Intune Linux Management: The Ultimate 2025 Step-by-Step Guide

By Noman Mohammad

Linux is everywhere… except in your console

If you run web servers, build products, or crunch data, odds are you lean on Linux. Yet, most IT teams still patch, monitor, and secure those machines the old way: one shell command at a time. That’s like hand-washing dishes while the dishwasher sits empty.

I sat in a client war-room last year watching an engineer spend four days tracking which Ubuntu boxes still had the last OpenSSL bug. Four days. We missed a marketing launch because of it. One box slipped through, got popped, and suddenly we’re on the nightly news. That day convinced me: we need the same love for Linux that we give Windows.

Why the mess happens

Picture your fleet like city streets.

  • Windows devices = bright, mapped avenues with traffic lights, cameras, and bike lanes.
  • Linux boxes = dim side streets full of shortcuts, no signs, and zero patrol cars.

Same city. Totally different risk.

Without a single tool to see every endpoint, you ship patches by hand, chase logs in twenty places, and pray compliance auditors don’t ask for screenshots. Spoiler: they always do.

The new way: Intune now speaks Linux

As of 2025, Microsoft rolled Intune’s Linux support into general availability. No more bolt-on scripts or third-party portals—just one console for Windows, macOS, iOS, Android, and now Linux.

Step 1 – Check the guest list (supported distros)

If your distro isn’t on the list, it won’t even knock on the door. Right now:

  • Green light: Ubuntu 22.04 LTS or newer, Red Hat 9+, CentOS Stream, Fedora 38+, and SLES 15+ (preview).
  • Licence: You need Intune Plan 1 or higher.
  • Must-have: Every machine must join or register in Entra ID.

Step 2 – Install the agent (two copy-paste commands)

Ubuntu/Debian

wget https://packages.microsoft.com/linux/intune/ubuntu/pool/main/i/intune-portal/intune-portal_1.0.0_amd64.deb
sudo dpkg -i intune-portal_1.0.0_amd64.deb

RHEL/CentOS/Fedora

sudo rpm -ivh https://packages.microsoft.com/linux/intune/rhel/intune-portal-1.0.0.x86_64.rpm

Then enroll:

sudo intune-portal enroll --username you@yourcompany.com

Pop over to intune.microsoft.com, open Devices > Linux, and you should see your box waving hello.
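
The Ubuntu step above hands a freshly downloaded file straight to dpkg as root. As an added example (not from the original post), this gate runs the installer only when the file's SHA-256 matches a pin obtained from a trusted channel. The function names and the INSTALL_CMD override are assumptions, and the pin is a placeholder because the post does not give one.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to install a downloaded
# package unless it matches a SHA-256 pin obtained out of band.

# sha256_of FILE: print the lowercase hex digest (sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pkg FILE PIN
# Returns 0 on match, 1 on digest mismatch, 2 on unusable input.
verify_pkg() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    vp_pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')      # accept upper-case pins
    case $vp_pin in
        *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#vp_pin}" -eq 64 ] || { echo "pin is not a SHA-256 digest" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$vp_pin" ] || { echo "DIGEST MISMATCH: $1" >&2; return 1; }
}

# install_verified FILE PIN: run the installer only after verify_pkg succeeds.
# INSTALL_CMD (assumed name) is overridable so the gate can be tried without root.
install_verified() {
    verify_pkg "$1" "$2" || return $?
    ${INSTALL_CMD:-sudo dpkg -i} "$1"
}

# Usage on a host (pin is a placeholder, take it from a trusted channel):
#   install_verified intune-portal_1.0.0_amd64.deb "<expected-sha256>"
```
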

Step 3 – Lock it down with policies

Once the device checks in, treat it like any other endpoint.

  • Apply CIS hardening baselines for firewalls, password rules, and sudo rights.
  • Push Microsoft Defender for Linux automatically—no manual rpm installs.
  • Need something special? Drop a Bash script into Intune and it runs everywhere. I use it to auto-install fail2ban and tweak sshd_config in one shot.
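
A script that rewrites sshd_config on every box can lock you out of all of them at once, so it should be idempotent and validate the result before replacing anything. An added example of that shape (not the author's script; the three settings, the function names and the SSHD_VALIDATE variable are assumptions):

```shell
#!/bin/sh
# Added example (not the author's script). The three settings are illustrative.
# SSHD_VALIDATE is overridable so the logic can be tried on a scratch copy.
SSHD_VALIDATE=${SSHD_VALIDATE:-"sshd -t -f"}

# set_sshd_option FILE KEY VALUE
# sshd keeps the FIRST value it reads for a keyword, and any line after a
# "Match" belongs to that block. So drop active global copies of KEY (either
# "KEY value" or "KEY=value", any case) and put the wanted line at the very
# top, ahead of Include and Match lines. Re-running gives the same file.
set_sshd_option() {
    so_tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v k="$2" '
            { split($1, w, "="); kw = tolower(w[1]) }
            kw == "match"                 { in_match = 1 }
            !in_match && kw == tolower(k) { next }
            { print }' "$1"
    } > "$so_tmp" && cat "$so_tmp" > "$1"
    so_rc=$?
    rm -f "$so_tmp"
    return "$so_rc"
}

# harden_sshd FILE: edit a copy, validate it, and only then touch FILE.
harden_sshd() {
    hs_work=$(mktemp) || return 1
    cp "$1" "$hs_work" &&
        set_sshd_option "$hs_work" PermitRootLogin no &&
        set_sshd_option "$hs_work" PasswordAuthentication no &&
        set_sshd_option "$hs_work" MaxAuthTries 3 || { rm -f "$hs_work"; return 1; }
    if ! $SSHD_VALIDATE "$hs_work" >/dev/null 2>&1; then
        echo "validation failed, $1 left unchanged" >&2
        rm -f "$hs_work"; return 1
    fi
    if cmp -s "$hs_work" "$1"; then      # already compliant: change nothing
        rm -f "$hs_work"; return 0
    fi
    cp -p "$1" "$1.bak" && cat "$hs_work" > "$1"   # cat keeps FILE's owner/mode
    hs_rc=$?
    rm -f "$hs_work"
    return "$hs_rc"
}

# On a host: harden_sshd /etc/ssh/sshd_config, then reload the SSH service.
```

Settings inside a Match block are left alone on purpose, so review those separately if a block re-enables password logins for some users.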

Step 4 – Apps and patches without tears

Intune can deliver:

  • Your own .deb or .rpm packages.
  • Flatpak apps like Slack, VS Code, or Zoom straight from Flathub.
  • Auto-sync with Canonical Livepatch or Red Hat Insights so kernels fix themselves at 3 a.m. while you sleep.

Set compliance rules—disk encryption on, Defender threat level low—and any box that drifts gets blocked by Conditional Access. Users call the help desk less. You sleep more.

Step 5 – Keep an eye on things

Logs live at /var/log/intune.log. When something smells fishy, run:

sudo intune-portal diagnostic --full-report

In the web console, head to Reports > Linux for a bird’s-eye view. CISA keeps saying continuous monitoring is key—now you have it baked in.

What’s still rough (and how to cope)

  • No Autopilot for Linux yet. We still need hands-on for the first boot. Work-around: pre-install the agent in your golden image.
  • CLI-heavy. If you adore clicking wizards, this feels retro. I lean on Ansible to wrap the commands and push them over SSH—same outcome, less typing.

The roadmap says Kubernetes clusters and AI anomaly detection land next year. I’ll believe it when I see it, but the signs are good.

Quick FAQ

Which distros again?
Ubuntu 22.04+, RHEL 9+, CentOS Stream, Fedora 38+, and SLES 15+ (preview). Check docs—Microsoft keeps adding.

Can I push my own Bash scripts?
Yes. Package them as “shell scripts” in Intune and target any group you like.

Does Defender integrate?
Absolutely. One toggle installs it, and the signatures update through the same channel.

How do I know it enrolled?
Open the Intune portal, click Devices > Linux. If your hostname shows up, you’re golden.

Licensing?
Intune Plan 1 or higher. Nothing extra for Linux.

Zero-touch?
Not yet. For now we script or image.

Conditional Access?
Works like any other platform—MFA, device compliance, block legacy auth.

Bottom line

Stop treating Linux like the weird cousin nobody talks to. Bring it into the family barbecue. One console, one set of rules, way fewer fires.

Your next task: spin up a test VM, run the two commands above, and watch it appear in Intune. Five minutes from now you’ll have proof it works. After that, the rest is just scale.
