Skip to main content
Red Canary help

Installing and uninstalling the Microsoft Defender for Endpoint sensor on Linux

  • Updated .

Prerequisites

Prior to deploying the sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:

  • uswestcentral
  • useast2
  • useast
  • europenorth
  • europewest
  • uksouth
  • ukwest

You can find the Azure IP range on Microsoft Azure Datacenter IP Ranges.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing Microsoft Defender for Endpoint

To install the Microsoft Defender for Endpoint sensor you will need access to the Defender portal to onboard any of the supported devices. 

To install Microsoft Defender for Endpoint on a Linux server:

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender Security Center.
  3. Click Settings > Device Management > Onboarding.
  4. Click Select operating system to start onboarding process > Linux.
  5. Select a deployment method and click Download Package.
  6. Onboard your device(s) by running the package you downloaded.
  7. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

Uninstalling Microsoft Defender for Endpoint 

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender ATP Security Center.
  3. Click Settings > Device Management > Offboarding 
  4. Select “Linux Server” from the drop-down menu. 
  5. Select “Local Script” from the bottom drop-down menu. 
  6. Open a shell and navigate to the folder where the offboarding package was downloaded.
  7. Execute the following commands (replacing the x’s with the proper values for the downloaded package):
     
    unzip WindowsDefenderATPOffboardingPackage_valid_until_xxxxxx-xx.zip

    python MicrosoftDefenderATPOffboardingMacOs_valid_until_xxxx-xx-xx.py
  8. Enter su password. 
  9. The script will uninstall the Defender ATP agent from the Linux server.