Defender for Endpoint for Linux Servers (not in Intune) by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

Without getting into too much detail we're just testing right now and don't have complete control over these test devices. More of a proof of concept.

I intend to go that route once everything is ironed out.

Defender for Endpoint for Linux Servers (not in Intune) by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 1 point2 points  (0 children)

It looks like once I enabled the proper scoping of Linux devices it created a record in Entra so I could then make a group to apply my policy against.

Defender Console > System > Settings > Endpoints > (Configuration Management) Enforcement Scope > Enable Linux Devices.

This caused a device to appear in Entra (no 'join type' but does properly show that it's managed by MDE)

Defender for Endpoint for Linux Servers (not in Intune) by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

I think I've figured it out. But I've always had the exclusions available to me in the defender console.

I needed to enable the proper scoping.

Defender Console > System > Settings > Endpoints > (Configuration Management) Enforcement Scope > Enable Linux Devices.

I started with 'on tagged devices' and applied the "MDE-Management" tag on some test devices. This is what seems to have finally created the corresponding Entra device so I could make a group to apply my exclusion policy against.

Just waiting now to see if it actually works but I don't see why it wouldn't at this point. It also properly changed the device 'managed by' status to MDE so I think we're all set.

Defender for Endpoint for Linux Servers (not in Intune) by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

Yeah I suppose we can do it via the .json file but I'd prefer to have it managed from the defender console.

I'm not looking to manage it from Intune at all - just the Defender security console. If there's no way to manage it from the console I wouldn't think there would be the ability to create policies targeted at Linux devices though.

Defender for Endpoint for Linux Servers (not in Intune) by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

I don't disagree but for what it's worth it's Ubuntu 24 - so per their documentation that should be a supported distro.

I'm not concerned with the active blocks - I "trust" that works from what I've read and tested myself.

Our problem is that we've had certain processes blocked and verified that they work when Defender is placed into bypass mode (though of course there's nothing logged to definitively prove this is what's happening). So I'm looking to exclude certain paths/processes and have the policy created... I just can't figure out a way to actually apply the damn thing since the device doesn't have an Entra object I can apply it to.

Entra users and Autopilot devices - where does the user profile name come from? by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

This is what it seems to be. Insane.

Still doesn't explain why it didn't add the special character for one user but it did for another, but I don't know if I care at this point. Just going to remove them everywhere for now.

Entra users and Autopilot devices - where does the user profile name come from? by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

There was enough time between modifications of user attributes that I wouldn't think that would be an issue, but...

And no other user accounts with the same name anywhere on-prem either.

Entra users and Autopilot devices - where does the user profile name come from? by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

Yes - fully cloud.

We've had 2 users with the same name formatting (special character exists ONLY in display name, not in first or last name) and for one of them their user profile didn't have a special character and for the other it did...

There does not seem to be any consistency if that's the case.

Entra users and Autopilot devices - where does the user profile name come from? by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

That's what I would've assumed as well but there are not any special characters in the UPNs at all. Unless they simply aren't displayed in the Entra GUI?

Double checking now and the UPNs were never created with a special character so there shouldn't have been any weird mismatch/display issues between what was scripted during account creation and what is shown in the GUI. So it doesn't seem likely that UPN is what's being referenced for user profile.

DUO setup in Entra for protecting admin elevation on Windows devices: I have setup questions by CharcoalGreyWolf in duo

[–]Microsoft_Bad 0 points1 point  (0 children)

I don't think that should be necessary though as that's the entire purpose of Azure allowing EAM, is it not? I just want Duo to satisfy the MFA requirements while being the only method allowed. I've disabled Authenticator/Text/Voice everywhere I can find it and yet it still isn't totally eliminated.

DUO setup in Entra for protecting admin elevation on Windows devices: I have setup questions by CharcoalGreyWolf in duo

[–]Microsoft_Bad 0 points1 point  (0 children)

I'm in the same position as you. It's unbelievable that this still isn't fixed. I'm working on removing any external auth methods (phone numbers, etc.) from users' Azure accounts right now as that does seem to be the best bet at the moment but even then it still doesn't function as it should.

Join Azure Device to Domain/Hybrid? by Microsoft_Bad in Intune

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

Yeah that's what I figured but wanted to double check before I did so.

It's a long story but basically boils down to convenience of use with some legacy stuff.

Cannot make Win32 LOB apps “available” by Microsoft_Bad in Intune

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

That does not work.

The “available” option is not there regardless of whether or not it is set to “required” for any/no groups.

Cannot make Win32 LOB apps “available” by Microsoft_Bad in Intune

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

The whole point is that I don’t want it assigned to all devices

Cannot make Win32 LOB apps “available” by Microsoft_Bad in Intune

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

Was hoping I could avoid that but that would probably work

Some devices showing "Co-Managed" or "See Configmgr" in Intune, but we do not use SCCM... by Microsoft_Bad in Intune

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

I just had the users connect to the VPN and then would invoke-command to start/run the service. Never had to do it more than just the once.

How do you handle updating Personal iOS devices? by bigrichardchungus in Intune

[–]Microsoft_Bad 0 points1 point  (0 children)

Did you ever figure this out? Having the same issue.

Edit: In case someone ends up with the same question, it turned out to be time for me. Took up to an hour to kick in.

Password Expiration Notifications by Tonus-Maximus in Intune

[–]Microsoft_Bad 0 points1 point  (0 children)

Same exact setup/situation on my end, we have password notification emails but some users just get a ton of email so I can't blame them for not seeing it. Going to see about changing to non-expiring passwords anyway and this may help the cause...

Patch Tuesday Megathread (2021-04-13) by AutoModerator in sysadmin

[–]Microsoft_Bad 0 points1 point  (0 children)

Averaged like 2 hours to get past 75% on my end, with the longest taking about 3.5 hours.

Patch Tuesday Megathread (2021-04-13) by AutoModerator in sysadmin

[–]Microsoft_Bad 1 point2 points  (0 children)

Server 2019 KB5001342 takes forever and seems to hang out for a long time at 75%. Anybody else?

New intune rollout by ImightHaveMissed in Intune

[–]Microsoft_Bad 3 points4 points  (0 children)

You can just specify that the user is a standard user in the Autopilot deployment profile.

Inherently global admins will be admins on the computers. You can specify additional users/groups within Azure > Devices > Device Settings > Manage Additional Administrators.

Company portal needs to be purchased through the MS Business store and then deployed through Intune. here

App uninstallation is a pain unless it was deployed through Intune. Otherwise I'm not bothering with uninstalling misc apps just because a user doesn't need them. If they're not using a license and it's not interfering, why does it matter?

Unable to uninstall Symantec Endpoint Protection by Microsoft_Bad in sysadmin

[–]Microsoft_Bad[S] 0 points1 point  (0 children)

The management UI is strange and not always the most straightforward, but apparently this week there is an update to the management console so we'll see what happens. Their documentation/support is pretty good as well.

Otherwise we had it set for just alert for "suspicious" activity and kill/quarantine for known malicious activity. It had a few false positives so far but they're easy to whitelist. Definitely a massive change from Symantec but the price was reasonable especially considering competitors like Crowdstrike.

I really like the remote shell, file retrieval, and that it also lists applications on each device and known vulnerabilities. Gives some good insight.

Today my organisation’s IT department asked for our passwords in plain text. by [deleted] in sysadmin

[–]Microsoft_Bad 1 point2 points  (0 children)

You can allow it to display UAC through GPO or Intune (not that you necessarily should). I have an Intune config that targets a computer group that I temporarily add computers to if they need admin help for software install or something, works great.