defender-endpoint/mde-linux-prerequisites.md
11 additions & 6 deletions
@@ -12,7 +12,7 @@ ms.collection:
12
12
- mde-linux
13
13
ms.topic: article
14
14
ms.subservice: linux
15
-
ms.date: 04/28/2026
15
+
ms.date: 04/30/2026
16
16
---
17
17
18
18
# Prerequisites for Microsoft Defender for Endpoint on Linux
@@ -110,20 +110,25 @@ The following Linux server distributions are supported:
110
110
| Mariner | 2 | 2 |
111
111
112
112
> [!NOTE]
113
-
> Distributions and versions that aren't explicitly listed above, and custom operating systems, are unsupported (even if they're derived from the officially supported distributions).
113
+
> Distributions and versions that aren't explicitly listed aboveare unsupported
114
114
> Microsoft Defender for Endpoint is kernel-version agnostic for all other supported distributions and versions. The minimal requirement for the kernel version is `3.10.0-327` or later.
115
+
>
116
+
> Microsoft Defender for Endpoint on Linux **can be installed and may function** on customized operating systems that meet minimal kernel requirements and are derived from known, standard, vendor‑provided Linux distributions that Microsoft supports. Customers are free to onboard and run Defender for Endpoint on such environments; Microsoft doesn't block onboarding or execution.
117
+
> However, these customized environments aren't part of Microsoft's validated or maintained support baseline. As a result, they're treated as custom OS configurations from a support perspective.
118
+
> Customers are expected to validate Defender for Endpoint within these custom environments and, if needed, reproduce issues on a supported, standard (unmodified) Linux distribution. If an issue can't be reproduced on a supported standard base distribution, Microsoft might not be able to proceed with further investigation or remediation.
119
+
> For full support coverage and a predictable support experience, customers are recommended to run Defender for Endpoint on a supported, vendor-provided Linux distribution as outlined in the official prerequisites.
115
120
116
121
> [!WARNING]
117
-
> Running Defender for Endpoint on Linux alongside other fanotify-based security solutions is not supported and may lead to unpredictable behavior, including system hangs.
118
-
> If any applications use fanotify in blocking mode, they will appear in the conflicting_applications field of the mdatp health command output.
122
+
> Running Defender for Endpoint on Linux alongside other Fanotify-based security solutions isn't supported and may lead to unpredictable behavior, including system hangs.
123
+
> If any applications use Fanotify in blocking mode, they'll appear in the conflicting_applications field of the mdatp health command output.
119
124
> You can still safely take advantage of Defender for Endpoint on Linux by setting antivirus enforcement level to passive. See [Configure security settings in Microsoft Defender for Endpoint on Linux](linux-preferences.md).
120
125
> **EXCEPTION:** The Linux `FAPolicyD` feature, which also uses Fanotify in blocking mode, is supported with Defender for Endpoint in active mode on RHEL and Fedora platforms, provided that mdatp health reports a healthy status. This exception is based on validated compatibility specific to these distributions.
121
126
122
127
## Supported filesystems for real-time protection and quick, full, and custom scans
123
128
124
129
|Real-time protection and quick/full scans|Custom scans|
125
130
|---|---|
126
-
|`btrfs`|All filesystems that are supported for real-time protection and quick/full scans are also supported for custom scans. In addtion, the filesystems listed below are also supported for custom scans.|
131
+
|`btrfs`|All filesystems that are supported for real-time protection and quick/full scans are also supported for custom scans. In addition, the filesystems listed below are also supported for custom scans.|
127
132
|`ecryptfs`|`Efs`|
128
133
|`ext2`|`S3fs`|
129
134
|`ext3`|`Blobfuse`|
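Review bot: The rewritten sentence at new line 113 reads "listed aboveare unsupported", with a missing space and no closing period; it should read "listed above are unsupported." The same edit drops the "custom operating systems" clause from that sentence, so the paragraphs added at new lines 116-119 now carry the whole custom-OS position. Separate them with a bare ">" line, as was done at new line 115, because consecutive quoted lines render as a single paragraph. In the warning at new line 123, "conflicting_applications" and "mdatp health" are a literal field name and command; putting them in code formatting lets operators match them exactly when checking for a second Fanotify consumer.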
@@ -168,7 +173,7 @@ It's recommended to use Deployment Tool based deployment, as it simplifies the o
168
173
-[Guidance for Defender for Endpoint on Linux Server with SAP](mde-linux-deployment-on-sap.md)
169
174
170
175
> [!IMPORTANT]
171
-
> On Linux, Microsoft Defender for Endpoint creates an mdatp user with random UID and GID values. If you want to control these values, create an mdatp user before installation using the `/usr/sbin/nologin` shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
176
+
> On Linux, Microsoft Defender for Endpoint creates a mdatp user with random UID and GID values. If you want to control these values, create a mdatp user before installation using the `/usr/sbin/nologin` shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
172
177
173
178
If you experience any installation issues, self-troubleshooting resources are available. See the links in the [Related content section](#related-content).
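Review bot: At new line 176, both occurrences of "an mdatp user" were changed to "a mdatp user", which reads as a regression because "mdatp" is spelled out letter by letter and takes "an". Suggest reverting the article and setting the account name in code formatting (`mdatp`) so it matches the passwd-style example at the end of the same line. Since this note is the only guidance on pre-creating the service account, it would also help to say that UID and GID in the example are placeholders the administrator chooses.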