Microsoft Defender for Endpoint on Linux — Manual Scan Tips

Andre Camillo, CISSP
3 min read · Feb 14, 2024


Deploying and managing Defender for Endpoint on Linux at scale is something you'll want to do with Linux management tooling, think Puppet or Ansible. Manual deployment is an option, but not ideal at scale.

However, there is definitely a use case for manual operation and troubleshooting of the agent, especially locally on an endpoint, which is why there's a powerful command-line interface built into the agent.

And the magic all happens behind a single entry point: the mdatp command.

It's all plain sailing from there!

MDE Linux Command Flowchart

Always refer back to the original and official guidance on Microsoft Learn, of course.

Investigate agent health issues | Microsoft Learn

From it I managed to verify all the local commands available for MDE on supported Linux endpoints.

So I created this flowchart to help understand what kind of commands you can issue locally and what kind of settings can be configured locally too.

Source: MDE on Linux tests and trials.

You can find this on my GitHub as well. The Mermaid source is available there too; please attribute if you re-use or build upon it.

The key point here is that settings can be changed locally, but reports can also be pulled and actions taken, with the proper credentials, of course: most state-changing mdatp commands need root, so expect to run them with sudo.


Settings are changes to how the agent operates locally: scan settings, monitoring (real-time protection), EDR and network configuration, and so on.


What I call actions are instructions to the running agent, think of active operations such as starting a manual scan.


Lastly, what I call "Outputs" are commands that produce inline reports or results, for example checking scan results from the command line.


As a result of this short exercise, you can see that it is also possible to create powerful local exclusion policies that skip specific files or paths from scanning. Treat every exclusion as a deliberate blind spot: review the exclusion list regularly, because an over-broad path exclusion hides exactly the files an attacker would drop there.

And that the most powerful local command is

mdatp health
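As an added example, not code from the original post or from Microsoft, here is a small bash helper that ties the three categories together: it parses mdatp health output (an Output), checks the fields that matter before a manual scan, lists the exclusions (a Setting), and then starts a quick scan and lists detections (Actions). The mdatp subcommands used are the documented ones (mdatp health, mdatp exclusion list, mdatp scan quick, mdatp threat list); the function names, the script name mde-triage.sh and the SAMPLE_HEALTH text are this example's own, and the sample is constructed rather than captured from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or Microsoft): a local MDE-on-Linux
# triage helper around the documented mdatp subcommands. Function names and the
# SAMPLE_HEALTH text below are this example's own; the sample is constructed,
# not captured from a real host. State-changing mdatp commands need root.

# Extract one value from the "key : value" lines that `mdatp health` prints.
# Reads the health output on stdin and strips the quotes mdatp puts around
# string values. The key must match exactly up to the colon, so "healthy" does
# not also match "health_issues" and "..._enabled" does not match "..._available".
health_field() {
  local key="$1"
  sed -n -E "/^${key}[[:space:]]*:/{s/^[^:]*:[[:space:]]*//;s/^\"(.*)\"\$/\1/;p;q;}"
}

# Decide whether the agent is in a state where a manual scan is worth running.
# Prints "ok" and returns 0, or prints the reason and returns 1.
assess_health() {
  local out healthy licensed rtp
  out="$(cat)"
  healthy="$(printf '%s\n' "$out" | health_field healthy)"
  licensed="$(printf '%s\n' "$out" | health_field licensed)"
  rtp="$(printf '%s\n' "$out" | health_field real_time_protection_enabled)"
  if [ "$healthy" != "true" ]; then
    echo "agent unhealthy: $(printf '%s\n' "$out" | health_field health_issues)"
    return 1
  fi
  if [ "$licensed" != "true" ]; then
    echo "agent not licensed: onboarding is not complete"
    return 1
  fi
  if [ "$rtp" != "true" ]; then
    echo "real-time protection disabled: a manual scan is the only coverage right now"
    return 1
  fi
  echo "ok"
}

# Constructed sample of `mdatp health` output, used for offline checks.
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.20100.7"
app_version                                 : "101.24012.0001"
real_time_protection_enabled                : true
real_time_protection_available              : true
definitions_status                          : "up_to_date"
definitions_updated_minutes_ago             : 42
passive_mode_enabled                        : false'

# Live workflow on an endpoint with the agent installed: health gate,
# exclusion review, quick scan, then detections.
triage() {
  mdatp health | assess_health || return $?
  echo "--- exclusions: every entry here is a scan blind spot, review it ---"
  mdatp exclusion list
  echo "--- quick scan ---"
  mdatp scan quick
  echo "--- detections ---"
  mdatp threat list
}

# Only touch the real agent when invoked as: sudo bash mde-triage.sh run
if [ "${1:-}" = "run" ]; then
  triage
fi
```

Run it as sudo bash mde-triage.sh run on a host with the agent installed; without the run argument it only defines the functions, so you can source it and feed saved mdatp health output into assess_health while troubleshooting offline. On a live host, mdatp health --field <name> already returns a single field; the parser here is for saved output and for scripting the go/no-go decision.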

Check it out yourself! 😉


Thank you for reading and leave your thoughts/comments!





Andre Camillo, CISSP
Cloud and Security technologies, Career, Growth Mindset. Technical Specialist @Microsoft. Opinions are my own.