It is time for part 3B of the ultimate Microsoft Defender for Endpoint (MDE) series. After Part 3A (Onboard Defender for Endpoint using Microsoft Intune) it is now time for a more technical deep-dive scoped on Defender for Cloud. Part 3B is focused on onboarding using Defender for Cloud (previously Azure Defender).

Important: Defender AV / Next Generation Protection onboarding is critical and part of the complete protection platform. All AV / Next Generation Protection information will be explained more in-depth in a later part, including migration from other AV states.

NOTE: This blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are available in P2.

Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.


What is Defender for Cloud / Defender for Servers

Microsoft Defender for Cloud is the way to onboard Windows Servers into Defender for Endpoint. With Microsoft Defender for Servers, Microsoft Defender for Endpoint Plan 2 is automatically deployed to server resources using the integration. The license is part of Defender for Servers.

Defender for Cloud contains two plans, and both enable Defender for Endpoint Plan 2. In Defender for Cloud there is a Defender for Servers Plan 1 and a Plan 2 available. Plan 2 enables more benefits and additional enhanced security features.

Comparison table between Defender for Servers P1 / P2: for $10 extra in cost there are more features in Defender for Servers that can be used to increase the security posture. Defender for Servers Plan 1 is sufficient when using only Defender for Endpoint / vulnerability management and agent onboarding. There is no difference in Defender for Endpoint itself: both P1 and P2 enable the Defender for Endpoint Plan 2 product.

Feature/Capability                                       | Defender for Servers Plan 1 ($5) | Defender for Servers Plan 2 ($15)
---------------------------------------------------------|----------------------------------|----------------------------------
Microsoft Defender for Endpoint P2                       | ✅ P2                            | ✅ P2
Microsoft threat and vulnerability management            | ✅                               | ✅
Automatic agent onboarding, alert, and data integration  | ✅                               | ✅
Just-in-time VM access for management ports              |                                  | ✅
Network layer threat detection                           |                                  | ✅
Adaptive application controls                            |                                  | ✅
File integrity monitoring                                |                                  | ✅
Adaptive network hardening                               |                                  | ✅
Integrated vulnerability assessment (Qualys)             |                                  | ✅
Free 500MB Log Analytics data ingestion                  |                                  | ✅

How the flow works

Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Servers. Onboarding is automatic with the built-in extension provisioning.

The following integrations are enabled using Defender for Endpoint with Defender for Cloud:

  • Automated onboarding: Defender for Cloud automatically enables the Defender for Endpoint sensor, using the new unified agent, on all supported systems
  • Single pane of glass: the Defender for Cloud portal pages display Defender for Endpoint alerts, from where you can drill down into the Defender for Endpoint portal for more in-depth alert information

Auto-provisioning

When enabling Defender for Servers Plan 1 or Plan 2 and configuring the Defender for Endpoint integration, the Defender for Endpoint agent is automatically provisioned on all supported machines in the configured subscription. Once enabled, every supported machine in the subscription will be onboarded.

When enabled, Defender for Cloud deploys the MDE.Windows extension. The MDE.Windows extension installation performs the following:

  • Onboard to Defender for Endpoint (MDE)
  • Install the Defender for Endpoint unified client for 2012 R2 / 2016 (MD4WS.MSI)
  • Uninstall SCEP when needed
  • Install missing prerequisite patches when needed
  • Attempt to update the Defender AV product version on 2016 when it is outdated

Installation flowchart

A basic flowchart explaining the Defender for Servers Plan 1 / Plan 2 integration flow (image in the original post):


Prerequisites

Before starting with the integration we need to confirm a couple of prerequisites for Defender for Endpoint. All MDE prerequisites are explained in part 3 of the series. The following is important when using the integration in combination with Server 2012 R2 and Server 2016:

Unified agent

Defender for Cloud installs the new unified agent for Server 2012 R2 and Server 2016. The new agent has some new prerequisites which are important to validate before the installation of the MDE.Windows extension:

2012 R2:

  • Update machines with the latest monthly rollup
  • KB2999226 and KB3080149 are required for 2012 R2 (when using the latest monthly rollup, these patches are already installed)

2016:

  • The Servicing Stack Update (SSU) from September 14, 2021 or later must be installed.
  • The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed. It is recommended to use the latest available SSU and LCU and make sure the machines are fully updated before installing Defender.
  • The Defender Antivirus server role feature must be enabled, running and up to date.
  • Update / install the latest Defender Antivirus platform version (download the package from the Microsoft Update Catalog or MMPC).

For more information see: Prerequisites for Server 2012 R2 and Windows Server 2016 | Microsoft Docs

Onboard on-premises / Non-Azure machines

On-premises / non-Azure machines can be onboarded using Azure Arc. The preferred way of adding non-Azure machines to Microsoft Defender for Cloud is with Azure Arc. When onboarded using Azure Arc, the machine becomes an Azure resource and can easily be integrated with Defender for Endpoint. The Defender for Servers integration works the same for Azure Arc devices. More information: Connect your non-Azure machines to Microsoft Defender for Cloud

View part 3C for more in-depth Azure Arc information: Microsoft Defender for Endpoint series – Onboard using Azure Arc – Part 3C


Enable the integration – Defender for Cloud

In Defender for Cloud, Defender for Servers P1 / P2 must be enabled. Both versions use the same provisioning. Below explains the manual enablement; PowerShell or the API can be used to enable the integration for all subscriptions at once.

For enabling Defender for Cloud:

  • Sign in to the Azure portal
  • Search for Microsoft Defender for Cloud
  • In Defender for Cloud, select Environment settings
  • Open the subscription page
  • Enable Defender for Servers

For configuring Plan 1 or Plan 2 use the Change plan button for selecting the relevant plan.

Defender for Servers will be activated for all supported resources in the subscription. When enabled it onboards Windows and Linux machines to Defender for Endpoint. Linux machines get the MDE.Linux extension. NOTE: Linux is onboarded in passive mode.

Enable Defender for Endpoint integration

In the same view for the specific subscription, enable the Defender for Endpoint integration and optionally the Defender for Cloud Apps integration under Settings -> Integrations:

(1) The button Enable unified solution is only visible for older subscriptions (before June 20th 2022) where Defender for Servers was already enabled. It is advised to always use the new unified solution, which removes the complexity of the legacy MMA solution. When the button is visible, click Enable unified solution.
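The same enablement as the portal steps above, scripted for every subscription the signed-in account can see. This is an added example, not code from the original post or from Microsoft; it assumes the Az.Accounts and Az.Security modules, that the -SubPlan parameter of Set-AzSecurityPricing is available in the installed Az.Security version, and that "WDATP" and "WDATP_UNIFIED_SOLUTION" are the setting names behind the MDE integration and "Enable unified solution" toggles (both are assumptions; verify in your tenant).

```powershell
# Added example (not from the original post): enable Defender for Servers and the
# Defender for Endpoint integration on all subscriptions visible to the current account.
# Assumptions: Az.Accounts + Az.Security installed; -SubPlan supported by Set-AzSecurityPricing;
# setting names "WDATP" / "WDATP_UNIFIED_SOLUTION" map to the portal integration toggles.
param(
    [ValidateSet("P1", "P2")]
    [string]$ServersPlan = "P2"   # P1 is enough for MDE + vulnerability management only
)

Connect-AzAccount | Out-Null

$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Defender for Servers is the "VirtualMachines" pricing bundle; "Standard" turns it on.
    Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" -SubPlan $ServersPlan | Out-Null

    # MDE integration (WDATP) and the unified agent for 2012 R2 / 2016 (assumed setting names).
    Set-AzSecuritySetting -SettingName "WDATP" -Enabled $true | Out-Null
    Set-AzSecuritySetting -SettingName "WDATP_UNIFIED_SOLUTION" -Enabled $true | Out-Null

    # Read the state back so the result is verifiable, not just "no error".
    $pricing = Get-AzSecurityPricing -Name "VirtualMachines"
    $wdatp   = Get-AzSecuritySetting -SettingName "WDATP"
    [pscustomobject]@{
        Subscription = $sub.Name
        ServersTier  = $pricing.PricingTier
        SubPlan      = $pricing.SubPlan
        MdeEnabled   = $wdatp.Enabled
    }
}

$report | Format-Table -AutoSize
```

Run it once with -ServersPlan P1 on a test subscription first and confirm in Environment settings that the plan and integration toggles match the report before rolling it out everywhere.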

Without Defender for Endpoint provisioning?

The following Azure policies can be used to install the agent without using the auto-provisioning in Defender for Cloud.

Newly available Azure policies:

  • Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
  • Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
  • Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
  • Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

Auto-provisioning Log Analytics agent / Azure Monitor agent

A common question from organizations: do we need to enable auto-provisioning when using only Defender for Servers / Defender for Endpoint?

The new MDE solution for 2012 R2 / 2016 does not use or require the installation of the Log Analytics agent via auto-provisioning. The Defender solution is based on the SENSE service, the same as on Windows 10 / Server 2019 and higher. Auto-provisioning is only needed for the following Defender for Servers features. It is still recommended to use more features in Defender for Cloud and enable auto-provisioning of the Azure Monitor Agent.

  • Endpoint protection assessment – Security posture management (CSPM)
  • Adaptive application controls – Defender for Servers Plan 2
  • File Integrity Monitoring – Defender for Servers Plan 2
  • Fileless attack detections – Defender for Servers Plan 2

Defender AV – installed mode

There is no automatic deactivation of Defender AV when another AV product is active on a server onboarded via Defender for Cloud; only Linux is installed in passive mode automatically. When Defender AV is not the primary AV, it is advised to configure Defender AV in passive mode. Important: make sure Defender AV is active when there is no 3rd party AV solution installed. Using the following registry key it is possible to force passive mode:

  • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • Name: ForceDefenderPassiveMode
  • Type: REG_DWORD
  • Value: 1
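An added example (not from the original post) that applies or removes the ForceDefenderPassiveMode value described above and reads back what Defender AV reports as its running mode, so the change can be verified rather than assumed. It assumes Windows Server 2016 or later with the Defender PowerShell module available and an elevated session; the AMRunningMode property of Get-MpComputerStatus is used to show the effective mode.

```powershell
# Added example (not from the original post): force Defender AV into passive mode on a
# server where a 3rd party AV is primary, or revert to active mode when it is not.
# Assumes an elevated session on Server 2016+ with the Defender PowerShell module.
param([switch]$Passive)   # -Passive sets the key; without it the key is removed (active mode)

$regPath   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
$valueName = "ForceDefenderPassiveMode"

if ($Passive) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    # REG_DWORD = 1 as in the post's registry table
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
} else {
    # Removing the value lets Defender AV return to active mode when no other AV is installed
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
}

# Verify: registry value as written, plus the mode Defender AV itself reports.
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$status  = Get-MpComputerStatus

[pscustomobject]@{
    ForceDefenderPassiveMode = if ($null -eq $current) { "(not set)" } else { $current }
    AMRunningMode            = $status.AMRunningMode          # "Normal" = active, "Passive Mode" = passive
    RealTimeProtection       = $status.RealTimeProtectionEnabled
    AMProductVersion         = $status.AMProductVersion       # platform version, relevant for 2016
}
```

AMRunningMode reflects the mode once the Defender service has picked up the new value; if it still shows the old mode after a short while, restart the server and run the script again without -Passive to re-check.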

Monitoring installation

The installation of the extension can be monitored via the Azure machine extensions page. The onboarding is completely based on the MDE.Windows extension for Windows endpoints. The extension installation status can be checked via Extensions + applications in Azure:

Open the specific VM -> open Extensions + applications -> open the MDE.Windows extension for more details.

When clicking on the MDE.Windows extension name you will see more detailed information about the provisioning.

When the extension has failed, it is always recommended to check whether all prerequisites are correctly configured. Based on my experience the following are common causes:

  • Defender AV not running in active mode on 2016 / 2019
  • Defender server role not installed on Server 2016
  • Required prerequisite updates not installed
  • Connectivity requirements not correctly configured
  • Defender disabled via a registry key / GPO setting
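A local prerequisite check covering both the Unified agent prerequisites section and the common failure causes listed above; this is an added example, not from the original post or from Microsoft. It assumes it is run elevated on the server itself (Server 2012 R2 or 2016), that the Defender feature name on 2016 is Windows-Defender, that DisableAntiSpyware under the Windows Defender policy key is the GPO setting meant by "Defender disabled via a registry key / GPO setting" (an assumption), and that the SENSE service is named "Sense".

```powershell
# Added example (not from the original post): check the common MDE.Windows failure causes locally.
# Assumptions: elevated session; Server 2012 R2 or 2016; Defender feature name "Windows-Defender";
# DisableAntiSpyware is the policy value used to disable Defender; SENSE service name "Sense".
$os     = Get-CimInstance Win32_OperatingSystem
$is2012 = $os.Caption -match "2012"
$checks = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Pass, $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
}

if (-not $is2012) {
    # Server 2016: Defender AV role must be installed and running in active mode
    $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
    Add-Check "Defender feature installed" ($feature.Installed -eq $true) $feature.InstallState
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    Add-Check "Defender AV in active mode" ($mp.AMRunningMode -eq "Normal") "AMRunningMode=$($mp.AMRunningMode)"
    Add-Check "AV platform version present" ($null -ne $mp.AMProductVersion) "Platform=$($mp.AMProductVersion)"
} else {
    # Server 2012 R2: the two KBs from the prerequisites (included in the latest monthly rollup)
    foreach ($kb in "KB2999226", "KB3080149") {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        Add-Check "$kb installed" ($null -ne $hf) $hf.InstalledOn
    }
}

# Defender disabled via GPO / registry (assumed policy value DisableAntiSpyware = 1)
$pol = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -ErrorAction SilentlyContinue
Add-Check "Defender not disabled by policy" ($pol.DisableAntiSpyware -ne 1) "DisableAntiSpyware=$($pol.DisableAntiSpyware)"

# Passive-mode key should be absent unless a 3rd party AV is the primary product
$atp = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" -ErrorAction SilentlyContinue
Add-Check "ForceDefenderPassiveMode not set" ($atp.ForceDefenderPassiveMode -ne 1) "Value=$($atp.ForceDefenderPassiveMode)"

# After a successful onboarding the SENSE service exists and runs
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
Add-Check "SENSE service running" ($sense.Status -eq "Running") ($(if ($sense) { $sense.Status } else { "service not found" }))

$checks | Format-Table -AutoSize

# Azure side (from an admin workstation with Az.Compute), the extension's own status:
#   Get-AzVMExtension -ResourceGroupName <rg> -VMName <vm> -Name "MDE.Windows" -Status
```

Connectivity to the Defender for Endpoint service URLs is not covered here; use the Microsoft MDE Client Analyzer for that check.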

Conclusion

Part 3B of the Microsoft Defender for Endpoint series is completed, focused on the initial Defender for Endpoint onboarding using Defender for Cloud. Stay tuned for the next parts, where more in-depth knowledge and experience will be shared around Defender for Endpoint, focusing on all the components and additional settings.

Next, some smaller sub-parts focusing on the initial deployment for:

  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • Local script (PowerShell)

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas, or contact me via LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part: Microsoft Defender for Endpoint series – Onboard using Microsoft Intune – Part 3A


Sources

Microsoft: Deploy the Azure Monitor Agent with auto-provisioning

Microsoft: Migrate to Azure Monitor Agent from Log Analytics agent