Microsoft Defender for Endpoint series – Onboard using Azure Arc – Part3C
It is time for part 3C of the ultimate Microsoft Defender for Endpoint (MDE) series. After Part 3B (Onboard Defender for Endpoint using Defender for Cloud) it is time for a more technical deep-dive scoped on Azure Arc and the onboarding of non-Azure servers. Part 3C focuses on onboarding on-premises / non-Azure cloud servers using Defender for Cloud and Azure Arc. Azure Arc makes it possible to onboard non-Azure servers in Defender for Cloud and, through Defender for Cloud, in Defender for Endpoint.
Important: Defender AV/ Next Generation Protection onboarding is critical and part of the complete protection platform. All AV/ Next Generation Protection information will be explained more in-depth including migration from other AV states.
NOTE: This blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are also available in P2.
Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.
What is Defender for Cloud/ Defender for Servers
Defender for Cloud / Defender for Servers was already explained in part 3B. Defender for Cloud offers two Defender for Servers plans, Plan 1 and Plan 2, and both include Defender for Endpoint Plan 2. This part focuses on Azure Arc onboarding for on-premises servers / non-Azure machines. For the complete explanation of Defender for Cloud / Defender for Servers, view part 3B.
Previously it was possible to use Defender for Endpoint for Servers licensing for onboarding Windows Server 2008 R2 and higher in Defender for Endpoint via GPO, MECM, or other management tooling. Microsoft shared the following message:
We encourage customers to consider switching to Microsoft Defender for Servers. See the detailed migration guide. There are upcoming changes to our server protection offering. (Announcement: Microsoft)
Based on the announcement, Microsoft will retire the Defender for Endpoint for Servers offering, leaving Azure Arc / Defender for Cloud as the way to onboard these servers in Defender for Endpoint.
What are Azure Arc-enabled servers?
Azure Arc-enabled servers make it possible to manage Windows and Linux physical servers and virtual machines hosted outside of Azure. The management experience is designed to be consistent with the capabilities Azure offers for Azure virtual machines.
When a hybrid machine (on-premises / non-Azure) is connected to Azure, it becomes a connected machine and is represented as a resource in Azure. Each connected machine has a resource ID and is placed in the configured resource group. Once the machines exist as Azure resources, Defender for Cloud can be enabled for them and Defender for Servers P1/P2 takes care of the auto-provisioning of the Defender for Endpoint agent.
For more Azure Arc information see: Azure Arc overview
Azure Arc-enabled servers support the installation of the Connected Machine agent on physical servers and virtual machines hosted outside of Azure. Azure Arc-enabled servers are not supported for virtual machines running in Azure, Azure Stack Hub, or Azure Stack Edge; these are already detected as Azure VMs and can be onboarded directly to MDE using Defender for Cloud. Use Azure Arc for the following environments:
- On-premises servers
- Azure Stack HCI
- Other cloud environments (Amazon/ Google…)
Microsoft supports a set of Windows and Linux operating systems. The Azure Connected Machine agent is only available for 64-bit machines.
For Windows the following systems are supported (Server 2008 R2 SP1 works only with the MMA / Log Analytics agent):
| OS | Defender for Servers onboarding method |
|---|---|
| Server 2008 R2 SP1 | MMA (Log Analytics agent) |
| Server 2012 R2 | Unified agent (MDE unified solution) |
| Server 2016 | Unified agent (MDE unified solution) |
| Server 2019 and later | Built-in Sense onboarding |
| Windows IoT Enterprise | Built-in Sense onboarding |
More detailed prerequisites: Connected Machine agent prerequisites – Azure Arc | Microsoft Docs.
Azure Arc-enabled servers require outbound connectivity to reach Azure services. Proxy server configuration is possible for the Connected Machine agent. View all network requirements here: Connected Machine agent network requirements – Azure Arc | Microsoft Docs
For configuring Azure Arc correctly, the following resource providers must be registered in the subscription: Microsoft.HybridCompute, Microsoft.GuestConfiguration and Microsoft.HybridConnectivity.
Registration is possible using Azure PowerShell:
# Sign in and select the subscription that will hold the Azure Arc resources
Connect-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
# Register the resource providers used by Azure Arc-enabled servers
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridConnectivity
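Register-AzResourceProvider returns before the registration is actually finished, and the Azure Arc onboarding script fails when a provider is still "Registering". The following script is an added example (not from the original post): it registers the three providers and polls until each one reports Registered. The subscription ID is a placeholder, and the script assumes the Az.Accounts and Az.Resources modules are installed.

```powershell
# Added example: register the Azure Arc resource providers and wait for completion.
# Assumes Az.Accounts / Az.Resources are installed; the subscription ID is a placeholder.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$Providers = @(
    "Microsoft.HybridCompute",
    "Microsoft.GuestConfiguration",
    "Microsoft.HybridConnectivity"
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

foreach ($ns in $Providers) {
    # Registration is asynchronous; this call only starts it.
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# Poll the registration state; give up after five minutes.
$deadline = (Get-Date).AddMinutes(5)
do {
    $notReady = @()
    foreach ($ns in $Providers) {
        # Get-AzResourceProvider returns one object per resource type of the namespace;
        # RegistrationState is identical on all of them, so the first one is enough.
        $state = Get-AzResourceProvider -ProviderNamespace $ns |
                 Select-Object -First 1 -ExpandProperty RegistrationState
        Write-Host ("{0,-32} {1}" -f $ns, $state)
        if ($state -ne "Registered") { $notReady += $ns }
    }
    if ($notReady.Count -gt 0 -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 10 }
} while ($notReady.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($notReady.Count -gt 0) {
    throw "Resource providers still not registered: $($notReady -join ', ')"
}
```

Run this once per subscription before generating the onboarding script; the providers stay registered afterwards.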
Azure Arc onboarding
For getting machines onboarded in Defender for Cloud we need to make sure the machine is correctly onboarded in Azure Arc. Currently, multiple methods are available for deploying the Connected machine agent:
- Add a single server
- Add multiple servers
- Add servers from Update Management
- Add servers with Azure Migrate
Microsoft explains all available onboarding methods. For deployment, there are multiple options available. See: Azure Connected Machine agent deployment options – Azure Arc | Microsoft Docs
For onboarding machines in Azure Arc:
- Sign in to the Azure portal
- Search for Azure Arc
- In Azure Arc click on Servers
- Select Add to add new servers, choose an onboarding method and generate the onboarding script.
When onboarding multiple servers, it is advised to onboard using the multiple servers or any other supported method for multiple onboardings.
The main difference between adding a single server and adding multiple servers is the authentication. For multiple servers, service principal authentication is recommended. For testing and onboarding the first machine, the single server option is simple: the machine is onboarded with a few clicks based on an interactive sign-in using the device code flow.
For the simple demonstration of adding a single Windows Server 2022 machine, we click the Generate script button under the Add multiple servers option (so a service principal is used for the connection).
The first screen displays the prerequisites for adding servers to Azure Arc. Important is the following:
- HTTPS access to Azure services: outbound TCP port 443 to the required URLs
- Local administrator permission: onboarding requires local administrator permission on the server.
- Connectivity method (public endpoint / proxy server / private endpoint)
- Service principal with the Azure Connected Machine Onboarding role (when using the multiple servers option)
Step: Resource details
Next, configure the resource details: subscription, resource group, region, operating system, and connectivity method.
Tip: Use different resource groups for Azure Arc Windows and Linux machines. The connectivity method can be configured per the specific connectivity requirement.
When onboarding multiple servers, a service principal with the Azure Connected Machine Onboarding role is required.
Click on; Create or manage service principals with Azure Arc-related roles
- Create a new service principal using the button; Create service principal
- Fill in the name, scope assignment level, subscription and resource group (1). Scope the assignment to the resource group used for Arc onboarding rather than the whole subscription where possible.
- Configure the client secret (2)
- Assign the Azure Connected Machine Onboarding role (3)
Copy the service principal client ID and client secret; the secret is shown only once.
With Azure Arc, tags can be important for configuring more structure in the resources, as you may have Arc-enabled for different geographics/data centers and locations. Use the default tags/ or create custom tags for specific Azure Arc resources.
Step: Download and run the script
The script can be copied for the initial installation and Azure Arc onboarding, or downloaded as a PS1 file using the download button. When onboarding to a different subscription or resource group, the script can be edited without running the complete wizard again. When connecting with a service principal, the client secret of the principal must be filled in the script before it is run.
Run the Azure Arc Connected Machine onboarding script
Now execute the PowerShell script (elevated) and complete the Azure Arc onboarding. The script installs .NET Framework and the Azure Connected Machine Agent. Expected script result: "Installation of azcmagent completed successfully" and "Machine successfully connected to Azure".
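The script below is an added example that follows the structure of the portal-generated onboarding script; it is not the generated script itself and not code from the original post. It installs the Connected Machine agent from Microsoft's installer bootstrap and runs azcmagent connect with a service principal. All IDs, names, the location and the tags are placeholder assumptions to be replaced with the values from the wizard. The one deliberate difference from a copy-pasted wizard script: the client secret is not hard-coded but taken from an environment variable (assumed name ARC_SP_SECRET, set by the deployment tool) or prompted for, so the secret does not end up in every copy of the script.

```powershell
# Added example: Azure Arc onboarding with a service principal.
# Run as local administrator. All values below are placeholders (assumptions).
$ServicePrincipalId = "00000000-0000-0000-0000-000000000000"   # application (client) ID
$SubscriptionId     = "00000000-0000-0000-0000-000000000000"
$TenantId           = "00000000-0000-0000-0000-000000000000"
$ResourceGroup      = "rg-arc-windows"          # assumed: separate RG for Windows, as advised above
$Location           = "westeurope"
$Cloud              = "AzureCloud"
$Tags               = "Datacenter=On-Premises Hyper-V,Environment=Prod"

# Do not embed the client secret in a script that is copied to many servers.
# Read it from an environment variable (ARC_SP_SECRET is an assumed name) or prompt for it.
$ServicePrincipalSecret = $env:ARC_SP_SECRET
if ([string]::IsNullOrEmpty($ServicePrincipalSecret)) {
    $secure = Read-Host -Prompt "Service principal client secret" -AsSecureString
    $ServicePrincipalSecret = [System.Net.NetworkCredential]::new("", $secure).Password
}

# Older Windows Server builds do not negotiate TLS 1.2 by default; the download needs it.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Download and run Microsoft's installer bootstrap for the Connected Machine agent.
$installer = Join-Path $env:TEMP "install_windows_azcmagent.ps1"
Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile $installer
& $installer
if ($LASTEXITCODE -ne 0) { throw "Agent installation failed with exit code $LASTEXITCODE" }

# Connect the machine to Azure Arc; creates the Microsoft.HybridCompute/machines resource.
$azcmagent = Join-Path $env:ProgramW6432 "AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent connect `
    --service-principal-id     $ServicePrincipalId `
    --service-principal-secret $ServicePrincipalSecret `
    --resource-group           $ResourceGroup `
    --tenant-id                $TenantId `
    --location                 $Location `
    --subscription-id          $SubscriptionId `
    --cloud                    $Cloud `
    --tags                     $Tags
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# The agent now holds its own managed identity; drop the secret from the session.
Remove-Variable ServicePrincipalSecret, secure -ErrorAction SilentlyContinue
```

After a successful run the last lines of the azcmagent output contain the "Machine successfully connected to Azure" message referenced above; a non-zero exit code points to the agent log under C:\ProgramData\AzureConnectedMachineAgent\Log.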
For troubleshooting of the agent connection see: Troubleshoot Azure Arc-enabled servers agent connection issues | Microsoft Docs
Additional logs and configuration files can be found here: C:\ProgramData\AzureConnectedMachineAgent
Show Azure Arc State
For showing the state of the Connected Machine Agent and the applied configuration, run the following PowerShell command:
Result: additional information and an advanced view of the running services, installed version and Azure information such as resource group, subscription, tenant, and more. The "Agent Logfile" value points to the log file to use for further troubleshooting.
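The following script is an added example, not code from the original post. It runs azcmagent show, turns its "Key : Value" output into a hashtable, prints the values a Defender for Cloud onboarding depends on (resource group, subscription, tenant, agent status, log file), checks the agent's dependent Windows services, and finishes with azcmagent check, the agent's own network connectivity test against the required endpoints. The exact key names and service names are assumptions that match the agent versions I have worked with; verify them against your agent's output.

```powershell
# Added example: inspect the Connected Machine agent state and connectivity.
$azcmagent = Join-Path $env:ProgramW6432 "AzureConnectedMachineAgent\azcmagent.exe"

function Get-ArcAgentState {
    # Parse "azcmagent show" (lines like "Agent Status : Connected") into a hashtable.
    $state = @{}
    & $azcmagent show | ForEach-Object {
        if ($_ -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.+?)\s*$') {
            $state[$Matches.key] = $Matches.value
        }
    }
    return $state
}

$state = Get-ArcAgentState

# Keys assumed from the agent's output format; missing keys print as empty.
"Resource Name", "Resource Group Name", "Subscription ID", "Tenant ID",
"Location", "Agent Version", "Agent Status", "Agent Logfile" |
    ForEach-Object { "{0,-22} {1}" -f $_, $state[$_] }

if ($state["Agent Status"] -ne "Connected") {
    Write-Warning "Agent is not connected; check $($state['Agent Logfile'])"
}

# Dependent services of the agent (names assumed: himds, GCArcService, ExtensionService).
# The extension service is the one that installs MDE.Windows later on.
Get-Service -Name himds, GCArcService, ExtensionService -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# Network prerequisite check from the agent's point of view (honours the agent's proxy settings).
& $azcmagent check
```

Running this on a server that shows "Connected" but never appears in Defender for Cloud usually narrows the problem down to either a stopped ExtensionService or a blocked endpoint reported by azcmagent check.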
View machine in Azure Arc
After onboarding, the machines are visible in the Azure Arc portal. To view them, go to Azure Arc and click on Servers. Result: the onboarded entry is visible with additional information and the configured datacenter tag “On-Premises Hyper-V”. Filtering is possible by tag, which makes a designed tag structure important.
When opening the device entry, more information is visible and additional Azure Arc features can be used (Azure Policy, Extensions, Machine Configuration, Automanage, Updates and more). Some of the additional features incur additional costs.
For Azure Policy guest configuration (includes Azure Automation change tracking, inventory and state configuration) the price is $6 per server per month.
Defender for Cloud
After some time, the device becomes visible in Defender for Cloud. When Defender for Servers is correctly enabled, the device is onboarded automatically in Defender for Endpoint. Validate that the following items are correctly enabled:
- Defender for Servers (P1 or P2) enabled
- Integration with Defender for Endpoint enabled, including the unified solution for Windows Server 2012 R2 / 2016
Defender for Cloud shows the Azure Arc device with the resource type; Servers – Azure Arc
Recommendations that are part of Defender for Cloud become visible. Important for Defender for Endpoint is the recommendation "Endpoint protection should be installed on machines", next to the other recommendations relevant to the Defender for Endpoint onboarding.
When the onboarding is completed, the device is visible in Defender for Endpoint via security.microsoft.com -> Devices and the MDE.Windows extension is installed on the Arc resource.
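Before waiting for the device to show up in the portal, the same result can be verified on the server itself. The script below is an added example (not from the original post) that checks, in order: whether the MDE.Windows extension package has been unpacked by the Arc extension service, whether the Sense service (the Defender for Endpoint sensor used by both the unified agent on 2012 R2 / 2016 and the built-in onboarding on 2019+) is running, the onboarding state in the registry, and the Defender AV mode where the Defender module is available. The C:\Packages\Plugins folder naming is an assumption about where Arc extensions are unpacked.

```powershell
# Added example: local validation of the Defender for Endpoint onboarding done via Azure Arc.
$checks = [ordered]@{}

# Azure Arc extensions are unpacked under C:\Packages\Plugins\<Publisher>.<Type> (assumption).
$ext = Get-ChildItem -Path "C:\Packages\Plugins" -Directory -ErrorAction SilentlyContinue |
       Where-Object Name -like "*MDE.Windows*"
$checks["MDE.Windows extension present"] = [bool]$ext

# Sense is the Defender for Endpoint sensor service.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$checks["Sense service running"] = ($sense.Status -eq "Running")

# OnboardingState 1 = onboarded; OrgId is the MDE tenant the device reports to.
$statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$checks["OnboardingState = 1"] = ($status.OnboardingState -eq 1)
$checks["OrgId populated"]     = -not [string]::IsNullOrEmpty($status.OrgId)

# Defender AV state; Get-MpComputerStatus is absent where Defender AV is not installed.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $checks["AV real-time protection"] = $mp.RealTimeProtectionEnabled
    $checks["AM running mode"]         = $mp.AMRunningMode   # Normal / Passive Mode / EDR Block Mode
} else {
    $checks["Defender AV present"] = $false
}

# Print the result table; every boolean should read True on a correctly onboarded server.
$checks.GetEnumerator() | ForEach-Object { "{0,-30} {1}" -f $_.Key, $_.Value }
```

A device that passes all checks but is still missing in security.microsoft.com -> Devices usually needs more time for its first check-in; a False on "OnboardingState = 1" with the extension present means the extension ran but the onboarding package did not apply, and the extension log under C:\Packages\Plugins is the place to look.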
Azure Arc Extensions:
Log Analytics Agent / Azure monitoring agent required?
The new MDE unified solution for Windows Server 2012 R2 / 2016 does not use or require the Log Analytics agent installed via auto-provisioning. The Defender solution is based on the Sense service (the same as on Windows 10 / Server 2019 and higher). Auto-provisioning is only needed for the following Defender for Servers features. It is still recommended to use the additional Defender for Servers features and the auto-provisioning of the Azure Monitor Agent to get the benefit of all features.
- Endpoint protection assessment – Security posture management (CSPM)
- Adaptive application controls – Defender for Servers Plan 2
- File Integrity Monitoring – Defender for Servers Plan 2
- Fileless attack detections – Defender for Servers Plan 2
For Defender for Servers Plan 2, the following capabilities require additional monitoring agents. Endpoint protection recommendations check whether an endpoint protection solution is installed; the OS baseline recommendation checks the OS configuration against the baseline recommendations.
| Capability | Log Analytics agent | Azure Monitor Agent | Guest Configuration extension |
|---|---|---|---|
| OS baseline recommendation | ✅ | | ✅ (preview) |
| Endpoint protection recommendations | ✅ | ✅ (preview) | |
| File Integrity Monitoring | ✅ | ✅ (preview) | |
| Adaptive Application Controls | ✅ | ✅ (preview) | |
| OS-level and fileless attack detections | ✅ | ✅ (preview) | |
Recommended webinar for more in-depth information: Demystifying Microsoft Defender for Servers
Part 3B of the MDE series contains more in-depth information for Defender for Cloud. Part 3B can be viewed here.
To summarize, the following flow gives a basic view of the onboarding for Server 2012 R2 and higher when onboarded with Azure Arc and enabled using Defender for Cloud.
Part 3C of the Microsoft Defender for Endpoint series is completed, focused on the initial Defender for Endpoint onboarding using Defender for Cloud and Azure Arc. Stay tuned for the next parts, where more in-depth knowledge and experience will be shared around Defender for Endpoint, focusing on all the components and additional settings.
Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas, or contact me via LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
View previous part – Microsoft Defender for Endpoint series – Onboard using Defender for Cloud – Part 3B
View next part – Onboard using MECM/ GPO – Part3D
Microsoft: Overview of Microsoft Defender for Servers
Microsoft: Connect your non-Azure machines to Microsoft Defender for Cloud
Microsoft: Overview of Azure Connected Machine agent
Microsoft: Azure Arc-Enabled servers
When devices are visible in Defender for Endpoint the integration works correctly. It is important to validate the state of the MDE management enrollment.
See https://jeffreyappel.nl/managing-microsoft-defender-for-endpoint-with-the-new-security-management-feature-in-mem/ for additional troubleshooting.
Based on my experience it takes about 60 minutes before the first registration.
What a high quality blog series on Microsoft Defender for Endpoint. It is fantastic to read….
Among the better, if not the best and most detailed I have read so far….
Thanks for your time
I have one question about onboarding via Azure Arc/Defender for Cloud and MDE (Intune managed) of servers.
All the servers I have onboarded via Arc this morning, I see in Security Center as Onboarded. However, the servers do not appear in Intune as Device and MDE managed nor do they have the ‘Managed by MDE’ in the Security Center.
2 weeks ago I onboarded a server as a test, this server has the MDE flag and is visible in Intune and the policies are assigned.
Question: Do you know how long it takes from onboarding a server in the Security Center until it can be managed via Intune (MDE/SENSE)?