diff --git a/ATPDocs/deploy/remote-calls-sam.md b/ATPDocs/deploy/remote-calls-sam.md index c04a5a329c..370a5a3e41 100644 --- a/ATPDocs/deploy/remote-calls-sam.md +++ b/ATPDocs/deploy/remote-calls-sam.md @@ -9,6 +9,13 @@ ms.topic: how-to Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured. +> [!NOTE] +> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM. +> The new Defender for Identity sensor is not affected by this issue as it uses different detection methods. +> +> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability. +> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths). + This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries. > [!TIP] 
@@ -20,7 +27,7 @@ This article describes the configuration changes required to allow the Defender To ensure that Windows clients and servers allow your Defender for Identity Directory Services Account (DSA) to perform SAM-R queries, you must modify the **Group Policy** and add the DSA, in **addition to the configured accounts** listed in the **Network access** policy. Make sure to apply group policies to all computers **except domain controllers**. > [!IMPORTANT] -> Perform this procedure in [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, verifying the compatibility of the proposed configuration before making the changes to your production environment. +> Perform this procedure in the [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, by verifying the compatibility of the proposed configuration before making the changes to your production environment. > > Testing in audit mode is critical in ensuring that your environment remains secure, and any changes will not impact your application compatibility. You may observe increased SAM-R traffic, generated by the Defender for Identity sensors. 
> @@ -31,9 +38,9 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire :::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png"::: -1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode +1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode. -For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls). + For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls). ## Make sure the DSA is allowed to access computers from the network (optional) 
@@ -48,10 +55,10 @@ For more information, see [Network access: Restrict clients allowed to make remo 1. Add the Defender for Identity Directory Service account to the list of approved accounts. -> [!IMPORTANT] -> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone -> -> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed. + > [!IMPORTANT] + > When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone. + > + > The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. 
Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed. ## Configure a Device profile for Microsoft Entra hybrid joined devices only @@ -86,7 +93,7 @@ This procedure describes how to use the [Microsoft Intune admin center](https:// 1. Continue the wizard to select the **scope tags** and **assignments**, and select **Create** to create your profile. -For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). + For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). ## Next step diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml index 98aa6db7f8..9cb53dd181 100644 --- a/defender-endpoint/TOC.yml +++ b/defender-endpoint/TOC.yml @@ -255,6 +255,8 @@ items: - name: Deploy Defender for Endpoint on Linux items: + - name: Defender for Endpoint on Linux for ARM64-based devices (preview) + href: mde-linux-arm.md - name: Puppet based deployment href: linux-install-with-puppet.md - name: Ansible based deployment diff --git a/defender-endpoint/mde-linux-arm.md b/defender-endpoint/mde-linux-arm.md new file mode 100644 index 0000000000..a15472dc9b --- /dev/null +++ b/defender-endpoint/mde-linux-arm.md 
@@ -0,0 +1,388 @@ +--- +title: Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview) +description: Defender for Endpoint on Linux now supports ARM devices. Learn how it works and how to deploy it. +author: denisebmsft +ms.author: deniseb +manager: deniseb +ms.date: 12/09/2024 +ms.topic: how-to +ms.service: defender-endpoint +ms.subservice: linux +ms.localizationpriority: medium +ms.collection: +- m365-security +- tier3 +- mde-linux +ms.custom: +- partner-contribution +ms.reviewer: meghapriya +search.appverid: MET150 +f1.keywords: NOCSH +audience: ITPro +ai-usage: human-only +--- + +# Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview) + +## Overview of Defender for Endpoint on Linux for ARM64-based devices + +As you might already know, [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) is a unified endpoint security solution that helps you protect your server devices from advanced threats. Defender for Endpoint on Linux is now extending support for ARM64-based Linux servers in preview. Similar to x64-based Linux servers (including Intel and AMD 64-bit platform), the following capabilities are included: + +- Microsoft Defender Antivirus +- Endpoint detection and response (EDR) +- Live response +- Device isolation +- Advanced hunting +- Vulnerability management +- Centralized policy configuration using security settings management + +Initially, the following Linux distributions are supported in preview: + +- Ubuntu 20.04 ARM64 +- Ubuntu 22.04 ARM64 +- Amazon Linux 2 ARM64 +- Amazon Linux 2023 ARM64 + +> [!NOTE] +> Support for more Linux distributions is planned as part of this preview program. + +The installation procedures in this article install the agent version `101.24102.0002` from the insiders-slow channel on the ARM64-based device. (See [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md).) 
+ +## Deploy Defender for Endpoint on Linux for ARM64-based devices + +You can choose from several methods to deploy Defender for Endpoint on Linux to your ARM64-based device: + +- [Installer script](#deploy-using-the-installer-script) +- [Ansible](#deploy-using-the-installer-script-with-ansible) +- [Puppet](#deploy-using-the-installer-script-with-puppet) +- [Microsoft Defender for Cloud](#deploy-defender-for-endpoint-on-linux-using-microsoft-defender-for-cloud) + +### Before you begin + +- Make sure the [prerequisites](microsoft-defender-endpoint-linux.md#prerequisites) are met for Defender for Endpoint on Linux + +- To onboard servers to Defender for Endpoint, [server licenses](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint) are required. You can choose from these options: + + - Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)) offering; or + - Microsoft Defender for Endpoint Server + +### Deploy using the installer script + +1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Device management** > **Onboarding**. + +2. In the onboarding screen, select the following options: + + :::image type="content" source="media/mde-linux-arm-installerscript.png" alt-text="Screenshot showing MDE onboarding using installer script."::: + + 1. In the **Select operating system to start onboarding process** list, select **Linux Server**. + + 2. In the **Connectivity type** list, select **Streamlined**. Or, if necessary, you can select **Standard**. (For more information, see [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md).) + + 3. In the **Deployment method** list, select **Local Script (Python)**. 
+ + 4. Select **Download onboarding package**. + +3. In a new browser window, download the [Defender for Endpoint installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh). + +4. Use the following command to grant the necessary permissions for the script: + + `$chmod +x /mde_installer.sh` + +5. Run the following command to execute the installer script: + + `$sudo ~/mde_installer.sh --install --channel insiders-slow --onboard ~/MicrosoftDefenderATPOnboardingLinuxServer.py` + +6. Validate the deployment by following these steps: + + 1. On the device, run the following command to check the health status. A return value of `true` denotes that the product is functioning as expected: + + `$ mdatp health --field healthy` + + 2. In the [Microsoft Defender portal](https://security.microsoft.com), under **Assets** > **Devices**, look for the Linux device you just onboarded. It can take approximately 20 minutes for the device to show up in the portal. + +7. If you run into an issue, see [Troubleshoot deployment issues](#troubleshoot-deployment-issues) (in this article). + +### Deploy using the installer script with Ansible + +1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Device management** > **Onboarding**. + +2. In the onboarding screen, select the following options: + + :::image type="content" source="media/mde-linux-arm-ansible.png" alt-text="Screenshot showing MDE onboarding screen to use Ansible."::: + + 1. In the **Select operating system to start onboarding process** list, select **Linux Server**. + + 2. In the **Connectivity type** list, select **Streamlined**. Or, if necessary, you can select **Standard**. (For more information, see [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md).) + + 3. 
In the **Deployment method** list, select **Your preferred Linux configuration management tool**. + + 4. Select **Download onboarding package**. + +3. In a new browser window, download the [Defender for Endpoint installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh). + +4. Create an installation YAML file on your Ansible server. For example, `/etc/ansible/playbooks/install_mdatp.yml`, using the `mde_installer.sh` you downloaded in step 3. + + ```yml + + name: Install and Onboard MDE + hosts: servers + tasks: + - name: Create a directory if it does not exist + ansible.builtin.file: + path: /tmp/mde_install + state: directory + mode: '0755' + + - name: Copy Onboarding script + ansible.builtin.copy: + src: "{{ onboarding_script }}" + dest: /tmp/mde_install/mdatp_onboard.json + - name: Install MDE on host + ansible.builtin.script: "{{ mde_installer_script }} --install --channel {{ channel | default('insiders-slow') }} --onboard /tmp/mde_install/mdatp_onboard.json" + register: script_output + args: + executable: sudo + + - name: Display the installation output + debug: + msg: "Return code [{{ script_output.rc }}] {{ script_output.stdout }}" + + - name: Display any installation errors + debug: + msg: "{{ script_output.stderr }}" + + ``` + +5. Deploy Defender for Endpoint on Linux by using the following command. Edit the corresponding paths and channel, as appropriate. + + ```bash + + ansible-playbook -i /etc/ansible/hosts /etc/ansible/playbooks/install_mdatp.yml --extra-vars "onboarding_script= mde_installer_script= channel= " + + ``` + +6. Validate your deployment by following these steps: + + 1. 
On the device, run the following commands to check for device health, connectivity, antivirus, and EDR detections: + + ```YAML + + - name: Run post-installation basic MDE test + hosts: myhosts + tasks: + + - name: Check health + ansible.builtin.command: mdatp health --field healthy + register: health_status + + - name: MDE health test failed + fail: msg="MDE is not healthy. health status => \n{{ health_status.stdout }}\nMDE deployment not complete" + when: health_status.stdout != "true" + + - name: Run connectivity test + ansible.builtin.command: mdatp connectivity test + register: connectivity_status + + - name: Connectivity failed + fail: msg="Connectivity failed. Connectivity result => \n{{ connectivity_status.stdout }}\n MDE deployment not complete" + when: connectivity_status.rc != 0 + + - name: Check RTP status + ansible.builtin.command: mdatp health --field real_time_protection_enabled + register: rtp_status + + - name: Enable RTP + ansible.builtin.command: mdatp config real-time-protection --value enabled + become: yes + become_user: root + when: rtp_status.stdout != "true" + + - name: Pause for 5 second to enable RTP + ansible.builtin.pause: + seconds: 5 + + - name: Download EICAR + ansible.builtin.get_url: + url: https://secure.eicar.org/eicar.com.txt + dest: /tmp/eicar.com.txt + + - name: Pause for 5 second to detect eicar + ansible.builtin.pause: + seconds: 5 + + - name: Check for EICAR file + stat: path=/tmp/eicar.com.txt + register: eicar_test + + - name: EICAR test failed + fail: msg="EICAR file not deleted. MDE deployment not complete" + when: eicar_test.stat.exists + + - name: MDE Deployed + debug: + msg: "MDE succesfully deployed" + + ``` + + 2. In the [Microsoft Defender portal](https://security.microsoft.com), under **Assets** > **Devices**, look for the Linux device you just onboarded. It can take approximately 20 minutes for the device to show up in the portal. + +7. 
If you run into an issue, see [Troubleshoot deployment issues](#troubleshoot-deployment-issues) (in this article). + +### Deploy using the installer script with Puppet + +1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Device management** > **Onboarding**. + +2. In the onboarding screen, select the following options: + + :::image type="content" source="media/mde-linux-arm-puppet.png" alt-text="Screenshot showing the onboarding screen in MDE for Puppet."::: + + 1. In the **Select operating system to start onboarding process** list, select **Linux Server**. + + 2. In the **Connectivity type** list, select **Streamlined**. Or, if necessary, you can select **Standard**. (For more information, see [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md).) + + 3. In the **Deployment method** list, select **Your preferred Linux configuration management tool**. + + 4. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`. + +3. Extract the contents of the onboarding package by using the following command: + + `unzip WindowsDefenderATPOnboardingPackage.zip` + + You should see the following output: + + ``` + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: mdatp_onboard.json + ``` + +4. In a new browser window, download the [Defender for Endpoint installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) (this script is called `mde_installer.sh`). + +5. Create a Puppet manifest by using the following procedure, which uses the `mde_installer.sh` script from step 4. + + 1. In the **modules** folder of your Puppet installation, create the following folders: + + - `install_mdatp/files` + - `install_mdatp/manifests` + + The **modules** folder is typically located at `/etc/puppetlabs/code/environments/production/modules` on your Puppet server. 
+ + 2. Copy the `mdatp_onboard.json` file created earlier to the `install_mdatp/files` folder. + + 3. Copy `mde_installer.sh` to `install_mdatp/files folder`. + + 4. Create an `init.pp` file inside `install_mdatp/manifests` that contains the following deployment instructions: + + ```bash + tree install_mdatp + Output: + install_mdatp + ├── files + │ ├── mdatp_onboard.sh + │ └── mde_installer.sh + └── manifests + └── init.pp + ``` + +6. Use the Puppet manifest to install Defender for Endpoint on Linux on your device. + + ```bash + + # Puppet manifest to install Microsoft Defender for Endpoint on Linux. + # @param channel The release channel based on your environment, insider-fast or prod. + + class install_mdatp ( + $channel = 'insiders-slow', + ) { + # Ensure that the directory /tmp/mde_install exists + file { '/tmp/mde_install': + ensure => directory, + mode => '0755', + } + + # Copy the installation script to the destination + file { '/tmp/mde_install/mde_installer.sh': + ensure => file, + source => 'puppet:///modules/install_mdatp/mde_installer.sh', + mode => '0777', + } + + # Copy the onboarding script to the destination + file { '/tmp/mde_install/mdatp_onboard.json': + ensure => file, + source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', + mode => '0777', + } + + #Install MDE on the host using an external script + exec { 'install_mde': + command => "/tmp/mde_install/mde_installer.sh --install --channel ${channel} --onboard /tmp/mde_install/mdatp_onboard.json", + path => '/bin:/usr/bin', + user => 'root', + logoutput => true, + require => File['/tmp/mde_install/mde_installer.sh', '/tmp/mde_install/mdatp_onboard.json'], # Ensure the script is copied before running the installer + } + } + ``` + +7. Validate your deployment. In the [Microsoft Defender portal](https://security.microsoft.com), under **Assets** > **Devices**, look for the Linux device you just onboarded. It can take approximately 20 minutes for the device to show up in the portal. 
+ +### Deploy Defender for Endpoint on Linux using Microsoft Defender for Cloud + +If your organization is using Defender for Cloud, you can use it to deploy Defender for Endpoint on Linux. + +1. We recommend enabling automatic deployment on your ARM64-based Linux devices. After VM provisioning, define a variable under the file `/etc/mde.arm.d/mde.conf` on your device as follows: + + `OPT_FOR_MDE_ARM_PREVIEW=1` + +2. Wait for 1-6 hours for onboarding to complete. + +3. In the [Microsoft Defender portal](https://security.microsoft.com), under **Assets** > **Devices**, look for the Linux devices you just onboarded. + +**Need help with Defender for Cloud?** + +See these articles: + +- [Enable the Defender for Endpoint integration: Linux](/azure/defender-for-cloud/enable-defender-for-endpoint#linux) +- [Connect your non-Azure machines to Microsoft Defender for Cloud: Onboard your Linux server](/azure/defender-for-cloud/quickstart-onboard-machines#onboard-your-linux-server) + + +## Troubleshoot deployment issues + +If you run into any issues deploying Defender for Endpoint on Linux to your ARM64-based devices, help is available. First, review our list of common issues and how to resolve them. If the problem persists, contact us. + +### Common issues and how to resolve them + +The following table summarizes common issues and how to resolve them. + +| Error message or issue | What to do | +|--|--| +| `mdatp not found` | The repository might not be configured correctly. Check to see if the channel is set to `insiders-slow` in the installer script | +| `mdatp health` indicates a missing license | Make sure you're passing the correct onboarding script or json file to your automation script or tool | +| Exclusions aren't working as expected | If you had exclusions working on other devices, but they're not working on your ARM64-based Linux servers, contact us at `mdearmsupport@microsoft.com`. You need your client analyzer logs. | +| You want help with tuning mdatp. 
| Contact us at `mdearmsupport@microsoft.com`. | + +### Contact us if you need help + +When you contact us at `mdearmsupport@microsoft.com`, make sure to describe the issue in detail. Include screenshots if possible, and your client analyzer logs. + +### XMDE Client Analyzer ARM Preview + +1. Using Bash, download the [XMDE Client Analyzer ARM Preview](https://go.microsoft.com/fwlink/?linkid=2299668). + + ```bash + wget --quiet -O XMDEClientAnalyzerARMPreview.zip https://go.microsoft.com/fwlink/?linkid=2299668 + ``` +2. Run the support tool. + + ```bash + sudo ./MDESupportTool -d --mdatp-log debug + ``` +3. Follow the on-screen instructions and then follow up with at the end of the log collection. The logs are located in the `/tmp` directory. + + The log set is owned by the root user, so you might need root privileges to remove the log set. + +## See also + +- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) + +- [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md) \ No newline at end of file diff --git a/defender-endpoint/media/mde-linux-arm-ansible.png b/defender-endpoint/media/mde-linux-arm-ansible.png new file mode 100644 index 0000000000..10d83fd71f Binary files /dev/null and b/defender-endpoint/media/mde-linux-arm-ansible.png differ diff --git a/defender-endpoint/media/mde-linux-arm-installerscript.png b/defender-endpoint/media/mde-linux-arm-installerscript.png new file mode 100644 index 0000000000..177793bf9b Binary files /dev/null and b/defender-endpoint/media/mde-linux-arm-installerscript.png differ diff --git a/defender-endpoint/media/mde-linux-arm-puppet.png b/defender-endpoint/media/mde-linux-arm-puppet.png new file mode 100644 index 0000000000..10d83fd71f Binary files /dev/null and b/defender-endpoint/media/mde-linux-arm-puppet.png differ 
diff --git a/defender-endpoint/microsoft-defender-endpoint-linux.md b/defender-endpoint/microsoft-defender-endpoint-linux.md index b3a1dad277..3a6289d778 100644 --- a/defender-endpoint/microsoft-defender-endpoint-linux.md +++ b/defender-endpoint/microsoft-defender-endpoint-linux.md @@ -15,11 +15,14 @@ ms.collection: ms.topic: conceptual ms.subservice: linux search.appverid: met150 -ms.date: 12/04/2024 +ms.date: 12/10/2024 --- # Microsoft Defender for Endpoint on Linux +> [!TIP] +> We are excited to share that Microsoft Defender for Endpoint on Linux now extends support for ARM64-based Linux servers in preview! For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md). + [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) 
@@ -47,37 +50,13 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det > [!NOTE] > Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). Microsoft Defender for Endpoint relies on its own independent telemetry pipeline. -### Installation instructions - -There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux. Before you begin, make sure the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) are met. - -You can use one of the following methods to deploy Microsoft Defender for Endpoint on Linux: - -- To use command-line tool, see [Manual deployment](linux-install-manually.md) -- To use Puppet, see [Deploy using Puppet configuration management tool](linux-install-with-puppet.md) -- To use Ansible, see [Deploy using Ansible configuration management tool](linux-install-with-ansible.md) -- To use Chef, see [Deploy using Chef configuration management tool](linux-deploy-defender-for-endpoint-with-chef.md) -- To use Saltstack, see [Deploy using Saltstack configuration management tool](linux-install-with-saltack.md) - -If you experience any installation failures, see [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md). - -> [!IMPORTANT] -> Installing Microsoft Defender for Endpoint in any location other than the default install path is not supported. -> Microsoft Defender for Endpoint on Linux creates an `mdatp` user with random UID and GID. If you want to control the UID and GID, create an `mdatp` user prior to installation using the `/usr/sbin/nologin` shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`. 
- ### System requirements -- Disk space: 2 GB - - > [!NOTE] - > An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections. Please make sure that you have free disk space in /var. - -- Cores: Two minimum, four preferred +- 1 CPU core minimum. For high-performance workloads, more cores are recommended. - > [!NOTE] - > If you are on Passive or RTP ON mode, at least two Cores are required. Four Cores are preferred. If you are turning on BM, then at least four Cores are required. +- Memory: At least 1 GB of RAM. For high-performance workloads, more memory might be needed. -- Memory: 1 GB minimum, 4 GB preferred +- Performance tuning might be needed based on workloads. See [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). - The following Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions are supported: - Red Hat Enterprise Linux 7.2 or higher 
@@ -100,19 +79,28 @@ If you experience any installation failures, see [Troubleshooting installation f - Fedora 33-38 - Rocky 8.7 and higher - Rocky 9.2 and higher - - Alma 8.4 and higher + - Alma 8.4 and higher - Alma 9.2 and higher - Mariner 2 + +- The following Linux server distributions on ARM64 are now supported in preview: + - Ubuntu 20.04 ARM64 + - Ubuntu 22.04 ARM64 + - Amazon Linux 2 ARM64 + - Amazon Linux 2023 ARM64 + > [!IMPORTANT] + > Support for Microsoft Defender for Endpoint on Linux for ARM64-based Linux devices is now in preview. For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md). + > [!NOTE] > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions). > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only. > Microsoft Defender Vulnerability Management is not supported on Rocky and Alma currently. > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327. - + > [!CAUTION] > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. 
You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine). - + - List of supported filesystems for RTP, Quick, Full, and Custom Scan. |RTP, Quick, Full Scan| Custom Scan| 
@@ -141,6 +129,25 @@ If you experience any installation failures, see [Troubleshooting installation f - /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md). +### Installation instructions + +There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux. Before you begin, make sure the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) are met. + +You can use one of the following methods to deploy Microsoft Defender for Endpoint on Linux: + +- To use command-line tool, see [Manual deployment](linux-install-manually.md) +- To use Puppet, see [Deploy using Puppet configuration management tool](linux-install-with-puppet.md) +- To use Ansible, see [Deploy using Ansible configuration management tool](linux-install-with-ansible.md) +- To use Chef, see [Deploy using Chef configuration management tool](linux-deploy-defender-for-endpoint-with-chef.md) +- To use Saltstack, see [Deploy using Saltstack configuration management tool](linux-install-with-saltack.md) +- To install on ARM64-based Linux servers, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md). + +If you experience any installation failures, see [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md). + +> [!IMPORTANT] +> Installing Microsoft Defender for Endpoint in any location other than the default install path is not supported. +> Microsoft Defender for Endpoint on Linux creates an `mdatp` user with random UID and GID. If you want to control the UID and GID, create an `mdatp` user prior to installation using the `/usr/sbin/nologin` shell option. 
Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`. + ### External package dependency If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. The following external package dependencies exist for the mdatp package: @@ -149,7 +156,7 @@ If the Microsoft Defender for Endpoint installation fails due to missing depende - For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, and `mde-netfilter` - For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, and `mde-netfilter` -The mde-netfilter package also has the following package dependencies: +The`mde-netfilter` package also has the following package dependencies: - For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, and `libglib2.0-0` - For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
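Review bot: In the new [!NOTE] added to ATPDocs/deploy/remote-calls-sam.md (hunk @@ -9,6 +9,13), "The new Defender for Identity sensor is not affected by this issue" does not say which sensor is meant, so a reader cannot tell whether their deployment is exposed; name the sensor version or link to its page. Because the alert describes credential exposure (the DSA's Net-NTLM hash obtained through the Kerberos-to-NTLM downgrade in SAM-R), [!IMPORTANT] or [!WARNING] fits better than [!NOTE], and "This feature" should be spelled out as the SAM-R local-admin queries used for lateral movement path mapping. Also drop "Please note that" per docs style, for example: "Disabling this collection reduces the data available for the attack path feature in Exposure Management."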
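Review bot: The rewording in the remote-calls-sam.md hunk @@ -20,7 +27,7 reads worse than the original: "in the [*audit mode*] first, by verifying the compatibility" adds an article that does not belong and turns the purpose clause into an instrumental one. Suggested wording, keeping the link: "Perform this procedure in [*audit mode*](...) first to verify the compatibility of the proposed configuration before making changes to your production environment."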
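Review bot: In the new defender-endpoint/mde-linux-arm.md (hunk @@ -0,0 +1,388), the Puppet manifest stages the onboarding file with `mode => '0777'` on `/tmp/mde_install/mdatp_onboard.json`, which leaves the tenant onboarding data world-readable and world-writable in a shared directory; use a root-owned `0600` for the JSON and `0755` (or `0700`) for `mde_installer.sh`, and give the Ansible `ansible.builtin.copy` task an explicit `mode` for the same reason. Other points in the same hunk: step 4 of the installer-script procedure runs `$chmod +x /mde_installer.sh` (root of the filesystem, no space after the prompt) while step 5 runs `~/mde_installer.sh`, so the path should be `~/mde_installer.sh` and the prompt `$ chmod`. The install playbook starts with `name: Install and Onboard MDE` without a leading `- `, but a playbook must be a list of plays; `executable: sudo` under `args` is not how privilege escalation is done in Ansible, `become: true` is. The `--extra-vars "onboarding_script= mde_installer_script= channel= "` example passes empty strings, and `channel | default('insiders-slow')` only applies when the variable is undefined, so the installer would receive `--channel ` with no value; show `<path>` placeholders instead. The validation playbook targets `hosts: myhosts` while the install playbook targets `hosts: servers`, and it contains the typos "succesfully" and "Pause for 5 second". In the Puppet procedure, step 5.4 says "Create an `init.pp` file ... that contains the following deployment instructions" but then shows `tree` output, whose `mdatp_onboard.sh` does not match the `mdatp_onboard.json` copied in step 5.2; the manifest itself appears only under step 6, its header comment says "insider-fast or prod" while the default is `'insiders-slow'`, step 5.3 has a misplaced backtick in "`install_mdatp/files folder`", and `exec { 'install_mde': ... }` has no `creates` or `unless` guard, so it reruns the installer on every agent run (for example `creates => '/opt/microsoft/mdatp/sbin/wdavdaemon'`, the daemon path already cited in microsoft-defender-endpoint-linux.md). In the client analyzer section, step 2 runs `sudo ./MDESupportTool -d --mdatp-log debug` but nothing extracts the zip downloaded in step 1, so an `unzip` step is missing, and step 3 "follow up with at the end of the log collection" has a dropped word. The file also lacks a trailing newline.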
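Review bot: The system-requirements rewrite in defender-endpoint/microsoft-defender-endpoint-linux.md (hunk @@ -47,37 +50,13) drops the disk-space requirement entirely ("Disk space: 2 GB" plus the note about an additional 2 GB in /var for cloud diagnostics crash collection) and lowers the stated minimum from two cores to one without replacing the mode-specific guidance that RTP/passive mode needs at least two cores and behavior monitoring at least four. If these changes are intentional, say so in the PR description; otherwise keep the disk requirement and the per-mode core guidance alongside the new "1 CPU core minimum" and "At least 1 GB of RAM" lines, since readers size VMs from this section.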
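Review bot: In hunk @@ -100,19 +79,28 of microsoft-defender-endpoint-linux.md the new `> [!IMPORTANT]` block is indented two spaces so it renders inside the ARM64 list item, while the existing `> [!NOTE]` that follows it is not, which will render the two alerts at different nesting levels; either unindent the IMPORTANT block after a blank line or indent both consistently. The ARM64 distribution list duplicates the one in mde-linux-arm.md, so the two will drift as distributions are added; consider keeping the list in one place and linking to it from the other. "now supported in preview" and "now in preview" age badly in reference docs; "supported in preview" is enough. It would also help to state whether the kernel 3.10.0-327 floor in the following note applies to the ARM64 builds.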
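Review bot: The changed line in hunk @@ -149,7 +156,7 of microsoft-defender-endpoint-linux.md is missing the space between "The" and the opening backtick: `The`mde-netfilter` package` should be `The `mde-netfilter` package`, otherwise the inline code does not render.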