Skip to main content
Red Canary help

Install and uninstall the Microsoft Defender for Endpoint sensor on Linux

  • Updated .

 

Configure the necessary network connectivity

Prior to deploying the sensor, please ensure you have accounted for the following:

Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:

  • uswestcentral
  • useast2
  • useast
  • europenorth
  • europewest
  • uksouth
  • ukwest

You can find more information in Microsoft Azure Datacenter IP Ranges on Microsoft. 

Be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Install Microsoft Defender for Endpoint

To install the Microsoft Defender for Endpoint sensor you will need access to the Defender portal to onboard any of the supported devices. 

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processLinux.
  4. Select a deployment method, and then click Download Package.
  5. Onboard your devices by running the package you downloaded.
  6. Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

Uninstall Microsoft Defender for Endpoint 

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Offboarding.
  3. Select Linux Server, and then Local Script.  
  4. Open a shell and navigate to the folder where the offboarding package was downloaded.
  5. Execute the following commands (replacing the x’s with the proper values for the downloaded package):
     
    unzip WindowsDefenderATPOffboardingPackage_valid_until_xxxxxx-xx.zip

    python MicrosoftDefenderATPOffboardingMacOs_valid_until_xxxx-xx-xx.py
  6. Enter su password. 

The script will uninstall the Defender ATP agent from the Linux server. 

Comments

0 comments

Please sign in to leave a comment.