Running Defender for Endpoint on Non-Windows Devices

Can MDE be considered a fully featured EDR on all platforms?

Over the past few years, Microsoft has proven to have a worthy security product in Microsoft Defender for Endpoint (MDE) for Windows devices. In 2022, it was named a leader in the ‘Endpoint Protection and Detection’ quadrant. While most talk about Windows when discussing Microsoft Defender, it also supports MacOS, Linux, Android, and iOS. The question arises whether MDE is a mature product for these platforms and if you can entrust Microsoft to protect devices running these operating systems.

Feature Set

One thing to say before diving into detail is that features always differ across different Operating Systems. If a new feature is rolled out (let’s take the browser extensions inventory as an example), Microsoft releases it to Windows devices first. From Microsoft’s perspective, this approach makes sense as Windows is their largest market.

Ru Campbell created an extensive overview of Defender features across all platforms. This clearly shows some missing features for non-Windows platforms. While Microsoft addresses those gaps, some gaps will always remain. Ru Campbell’s overview is updated regularly and is therefore recommended as a bookmark for everyone working with MDE across multiple platforms.

Centralized Management

Until July 2023, customers wanting to manage macOS and Linux devices needed to configure them using a third-party management system. An MDM tool such as JamF or Intune was required for macOS, while Linux could be managed by using Puppet or Ansible. The announcement of centralized security settings addressed the issue. The feature allows customers to create configuration profiles in the Microsoft Security portal to configure Windows, macOS, and Linux devices.

With this, customers don’t need to use different consoles to configure MDE for different devices. This dramatically decreases the complexity which was previously present.

macOS

macOS is the second-most popular desktop Operating System in use across all organizations. I see a big increase in adoption due to the popularity of the M1/2-powered devices. MDE has supported macOS since 2019. At the time of writing, MDE is a fully-fledged AV and EDR product that can compete with other macOS security solutions on the market. It lacks some features, such as browser extension inventory, but I expect Microsoft to release this feature in the future. Recently, Microsoft released many macOS features. In July 2023, Microsoft released native isolation/antivirus actions for macOS.

The enrollment process for macOS is more complex than for Windows devices, as multiple prerequisites must be in place. After you complete the installation, the protection and detection experience works well. While working in a SOC using MDE, I have seen it successfully remediating advanced malware that had bypassed other EDR systems before. For macOS, I recommend MDE without any hesitation.

Linux

Microsoft’s support for MDE on Linux has been a rocky road. In September 2020, the product was released with only Antivirus capabilities. Six months later (January 2021), EDR support rolled out. In today’s security industry, having only antivirus capability does not meet customer expectations, as MDE lacks some of the behavior-based detections that EDR provides. An example could be the recent supply chain attack from 3CX. In this case, a legitimate, trusted process started executing unusual commands. An EDR can pick up on this activity as it tracks what is (unusual) for an application. During 2021, I experienced many random performance issues resulting in multiple Microsoft support cases. In one of the cases, the Defender process hogged about 90% of the CPU. The experience was less than ideal, and at that time, the product was not mature enough for production deployments. Our issues were typically fixed with a new platform update, showing that the issue was on the Microsoft side.

Since then, Microsoft has released improvements for the audited engine and recently announced support for the eBPF-sensor. These announcements showcase Microsoft’s willingness to invest in engineering efforts to bring stronger MDE capabilities to Linux.

In the past year, I have seen multiple successful deployments across many Linux distributions. The most important recommendation is to take things slowly, both in the preparation and deployment phases. Not all distributions are supported, and there is even a difference between different versions of the same distribution. Before you start, you should perform a careful assessment. While a limited number of distributions are supported, this does not mean MDE will not run on other distributions. If you face issues with an unsupported distribution, you cannot escalate problems to Microsoft support. But I don’t think that should stop you. Offboarding a device can be done relatively quickly without much effort, so I recommend that customers onboard non-supported devices as a test and validate the experience. If there are no issues, you can leave the sensor running, because having an EDR sensor on all devices greatly increases your security posture.

The only type of machines you should not onboard are appliances. Appliances are Linux-based machines with a specific function such as firewalls (Meraki runs on a Linux-based VM on Azure) or tooling such as VMWare Vcenter. Those types of devices are typically not onboarded because:

• Vendors don’t support an active antivirus (and you don’t want performance issues on your routers).
• The actions you can take on a VM are limited, meaning the exposure is greatly decreased.

Android & iOS

Antivirus on mobile devices is always an interesting conversation. Mobile devices are a new attack vector that not a lot of organizations have fully under control. Antivirus is typically challenging to deploy because end-users are wary of installing monitoring software on devices they (might) also use for personal use. MDE on Android and iOS works by creating an active VPN connection initiated by the Microsoft Defender for Endpoint application. This VPN connection allows the product to monitor all network activity and take action if required. A VPN connection can be regarded as intrusive, so it is important to discuss the implementation with HR before starting and have proper communication with users about what is logged and what isn’t.

By deploying MDE on mobile devices, you can protect your users against smishing attacks (phishing attacks using SMS messages) and malicious applications (only on Android). MDE currently uses a list of blocked websites but doesn’t use any behavioral scanning to block malicious content dynamically. This decreases its usefulness as there is no smart ‘behavior,’ ‘machine learning’ detections as present on other platforms.

Due to the complicated deployment and limited feature set, I have only seen one successful platform roll-out across my customers.

Learning the Platforms

Because of the different experiences across different platforms, it is important to train deployment and support teams in all aspects of the product. Server specialists need to be aware of the management and configuration of all operating systems, but the same goes for the SOC team. While MDE abstracts some of the OS-specific activity, the SOC needs to learn what the standard behavior of each system looks like and what processes are common and uncommon. This learning curve is often forgotten but cannot be overlooked.

A Worthy Cross-Platform Solution

While Microsoft Defender for Endpoint hasn’t always been the best multi-platform endpoint protection application, Microsoft has invested heavily in its development to create a strong product. Not all features are equal across all operating systems, but Microsoft is actively expanding its functionality across all operating systems. Customers need to be aware of the platform differences, but that should not stop your deployment.