Microsoft Defender for Servers: How to Onboard Linux Servers to Defender for Endpoint and Enable Cloud Security

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Linux server security is a gap in many Microsoft-centric security programs -- the focus is on Windows endpoints and Azure cloud, with Linux servers running in the data center or cloud with limited EDR coverage. Defender for Servers with MDE on Linux provides the same threat detection capabilities as MDE on Windows: behavioral EDR, vulnerability scanning, and integration with Defender XDR for correlated incident investigation. The onboarding process differs significantly from Windows and has common failure modes. This guide covers the installation, configuration, and validation steps for RHEL/CentOS and Ubuntu-based distributions.
Choose Onboarding Method: Manual, Ansible, or Defender for Cloud Auto-Provisioning
Three deployment options: Manual onboarding via script (download onboarding package from Defender for Endpoint portal, run the installation script). Best for small numbers of servers or initial testing. Ansible / Puppet / Chef automation (Microsoft provides Ansible playbooks for MDE Linux deployment). Best for existing configuration management infrastructure. Defender for Cloud auto-provisioning (enables automatic MDE deployment to all Azure VMs in scope when Defender for Servers Plan 1 or 2 is enabled). Best for Azure-hosted Linux servers -- the agent deploys automatically on new and existing VMs. For on-premises Linux servers: manual or Ansible deployment is required. For AWS and GCP: Defender for Cloud integrates with Arc-enabled servers to auto-deploy MDE. Regardless of method, the onboarding package from the MDE portal contains the license parameters specific to your tenant -- do not share onboarding scripts between tenants as they contain sensitive information.
Manual Installation on RHEL/Rocky Linux/AlmaLinux
Step 1: Download the onboarding package from security.microsoft.com > Settings > Endpoints > Onboarding > Linux Server > Download onboarding package. Step 2: Install the Microsoft signing key and repository: sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc; sudo yum-config-manager --add-repo=https://packages.microsoft.com/yumrepos/microsoft-rhel$(cat /etc/redhat-release | grep -oE '[0-9]+'| head -1)-prod.repo. Step 3: Install the package: sudo yum install mdatp. Step 4: Apply the onboarding script from the downloaded package: sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py. Step 5: Verify onboarding status: mdatp health. The output should show licensed: true, org_id: <your-tenant-guid>, real_time_protection_enabled: true, and cloud_enabled: true. Common issues: nftables or iptables blocking outbound connections to Microsoft endpoints (add rules to allow outbound HTTPS to *.microsoft.com and *.azure.com), SELinux enforcing mode blocking mdatp daemon (set the correct SELinux policy for mdatp: sudo semanage permissive -a mdatp_t initially for testing, then configure the required policies for enforcing mode).
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Manual Installation on Ubuntu/Debian
Step 1: Install prerequisites: sudo apt-get install curl apt-transport-https gnupg. Step 2: Install the Microsoft GPG key and repository: curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo gpg --dearmor -o /usr/share/keyrings/microsoft.gpg; echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod $(lsb_release -cs) main' | sudo tee /etc/apt/sources.list.d/microsoft-prod.list. Step 3: Install: sudo apt-get update && sudo apt-get install mdatp. Step 4: Apply the onboarding script: sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py. Step 5: Enable real-time protection: mdatp config real-time-protection --value enabled. Step 6: Run health check: mdatp health. Ubuntu 22.04 and Debian 11 are the most tested and recommended distributions for MDE Linux in production. Verify the MDE process is running: systemctl status mdatp.
Configure Exclusions and Performance Tuning
MDE Linux performs real-time file scanning which can impact I/O-intensive workloads (database servers, high-throughput web servers). Configure exclusions for known safe paths that are high-volume: for database servers (MySQL, PostgreSQL, Oracle) exclude the data directory and transaction log paths. For web servers running application code from large file trees: exclude application content directories if they are read-only and not writable by external processes. Add exclusions: mdatp exclusion folder add --path /var/lib/mysql. List current exclusions: mdatp exclusion list. Avoid excluding broad directories like /etc, /usr, or /var -- these are common malware drop locations. For CPU throttling: mdatp config cpu-usage-limit --value 50 limits mdatp to 50% of CPU usage, reducing performance impact on CPU-bound workloads at the cost of slightly slower scan completion. Monitor MDE agent performance: mdatp diagnostic real-time-protection-statistics provides scan statistics.
Verify Detection and Enable Vulnerability Management
Test EDR functionality: run the EICAR test file (a benign virus test signature): echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt. MDE should detect and quarantine the file immediately. Check detection: mdatp threat list shows detected threats. Verify the detection appears in the Microsoft 365 Defender portal under Devices > your Linux server > Alerts within 2 to 5 minutes. For vulnerability management (requires Defender for Servers Plan 2 or the MDVM add-on): mdatp threat vulnerability-assessment shows known CVEs affecting installed packages. Vulnerability data syncs to the Defender for Cloud and Defender XDR portal where it appears in the Vulnerability Management > Recommendations view. The MDVM scan runs automatically; to force an immediate scan: mdatp scan quick or mdatp scan full. File integrity monitoring (FIM) for Linux: in Defender for Cloud > Environment Settings > Defender for Servers Plan 2 > File Integrity Monitoring, configure the Linux FIM workspace and add monitored paths (/etc, /usr/bin, /usr/sbin, /home). FIM alerts when files in those paths are modified.
