The new Defender for Endpoint unified agent has been generally available for some time (since April 11th, 2022). The new unified Microsoft Defender for Endpoint solution is supported on Windows Server 2012 R2 and Windows Server 2016. In addition, automated deployment and integration of the new solution with Microsoft Defender for Cloud is now available with Microsoft Defender for Servers Plan 1 and Plan 2.

Recap: what is the Unified Defender solution?

The new unified solution is scoped to Windows Server 2012 R2 and 2016 and is a completely renewed Microsoft Defender for Endpoint solution for these legacy systems. With the new unified agent it is possible to remove SCEP and use the latest features such as ASR rules, Automated Investigation and Response, and more advanced prevention, detection, and response capabilities, bringing these servers much closer to what Windows 10 and Windows Server 2019 already offer.

More information: Microsoft | Defending Windows Server 2012 R2 and 2016 and Jeffreyappel.nl | install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016

Now the good news: Defender for Endpoint for Windows Server 2012 R2 and 2016 based on the new unified agent is finally available in Defender for Servers Plan 1 and Plan 2. With a single button it is possible to upgrade the old MMA-based configuration directly to the new unified solution for machines onboarded with Defender for Servers.

More information: Defender for Servers Plan 2 now integrates with MDE unified solution

Recap: What is Defender for Servers Plan 1 vs Plan 2?

Microsoft announced in April 2022 the Defender for Servers Plan 1 SKU that offers Cloud Security Posture Management (CSPM) capabilities and Defender for Endpoint integration.

Microsoft Defender for Servers Plan 1 deploys Microsoft Defender for Endpoint and is charged per hour instead of per seat, which reduces the cost because virtual machines are only charged while they are running.

Microsoft Defender for Servers Plan 2 (formerly known simply as Defender for Servers) includes Defender for Endpoint and all other Defender for Cloud server features, such as Qualys vulnerability assessment, threat detection at the OS level, network layer and control plane, just-in-time VM access, file integrity monitoring, and more.

More information: Microsoft | What are the Microsoft Defender for server plans?


New MDE unified solution integration in Defender for Servers plan 2

Microsoft announced the release of the unified agent integration, which makes it possible to enable the new Defender for Endpoint unified solution directly and remove the dependency on the Log Analytics agent (MMA) and legacy AV tooling such as SCEP. Microsoft has removed the provisioning complexity by creating two machine extensions.

Important: Defender for Servers Plan 2 still contains features that depend on the Log Analytics agent, for example attack detections outside MDE, File Integrity Monitoring, and Adaptive Application Controls. Additional raw event logging is still possible with the MMA or, ideally, the new Azure Monitor Agent (AMA).

Before enabling the new unified solution, make sure the correct prerequisites are in place on Server 2012 R2 and Server 2016.

Important: the MDE unified solution requires some extra prerequisites, a minimum installed update level, and additional network connectivity. When already using the MMA-based Defender for Endpoint, make sure all additional network URLs are reachable and the required patches are installed before migrating.

Extension and removal of components

The following extensions are now available for Windows and Linux machines in Azure, and for non-Azure machines connected through Azure Arc-enabled servers:

  • MDE.Windows
  • MDE.Linux

The MDE.Windows extension removes SCEP from Server 2012 R2 machines during the installation of the new MDE unified solution. Onboarding of Defender for Endpoint (the SENSE service) is also part of the MDE.Windows extension.

New available Azure policies:

  • Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
  • Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
  • Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
  • Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

The Defender for Endpoint unified installation package md4ws.msi is part of the MDE.Windows extension, together with the supporting scripts and the onboarding file. The same goes for the MDE.Linux extension, where the Linux files are visible.

On Windows the MDE installation files are located in the following folder: C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows

Microsoft uses an install.ps1 script that is almost identical to the helper script Microsoft published on GitHub for customers migrating from the MMA-based agent to the unified solution.

The following points are important:

Server 2012 R2:

  • SCEP will be uninstalled as part of the solution
  • KB2999226 (Universal C Runtime) and KB3080149 are required on 2012 R2; when not installed, the updates are downloaded from Microsoft and installed. Without outbound network access the deployment will fail

Server 2016:

  • The WinDefend service needs to be running before the new solution is installed
  • The built-in Windows Defender feature (server role) must be installed
  • The Servicing Stack Update (SSU) from September 14, 2021 or later must be installed
  • The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed
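The prerequisite lists above can be turned into a pre-flight check that is run locally (elevated) on the target server before the MDE.Windows extension is pushed. The script below is an added example and not part of the original post or of Microsoft's install.ps1. It assumes a few things the page does not state: Server 2012 R2 reports build 9600 and Server 2016 build 14393; the September 20, 2018 LCU for Server 2016 (KB4457127) corresponds to revision (UBR) 2515; the built-in Defender server feature is named Windows-Defender-Features; SCEP runs as the MsMpSvc service; and "an update installed on or after 2021-09-14" is used as a heuristic for the SSU requirement, because recent LCUs bundle the SSU.

```powershell
# Added example (not from the original post): MDE unified solution pre-flight check.
# Assumptions not stated on the page: builds 9600 / 14393, UBR 2515 for the Sep-2018 LCU,
# feature name Windows-Defender-Features, SCEP service MsMpSvc, SSU date heuristic.
function Test-MdeUnifiedPrerequisites {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR            # UBR value is absent on 2012 R2; [int]$null is 0
    $checks = New-Object System.Collections.Generic.List[object]

    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    switch ($build) {
        9600 {
            Add-Check 'OS' $true 'Windows Server 2012 R2 (build 9600)'
            # Required updates; the extension downloads them when missing, so note the network dependency
            foreach ($kb in 'KB2999226', 'KB3080149') {
                $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
                Add-Check "$kb installed" ([bool]$hf) $(if ($hf) { "installed $($hf.InstalledOn)" }
                    else { 'missing; extension will try to download it, outbound access required' })
            }
            # SCEP is removed by MDE.Windows; informational only
            $scep = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
            Add-Check 'SCEP present (will be uninstalled by MDE.Windows)' $true `
                $(if ($scep) { "MsMpSvc $($scep.Status)" } else { 'not found' })
        }
        14393 {
            Add-Check 'OS' $true 'Windows Server 2016 (build 14393)'
            $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
            Add-Check 'WinDefend service running' ($svc -and $svc.Status -eq 'Running') `
                $(if ($svc) { "status $($svc.Status)" } else { 'service not present' })
            $feat = Get-WindowsFeature -Name Windows-Defender-Features -ErrorAction SilentlyContinue
            Add-Check 'Built-in Defender feature installed' ([bool]($feat -and $feat.Installed)) `
                $(if ($feat) { "InstallState $($feat.InstallState)" } else { 'feature not found' })
            Add-Check 'LCU >= 20 Sep 2018 (UBR >= 2515, assumption)' ($ubr -ge 2515) "current build 14393.$ubr"
            $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
            Add-Check 'Update installed on/after 14 Sep 2021 (SSU heuristic)' `
                ($latest -and $latest.InstalledOn -ge [datetime]'2021-09-14') `
                $(if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'no hotfix history' })
        }
        default { throw "Build $build is not Windows Server 2012 R2 or 2016; the unified solution does not apply here" }
    }
    return $checks
}

$result = Test-MdeUnifiedPrerequisites
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; fix them before enabling the MDE.Windows extension.'
}
```

Run it as an administrator; Get-WindowsFeature needs the ServerManager module, which is present on Server 2016. The network prerequisites (the MDE service URLs) are not covered here; use the MDEClientAnalyzer for those.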

Enablement Unified Solution

For new Defender for Cloud activations and new subscriptions, the MDE integration with Defender for Servers Plan 2 uses the new unified solution by default. When Defender for Servers Plan 2 or the MDE integration was enabled before June 20th, 2022, the Enable unified solution button is shown instead.

The following options are available:

  • Migrate all machines in subscriptions using Enable Unified Solution button
  • Testing particular machines using REST API without enabling the complete subscription
  • Deploying using Azure Policy

Most environments are in one of the following situations:

  • Defender for Servers is already enabled and Microsoft Defender for Endpoint was deployed (MMA solution)
  • Defender for Servers integration was never enabled

Enablement for complete subscription

To enable the MDE unified solution in an existing subscription, opt in on the subscription's Environment settings > Integrations page. To open the settings:

  1. Go to Defender for Cloud
  2. Go to Environment settings and select the subscription
  3. Go to Integrations

The button Enable unified solution is visible when the MDE integration was enabled before June 20th, 2022.

After enablement it can take up to 12 hours before the extension is installed. When the extension is still not installed after 12 hours, check the network and system/application prerequisites for the MDE integration. Tip: use the MDEClientAnalyzer.

Monitoring is possible directly in the Azure portal. To check the extension deployment status go to the VM page -> Settings -> Extensions + applications. The page shows the current status of MDE.Windows and MDE.Linux; clicking the extension name shows more detailed information.

Enablement for single machine using REST API

Testing on a particular machine without enabling the integration on the whole subscription is possible using the REST API or deployment of the new Azure policies described above.

Retrieve Base64Encoded package

For the REST API method we first need to retrieve the MDE onboarding package as a Base64-encoded string. Use the following GET request against management.azure.com, replacing <SUBSCRIPTIONID> with the complete subscription ID:

https://management.azure.com/subscriptions/<SUBSCRIPTIONID>/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview

Copy the complete onboardingPackageWindows value from the response. This is the Base64-encoded MDE onboarding package that belongs to the subscription, and it is needed in the next PUT request.

Deploy extension to machine using a PUT request

The MDE.Windows extension, including MDE onboarding, can be deployed with a PUT request and the following parameters. Note that the parameters differ between Azure VMs and Azure Arc machines.

Virtual Machines

Use the parameters below for Azure virtual machines:

  Parameter             Value
  API call              PUT
  API URI               https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=2015-06-15
  ResourceId            Azure resource ID of the virtual machine
  MachineType           Compute
  MachineTypePath       virtualMachines
  API version           2015-06-15
  Base64EncodedPackage  Result of the Base64-encoded package request

Azure Arc machines

Use the parameters below for Azure Arc machines:

  Parameter             Value
  API call              PUT
  API URI               https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=2020-08-02
  ResourceId            Azure resource ID of the Arc-enabled machine
  MachineType           HybridCompute
  MachineTypePath       machines
  API version           2020-08-02
  Base64EncodedPackage  Result of the Base64-encoded package request

For both Azure and Azure Arc machines use the JSON body below, filled in with the attributes above, in the PUT request against:

https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version>
{
  "name": "MDE.Windows",
  "id": "<ResourceId>/extensions/MDE.Windows",
  "type": "Microsoft.<MachineType>/<MachineTypePath>/extensions",
  "location": "<VM_Location>",
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
        "azureResourceId": "<ResourceId>",
        "vNextEnabled": "true"
    },
    "protectedSettings": {
      "defenderForEndpointOnboardingScript": "<Base64EncodedPackage>"
    }
  }
}

Response after the initial PUT request

Provisioning state: “Creating”

When the prerequisites are in place, Defender for Endpoint is installed by the MDE.Windows extension after some time and the provisioning state changes to Succeeded.

On Server 2012 R2 and 2016 the new solution runs as the WinDefend and Sense services.

The REST API can be used for single deployments and testing without enabling the unified solution for the complete subscription.
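The GET and PUT calls above, including the difference between Azure VMs and Arc-enabled machines, can be scripted end to end. The script below is an added example, not code from the original post or from Microsoft; it uses Invoke-AzRestMethod from the Az.Accounts module (run Connect-AzAccount first) and assumes the caller has rights to write extensions on the target resource and that the mdeOnboardings response carries the package under properties.onboardingPackageWindows, either directly or inside a value array.

```powershell
# Added example (not from the original post): deploy MDE.Windows to a single machine via ARM REST.
# Requires Az.Accounts (Connect-AzAccount). Assumptions: write rights on the target resource,
# onboarding package located at properties.onboardingPackageWindows in the GET response.

function Get-MdeOnboardingPackage {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) { throw "mdeOnboardings GET failed: $($resp.StatusCode) $($resp.Content)" }
    $json  = $resp.Content | ConvertFrom-Json
    $entry = if ($json.value) { $json.value[0] } else { $json }   # list or single resource
    $pkg   = $entry.properties.onboardingPackageWindows
    if (-not $pkg) { throw 'No onboardingPackageWindows in response; is Defender for Servers enabled?' }
    return $pkg
}

function Install-MdeWindowsExtension {
    param(
        [Parameter(Mandatory)][string]$ResourceId,        # full ARM id of the VM or Arc machine
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$OnboardingPackage  # Base64 string from Get-MdeOnboardingPackage
    )
    # Azure VM and Arc-enabled server use a different provider namespace and API version
    if ($ResourceId -match '/providers/Microsoft\.Compute/virtualMachines/') {
        $type = 'Microsoft.Compute/virtualMachines/extensions'; $apiVersion = '2015-06-15'
    } elseif ($ResourceId -match '/providers/Microsoft\.HybridCompute/machines/') {
        $type = 'Microsoft.HybridCompute/machines/extensions'; $apiVersion = '2020-08-02'
    } else { throw "Unsupported resource id: $ResourceId" }

    $body = @{
        name       = 'MDE.Windows'
        id         = "$ResourceId/extensions/MDE.Windows"
        type       = $type
        location   = $Location
        properties = @{
            autoUpgradeMinorVersion = $true
            publisher               = 'Microsoft.Azure.AzureDefenderForServers'
            type                    = 'MDE.Windows'
            typeHandlerVersion      = '1.0'
            settings                = @{ azureResourceId = $ResourceId; vNextEnabled = 'true' }
            # protectedSettings are encrypted by the platform; the onboarding package never lands in plain logs
            protectedSettings       = @{ defenderForEndpointOnboardingScript = $OnboardingPackage }
        }
    } | ConvertTo-Json -Depth 6

    $path = "$ResourceId/extensions/MDE.Windows?api-version=$apiVersion"
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    if ($resp.StatusCode -notin 200, 201) { throw "PUT failed: $($resp.StatusCode) $($resp.Content)" }
    # First response normally reports provisioningState "Creating"
    return [pscustomobject]@{
        ApiVersion        = $apiVersion
        ProvisioningState = ($resp.Content | ConvertFrom-Json).properties.provisioningState
    }
}

function Wait-MdeWindowsExtension {
    param([Parameter(Mandatory)][string]$ResourceId, [Parameter(Mandatory)][string]$ApiVersion, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $resp  = Invoke-AzRestMethod -Method GET -Path "$ResourceId/extensions/MDE.Windows?api-version=$ApiVersion"
        $state = ($resp.Content | ConvertFrom-Json).properties.provisioningState
        Write-Host "$(Get-Date -Format s) MDE.Windows provisioningState = $state"
        if ($state -in 'Succeeded', 'Failed') { return $state }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return 'Timeout'
}

# Usage (values are placeholders):
$sub = '00000000-0000-0000-0000-000000000000'
$vm  = "/subscriptions/$sub/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/srv2016-01"
$pkg = Get-MdeOnboardingPackage -SubscriptionId $sub
$put = Install-MdeWindowsExtension -ResourceId $vm -Location 'westeurope' -OnboardingPackage $pkg
Write-Host "Initial state: $($put.ProvisioningState)"
Wait-MdeWindowsExtension -ResourceId $vm -ApiVersion $put.ApiVersion
```

A Failed state is where the prerequisite and network checks from the earlier sections come in; the extension status page in the portal (and the MDEClientAnalyzer on the machine) show the detailed error.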


Conclusion

The new unified MDE solution brings important security improvements and replaces the dependency on the Log Analytics agent and on SCEP (the Antimalware extension) for Server 2012 R2. Through the Defender for Cloud integration it is now easier to manage deployments using Defender for Cloud, the REST API, or Azure Policy. More important is the increase in protection and the closer alignment across all supported Windows Server versions, ideally managed with the new Defender for Endpoint security settings management feature.


Sources

Microsoft: Defender for Servers Plan 2 now integrates with MDE unified solution

Microsoft: Defender for Endpoint Unified Agent

Microsoft: Defender for Servers integration with MDE | Defender for Cloud in the Field #16