Deploy Defender for Endpoint on Linux with Chef
Important
This article contains information about third-party tools. It is provided to help complete integration scenarios; however, Microsoft does not provide troubleshooting support for third-party tools.
Contact the third-party vendor for support.
Before you begin: Install unzip if it's not already installed.
The Chef components are already installed and a Chef repository exists (chef generate repo <reponame>) to store the cookbook that's used to deploy Defender for Endpoint to Chef-managed Linux servers.
You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
chef generate cookbook mdatp
This command creates a new folder structure for the new cookbook called mdatp. You can also add the Defender for Endpoint deployment to an existing cookbook if you already have one you'd like to use. After the cookbook is created, create a files folder inside the cookbook folder that was just created:
mkdir mdatp/files
Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender portal to this new files folder.
Warning
Repackaging the Defender for Endpoint installation package is not a supported scenario. Doing so can negatively impact the integrity of the product and lead to adverse results, including but not limited to triggering tampering alerts and updates failing to apply.
On the Chef Workstation, navigate to the mdatp/recipes folder. This folder was created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:
- include_recipe '::onboard_mdatp'
- include_recipe '::install_mdatp'
Then save and close the default.rb file.
Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file:
# Add the Microsoft Defender package repository for the node's platform family
case node['platform_family']
when 'debian'
  apt_repository 'MDAPRepo' do
    arch 'amd64'
    cache_rebuild true
    cookbook false
    deb_src false
    key 'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
    keyserver "keyserver.ubuntu.com"
    distribution 'focal'
    repo_name 'microsoft-prod'
    components ['main']
    trusted true  # marks the source [trusted=yes]: apt installs its packages even when it cannot verify their signatures
    uri "https://packages.microsoft.com/config/ubuntu/20.04/prod"
  end
  apt_package "mdatp"
when 'rhel'
  yum_repository 'microsoft-prod' do
    baseurl "https://packages.microsoft.com/config/rhel/7/prod/"
    description "Microsoft Defender for Endpoint"
    enabled true
    gpgcheck true
    gpgkey "https://packages.microsoft.com/keys/microsoft.asc"
  end
  # node['platform_version'] is a String such as "8.6"; compare the major version as an Integer
  if node['platform_version'].to_i <= 8 then
    yum_package "mdatp"
  else
    dnf_package "mdatp"
  end
end
You need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy from. Next, create an onboard_mdatp.rb file in the mdatp/recipes folder and add the following text to that file:
# Create the MDATP directory
mdatp = "/etc/opt/microsoft/mdatp"
zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
directory "#{mdatp}" do
  owner 'root'
  group 'root'
  mode 0755
  recursive true
end
# Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
# (requires the unzip tool on the node; the guard skips the step once the onboarding JSON is present)
bash 'Extract Onboarding Json MDATP' do
  code <<-EOS
    unzip #{zip_path} -d #{mdatp}
  EOS
  not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
end
Make sure to update the path name to the location of the onboarding file.
To test deploy it on the Chef workstation, run sudo chef-client -z -o mdatp.
After your deployment, you should consider creating and deploying a configuration file to the servers based on Set preferences for Microsoft Defender for Endpoint on Linux.
After creating and testing your configuration file, you can put it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipes folder and add this text:
# Copy the configuration file
cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
  source 'mdatp_managed.json'
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end
To include this step as part of the recipe, just add include_recipe '::settings_mdatp' to your default.rb file within the recipes folder.
You can also use crontab to schedule automatic updates; see Schedule an update of the Microsoft Defender for Endpoint (Linux).
Uninstall recipe for the MDATP cookbook:
# Uninstall the Defender package
case node['platform_family']
when 'debian'
  apt_package "mdatp" do
    action :remove
  end
when 'rhel'
  # node['platform_version'] is a String; compare the major version as an Integer
  if node['platform_version'].to_i <= 8
  then
    yum_package "mdatp" do
      action :remove
    end
  else
    dnf_package "mdatp" do
      action :remove
    end
  end
end
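The platform-selection and repository logic that the install and uninstall recipes above share, pulled out into plain Ruby so it can be run and checked without chef-client. This is an added example, not the article's or Microsoft's own code; the channel parameter and the onboarded? helper are assumptions, and the URI pattern and key fingerprint are taken from the recipe above.

```ruby
# In Chef, node['platform_version'] is a String such as "8.6" or "20.04", so
# comparing it directly with the Integer 8 raises ArgumentError at converge time.
# Reduce it to the Integer major version first.
def major_version(platform_version)
  platform_version.to_s.split('.').first.to_i
end

# Chef package resource the recipe should use for the node (same cut-off as the
# article's recipe: yum up to RHEL 8, dnf afterwards).
def mdatp_package_resource(platform_family, platform_version)
  case platform_family
  when 'debian'
    :apt_package
  when 'rhel'
    major_version(platform_version) <= 8 ? :yum_package : :dnf_package
  else
    raise ArgumentError, "mdatp recipe does not support platform_family #{platform_family.inspect}"
  end
end

# Repository attributes following the URI pattern the article shows
# (.../config/<distro>/<version>/<channel>). `channel` is an assumed parameter;
# 'prod' is the only channel the article names. The debian branch assumes an
# Ubuntu node, as the article's recipe does.
def mdatp_repo_attributes(platform_family, platform_version, distribution: nil, channel: 'prod')
  base = 'https://packages.microsoft.com'
  case platform_family
  when 'debian'
    raise ArgumentError, 'apt repositories need a distribution codename' if distribution.nil?
    { resource: :apt_repository,
      uri: "#{base}/config/ubuntu/#{platform_version}/#{channel}",
      distribution: distribution,
      key: 'BC528686B50D79E339D3721CEB3E94ADBE1229CF' } # fingerprint used in the article
  when 'rhel'
    { resource: :yum_repository,
      baseurl: "#{base}/config/rhel/#{major_version(platform_version)}/#{channel}/",
      gpgkey: "#{base}/keys/microsoft.asc",
      gpgcheck: true }
  else
    raise ArgumentError, "no Microsoft repository mapping for #{platform_family.inspect}"
  end
end

# Assumed helper mirroring the not_if guard on the unzip step: a node counts as
# onboarded once mdatp_onboard.json exists in the mdatp directory.
def onboarded?(mdatp_dir = '/etc/opt/microsoft/mdatp')
  File.exist?(File.join(mdatp_dir, 'mdatp_onboard.json'))
end
```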
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.