| title | Deploy Microsoft Defender for Endpoint on Linux manually |
|---|---|
| description | Describes how to deploy Microsoft Defender for Endpoint on Linux manually from the command line. |
| ms.service | defender-endpoint |
| ms.author | painbar |
| author | paulinbar |
| ms.reviewer | gopkr |
| ms.localizationpriority | medium |
| audience | ITPro |
| ms.collection | |
| ms.topic | install-set-up-deploy |
| ms.subservice | linux |
| search.appverid | met150 |
| appliesto | |
| ms.date | 03/20/2026 |
You can deploy Defender for Endpoint on Linux by using various tools and methods. This article describes how to deploy Defender for Endpoint on Linux manually. To use another method, refer to the Related content section.
Note
We highly recommend using the Defender Deployment Tool deployment method, as it simplifies the onboarding process, reduces manual tasks, and supports a wide range of deployment scenarios, including new installations, upgrades, and uninstalls. Refer to the documentation for more details.
A successful deployment requires the completion of all of the following tasks:
- Prerequisites and system requirements
- Configure the Linux software repository
- Preinstall setup for custom location installation
- Application installation
- Download the onboarding package
- Client configuration
Before you begin, see Prerequisites for Defender for Endpoint on Linux for a description of prerequisites and system requirements for the current software version.
Warning
Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to Uninstall the existing Defender for Endpoint on Linux application, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux following the steps in this article.
Defender for Endpoint on Linux can be deployed from one of the following channels (denoted as [channel]): insiders-fast, insiders-slow, or prod. Each of these channels corresponds to a Linux software repository. The instructions in this article describe configuring your device to use one of these repositories.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod.
In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow.
Warning
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, reconfigure your device to use the new channel, and follow the steps in this document to install the package from the new location.
You can use either the dnf or the yum package manager to deploy Defender for Endpoint on Linux on RHEL and its variants. The instructions in the following sections include commands for both package managers; use just the relevant one.
- Install either `dnf-plugins-core` or `yum-utils` if the one you want to use isn't installed yet:

  ```bash
  sudo dnf install dnf-plugins-core
  ```

  or

  ```bash
  sudo yum install yum-utils
  ```
- Locate the correct package for your distribution and version. Use the following table to help guide you in locating the package:

  | Distro & version | Package |
  |---|---|
  | Alma 8.4 and higher | https://packages.microsoft.com/config/alma/8/prod.repo |
  | Alma 9.2 and higher | https://packages.microsoft.com/config/alma/9/prod.repo |
  | RHEL/CentOS/Oracle 9.0-9.8 | https://packages.microsoft.com/config/rhel/9/prod.repo |
  | RHEL/CentOS/Oracle 8.0-8.10 | https://packages.microsoft.com/config/rhel/8/prod.repo |
  | RHEL/CentOS/Oracle 7.2-7.9 | https://packages.microsoft.com/config/rhel/7.2/prod.repo |
  | Amazon Linux 2 | https://packages.microsoft.com/config/amazonlinux/2/prod.repo |
  | Amazon Linux 2023 | https://packages.microsoft.com/config/amazonlinux/2023/prod.repo |
  | Fedora 33 | https://packages.microsoft.com/config/fedora/33/prod.repo |
  | Fedora 34 | https://packages.microsoft.com/config/fedora/34/prod.repo |
  | Rocky 8.7 and higher | https://packages.microsoft.com/config/rocky/8/prod.repo |
  | Rocky 9.2 and higher | https://packages.microsoft.com/config/rocky/9/prod.repo |

  [!NOTE] For your distribution and version, identify the closest entry for it (by major, then minor) under https://packages.microsoft.com/config/rhel/.

  [!TIP] Online kernel patching tools, such as Ksplice or similar, can lead to unpredictable OS stability if Defender for Endpoint is running. It's recommended to temporarily stop the Defender for Endpoint daemon before performing online kernel patching. After the kernel is updated, Defender for Endpoint on Linux can be safely restarted. This action is especially important for systems running Oracle Linux.
- In the following commands, replace [version] and [channel] with the information you've identified:

  ```bash
  sudo dnf config-manager --add-repo https://packages.microsoft.com/config/rhel/[version]/[channel].repo
  ```

  or

  ```bash
  sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/[version]/[channel].repo
  ```

  [!TIP] Use the `hostnamectl` command to identify system-related information, including the release [version].

  For example, if you're running CentOS 8 and want to deploy Defender for Endpoint on Linux from the prod channel:

  ```bash
  sudo dnf config-manager --add-repo https://packages.microsoft.com/config/rhel/8/prod.repo
  ```

  or

  ```bash
  sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/prod.repo
  ```

  Or if you wish to explore new features on selected devices, you might want to deploy Defender for Endpoint on Linux from the insiders-fast channel:

  ```bash
  sudo dnf config-manager --add-repo https://packages.microsoft.com/config/rhel/8/insiders-fast.repo
  ```

  or

  ```bash
  sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/insiders-fast.repo
  ```
- Install the Microsoft GPG public key:

  ```bash
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  ```
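The table above maps a distribution and version to a repository configuration URL, with the rule of picking the closest entry by major version. The following script, added here as an example and not part of the Microsoft article, applies that rule to the contents of `/etc/os-release` so the URL can be derived (and checked against constructed samples) before any `config-manager` or `curl` step runs. It assumes the `ID` and `VERSION_ID` values used by these distributions and covers the apt-based `.list` form as well.

```shell
#!/bin/sh
# Added example (not part of the Microsoft article): derive the package
# repository config URL from /etc/os-release, applying the article's rule of
# picking the closest entry by major version. Reads os-release text from an
# argument so it can be checked offline against constructed samples.

# osrel_field VAR OSRELEASE_TEXT: print the value of VAR without quotes.
osrel_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

# mde_repo_url OSRELEASE_TEXT CHANNEL: print the config URL, or fail with
# status 1 when the channel or distro/version has no entry in the table.
mde_repo_url() {
    os_release=$1
    channel=${2:-prod}
    case "$channel" in
        prod|insiders-slow|insiders-fast) ;;
        *) echo "unknown channel: $channel" >&2; return 1 ;;
    esac
    id=$(osrel_field ID "$os_release")
    version_id=$(osrel_field VERSION_ID "$os_release")
    major=${version_id%%.*}
    ext=repo
    case "$id" in
        rhel|centos|ol)
            # rhel/7.2 covers 7.2-7.9; rhel/8 and rhel/9 cover the whole major.
            case "$major" in
                7) path="rhel/7.2" ;;
                8|9) path="rhel/$major" ;;
                *) return 1 ;;
            esac ;;
        almalinux|rocky)
            case "$major" in
                8|9) path="${id%linux}/$major" ;;
                *) return 1 ;;
            esac ;;
        amzn)
            case "$major" in
                2|2023) path="amazonlinux/$major" ;;
                *) return 1 ;;
            esac ;;
        fedora)
            case "$major" in
                33|34) path="fedora/$major" ;;
                *) return 1 ;;
            esac ;;
        sles) path="sles/$major" ;;
        ubuntu|debian)
            # apt-based distros use the full VERSION_ID and a .list file.
            path="$id/$version_id"; ext=list ;;
        *) echo "no repository entry for $id $version_id" >&2; return 1 ;;
    esac
    printf 'https://packages.microsoft.com/config/%s/%s.%s\n' "$path" "$channel" "$ext"
}
```

On a live system, call it as `mde_repo_url "$(cat /etc/os-release)" prod` and pass the printed URL to the `--add-repo` or `curl -o microsoft.list` command for your package manager.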
For SLES and its variants, use the zypper package manager.

Note
For your distribution and version, identify the closest entry for it (by major, then minor) under https://packages.microsoft.com/config/sles/.
- In the following command, replace [distro] and [version] with the information you've identified:

  ```bash
  sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
  ```

  [!TIP] Use the `SPident` command to identify system-related information, including the release [version].

  For example, if you're running SLES 12 and wish to deploy Defender for Endpoint on Linux from the prod channel:

  ```bash
  sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
  ```

- Install the Microsoft GPG public key:

  ```bash
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  ```
For Ubuntu and Debian systems, use the apt package manager.

- Install `curl` if it isn't installed yet:

  ```bash
  sudo apt install curl
  ```

- Install `libplist-utils` if it isn't installed yet:

  ```bash
  sudo apt install libplist-utils
  ```

  [!NOTE] For your distribution and version, identify the closest entry for it (by major, then minor) under https://packages.microsoft.com/config/[distro]/.

- In the following command, replace [distro] and [version] with the information you've identified:

  ```bash
  curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
  ```

  [!TIP] Use the `hostnamectl` command to identify system-related information, including the release [version].

  For example, if you're running Ubuntu 18.04 and wish to deploy Defender for Endpoint on Linux from the prod channel:

  ```bash
  curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
  ```

- Install the repository configuration:

  ```bash
  sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
  ```

  For example, if you chose the prod channel:

  ```bash
  sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
  ```

- Install the `gpg` package if not already installed:

  ```bash
  sudo apt install gpg
  ```

  If `gpg` isn't available, then install `gnupg`:

  ```bash
  sudo apt install gnupg
  ```

- Install the Microsoft GPG public key:

  - For Debian 11/Ubuntu 22.04 and earlier, run the following commands:

    ```bash
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
    sudo chmod o+r /etc/apt/trusted.gpg.d/microsoft.gpg
    ```

  - For Debian 12, Ubuntu 24.04 and later, run the following commands:

    ```bash
    curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null
    sudo chmod o+r /usr/share/keyrings/microsoft-prod.gpg
    ```

  - For Debian 13 and later, run the following commands:

    ```bash
    curl -sSL https://packages.microsoft.com/keys/microsoft-2025.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null
    sudo chmod o+r /usr/share/keyrings/microsoft-prod.gpg
    ```

- Install the HTTPS driver if not already installed:

  ```bash
  sudo apt install apt-transport-https
  ```

- Update the repository metadata:

  ```bash
  sudo apt update
  ```
For Mariner, use the dnf package manager.

- Install `dnf-plugins-core` if it isn't installed yet:

  ```bash
  sudo dnf install dnf-plugins-core
  ```

- Configure and enable the required repositories.

  [!NOTE] On Mariner, the Insider Fast channel isn't available.

  If you want to deploy Defender for Endpoint on Linux from the prod channel, use the following commands:

  ```bash
  sudo dnf install mariner-repos-extras
  sudo dnf config-manager --enable mariner-official-extras
  ```

  Or if you wish to explore new features on selected devices, you might want to deploy Defender for Endpoint on Linux from the insiders-slow channel. Use the following commands:

  ```bash
  sudo dnf install mariner-repos-extras-preview
  sudo dnf config-manager --enable mariner-official-extras-preview
  ```
These steps are applicable only if Defender is to be installed in a custom location. For detailed instructions on installing Microsoft Defender for Endpoint to a custom location, see Manual installation: preinstallation setup.
For details on installing to a custom location, see Enabling deployment of Defender for Endpoint on Linux to a custom location.
Use the commands in the following sections to install Defender for Endpoint on your Linux distribution.

For RHEL and variants (CentOS and Oracle Linux):

```bash
sudo dnf install mdatp
```

or

```bash
sudo yum install mdatp
```

Note
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you're using multiple Microsoft products on your device. Depending on the distribution and the version of your server, the repository alias might be different than the one in the following example.

```bash
# list all repositories
sudo dnf repolist
```

or

```bash
# list all repositories
sudo yum repolist
```

```
...
packages-microsoft-com-prod packages-microsoft-com-prod 316
packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
...
```

For example, to install the package from the production repository:

```bash
sudo dnf --enablerepo=packages-microsoft-com-prod install mdatp
```

or

```bash
sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
```

For SLES and variants:

```bash
sudo zypper install mdatp
```

Note
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you're using multiple Microsoft products on your device.

```
zypper repos
...
# | Alias | Name | ...
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
XX | packages-microsoft-com-prod | microsoft-prod | ...
...
```

```bash
sudo zypper install packages-microsoft-com-prod:mdatp
```

For Ubuntu and Debian systems:

```bash
sudo apt install mdatp
```

Note
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you're using multiple Microsoft products on your device.

```
cat /etc/apt/sources.list.d/*
deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main
deb [arch=amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod bionic main
```

```bash
sudo apt -t bionic install mdatp
```

Note
Reboots are NOT required after installing or updating Microsoft Defender for Endpoint on Linux except when you're running auditD in immutable mode.

For Mariner:

```bash
sudo dnf install mdatp
```

Note
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-slow repository channel configured on this device. This situation can happen if you're using multiple Microsoft products on your device.

```bash
sudo dnf config-manager --disable mariner-official-extras-preview
sudo dnf config-manager --enable mariner-official-extras
```

Download the onboarding package from the Microsoft Defender portal.
Important
If you miss this step, any command executed shows a warning message indicating that the product is unlicensed. Also the mdatp health command returns a value of false.
- In the Microsoft Defender portal, go to Settings > Endpoints > Device management > Onboarding.

- In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Local Script as the deployment method.

- Select Download onboarding package. Save the file as `WindowsDefenderATPOnboardingPackage.zip`.

  ![Downloading an onboarding package in the Microsoft Defender portal](media/portal-onboarding-linux.png)

- From a command prompt, verify that you have the file, and extract the contents of the archive:

  ```bash
  ls -l
  ```

  ```
  total 8
  -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
  ```

  ```bash
  unzip WindowsDefenderATPOnboardingPackage.zip
  ```

  ```
  Archive:  WindowsDefenderATPOnboardingPackage.zip
    inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
  ```

- Copy `MicrosoftDefenderATPOnboardingLinuxServer.py` to the target device.

  [!NOTE] Initially the client device isn't associated with an organization and the orgId attribute is blank.

  ```bash
  mdatp health --field org_id
  ```
- Run one of the following commands, depending on your scenario:

  [!NOTE] To run this command, you must have `python` or `python3` installed on the device, depending on the distro and version. If needed, see Step-by-step Instructions for Installing Python on Linux.

  If you're running RHEL 8.x or Ubuntu 20.04 or higher, you need to use `python3`. Run the following command:

  ```bash
  sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
  ```

  For other distros and versions, you need to use `python`. Run the following command:

  ```bash
  sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
  ```
- Verify that the device is now associated with your organization and reports a valid organization identifier:

  ```bash
  mdatp health --field org_id
  ```

- Check the health status of the product by running the following command. A return value of `true` denotes that the product is functioning as expected:

  ```bash
  mdatp health --field healthy
  ```

  [!IMPORTANT] When the product starts for the first time, it downloads the latest anti-malware definitions. This process might take up to a few minutes depending on the network connectivity. During this time, the command mentioned earlier returns a value of `false`. You can check the status of the definition update using the following command:

  ```bash
  mdatp health --field definitions_status
  ```

  You might also need to configure a proxy after completing the initial installation. See Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration.
- Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

  - Ensure that real-time protection is enabled (denoted by a result of `true` from running the following command):

    ```bash
    mdatp health --field real_time_protection_enabled
    ```

    If it isn't enabled, execute the following command:

    ```bash
    mdatp config real-time-protection --value enabled
    ```

  - To run a detection test, open a Terminal window, and then run the following command:

    ```bash
    curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
    ```

  - You can run more detection tests on zip files using either of the following commands:

    ```bash
    curl -o /tmp/eicar_com.zip https://secure.eicar.org/eicar_com.zip
    curl -o /tmp/eicarcom2.zip https://secure.eicar.org/eicarcom2.zip
    ```

    The files should be quarantined by Defender for Endpoint on Linux.

  - Use the following command to list all the detected threats:

    ```bash
    mdatp threat list
    ```
- Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

  - Verify that the onboarded Linux server appears in Microsoft Defender XDR. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.

  - Download and extract the script file to an onboarded Linux server, and then run the following command:

    ```bash
    ./mde_linux_edr_diy.sh
    ```

    After a few minutes, a detection should be raised in Microsoft Defender XDR.

  - Look at the alert details, machine timeline, and perform your typical investigation steps.
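The verification steps above check `org_id`, `healthy`, `definitions_status` and `real_time_protection_enabled` one after another. The following script, added here as an example and not part of the Microsoft article, runs those checks in that order and returns a distinct exit code for each failure, so it can be used from a post-install hook or a configuration-management handler. It assumes that `mdatp health --field` prints the bare value with strings double-quoted, and it takes the `mdatp` command from the `MDATP` environment variable so the logic can be exercised against a fake command.

```shell
#!/bin/sh
# Added example (not part of the Microsoft article): post-onboarding health
# check that applies the article's verification steps in order. The mdatp
# command can be overridden via MDATP so the logic can be exercised offline
# against a fake (assumption: mdatp health --field prints the bare value,
# with strings in double quotes).

# mdatp_field NAME: print the value of one health field, quotes stripped.
mdatp_field() {
    "${MDATP:-mdatp}" health --field "$1" | tr -d '"'
}

# mde_verify_onboarding: return 0 when the device is onboarded, healthy and
# real-time protection is on. Non-zero codes say which step failed:
#   1 = not onboarded (org_id blank)
#   2 = healthy != true; definitions may still be downloading
#   3 = real-time protection disabled
mde_verify_onboarding() {
    org_id=$(mdatp_field org_id)
    if [ -z "$org_id" ]; then
        echo "org_id is blank: run the onboarding script first" >&2
        return 1
    fi
    healthy=$(mdatp_field healthy)
    if [ "$healthy" != "true" ]; then
        defs=$(mdatp_field definitions_status)
        echo "healthy=$healthy (definitions_status=$defs); retry after the definitions update" >&2
        return 2
    fi
    rtp=$(mdatp_field real_time_protection_enabled)
    if [ "$rtp" != "true" ]; then
        echo "real-time protection is off: mdatp config real-time-protection --value enabled" >&2
        return 3
    fi
    echo "onboarded to org $org_id, healthy, real-time protection enabled"
    return 0
}
```

Source the file on an onboarded device and run `mde_verify_onboarding`; a return code of 2 shortly after installation is expected until the definition download completes.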
For information, see Software requirements.
If you experience any installation issues, for self-troubleshooting, follow these steps:
- For information on how to find the log that's generated automatically when an installation error occurs, see Log installation issues.
- For information about common installation issues, see Installation issues.
- If the health of the device is `false`, see Defender for Endpoint agent health issues.
- For product performance issues, see Troubleshoot performance issues.
- For proxy and connectivity issues, see Troubleshoot cloud connectivity issues.
To get support from Microsoft, open a support ticket, and provide the log files created by using the client analyzer.
For example, to change channel from Insiders-Fast to Production, do the following:

- Uninstall the Insiders-Fast channel version of Defender for Endpoint on Linux:

  ```bash
  sudo dnf remove mdatp
  ```

  or

  ```bash
  sudo yum remove mdatp
  ```

- Disable the Defender for Endpoint on Linux Insiders-Fast channel:

  ```bash
  sudo dnf config-manager --disable packages-microsoft-com-fast-prod
  ```

  or

  ```bash
  sudo yum-config-manager --disable packages-microsoft-com-fast-prod
  ```

- Reinstall Microsoft Defender for Endpoint on Linux using the Production channel, and onboard the device in the Microsoft Defender portal.
To configure antivirus and EDR settings, see the following articles:
- Defender for Endpoint security settings management describes how to configure settings in the Microsoft Defender portal. (This method is recommended.)
- Set preferences for Defender for Endpoint on Linux describes settings you can configure.
For manual uninstallation, execute the following command for your Linux distribution.
- `sudo dnf remove mdatp` or `sudo yum remove mdatp` (depending on your package manager) for RHEL and variants (CentOS and Oracle Linux).
- `sudo zypper remove mdatp` for SLES and variants.
- `sudo apt purge mdatp` for Ubuntu and Debian systems.
- `sudo dnf remove mdatp` for Mariner.

Other deployment methods:
- Deployment tool based deployment (Recommended)
- Installer script based deployment
- Ansible based deployment
- Chef based deployment
- Puppet based deployment
- Saltstack based deployment
- Golden Image based deployment
- Connect your non-Azure machines to Defender for Cloud with Defender for Endpoint (direct onboarding using Defender for Cloud)
- Deployment guidance for Defender for Endpoint on Linux for SAP
- Install Defender for Endpoint on Linux to a custom location