PART 2 - Deploy Endpoint Security policies to Linux Servers via Intune with Security Settings Management
***ARTICLE UPDATED ON MARCH 18th 2025***
Network Protection has been removed from this article as this feature is currently being redesigned by Microsoft. If you are interested in Network Protection, please reach out to Microsoft ([email protected]).
This article is part 2 of a 2-part series. We will review what MDE Security Settings Management is in the context of Linux and some of its benefits. I will then walk through how to configure the tenant for this feature, how to assign a policy to a Linux device, and the different ways to validate that Security Settings Management is enabled on our Linux device.
Overview - MDE Security Settings Management
With Defender for Endpoint Security Settings Management, we can deploy security policies from Intune. This can be done without enrolling your Linux devices into Intune (even for the distributions that support enrollment).
MDE on the device enforces the policies and reports the device's status, which then becomes available in both Intune and MDE.
When we enable Security Settings Management, a synthetic Entra ID registration object is created; the device then appears under Entra ID --> All Devices and also in Intune. This means we can add the Linux device to a (dynamic) security group in Entra ID. The device's Security Settings Management property will show "MDE".
IMPORTANT: Security Settings Management is only available if there is at least one MDE User license active in the tenant. That is, if you're using MDE only via Defender for Server (part of Defender for Cloud), then this feature is not available.
Linux Policy types supported
Current state of our Linux device
In Part 1, we onboarded our Linux device to Azure Arc and through automation via Defender for Cloud, onboarded our device to MDE. When we drill into this device in Defender XDR, under Device Management, we can see "Unknown" and "N/A" as the status for "Managed By" and "MDE Enrollment status" respectively.
When we log into Intune and look at our Linux Device count, it shows 0:
And when we log into Entra ID --> Devices --> All Devices, we cannot find the Linux server we onboarded last week (mc-srv-Linux05):
Configuring MDE Security Settings Management
1. Prerequisites
2. Configure Security Settings Management for the tenant
Navigate to Defender XDR (security.microsoft.com) and go to Settings --> Endpoints --> Enforcement Scope and click on the slider to turn on "Use MDE to enforce security configuration settings from Intune":
When the Platform options appear, select the checkbox for Linux and then select the radio button "On tagged devices".
Set "Security settings management for Microsoft Defender for Cloud onboarded devices" to On, then scroll to the bottom and click Save:
Enabling Security Settings Management in Intune
Log into Intune (intune.microsoft.com) and navigate to Endpoint security --> Microsoft Defender for Endpoint and switch the toggle for "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations" under Endpoint Security Profile Settings and then click Save:
3. Create Dynamic Security Group for pilot Linux Devices
While in the Intune portal, select Groups in the left pane and then select New group at the top. On the New Group creation wizard, give your group a name, a description and select "Dynamic Device" from the Membership type drop-down.
Then click on "Add dynamic query":
For the dynamic query, select "deviceOSType" as the property, "Equals" as the operator and "Linux" as the value, then click Save:
4. Create an AV Policy in Intune (Or Defender XDR)
Note: when using Security Settings Management, the policy can be created and assigned from either the Intune portal or the Defender XDR portal. That is, if you create an AV policy in Intune, you will see the same policy under Defender XDR --> Endpoints --> Configuration Management --> Endpoint security policies:
Creating policy from Intune
In Intune, select Endpoint Security --> Antivirus and then Create Policy:
Give the policy a Name and select Next:
Note: you can review the settings available in the AV policy and configure them as appropriate for your pilot. I will outline the settings I have configured for my lab.
For our pilot, we will configure our AV settings as follows. Expand "Cloud delivered protection preferences":
Expand "Antivirus Engine":
Expand "Network protection". Note: this is currently in preview and configuration on the endpoint is required. We will enable it for now:
Click next and on the Assignments page, add the group we created in an earlier step:
On the Review page, select Save.
5. Tag our Pilot Linux Device in MDE
Log back into Defender XDR and navigate to Assets --> Devices. Select the checkbox next to your Linux device(s) and then select "Manage tags":
When the Manage tags flyout opens, type in "MDE-Management" and select the tag to create it. Then click "Save and close" at the bottom of the flyout:
In the list of devices, I can now see the newly added tag:
6. Validating Security Settings Management on Linux Device
There are several things we will check now to demonstrate that we have successfully configured the feature and applied it to our pilot Linux device.
As per the architecture below, after we onboard the device to MDE and configure Security Settings Management, the Linux device reports to Intune and a synthetic device registration then occurs with Entra ID (#2 and #3 below):
Entra ID
Log into your Entra ID and navigate to Devices --> All Devices. Search for the Linux device name which we onboarded last week and we will see the Security Settings Management property is "Microsoft Defender for Endpoint":
Defender XDR
If we find the device in Defender XDR, under Device Management, we will now see Managed By and MDE Enrollment status set to "MDE" and "Success" respectively:
Intune
Log into Intune and navigate to Devices --> Linux. We can now see our registered Linux device in Intune, and the Managed By property again shows "MDE":
7. Confirm Policy is Being Applied to the Linux Device
GUI method
We can check if the policy is being applied via the Security Policies tab under the device in the Defender XDR portal.
CLI method
Prior to tagging the Linux device in MDE with "MDE-Management", running the following command would show our MDE settings on the device like this:
sudo mdatp health
Now, with Security Settings Management enabled, our settings look like this:
Can you spot the difference? Notice a lot of our properties are now appended with [Managed]:
If we try to change the settings that are enforced by MDE, we won't be able to. If I try to change Network Protection from Block to Audit, I get the message "This setting is managed by your organization".
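To make the "[Managed]" check above repeatable (for example on a fleet of pilot servers), here is an added shell example that is not part of the original article: it parses `mdatp health` style output and reports which settings are enforced centrally and which are still local. It assumes the line shape "setting : value [managed]" shown above and uses a constructed sample instead of a live device.

```shell
#!/bin/sh
# Added example, not code from the original article. Classifies the output of
# `sudo mdatp health` into settings enforced by Security Settings Management
# (suffixed with [managed]) and settings that are still locally configurable.
# Assumption: each line is "<setting> : <value> [managed]" as shown above.

# Constructed sample standing in for `sudo mdatp health` on a managed device.
SAMPLE_HEALTH='healthy                                     : true
licensed                                    : true
real_time_protection_enabled                : true [managed]
cloud_enabled                               : true [managed]
automatic_definition_update_enabled         : true
passive_mode_enabled                        : false [managed]
network_protection_status                   : started'

# Emit "<setting><TAB><value><TAB><managed|local>" for every setting line.
classify_settings() {
    printf '%s\n' "$1" | awk -F' *: *' '
        NF >= 2 {
            name = $1; value = $2
            sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            scope = "local"
            if (tolower(value) ~ /\[managed\]/) {
                scope = "managed"
                sub(/[ \t]*\[[Mm]anaged\][ \t]*$/, "", value)
            }
            printf "%s\t%s\t%s\n", name, value, scope
        }'
}

# Number of settings enforced by Intune/MDE (the [managed] ones).
count_managed() {
    classify_settings "$1" | awk -F'\t' '$3 == "managed"' | wc -l | tr -d ' '
}

# Exit 0 if the named setting is centrally enforced, 1 otherwise.
is_managed() {
    classify_settings "$1" | awk -F'\t' -v n="$2" \
        '$1 == n && $3 == "managed" { found = 1 } END { exit(found ? 0 : 1) }'
}

# On a live device: classify_settings "$(sudo mdatp health)"
```

Run `is_managed` against the settings your pilot policy is supposed to enforce; any that come back "local" indicate the policy has not reached the device yet.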
You are now successfully managing AV policies for your Linux device via Intune and your device is reporting the status back to MDE and Intune!
Thank you for reading and I hope this was informative!
Cloud Engineer @ AlphaBOLD
2 weeks
Hi Anton W., thanks for this great article. I'm in a fix though, even though I have the mdatp agent in healthy state and in active mode, I am unable to see the synthetic device objects in Entra ID or Intune and it's been over a couple of days and is with a couple of devices that I onboarded. For context, server versions are 16.04, 20.04, and 22.04 and all were onboarded manually with installer and onboarding scripts. Any insights on what could be causing the issue would be great! Thanks!
IT System engineer at Interexport d.o.o.
1 month
Great article! I would just ask if there is any global issue with Network protection on Linux? Because I did everything like here in this article, but still get error message like here: "enablement_failed_due_to_edr_capabilities" on all 3 rings (insiders-fast, insiders-slow, production) and cannot get it to work. Also I have latest client versions, and am stuck here. Would be grateful for any help or advice. Many thanks.
Infrastructure Specialist at King & Wood Mallesons
6 months
Fantastic articles! Thanks so much for producing them and sharing.
Blogger | Technology Enthusiast | Cloud Solutions Architect
7 months
Hi Anton W. Thanks for sharing your learning with the community. That's really helpful information. I'm in a situation where I have to test the potential impact of enabling the AV component to "real_time", however, I want to ensure that there's least disruption on the RHEL systems. Just want to confirm, if the AV component is set to "passive" and there are alerts raised by AV (such as infected file found or a suspicious process observed), are these alerts (telemetry) sent to the Defender portal? Thanks
Sr. Cloud Consultant di Packet Systems Indonesia
8 months
Hi bro, can you tell me how long it takes for synthetic device registration to successfully run from device recognition in Intune to device recognition by Azure AD as an object in the device menu?