I'm currently managing several Linux servers with Defender for Endpoint, but they're not linked to Intune, and I'd prefer to keep it that way. I want to manage these from the Defender security console. I've set up the integration between Intune and Defender correctly, which allows policy settings from either. However, I've noticed that the devices I onboarded don't seem to create corresponding Entra ID devices. This is causing issues because I can't create a group to apply my policies to.
On the Defender side, while I can see inventories and security recommendations, and it registered alerts when testing with EICAR, it doesn't show any vulnerabilities and indicates 'managed by' as 'unknown.' Has anyone experienced this before? I would have thought that onboarding would automatically set up an Entra object, but something seems to be off here.
Edit: For anyone encountering the same issue in the future, I realized I needed to enable the proper scoping in the settings by going to Defender Console > System > Settings > Endpoints > Configuration Management Enforcement Scope and enabling Linux Devices. Initially, I was set to 'on tagged devices' and applied the "MDE-Management" tag to some test devices, which finally allowed me to create the necessary Entra device and apply my exclusion policy.
2 Answers
I hear you regarding the challenges with onboarded devices. If you're using Ubuntu 24, that should generally be supported according to their documentation. I’m not overly concerned about the active block feature either because it seems to perform well in detecting threats. However, I’ve faced issues where certain processes were mistakenly blocked. When I put Defender in bypass mode, those processes worked fine, but it was hard to prove that Defender was causing the issue since nothing was logged during those instances. I'm also trying to exclude specific paths or processes, but without an Entra object for the device, applying those policies remains a challenge.
Honestly, only a handful of specific Linux distributions are well-supported by Microsoft Defender for Endpoint. Even with that in mind, I'm not sure if you can achieve everything you're looking for. That said, it does a decent job at detecting incoming threats and blocking malicious activities. I've done more than just the EICAR test, and it seems to handle those scenarios quite well. Just keep in mind that Microsoft's support for Linux in MDATP has been limited and, over time, may have even gotten worse. The onboarding process can be frustrating too, since it seems like the only way to remove a device is to wait for it to become stale, which is not ideal.