The new Defender for Endpoint unified agent has been generally available for some time (since April 11th, 2022). The new unified Microsoft Defender for Endpoint solution is supported for Windows Server 2012R2 and Windows Server 2016. In addition, automated deployment and integration of the new solution with Microsoft Defender for Cloud is now available with the Microsoft Defender for Servers P1 and P2 plans.
Recap: what is the Unified Defender solution?
The new unified solution is scoped for Server 2012R2 and 2016 and is a completely renewed Microsoft Defender for Endpoint solution for the legacy systems. With the new unified agent, it is possible to remove SCEP and use the latest features like ASR, Automated Investigation, and more advanced capabilities for prevention, detection, and response compared to Windows 10 and Windows Server 2019.
More information: Microsoft | Defending Windows Server 2012 R2 and 2016 and Jeffreyappel.nl | install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016
Now the good news: Defender for Endpoint for Windows Server 2012R2 and 2016 based on the new unified agent is finally available in Defender for Cloud (Defender for Servers P1 and P2). With a simple one-click button it is possible to upgrade the old MMA-based configuration directly to the new unified solution for machines onboarded with Defender for Servers.
More information: Defender for Servers Plan 2 now integrates with MDE unified solution
Recap: What is Defender for Servers Plan 1 vs Plan 2?
Microsoft announced in April 2022 the Defender for Servers Plan 1 SKU that offers Cloud Security Posture Management (CSPM) capabilities and Defender for Endpoint integration.
Microsoft Defender for Servers Plan 1 deploys Microsoft Defender for Endpoint, which is charged per hour instead of per seat; this reduces the cost of protecting virtual machines to only the time they are in use.
Microsoft Defender for Servers Plan 2 (formerly known as Defender for Servers) includes Defender for Endpoint and all other Defender for Cloud features like Qualys vulnerability assessment, threat detections at the OS level, network layer and control plane, Just-in-time VM access, File Integrity Monitoring and many more.
More information: Microsoft | What are the Microsoft Defender for server plans?
New MDE unified solution integration in Defender for Servers plan 2
Microsoft announced the release of the unified agent integration, which makes it possible to directly enable the new Defender for Endpoint unified solution and remove the dependency on the Log Analytics agent (MMA) and other legacy AV tooling like SCEP. Microsoft has removed the complexity of provisioning by creating two machine extensions.
Important: Defender for Servers Plan 2 contains features that still use the Log Analytics agent. Examples: attack detections outside MDE, File Integrity Monitoring, and Adaptive Application Controls. Additional raw event logging is possible with the MMA or, ideally, the new AMA agent.
Before enabling the new Defender unified solution, make sure the correct prerequisites are installed for Server 2012R2 and Server 2016.
Important: MDE Unified requires some extra prerequisites, a minimum installed version, and network connectivity. When already using MMA-based Defender for Endpoint, make sure all additional network URLs are reachable and the required patches are installed.
Extension and removal of components
The following extensions are now available for Windows and Linux machines in Azure, and for non-Azure machines connected through Azure Arc-enabled servers:
- MDE.Windows
- MDE.Linux
The MDE.Windows extension removes SCEP from Server 2012R2 machines during the installation of the new MDE unified solution. Part of the MDE.Windows extension is the onboarding of Defender for Endpoint (the SENSE service).
New available Azure policies:
- Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
- Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
- Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
- Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
The Defender for Endpoint unified installation package Md4ws.msi is part of the MDE.Windows Extension. Other scripts and the onboarding file are part of the package. The same goes for MDE.Linux extension where the Linux files are visible.
Windows MDE installation files are located in the following folder: C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows
Microsoft uses install.ps1, which is almost the same as the Microsoft helper script published on GitHub for customers migrating from the MMA agent to the unified solution.
The following points are important:
Server 2012R2:
- SCEP is uninstalled as part of the solution
- KB299922 & KB3080149 are required for 2012R2; when they are not installed, the updates are downloaded from Microsoft and installed. When there is no network connectivity, the deployment fails
Server 2016:
- The WinDefend service needs to be running before installing the new solution
- The built-in Windows Defender server feature (role) is needed
- The Servicing Stack Update (SSU) from September 14, 2021 or later must be installed
- The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed
Enablement Unified Solution
MDE integration with Defender for Servers P2 uses the new unified solution by default for new Defender for Cloud activations and new subscriptions. When Defender for Servers P2 or the MDE integration was enabled before June 20th, 2022, the new Enable Unified Solution button is visible.
The following options are available:
- Migrate all machines in subscriptions using Enable Unified Solution button
- Testing particular machines using REST API without enabling the complete subscription
- Deploying using Azure Policy
Typically, one of the following situations applies in an environment:
- Defender for Servers is already enabled and Microsoft Defender for Endpoint was deployed (MMA solution)
- Defender for Servers integration was never enabled
Enablement for complete subscription
To enable the MDE unified solution in existing subscriptions, opt in to the unified solution on the subscription's environment settings/integrations page. To open the settings:
- Go to Defender for Cloud
- Go to Environment settings and select the subscription
- Go to Integrations
The button Enable unified solution is visible when the MDE integration was enabled before June 20th, 2022.
After enablement it can take up to 12 hours before the extension is installed. When the extension is not installed after 12 hours, check the network and system/application prerequisites for the MDE integration. Tip: use the MDEClientAnalyzer.
Monitoring is possible directly in the Azure portal. To check the extension deployment status, go to the VM page -> Settings -> Extensions + Applications. The page shows the actual status of MDE.Windows and MDE.Linux. Clicking on the extension name shows more detailed information.
Enablement for single machine using REST API
Testing on a particular machine without enabling the integration on the whole subscription is possible using the REST API or deployment of the new Azure policies described above.
Retrieve Base64Encoded package
For the REST API method we need to retrieve the MDE onboarding package as a Base64-encoded package. To get the package, send the following GET request to management.azure.com. Replace <SUBSCRIPTIONID> with the complete subscription ID.
https://management.azure.com/subscriptions/<SUBSCRIPTIONID>/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview
Copy the complete onboardingPackageWindows value. This is the Base64-encoded onboarding package that belongs to the subscription, and it is needed in the next PUT request.
Deploy extension to machine using a PUT request
The MDE.Windows extension, including MDE onboarding, can be deployed using a PUT request with the following parameters. Note: the parameters differ for Azure VMs and Azure Arc machines.
Virtual Machines
Use the parameters below for Azure virtual machines:
| API Parameter | Value |
|---|---|
| API Call | PUT |
| API URI | https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=2015-06-15 |
| ResourceId | Azure Resource ID |
| MachineType | Compute |
| MachineTypePath | virtualMachines |
| API Version | 2015-06-15 |
| Base64EncodedPackage | Result from the Base64-encoded package request |
Azure Arc machines
Use the parameters below for Azure Arc machines:
| API Parameter | Value |
|---|---|
| API Call | PUT |
| API URI | https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=2020-08-02 |
| ResourceId | Azure Resource ID |
| MachineType | HybridCompute |
| MachineTypePath | machines |
| API Version | 2020-08-02 |
| Base64EncodedPackage | Result from the Base64-encoded package request |
For Azure and Azure Arc machines, use the JSON body below with the attributes above in the PUT request against:
https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version>
```json
{
  "name": "MDE.Windows",
  "id": "<ResourceId>/extensions/MDE.Windows",
  "type": "Microsoft.<MachineType>/<MachineTypePath>/extensions",
  "location": "<VM_Location>",
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "<ResourceId>",
      "vNextEnabled": "true"
    },
    "protectedSettings": {
      "defenderForEndpointOnboardingScript": "<Base64EncodedPackage>"
    }
  }
}
```
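As an added example (not code from the original post or from Microsoft), the Python script below derives MachineType, MachineTypePath and api-version from the resource ID itself, so they are never supplied twice, builds the PUT body with the onboarding package in protectedSettings, and chains the mdeOnboardings GET with the extension PUT. The bearer token, the resource names in the test and the exact response shape of the mdeOnboardings GET are assumptions.

```python
import json
import re
import urllib.request
ARM = "https://management.azure.com"
# Provider (lower-cased) -> MachineType, MachineTypePath, api-version: the two tables above.
PROVIDERS = {
    "microsoft.compute/virtualmachines": ("Compute", "virtualMachines", "2015-06-15"),
    "microsoft.hybridcompute/machines": ("HybridCompute", "machines", "2020-08-02"),
}

def classify(resource_id):
    """Derive MachineType, MachineTypePath and api-version from the resource ID itself."""
    m = re.search(r"/providers/([^/]+/[^/]+)/[^/]+$", resource_id)
    if not m or m.group(1).lower() not in PROVIDERS:
        raise ValueError(f"not an Azure VM or Arc machine resource ID: {resource_id}")
    return PROVIDERS[m.group(1).lower()]
def extension_request(resource_id, location, onboarding_package_b64):
    """Build the PUT URL and JSON body that deploy MDE.Windows with MDE onboarding."""
    machine_type, path, api_version = classify(resource_id)
    url = f"{ARM}{resource_id}/extensions/MDE.Windows?api-version={api_version}"
    body = {
        "name": "MDE.Windows",
        "id": f"{resource_id}/extensions/MDE.Windows",
        "type": f"Microsoft.{machine_type}/{path}/extensions",
        "location": location,
        "properties": {
            "autoUpgradeMinorVersion": True,
            "publisher": "Microsoft.Azure.AzureDefenderForServers",
            "type": "MDE.Windows",
            "typeHandlerVersion": "1.0",
            "settings": {"azureResourceId": resource_id, "vNextEnabled": "true"},
            # The onboarding package is a secret: keep it in protectedSettings, not settings.
            "protectedSettings": {"defenderForEndpointOnboardingScript": onboarding_package_b64},
        },
    }
    return url, body
def arm_call(url, token, method="GET", body=None):
    # Authenticated ARM request; token is an ARM bearer token obtained beforehand (assumption).
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode() if body else None,
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)
def deploy(subscription_id, resource_id, location, token):
    """GET the subscription's onboarding package, PUT the extension, return provisioningState."""
    url = f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview"
    # Assumed response shape: {"value": [{"properties": {"onboardingPackageWindows": "..."}}]}
    package = arm_call(url, token)["value"][0]["properties"]["onboardingPackageWindows"]
    put_url, body = extension_request(resource_id, location, package)
    return arm_call(put_url, token, "PUT", body)["properties"]["provisioningState"]  # initially "Creating"
```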
Response after the initial PUT request
Provisioning state: “Creating”
When the requirements for Defender for Endpoint are correctly in place, Defender for Endpoint is installed by the MDE.Windows extension after some time.
The WinDefend and Sense services are part of the new solution on Server 2012R2 and 2016.
The REST API can be used for single deployments and testing, without enabling the unified solution for the complete subscription.
Conclusion
The new unified MDE solution enables important security improvements and replaces the dependency on Log Analytics and, for 2012R2, SCEP (the Antimalware extension). Based on the Defender for Cloud integration, it is now easier to manage deployments using Defender for Cloud, the REST API, or Azure Policy. More important is the increase in security protection and the more centralized alignment across all supported versions, ideally managed with the new Defender for Endpoint Security Management feature.
Sources
Microsoft: Defender for Servers Plan 2 now integrates with MDE unified solution
Microsoft: Defender for Endpoint Unified Agent
Microsoft: Defender for Servers integration with MDE | Defender for Cloud in the Field #16
Query – Does integrating with DfE from Defender for Cloud cover any migration scenarios from 3rd-party AV products, e.g. Symantec?
Hi Phil, you mean automatically removing any 3rd-party AV product like Symantec?
There is currently no “automatic” migration functionality. The migration is exactly the same as explained here; https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide
Is much of what you’re talking about here now part of Azure Arc?
Seems the sections in Defender for Cloud that you’re referring to have changed.
Hi Bob, Azure Arc enables/creates the machine in Defender for Cloud – Auto provisioning part of Defender for Cloud enables the Defender provisioning.
Hi, looks like a number is missing in the “KB299922” KB article. Could you complete it?
I can’t get the PUT REST API part to work. It keeps complaining about this:
“The resource definition is invalid.”
Also, your API parameters table is confusing. The resourceID already contains MachineType and MachineTypePath, and yet you’ve listed those out in the table and so you’re actually doubling up on the same parameters.
Could you please provide the full REST API URL? You’ve listed this out twice in the same guide, which one is it? Notice the & and the ? symbol in the link:
https://management.azure.com//extensions/MDE.Windows&api-version=2015-06-15
https://management.azure.com//extensions/MDE.Windows?api-version=
And in the URLs above, neither of them mention “Base64EncodedPackage”. So what exactly is the full URL here?