deekayen.mde
Deploy Microsoft Defender Endpoint for Linux
To learn how to deploy Microsoft Defender for Endpoint on Linux, check out the Microsoft documentation.
If you encounter an error during installation, only a general failure message will be provided. You can find the detailed log in /var/log/microsoft/mdatp/install.log.
Dependencies
You will need the following software:
- curl
- unzip
- apt-transport-https (for Debian)
- gnupg (for Debian)
- python-apt (for Debian)
Default Variables
The onboarding source can be replaced with a URL and should point to a zip file downloaded from the Microsoft Defender Security Center. You should save this file on an internal server like Nexus or as an unauthenticated Git Large File Storage (LFS) object. If you use the default onboarding_source value, an empty JSON configuration file will be created.
channel: prod
onboarding_source: "{{ role_path }}/files/WindowsDefenderATPOnboardingPackage.zip"
uninstall: false
According to Microsoft:
Defender for Endpoint for Linux can be deployed from several channels: insiders-fast, insiders-slow, or prod. Each channel corresponds to a specific Linux software repository.
The channel you choose affects how often your device gets updates and new features. Devices on insiders-fast get updates first, then insiders-slow, and finally prod.
Example Playbook
This example assumes you have a Sonatype Nexus server where you uploaded the onboarding package to a raw repository called infosec-hosted.
---
- name: Install Microsoft Defender Endpoint for Linux.
  hosts: all:!platform_windows
  vars:
    onboarding_source: https://nexus.example.com/repository/infosec-hosted/mde/WindowsDefenderATPOnboardingPackage_Linux_Mgmt_Tool.zip
  roles:
    - deekayen.mde
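A post-deployment check, added here as an example and not part of the deekayen.mde role: since the role reports only a general failure message and the default onboarding_source creates an empty JSON configuration file, this play asks the agent for its own state and fails hosts that are installed but not onboarded, attaching the tail of the install log. It assumes the mdatp CLI is on the PATH and prints true for the healthy and licensed fields; the variable names mde_install_log, mde_health, mde_state and mde_log_tail are hypothetical.

```yaml
---
# Added example, not part of the deekayen.mde role.
- name: Verify Microsoft Defender for Endpoint onboarding on Linux
  hosts: all:!platform_windows
  become: true
  gather_facts: false
  vars:
    # Log path as given in this README.
    mde_install_log: /var/log/microsoft/mdatp/install.log
  tasks:
    - name: Read agent health fields
      ansible.builtin.command: "mdatp health --field {{ item }}"
      loop:
        - healthy
        - licensed
        - org_id
      register: mde_health
      changed_when: false
      failed_when: false   # a missing binary is reported by the assert below

    - name: Build a field-to-value map, stripping quotes and whitespace
      ansible.builtin.set_fact:
        mde_state: >-
          {{ mde_state | default({}) | combine({item.item:
             (item.stdout | default('') | trim | replace('"', ''))}) }}
      loop: "{{ mde_health.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Collect the tail of the install log when the agent is not healthy
      ansible.builtin.command: "tail -n 40 {{ mde_install_log }}"
      register: mde_log_tail
      changed_when: false
      failed_when: false
      when: mde_state.healthy != 'true' or mde_state.licensed != 'true'

    - name: Fail hosts that are installed but not onboarded
      ansible.builtin.assert:
        that:
          # Assumption: the CLI prints the literal string "true" for these fields.
          - mde_state.healthy == 'true'
          - mde_state.licensed == 'true'
        fail_msg: >-
          MDE is not onboarded (healthy={{ mde_state.healthy }},
          licensed={{ mde_state.licensed }}, org_id={{ mde_state.org_id }}).
          Install log tail: {{ mde_log_tail.stdout | default('n/a') }}
        success_msg: "MDE is onboarded, org_id={{ mde_state.org_id }}"
```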
Tags
- debian
- redhat
- repo
- package
- dependencies
- onboarding
License
BSD
Deploy Microsoft Defender Endpoint for Linux with Ansible.
ansible-galaxy install deekayen.mde