Running the Microsoft Defender for Endpoint (MDE) agent on EC2 instances allows the Information Security and Policy Office to detect security issues and compromises, and provides essential information for addressing security incidents.

It is the Cloud Team's strong recommendation that systems that persist should have this agent installed. Systems where it might not be appropriate to install this agent include container hosts, EC2 instances that are part of an autoscaling group, or any other instances that could be considered ephemeral in nature. If you have questions about this, please schedule Office Hours to discuss further.

Note: The MDE agent requires a minimum of 2 CPU cores and 1 GB memory. If your EC2 instance does not meet the minimum requirements then it is strongly recommended that you upgrade your instance to one that does prior to attempting to install the agent. The following EC2 instance types do not meet the minimum requirements:

  • All "nano" size instances
  • t2.micro
  • t2.small

Installing and Onboarding the MDE Agent on Linux

  1. Attach an Instance Profile to the EC2 instance(s) you will be installing the MDE agent on. The Instance Profile should have read access to the MDE Agent Onboarding bucket. See GitLab for the specific policy.
  2. Connect to your instance using SSH or AWS Systems Manager Session Manager.
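  3. Download the WindowsDefenderATPOnboardingPackage.zip file from the S3 bucket and unzip it. Inside you'll find a Python script, MicrosoftDefenderATPOnboardingLinuxServer.py, which is the onboarding script used in the steps below.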
  4. Microsoft provides a bash script that automates the installation and onboarding of the MDE agent. The script is the easier method and has been tested on Amazon Linux 2, Amazon Linux 2023, Ubuntu 22.04, and Ubuntu 24.04. If you prefer to install and onboard the MDE agent manually then skip to step 5.

    curl https://raw.githubusercontent.com/microsoft/mdatp-xplat/refs/heads/master/linux/installation/mde_installer.sh -o mde_installer.sh
    sudo bash mde_installer.sh -c prod -i -o MicrosoftDefenderATPOnboardingLinuxServer.py

  5. Skip this step if you used the automated script in step 4. To install the agent manually, follow Microsoft's manual deployment guide. After the manual installation, execute the onboarding script:

    sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

  6. Confirm that the MDE agent was successfully onboarded:

    mdatp health | grep -E "healthy|licensed"

    This should result in the following output:

    healthy                                     : true
    licensed                                    : true
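
The minimum-requirements note and the step 6 confirmation, as an added example that can run unattended and return an exit code (not part of the original article or of Microsoft's tooling). The function names, the `--live` flag and the 900000 kB memory threshold are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: sizing preflight and onboarding check for the MDE agent.

MIN_CORES=2         # minimum CPU cores stated in this article
MIN_MEM_KB=900000   # assumption: stands in for "1 GB"; MemTotal on a nominal
                    # 1 GiB instance reads below 1048576 kB (kernel reservations)

# meets_mde_minimum CORES MEM_KB
# Exit 0 only if both values reach the minimums above.
meets_mde_minimum() {
  [ "$1" -ge "$MIN_CORES" ] && [ "$2" -ge "$MIN_MEM_KB" ]
}

# mde_onboarded
# Reads `mdatp health` output on stdin. Exit 0 only if the fields named exactly
# "healthy" and "licensed" are both "true"; a missing field counts as failure.
mde_onboarded() {
  awk -F':' '
    { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val) }
    key == "healthy"  { healthy  = val }
    key == "licensed" { licensed = val }
    END { exit !(healthy == "true" && licensed == "true") }
  '
}

# Live use on the instance: ./mde_check.sh --live  (script name is hypothetical)
if [ "${1:-}" = "--live" ]; then
  meets_mde_minimum "$(nproc)" "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" \
    || echo "WARNING: instance is below the MDE minimum (2 cores, 1 GB)" >&2
  mdatp health | mde_onboarded \
    || { echo "MDE agent is not healthy and licensed" >&2; exit 1; }
  echo "MDE agent onboarded"
fi
```

Because `mde_onboarded` fails when either field is absent, it also returns non-zero when `mdatp` is not installed or produces no output.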

Article number: 8011