It is time for part 3C of the ultimate Microsoft Defender for Endpoint (MDE) series. After part 3B (Onboard Defender for Endpoint using Defender for Cloud) it is now time for a more technical deep-dive scoped on Azure Arc and the onboarding of non-Azure servers. Part 3C focuses on onboarding on-premises and non-Azure cloud servers using Defender for Cloud and Azure Arc. Azure Arc makes it possible to onboard non-Azure servers in Defender for Cloud and Defender for Endpoint.

Important: Defender AV/ Next Generation Protection onboarding is critical and part of the complete protection platform. All AV/ Next Generation Protection information, including migration from other AV products, will be explained more in-depth in a later part.

NOTE: This blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are also available in P2.

Specific question or content idea for the Defender for Endpoint series? Use the contact submission form and share your post ideas.


What is Defender for Cloud/ Defender for Servers

Defender for Cloud / Defender for Servers is already explained in part 3B. Defender for Cloud contains two Defender for Servers plans (Plan 1 and Plan 2), and both include Defender for Endpoint Plan 2. This part focuses on the Azure Arc onboarding for on-premises servers/ non-Azure machines. For the complete explanation of Defender for Cloud / Defender for Servers view part 3B.

Important announcement

Previously it was possible to use Defender for Endpoint for Servers licensing for onboarding Windows Server 2008 R2 and higher in Defender for Endpoint via GPO, MECM, or other management tools. Microsoft shared the following message:

We encourage customers to consider switching to Microsoft Defender for Servers. See the detailed migration guide. There are upcoming changes to our server protection offering. Announcement

Microsoft

Based on the announcement, Microsoft will stop the Defender for Endpoint for Servers offering; Azure Arc/ Defender for Cloud then becomes the only way for onboarding non-Azure servers in Defender for Endpoint.

Update June 2023: Microsoft announced Direct onboarding, which onboards machines directly to Defender for Endpoint, without Azure Arc, and bills them via the Defender for Servers P1 plan.

With Direct onboarding it is possible to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc. This means we can deploy Defender for Endpoint from the M365 Defender portal using the onboarding package/ script and have billing through Azure/ Defender for Cloud, without the need for additional agents, extensions or products.

The new method supports the same degree of data integration between MDC and MDE as the Azure Arc/ Defender for Servers method.


What is Azure Arc-Enabled servers?

Azure Arc-enabled servers make it possible to manage Windows and Linux physical servers and virtual machines hosted outside of Azure. The management experience is designed to be consistent with the capabilities available for Azure virtual machines.

When a hybrid machine (on-premises/ non-Azure) is connected to Azure, it becomes a connected machine resource in Azure. Each connected machine has a resource ID and is placed in the configured resource group. With the machine represented as an Azure resource, Defender for Cloud can be enabled on the subscription and Defender for Servers P1/P2 can auto-provision the Defender for Endpoint agent on it.

For more Azure Arc information see: Azure Arc overview

Prerequisites

Azure Arc-enabled servers support installing the Connected Machine agent on physical servers and virtual machines hosted outside of Azure. Azure Arc-enabled servers are not supported for virtual machines running in Azure, Azure Stack Hub, or Azure Stack Edge; these are already modelled as Azure VMs and can be onboarded directly to MDE using Defender for Cloud. Use Azure Arc for the following environments:

  • VMware
  • Hyper-V
  • On-premises servers
  • Azure Stack HCI
  • Other cloud environments (Amazon/ Google…)

Microsoft supports a specific set of Windows and Linux operating systems. The Azure Connected Machine agent runs only on 64-bit systems.

For Windows the following systems are supported (Windows Server 2008 R2 SP1 works only with the MMA-based solution):

  OS                            Defender for Servers onboarding method
  Windows Server 2008 R2 SP1    MMA (Log Analytics agent)
  Windows Server 2012 R2        Unified agent
  Windows Server 2016           Unified agent
  Windows Server 2019 and later Built-in Sense onboarding
  Windows IoT Enterprise        Built-in Sense onboarding

More detailed prerequisites: Connected Machine agent prerequisites – Azure Arc | Microsoft Docs.

Network

Azure Arc-enabled servers require outbound connectivity to reach Azure services. Proxy server configuration is possible for the Connected Machine agent. View all network requirements here: Connected Machine agent network requirements – Azure Arc | Microsoft Docs

Azure Environment

For configuring Azure Arc correctly, the following resource providers must be enabled in Azure:

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration
  • Microsoft.HybridConnectivity

Registration is possible using Azure PowerShell:

Connect-AzAccount
Set-AzContext -SubscriptionId [subscription you want to onboard]
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridCompute
Register-AzResourceProvider -ProviderNamespace Microsoft.GuestConfiguration
Register-AzResourceProvider -ProviderNamespace Microsoft.HybridConnectivity
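Provider registration is asynchronous, so a script that registers and then immediately continues with onboarding can fail. The following PowerShell is an added example (not part of the original post) that registers only the providers that are missing and waits until each one reports Registered; it assumes the Az.Accounts and Az.Resources modules, and the subscription ID is a placeholder.

```powershell
# Added example (not from the original post): register the resource providers Azure Arc needs
# and wait until each one reports "Registered". Assumes Az.Accounts/Az.Resources are installed.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your own
$Providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function Get-ProviderState {
    param([string]$Namespace)
    # Get-AzResourceProvider returns one object per resource type; the state is the same on all of them.
    (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState | Select-Object -First 1
}

foreach ($ns in $Providers) {
    $state = Get-ProviderState -Namespace $ns
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns (current state: $state)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Registration is asynchronous; poll until every provider is Registered, give up after 5 minutes.
$deadline = (Get-Date).AddMinutes(5)
do {
    $pending = foreach ($ns in $Providers) {
        $state = Get-ProviderState -Namespace $ns
        if ($state -ne 'Registered') { "$ns=$state" }
    }
    if ($pending) { Start-Sleep -Seconds 10 }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) { throw "Providers still not registered: $($pending -join ', ')" }
Write-Host 'All Azure Arc resource providers are registered.'
```

Registering a provider needs the Microsoft.Resources/subscriptions/providers/register action (Contributor or Owner on the subscription); the onboarding service principal created later does not need it.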

Check permissions

Did you know there is a risk when onboarding Domain Controllers/ Tier-0 servers to Azure Arc/ Defender for Endpoint (MDE)? When the access model is not configured correctly the impact can be huge: it can allow a take-over of the machine. Let me explain why and how to design a structure without this risk.

The risk with Azure Arc

After enabling Azure Arc on Domain Controllers or other Tier-0 servers, a server take-over via the Arc agent and policies/ scripts becomes possible. Anyone who can deploy extensions can run PowerShell scripts (Custom Script Extension) to create local accounts or change critical settings on the domain controllers. When the server is enrolled in MDE the EDR can detect malicious actions, but not every action performed this way is detected.

If you deploy a domain controller/ other Tier-0 asset and manage the server using Azure Arc, then every Azure Arc admin, and every holder of a role that can become an Azure Arc admin in that tenant (for example by assigning roles on the resource), is effectively a Domain Admin for that AD forest.

See the following link for more monitoring capabilities: Monitor mode: Azure’s monitoring capabilities delivered securely to Azure Arc-enabled servers

What can we do?

When designing Azure Arc it is necessary to define a good RBAC/ subscription model and to grant permissions only to a specific set of people. Are all Azure Arc machines in one subscription/ resource group? Then each member with a sufficient role can manage every server, including Tier-0, via Azure Policy/ scripts.

– Design a good RBAC/ Azure/ IAM structure
– Give limited access to Tier-0 and Domain Controllers
– Dedicated Resource Group for Tier-0 with limited access
– Check who has control over the Azure Arc resources
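The practical check behind the last item is: who, through Azure RBAC, can push an extension, a run command or a machine configuration onto the Tier-0 resource group? The following PowerShell script is an added example (not from the original post) that enumerates that set, including assignments inherited from the subscription or management group. The subscription ID and resource group name are placeholders, and the action list is my own selection of the operations that give code execution on an Arc-enabled server (plus the right to grant oneself those roles).

```powershell
# Added example (not from the original post): list every principal whose effective Azure RBAC role
# on the Tier-0 Azure Arc resource group can execute code on the machines. Assumes Az.Resources.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$ResourceGroup  = 'rg-arc-tier0'                           # placeholder, replace
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Control-plane operations that translate into code execution (or into granting it) on an Arc server.
$DangerousActions = @(
    'Microsoft.HybridCompute/machines/extensions/write',                   # deploy any extension (CustomScript, ...)
    'Microsoft.HybridCompute/machines/runCommands/write',                  # Run Command on the machine
    'Microsoft.GuestConfiguration/guestConfigurationAssignments/write',    # machine configuration (DSC)
    'Microsoft.Authorization/roleAssignments/write'                        # can hand out the roles above
)

# Role definitions use wildcards ("*", "Microsoft.HybridCompute/*"); turn each pattern into a regex.
function Test-ActionMatch {
    param([string[]]$Patterns, [string]$Action)
    foreach ($p in $Patterns) {
        $regex = '^' + [regex]::Escape($p).Replace('\*', '.*') + '$'
        if ($Action -match $regex) { return $true }
    }
    return $false
}

# Get-AzRoleAssignment -Scope returns assignments at that scope and those inherited from parent scopes,
# which is exactly the set that is effective on the Tier-0 machines.
$assignments = Get-AzRoleAssignment -Scope $Scope
$roleCache   = @{}

$findings = foreach ($a in $assignments) {
    if (-not $roleCache.ContainsKey($a.RoleDefinitionId)) {
        $roleCache[$a.RoleDefinitionId] = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    }
    $role = $roleCache[$a.RoleDefinitionId]
    $granted = foreach ($action in $DangerousActions) {
        # An action is effective when an Actions pattern allows it and no NotActions pattern removes it.
        if ((Test-ActionMatch $role.Actions $action) -and -not (Test-ActionMatch $role.NotActions $action)) {
            $action
        }
    }
    if ($granted) {
        [pscustomobject]@{
            Principal  = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
            ObjectType = $a.ObjectType
            Role       = $a.RoleDefinitionName
            AssignedAt = $a.Scope            # shows whether the right is inherited from a parent scope
            Allows     = ($granted -join '; ')
        }
    }
}

$findings | Sort-Object AssignedAt, Principal | Format-Table -AutoSize
```

Expect Azure Policy assignments with DeployIfNotExists effects to show up as ServicePrincipal entries (their managed identities hold Contributor-like rights), so the list is also a review of which policies may touch Tier-0. Independent of RBAC, the agent itself can be told which extensions it will ever install with azcmagent config set extensions.allowlist "Microsoft.Azure.AzureDefenderForServers/MDE.Windows"; on Tier-0 machines that local allowlist is worth setting so a compromised or over-privileged Azure identity cannot push a Custom Script Extension even when the RBAC review is out of date.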

The risk with Defender for Endpoint and Azure Arc?

When using Defender for Endpoint without Azure Arc there is still a risk. For all MDE onboarded devices there is a risk of a complete take-over via Live Response. With Live Response it is possible to upload custom PowerShell scripts and run them on any onboarded machine, as long as the user has the permissions. Always check the permissions and who is able to use Live Response.

For MDE consider a good device-group structure and limit access to the Tier-0/ Domain Controller assets to a specific group of people.

What can we do?

Tag devices and assign them to a specific device group in MDE. Limit access to that device group to a specific group of people. With roles in the MDE portal it is possible to allow only that group access to the device group.

– Tag machines
– Create separate device groups for T0/ critical assets
– Grant limited permissions to the device group
– Review live response activity
– Disable unsigned script execution for Live Response in the Advanced features when possible
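Tagging can be done from the portal or the API, but for Tier-0 assets a local, role-based tag is more robust because the tag is then set by the machine itself and not by whoever has portal rights. The following PowerShell is an added example (not from the original post) that tags Domain Controllers through the DeviceTagging registry key MDE reads; the tag value "Tier-0" and the device-group name are assumptions, and the script is meant to run elevated, for example as a GPO startup script.

```powershell
# Added example (not from the original post): tag Domain Controllers locally so they land in a
# dedicated "Tier-0" MDE device group. MDE reads the tag from the DeviceTagging registry key;
# the tag value is an assumption and must match the device-group rule in the MDE portal.
$TagKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$Tier0Tag = 'Tier-0'

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Set-MdeDeviceTag {
    param([string]$Tag)
    if (-not (Test-Path $TagKey)) { New-Item -Path $TagKey -Force | Out-Null }
    # MDE supports one registry-based tag per device, stored in the REG_SZ value named "Group".
    Set-ItemProperty -Path $TagKey -Name 'Group' -Value $Tag -Type String
}

function Get-MdeDeviceTag {
    if (Test-Path $TagKey) { (Get-ItemProperty -Path $TagKey -ErrorAction SilentlyContinue).Group }
}

if (Test-IsDomainController) {
    Set-MdeDeviceTag -Tag $Tier0Tag
    Write-Host "Tagged $env:COMPUTERNAME as '$(Get-MdeDeviceTag)'; it moves to the Tier-0 device group on the next sensor sync."
} else {
    Write-Host "$env:COMPUTERNAME is not a Domain Controller; no Tier-0 tag applied (current tag: '$(Get-MdeDeviceTag)')."
}

# Sanity check: the tag only reaches the portal when the Sense service runs and the device is onboarded.
$status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
if ((Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -ne 'Running' -or $status.OnboardingState -ne 1) {
    Write-Warning 'Sense is not running or the device is not onboarded; the tag will not be reported yet.'
}
```

On the portal side, create the device group with a rule on Tag equals Tier-0, place it above the default group in the evaluation order, and assign it only to the role used by the Tier-0 administrators; a registry tag cannot be removed from the portal, which is exactly what you want for Domain Controllers.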


Azure Arc onboarding

To get machines onboarded in Defender for Cloud we need to make sure the machine is correctly onboarded in Azure Arc. Currently, multiple methods are available for deploying the Connected Machine agent:

  • Add a single server
  • Add multiple servers
  • Add servers from Update Management
  • Add servers with Azure Migrate

Microsoft explains all available onboarding methods. For deployment, there are multiple options available. See: Azure Connected Machine agent deployment options – Azure Arc | Microsoft Docs

For onboarding machines in Azure Arc:

  • Sign in to the Azure portal
  • Search for Azure Arc
  • In Azure Arc click on Servers
  • Select Add to add new servers and generate the onboarding script for the chosen method.

When onboarding multiple servers, it is advised to use the Add multiple servers option or any other supported method for bulk onboarding.

The main difference between Add a single server and Add multiple servers is the authentication. For multiple servers, service principal authentication is recommended. For testing and onboarding the first machine, the Add a single server option is simple and onboards the machine with a few clicks based on interactive authentication with the device code flow.

For the simple demonstration of adding a single Windows Server 2022 machine, we click the Generate script button under the Add multiple servers option.

Step Prerequisites

The first screen displays the prerequisites for adding servers to Azure Arc. Important is the following:

  • HTTPS access to Azure Services: Port 443 and connection for outbound URLs
  • Local administrator permission: Onboarding requires local administrator permission on the server.
  • Connectivity method (internet/ proxy/ public/ private)
  • Service Principal with Azure Connected Machine Onboarding Role (when using multiple servers option)

Step Resource details

Next; configure the resource details; subscription, resource group, region, operating system, and connectivity method.

Tip: Use different resource groups for Azure Arc Windows / Linux machines. The connectivity method can be set to match the specific connectivity requirement (public endpoint, proxy or private link).

Step Authentication

When using the onboarding for multiple servers – there is a requirement for configuring a Service principal with the correct Azure Connected Machine onboarding permissions.

Click on; Create or manage service principals with Azure Arc-related roles

  • Create a new service principal using the button; Create service principal
  • Fill in the Name/ Scope Assignment level/ Subscriptions/ Resource Group (1)
  • Configure Client Secret (2)
  • Assign the Azure Connected machine onboarding role (3)

Copy the Service Principal Client ID and Client secret.

Step Tags

With Azure Arc, tags can be important for configuring more structure in the resources, as you may have Arc-enabled for different geographics/data centers and locations. Use the default tags/ or create custom tags for specific Azure Arc resources.

Step Download and run the script

The script can be copied for running the initial installation and Azure Arc onboarding, or downloaded as a PS1 file using the download button. When onboarding to a different subscription or resource group, the script variables can be changed without running the complete wizard again. When connecting with a service principal, the secret of the principal needs to be filled in before running the script; from that moment treat the script as a secret and remove it from the server after onboarding.


Run Azure Arc – Connected machine onboarding script

Now you can execute the PowerShell script and complete the Azure Arc onboarding. The script installs the Azure Connected Machine Agent (and .NET Framework when required). Expected script result: Installation of azcmagent completed successfully and Machine successfully connected to Azure.

For troubleshooting of the agent connection see: Troubleshoot Azure Arc-enabled servers agent connection issues | Microsoft Docs

Additional logs and configuration files can be found here: C:\ProgramData\AzureConnectedMachineAgent

Show Azure Arc State

For showing the state of the Connected Machine Agent and applied configuration run the following PowerShell command:

azcmagent show

Result: additional information and advanced view of the running services/ installed version/ azure information such as resource group, subscriptions, tenant, and much more. Agent logfile contains the troubleshooting path for additional log files.
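The portal-generated script embeds the service principal secret in clear text. As an added example (not the portal's script and not from the original post), the following PowerShell performs the same steps but reads the secret at run time, checks the exit codes and ends with azcmagent show. All IDs, names and tags are placeholders; the installer URL is the one used by the portal-generated script. Run it elevated on the server being onboarded.

```powershell
# Added example (not from the original post): install the Connected Machine agent and connect the
# server with a service principal, without storing the secret on disk. All values are placeholders.
$ServicePrincipalId = '00000000-0000-0000-0000-000000000000'
$TenantId           = '00000000-0000-0000-0000-000000000000'
$SubscriptionId     = '00000000-0000-0000-0000-000000000000'
$ResourceGroup      = 'rg-arc-windows'
$Location           = 'westeurope'
$Tags               = 'Datacenter=On-Premises Hyper-V,Tier=1'   # comma-separated key=value pairs

$AgentExe = Join-Path $env:ProgramW6432 'AzureConnectedMachineAgent\azcmagent.exe'

# 1. Install the agent if it is not there yet (same installer the portal script downloads).
if (-not (Test-Path $AgentExe)) {
    $installer = Join-Path $env:TEMP 'install_windows_azcmagent.ps1'
    Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -OutFile $installer -UseBasicParsing
    & $installer
    if ($LASTEXITCODE -ne 0) { throw "Agent installation failed with exit code $LASTEXITCODE" }
}

# 2. Ask for the secret interactively so it never sits in the script next to the tenant details.
$secure = Read-Host -Prompt 'Service principal secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# 3. Connect. The service principal only needs the "Azure Connected Machine Onboarding" role
#    on the target resource group, nothing broader.
& $AgentExe connect `
    --service-principal-id $ServicePrincipalId `
    --service-principal-secret $secret `
    --tenant-id $TenantId `
    --subscription-id $SubscriptionId `
    --resource-group $ResourceGroup `
    --location $Location `
    --tags $Tags
$secret = $null
if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed with exit code $LASTEXITCODE; see C:\ProgramData\AzureConnectedMachineAgent\Log"
}

# 4. Verify: the agent reports its Azure resource ID, tenant, subscription and agent status.
& $AgentExe show
```

The secret is still visible on the azcmagent.exe command line for the duration of the connect call (process-creation telemetry, including MDE's own DeviceProcessEvents, records it), which is one more reason to give the onboarding principal nothing beyond the onboarding role and to rotate the secret after a bulk rollout.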


View machine in Azure Arc

After onboarding of the machines the devices are visible in the portal of Azure Arc. For viewing devices go to Azure Arc and click on Servers. Result: Onboarded entry visible with additional information and the configured datacenter tag “On-Premises Hyper-V”. Filtering is possible with the use of tags; which makes a designed tag structure important.

When opening the device entry more information is visible and additional Azure Arc features can be used (Azure Policy/ Extensions/ Machine Configuration/ Automanage/ Updates and more). Some of these features incur additional costs.

For Azure Policy guest configuration (includes Azure Automation change tracking, inventory, state configuration) you need to pay $6/Server/Month.


Defender for Cloud

After some time the device will be visible in Defender for Cloud. When Defender for Servers is correctly enabled the device is onboarded automatically in Defender for Endpoint. Validate that the following items are correctly enabled:

  • Defender for Servers (P1 or P2) enabled
  • Integration with Defender for Endpoint enabled + unified solution

Defender for Cloud shows the Azure Arc device with the resource type; Servers – Azure Arc

Recommendations part of Defender for Cloud are visible. Important for Defender for Endpoint is the value; Endpoint protection should be installed on machines and other relevant recommendations for the Defender for Endpoint onboarding.

When the onboarding is completed; The device is correctly visible in Defender for Endpoint via security.microsoft.com -> Devices and the MDE.Windows extension is installed.

Azure Arc Extensions:

MDE portal:

Log Analytics Agent / Azure monitoring agent required?

The new MDE solution for Server 2012 R2/ 2016 (the unified agent) does not use or require the Log Analytics agent installed via auto-provisioning. It is based on the Sense service, just like Windows 10/ Server 2019 and higher. Auto-provisioning of a monitoring agent is only needed for the Defender for Servers features listed below. It is still recommended to use these additional features of Defender for Servers and to enable auto-provisioning of the Azure Monitor Agent for them.

  • Endpoint protection assessment- Security posture management (CSPM)
  • Adaptive application controls – Defender for Servers Plan 2
  • File Integrity Monitoring – Defender for Servers Plan 2
  • Fileless attack detections – Defender for Servers Plan 2

For Defender for Servers Plan 2 the following capabilities require an additional monitoring agent. The endpoint protection recommendation checks whether an endpoint protection solution is installed; the OS baseline recommendation checks the operating system against the security baseline.

  Capability                                Log Analytics agent   Azure Monitor Agent   Guest Configuration extension
  OS baseline recommendation                ✅                    -                     ✅ (preview)
  Endpoint protection recommendations       ✅                    ✅ (preview)          -
  File Integrity Monitoring                 ✅                    ✅ (preview)          -
  Adaptive Application Controls             ✅                    ✅ (preview)          -
  OS-level and fileless attack detections   ✅                    ✅ (preview)          -

Recommended webinar for more in-depth information: Demystifying Microsoft Defender for Servers

Part 3B of the MDE series contains more in-depth information for Defender for Cloud. Part 3B can be viewed here.


Flowchart

To summarize, the following flow is a basic view of the onboarding flow for Server 2012 R2 and higher when onboarded with Azure Arc and enabled using Defender for Cloud.


Update Azure Arc agent

The Azure Connected Machine agent is updated regularly to address bug fixes, stability enhancements, and new functionality. The agent update recommendations are visible via Azure Advisor. There is no automatic update based on the agent itself.

With the following Azure Resource Graph query (KQL), it is possible to list all Arc-enabled machines that are not running the latest agent version:

AdvisorResources
| where type == 'microsoft.advisor/recommendations'
| where properties.category == 'HighAvailability'
| where properties.shortDescription.solution == 'Upgrade to the latest version of the Azure Connected Machine agent'
| project
    id,
    JoinId = toupper(properties.resourceMetadata.resourceId),
    machineName = tostring(properties.impactedValue),
    agentVersion = tostring(properties.extendedProperties.installedVersion),
    expectedVersion = tostring(properties.extendedProperties.latestVersion)
| join kind=leftouter (
    Resources
    | where type == 'microsoft.hybridcompute/machines'
    | project
        machineId = toupper(id),
        status = tostring(properties.status)
    ) on $left.JoinId == $right.machineId
| where status != 'Expired'
| summarize by id, machineName, agentVersion, expectedVersion
| order by tolower(machineName) asc

The Azure Connected Machine agent for Windows can be upgraded to the latest release manually or via Microsoft Update.

Direct download of the latest Azure Arc Connected Machine agent: Microsoft Download center

See: Upgrade the agent | Microsoft Docs for all in-depth update instructions for each method.


Onboard machine using Direct onboarding without Azure Arc

Previously, onboarding hybrid servers to Defender for Servers with MDE required Azure Arc as a prerequisite, since the standalone Defender for Endpoint for Servers plan was removed from the licensing options some time ago (for CSP customers without an EA agreement). Azure Arc brings benefits for modern server management, but some organizations only need EDR, without all the additional controls and management of the Azure Resource Manager layer. Azure Arc is not next, next, finish: it requires monthly maintenance, correct RBAC, update management, knowledge, and auditing.

Direct onboarding makes it possible to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc: deploy Defender for Endpoint from the M365 Defender portal using the onboarding package/ script, with billing through Azure/ Defender for Cloud, without additional agents, extensions or products, and with the same degree of data integration between MDC and MDE as the Azure Arc/ Defender for Servers method.

Current limitations: Direct onboarding Current limitations

Onboarding via Direct onboarding

Previously it was always necessary to use Defender for Servers to get the server license, since the standalone license was removed some time ago. With that licensing decision it was necessary to enroll non-Azure resources, such as on-premises machines or machines hosted in another cloud, in Azure Arc. With the new onboarding method Azure Arc is no longer required when onboarding machines to Defender for Endpoint.

Now the question what is the best onboarding method?

There is still a benefit in Azure Arc, since Azure Arc enables a couple of features that are not part of direct onboarding (Defender for Servers P2 features + Arc features). When machines are hosted in Azure it is common to use the Defender for Servers onboarding method, since provisioning is automatic via the MDE.Windows and MDE.Linux extensions.

Direct onboarding method

In situations where Azure Arc is a huge overhead (it requires its own security, policies and design decisions), the direct onboarding method can be used. With direct onboarding there is a seamless integration between Defender for Endpoint and Defender for Cloud without deploying additional agents. Once enabled, the machines that are part of Defender for Endpoint are synced to the Defender for Cloud inventory in the designated Azure subscription.

With direct onboarding, Defender for Cloud is mainly used for licensing: the Azure subscription is used for licensing, billing, alerts, and insights. For additional configuration and protection features Azure Arc is still needed.

Direct onboarding is an opt-in setting that is enabled at the tenant level. Once enabled it affects existing and new servers that are onboarded in the Defender for Endpoint tenant. After enabling, the onboarded machines are synced to the designated subscription and pricing becomes part of the Defender for Cloud billing.

Enabling Direct onboarding

Direct onboarding enablement is possible in the Defender for Cloud environment settings. After enabling direct onboarding it will take up to 24 hours for machines to be synced in the designated subscription.

To manage this setting, you need Subscription Owner permissions (on the chosen subscription), and AAD Global Administrator or AAD Security Administrator

For enabling the feature go to Defender for Cloud -> Environment Settings -> Direct Onboarding

Switch the direct onboarding toggle to On

Select the subscription. The subscription is the location where the synced machines are visible/ located. Ideally, create a separate subscription for optimal control of the Defender for Servers P1/ P2 plan and the cost of the servers.

When enabled it will take 24 hours before machines are synced to the inventory in the designated subscription. After enabling the feature the licensing is part of Defender for Cloud.

IMPORTANT: This setting is currently only possible tenant-wide. It syncs all devices in Defender for Endpoint that were active in a recent time interval. Review the information below to make sure there is no duplicate cost.

Each machine included recommendations/ alerting and insights:

Data integration between MDE and Defender for Cloud:

Defender for Servers plan

In Defender for Servers there are a P1 and a P2 plan. Direct onboarding provides access to all Defender for Servers Plan 1 features; there is no real benefit of the Plan 2 features when using direct onboarding.

Several Defender for Servers P2 features depend on the Azure Monitor Agent, which on non-Azure machines is only available via Azure Arc. Without the Azure Monitor Agent you pay the $15 per server per month P2 price for a limited set of features.

When enabling Defender for Servers P2 in the designated subscriptions, machines onboarded directly will have access to the Defender for Servers Plan 1 feature and the Vulnerability Management add-on features. All other features are not supported or available.

The Defender for Servers plan is visible via the environment settings in Defender cloud.

NOTE: The resource count shown in the plan settings does not yet include the machines onboarded via Direct onboarding.

Review machines onboarded via Direct onboarding

When machines are part of Defender for Endpoint and recently active in the inventory they will be synced automatically to the configured subscription when the requirements are in place.

For viewing machines part of the direct onboarding process: Go to Defender for Cloud and open the inventory. In the resource type there is a new filter available with the following resource types:

  Resource type                     Explanation
  Servers – Defender for Endpoint   Machines onboarded via direct onboarding
  Virtual machines                  Machines hosted in Azure
  Servers – Azure Arc               Machines onboarded via Azure Arc

The resource type Servers – Defender for Endpoint contains all machines onboarded via direct onboarding. When a machine appears twice, billing is based on hourly activity; this is the same process as used for servers onboarded via Defender for Servers or Azure Arc.

Machines are visible in the inventory. Recommendations and alerts are directly visible on the resource name.

What happens when the machine is already part of Defender for Servers?

When the machine is already part of Defender for Servers the resource is visible as resource type Virtual machines, or as Servers – Azure Arc when onboarded via Azure Arc.

There is a limitation here. When an Azure VM or Azure Arc machine is onboarded in Defender for Servers via an Azure subscription or Log Analytics workspace and is running Defender for Endpoint, it becomes part of the direct onboarding flow when the MDE.Windows or MDE.Linux extension is not installed.

Make sure machines hosted in Azure or onboarded via Azure Arc are correctly registered using the MDE.Windows or MDE.Linux extension. When the extension is not present the machine results in a duplicate entry once direct onboarding is enabled.

Log Analytics workspace

When machines are already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace, these machines will also be part of the direct onboarding flow and result in duplicate devices.

For more limitations see: Simultaneous onboarding limited support | Microsoft Learn.

From direct onboarding to Azure Arc

It is supported to move from Direct onboarding to Azure Arc without duplicate cost. When Azure Arc is needed for collecting logs via AMA or for any other feature not supported by direct onboarding, installing the Azure Arc agent is fully supported. No offboarding from Defender for Endpoint is required.

How to onboard MDE using the Direct onboarding method

When using Direct onboarding the onboarding can be deployed via the available deployment options in Defender for Endpoint. For Windows the following options can be used:

  • Microsoft Configuration Manager
  • Intune (Via Tenant-Attach)
  • Scripting/ GPO
  • And more..

For Linux the following options are available:

  • Script
  • Puppet
  • Ansible
  • Chef
  • Saltstack

More information here: Onboard to the Microsoft Defender for Endpoint service

When using the unified agent for Server 2012 R2 and 2016 it is necessary to install the MSI and run the onboarding package. When the machine is onboarded in Defender for Endpoint it is automatically synced to the designated subscription in Defender for Cloud/ Defender for Servers. In general, the order is the following:

  • Onboard machine using available onboarding methods in MDE
  • Enable direct onboarding in Defender for Cloud with Defender for Servers P1 enabled
  • Machines will be synced automatically for licensing to Defender for Cloud
  • Alert and recommendation experience is visible in Defender for Cloud
  • The result is active Defender for Endpoint which is onboarded via GPO/ Configuration Manager or any other method – and licensing is billed via Defender for Servers P1.
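The first step of that order, for a Server 2012 R2/ 2016 machine, is the unified agent MSI plus the onboarding package. The following PowerShell is an added example (not from the original post) of an unattended install followed by a local check that the Sense sensor is onboarded, which is the state the direct onboarding sync depends on. It uses the file names of the unified agent package (md4ws.msi, Install.ps1 and WindowsDefenderATPOnboardingScript.cmd from the MDE portal); the share path and the old MMA workspace ID are placeholders, and it is meant to run elevated, for example as a GPO startup script or a Configuration Manager package.

```powershell
# Added example (not from the original post): unattended unified-agent install on Server 2012 R2 / 2016
# plus a local onboarding check. Share path and workspace ID are placeholders.
$Source     = '\\fileserver\mde$'   # placeholder: share holding md4ws.msi, Install.ps1 and the onboarding .cmd
$OldMmaWsId = ''                    # placeholder: MMA workspace ID to remove when migrating, empty if none
$Work       = Join-Path $env:SystemDrive 'MDE-Onboarding'
$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-MdeOnboarded {
    # True when the Sense service runs and the sensor reports OnboardingState = 1 in the Status key.
    $svc    = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running' -and $status.OnboardingState -eq 1)
}

if (Test-MdeOnboarded) {
    Write-Host "$env:COMPUTERNAME is already onboarded to org $((Get-ItemProperty -Path $StatusKey).OrgId)."
    return
}

# Copy the package locally; Install.ps1 expects md4ws.msi next to it.
New-Item -Path $Work -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Work -Force

Push-Location $Work
try {
    $installParams = @{ OnboardingScript = (Join-Path $Work 'WindowsDefenderATPOnboardingScript.cmd') }
    if ($OldMmaWsId) { $installParams['RemoveMMA'] = $OldMmaWsId }   # migration from the MMA-based solution
    # Install.ps1 installs md4ws.msi (and its prerequisites) and then runs the onboarding script.
    & (Join-Path $Work 'Install.ps1') @installParams
} finally {
    Pop-Location
}

# The sensor needs a moment to register with the service; poll for up to 5 minutes.
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-MdeOnboarded) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }

if (Test-MdeOnboarded) {
    Write-Host 'Onboarding succeeded; with direct onboarding enabled the machine appears under Servers - Defender for Endpoint in Defender for Cloud within 24 hours.'
} else {
    throw 'Sense is not onboarded after 5 minutes; check the onboarding output and the proxy/ URL requirements.'
}

# The onboarding script contains the tenant-specific onboarding blob; do not leave it on the server.
Remove-Item -Path $Work -Recurse -Force
```

The onboarding blob inside the .cmd only ties a device to your tenant and is not a secret in the credential sense, but anyone who has it can onboard rogue devices into your MDE inventory, so keep the package share read-restricted to the deployment account.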

Conclusion

Part 3C of the Microsoft Defender for Endpoint series is completed, focussed on the initial Defender for Endpoint onboarding using Defender for Cloud and Azure Arc. Stay tuned for the next parts, where more in-depth knowledge and experience will be shared around Defender for Endpoint, focussing on all the components and additional settings.

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Onboard using Defender for Cloud – Part 3B

View next part – Onboard using MECM/ GPO – Part 3D


Sources

Microsoft: Overview of Microsoft Defender for Servers

Microsoft: Connect your non-Azure machines to Microsoft Defender for Cloud

Microsoft: Overview of Azure Connected Machine agent

Microsoft: Azure Arc-Enabled servers