Point-to-Site Gateway
    1. Copy the text from the rootcert.txt file that the script generates in the folder where it is run or from the console’s on-screen output
  2. In the Azure Portal go to the Resource Group where the lab was created and find the Virtual Network Gateway Resource that was created and click on it
    1. Go to the Point-to-Site Configuration
    2. Provide a name for the Root Certificate
    3. Paste the output from the above step into the Public certificate data field
    4. Save the changes

Install VPN Client

  1. In the Azure Portal go to the Resource Group where the lab was created and find the Virtual Network Gateway Resource that was created and click on it
    1. Go to the Point-to-Site Configuration
    2. Click the Download VPN client button
  2. Install the appropriate VPN client for your OS
  3. Connect the to the Point-to-Site VPN

Deployment Details

The following table details the Virtual Machines that are deployed in this lab.

VM Name Operating System IP Address Scheduled Shutdown
LinuxManager Ubuntu 20.04 LTS 7PM ET
LinuxUbuntu1 Ubuntu 20.04 LTS 7PM ET
LinuxCentOs1 CentOS 8 7PM ET
LinuxSuseOs1 SUSE 12 7PM ET


The scenarios listed here are the most common scenarios I’ve supported with customers, and these are a great way to get started learning about MDE on Linux.

Linux Remote Access

Generally speaking, especially for servers, accessing a Linux machine does not use Remote Desktop/Graphical Interaction. Instead most Linux management and interaction is done from a commandline and remote access uses Secure Shell (SSH). If you are not familiar with SSH and how to access a remote Linux server I recommend you review this article, especially the section Connect to a remote host via SSH and Copying files between client and remote systems.

The other sections about remote key are useful for getting SSH up and running, but if you have used the supplied template then SSH will already be set up on the machine and will utilize username & password.

Manual Onboarding & Offboarding of Linux Servers

If you are new to Linux, MDE, or both it is best if you start with manual onboarding so you can understand the various steps and procedures. This is also very useful if you are planning to deploy MDE at your organization to identify and plan for challenge you may experience.

Onboarding & Offboarding of Linux Servers with Management Solutions

There are a number of great, and free, Linux Management solutions like Ansible and SaltStack that are supported for onboarding & offboarding Linux machines.

Getting Started with Management Tools

If you are unfamiliar with Linux managment solutions like Ansible, SaltStack, Chef, Puppet, etc. then you should start with one of their tutorials. My personal preference of management solutions is Ansible or SaltStack, and I’ve found their processes for configuration management translate relatively well to other management solutions.

Deploying with Management Tools

There are specific articles to help with the deployment of MDE using the various management tools that provide good guidance and example playbooks, scripts, etc. to get onboarding quickly.

Managing/Configuring Defender

After onboarding the next common scenario is to manage and configure MDE on Linux which include actions like adding exclusions, configuring run mode, enabling/disabling various services/settings. There are two different ways to manage MDE on a device, but understanding how both works is helpful.

Local Defender Configuration Management

Local Defender Configuration Management utilizes the mdatp_management.json file to control the various settings. This file can be deployed manually or using one of the above deployment/configuration management tools.

MDE Security Configuration Management

MDE supports Security Configuration Management, and this support is available for Linux as well, so organizations can use the portal rather than deploying an individual file to each machine. There are some limitations about the Linux versions required to support this, but the machines in this lab are all supported.

What is great is that if your machines are onboarded enabling the Security Management is done from the portal without having to change/update/access the machine.

Something of interest: After enabling Security Configuration Management and targeting a VM you should review the folder where the Local Defender Configuration Management file was places /etc/opt/microsoft/mdatp/managed/. What you should find is a new mdeattach_management.json file with the same format as the mdatp_management.json file.

Configure a Scanning Schedule

Now that you have onboarded your devices and applied a configuration the next common activity is to set up a scanning schedule. MDE uses the standard Linux task scheduling service CRON, but it does not currently support setting this up via the portal. Instead you may need to revert to your Linux Management tool to handle this configuration.

Manage MDE Updates

Based on observation, the MDE Package is updated monthly (sometime more, seldom less) and per documentation it is valid for 9-months. For many customers I’ve supported their Linux systems are not updated nearly as frequently as their Windows systems. Personally, I’ve seen a range of customers who update their Linux environment somewhere between quarterly and yearly based on the system’s criticality. Therefore, planning for and implementing a controlled update schedule for MDE on Linux is critical.

Again, MDE utilizes the CRON services here if you want to perform automatic updates of the platform.

Security Intelligence Updates

I’ll return to this scenario in the future, but for now lets just stick with the automatic updates.


Performance tuning is one of the most important scenarios customers run into often because the system is poorly performing and impacting their business. Due to the limited useage and scale of this lab there isn’t much to do here for the scenario, but here are a few useful troubleshooting links.