The bottom line
Onboarding Linux servers to Defender for Endpoint provides EDR, vulnerability management, and cloud security posture coverage using the same investigation platform as Windows endpoints. The installation steps are distribution-specific but well-documented. The most common failure modes are: repository misconfiguration, firewall blocking MDE outbound endpoints, and SELinux enforcing mode conflicts. Validate with mdatp health and an EICAR test after every installation. Enable Defender for Servers Plan 2 to unlock vulnerability management and file integrity monitoring.
Frequently asked questions
Does MDE Linux support ARM (Apple Silicon, ARM servers)?
MDE Linux supports ARM64 architecture as of 2023/2024 on RHEL 8+, Ubuntu 20.04+, and Debian 11+. Check the current Microsoft documentation for the complete supported architecture list as it expands with new releases. For Apple Silicon Macs running macOS, MDE has a native macOS agent (separate from the Linux agent) that supports ARM64 via Rosetta 2 compatibility and native ARM binaries.
What is the performance impact of MDE Linux on production servers?
In Microsoft's benchmarks, MDE Linux adds approximately 5 to 10% CPU overhead and 1 to 3% I/O overhead on typical workloads. For I/O-intensive workloads (database servers with high write rates), configure appropriate exclusions for the data directories to reduce scan overhead. The CPU throttling setting can limit MDE's CPU usage on CPU-bound servers. Monitor actual impact after deployment: compare system performance metrics (iostat, top, vmstat) before and after MDE deployment and tune exclusions if necessary.
Can MDE Linux detect kernel-level rootkits?
MDE Linux uses eBPF-based monitoring (on supported kernels) for process, network, and file events at the kernel level, which provides visibility into activity that user-space monitoring misses. It can detect many rootkit techniques through behavioral indicators. However, a sophisticated kernel rootkit that directly patches kernel data structures to hide itself may be able to evade even eBPF-based monitoring -- that level of evasion is rare outside nation-state attacks. For additional Linux rootkit detection, auditd with comprehensive syscall auditing and memory integrity verification tools (like AIDE for file integrity) complement MDE.
How do I manage MDE Linux configuration at scale via Intune?
For Linux servers enrolled in Intune (via Microsoft Entra ID device registration or Arc), MDE policies can be applied via Intune Endpoint Security > Antivirus policies > Linux. This allows central management of scan schedules, exclusions, real-time protection settings, and cloud protection configuration. For non-Intune-managed Linux servers, use the mdatp CLI for configuration and deploy configuration files via Ansible or configuration management. The managed configuration file is at /etc/opt/microsoft/mdatp/managed/mdatp_managed.json -- placing a configuration file here allows setting all mdatp config options centrally.
What is the difference between MDE Linux and Microsoft Defender for Cloud for Linux servers?
MDE Linux is the endpoint detection and response agent installed on the Linux host. It provides real-time process monitoring, threat detection, vulnerability assessment, and incident response capabilities at the endpoint level. Microsoft Defender for Cloud (MDC) is a cloud security posture management (CSPM) and workload protection service that monitors Azure, AWS, and GCP resources from the cloud control plane. For Azure Linux VMs, MDC can automatically provision the MDE agent and provides additional recommendations (network exposure, missing patches, misconfigured settings) visible in the Azure portal. Deploy both: MDE Linux for endpoint-level detection, MDC for cloud-layer posture management and cross-service threat correlation.
How do you configure auditd on Linux alongside MDE to avoid duplicate log generation and performance issues?
MDE Linux uses an eBPF-based sensor for kernel event collection on supported kernel versions (5.10 and later). When auditd is also running, both tools may capture overlapping events (process creation, file system access, network connections), creating duplicate telemetry and unnecessary CPU overhead. On kernels where MDE uses eBPF: MDE will automatically manage auditd to avoid duplication if the AUOMS (Audit OMS) component is present. If you run auditd independently for compliance logging (required by PCI DSS, HIPAA, or STIG), configure auditd rules that cover compliance-required events (loginuid tracking, privilege use, file integrity monitoring of specified paths) while MDE's eBPF sensor handles security detection events. Check MDE's current collection mode with mdatp health --field real_time_protection_enabled and mdatp health --field kernel_extension_version to understand which kernel mechanism is active. On older kernels where MDE falls back to auditd integration (via AUOMS), MDE will configure auditd on its own -- adding manual auditd rules on top can create conflicts. Review /etc/audit/rules.d/ for any MDE-generated rule files (prefixed with 'mdatp' or 'auoms') before adding custom rules to avoid conflicts with MDE's auditd integration.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
