This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 99%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETJ%3C/text%3E%3C/svg%3E)
Hi,
I have Defender for Servers Plan 1 enabled on a Subscription via Defender for Cloud.
Now I'm testing the enrollment of the Windows Defender Endpoint protection software to three Linux machines (CentOS 7.9.2009) in the Azure Subscription.
According to this article - https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=linux I need to navigate to the Microsoft Defender for Cloud Subscription settings and under "Integration" make sure that "Allow Microsoft Defender for Endpoint to access my data." option is selected, and after that - click on the "Enable for Linux machines" button. So here I encounter my first problem - the "Enable for Linux machines" button is missing.
Fine, since this was or is a preview feature - maybe something changed and now the EDR solution is being installed to Linux machines automatically without the need to enable it specifically for Linux machines, so that's what I'm currently testing. Keep in mind, that MMA agents are installed manually (automatic provisioning of the MMA agent is switched of in MS Defender for Cloud "Provisioning" settings) via Log Analytics Workspace for two Linux VMs in the environment.
As I mentioned before - I have three Linux CentOS machines in my subscription with three different configurations:
So I've waited for more than 12 hours for the automatic enrollment to finish and all three Linux VMs do not have the EDR solution present in them. (Checked that with "mdatp health" command in Bash).
Can anyone explain to me why this is happening? I've checked the requirements for Linux hosts for this feature and my hosts should be compliant for it.
What am I missing here?
Could this be the issue with using Defender for Servers Plan 1 on the subscription? From the official MS documentation - Plan 1 comes with "Defender for Endpoint Plan 2" which supports Linux hosts - so it would be odd, if the issue is with the plan selection. I'm running out of ideas here. Any help with this would be greatly appreciated.
So after more than 24 hours - all of three machines got mdatp automatically installed.
This still raises a question of how this was done for the 1. machine, since it did not have MMA agent installed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Apologies for the delay in answering this post. As I understand you want to know how Standalone Linux VM without a Log Analytics Workspace (so no MMA agent installed) has been onboarded to Defender for endpoint portal ?
As you mentioned above you have Microsoft Defender for Servers Plan 1, as per the documentation Microsoft Defender for Servers Plan 1 - Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know they're protected when they spin up.
Let me know if this helps or we can have a offline discussion to discuss the same.
In this case it is still unsure how mdatp is being pushed to the Endpoint, even if the Endpoint does not have a MMA agent installed.
This would change the state of the machine - which I'm trying to prevent.
I understand that there is a possibility to onboard mdatp with Ansible to Linux endpoints using the prepared Onboarding package in M365 Security portal (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-worldwide).
Would this kind of deployment work with the Subscription wide enabled Defender for Cloud - Defender for Servers plan 1/2? (In a sense that the Linux VM would still be covered by the Defender for Servers Plan, but the automatic mdatp provisioning would be skipped due to the agent being installed during the build of the machine).