Previously, onboarding hybrid servers to Defender for Servers with MDE required Azure Arc as a prerequisite for the deployment, since the standalone plan was removed from the licensing options some time ago (for CSP customers without an EA agreement). Azure Arc is beneficial for the modern management of servers, but some organizations only need EDR, without all the additional controls and management of the Azure Resource Manager layer. Azure Arc is not a next, next, finish deployment: it requires monthly maintenance, correct RBAC, update management, knowledge, and auditing.
With the new feature called Direct onboarding, it is possible to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc. This means we can deploy Defender for Endpoint from the M365 Defender portal using the onboarding package/script and have billing through Azure/Defender for Cloud, without the need for additional agents, extensions, or products.
The new method supports the same degree of data integration between MDC and MDE as the Azure Arc/Defender for Servers method.
Current limitations: see the Direct onboarding current limitations documentation.
Blog published: June 5, 2023. Blog updated: June 5, 2023.
Defender for Servers/ Defender for Cloud/ Defender for Endpoint and Azure Arc?
Let’s start with some explanation of the available components. A common question: what is the difference between Defender for Endpoint, Defender for Cloud, Defender for Servers, and Azure Arc? And why do we need them? Let’s explain it more in-depth.
Defender for Cloud
Defender for Cloud is a cloud-native application protection platform that combines Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities.
Defender for Cloud offers multiple Defender plans for more in-depth security. Available plans:
– Defender CSPM
– Defender for Servers
– Defender for App Service
– Defender for Databases
– Defender for Storage
– Defender for Containers
– Defender for Key Vault
– Defender for Resource Manager
– Defender for DNS
Defender for Servers
The Defender for Servers plan is part of Defender for Cloud and is available in two pricing models: P1 and P2. P1 focuses on a limited set of defenses with a strong focus on Defender for Endpoint technology. P2 contains the full set of Defender for Cloud enhanced security features, including network-layer threat detection, FIM, Qualys vulnerability assessment, and 500 MB of free data ingestion.
P1 = $5 per server/month (calculated per hour)
P2 = $15 per server/month (calculated per hour)
Both P1 and P2 contain all features of Defender for Endpoint P2 (except the Vulnerability Management add-on, which is only part of Defender for Servers P2 and is available in MDE as a separate add-on).
Defender for Endpoint
Microsoft Defender for Endpoint (MDE) is a comprehensive solution for preventing, detecting, and automating the investigation and response to threats against endpoints.
After enabling the Defender for Endpoint integration in Defender for Cloud, machines are provisioned automatically. The configuration/installation is pushed using Azure Policy and contains the onboarding script and additional configuration. The result is the MDE.Windows or MDE.Linux VM extension, for Windows Server 2012 R2 and higher.
Azure Arc
Azure Arc functions as a bridge that extends the Azure platform to on-premises environments or other clouds (AWS/GCP). To connect servers with Azure Arc, you use Azure Arc-enabled servers and install the Azure Connected Machine agent on supported systems.
The flow with this method is:
1: In Defender for Cloud,
2: the Defender for Servers P1 or P2 plan is enabled,
3: which onboards Defender for Endpoint P2 via Azure Policy.
The license for Defender for Endpoint is part of the Defender for Servers plan; no additional license purchase is needed.
Onboarding with the new method
Previously, it was always necessary to use the Defender for Servers method to obtain the license for servers, since the standalone license was removed some time ago. Because of that licensing decision, Azure Arc had to be enrolled for non-Azure resources such as on-premises machines or machines hosted in another cloud. With the new onboarding method, Azure Arc is no longer required when onboarding machines to Defender for Endpoint.
Now the question is: what is the best onboarding method?
There is still a benefit to Azure Arc, since Azure Arc enables a couple of features that are not part of the new direct onboarding (P2 features + Arc features). When machines are hosted in Azure it is common to use the Defender for Servers onboarding method, since provisioning is automatic via the MDE.Windows and MDE.Linux extensions.
Direct onboarding method
In situations where Azure Arc is a large overhead (it requires its own security, policies, and design decisions), the new direct onboarding method can be used. With the newly announced direct onboarding there is seamless integration between Defender for Endpoint and Defender for Cloud, without the need to deploy additional agents. Once enabled, the machines that are part of Defender for Endpoint are synced to the Defender for Cloud inventory in the designated Azure subscription that is configured.
With direct onboarding, the Defender for Cloud part is used only for licensing. The Azure subscription is used for licensing, billing, alerts, and insights. For additional configuration and protection, Azure Arc is still needed.
Enabling direct onboarding is an opt-in setting at the tenant level. Once enabled, it affects existing and new servers that are onboarded in the Defender for Endpoint tenant. After enabling the new onboarding, machines are synced under the designated subscription and pricing becomes part of the Defender for Cloud process.
Enabling Direct onboarding
Direct onboarding is enabled in the Defender for Cloud environment settings. After enabling direct onboarding, it takes up to 24 hours for machines to be synced into the designated subscription.
To manage this setting, you need Subscription Owner permissions (on the chosen subscription) and the AAD Global Administrator or AAD Security Administrator role.
For enabling the feature go to Defender for Cloud -> Environment Settings -> Direct Onboarding
Switch the direct onboarding toggle to On
Select the subscription. This subscription is where the machines will be visible/located. Ideally, create a separate subscription for optimal control of the Defender for Servers P1/P2 plan and the cost of the servers.
When enabled, it takes up to 24 hours before machines are synced to the inventory in the designated subscription. After enabling the feature, licensing is part of Defender for Cloud.
IMPORTANT: This setting is currently only possible tenant-wide. It syncs devices that are part of Defender for Endpoint and have been active within a specific time interval. Review the information below to make sure there is no duplicate cost.
Figure: each machine includes recommendations, alerting, and insights.
Figure: data integration between MDE and Defender for Cloud.
Defender for Servers plan
In Defender for Servers there are P1 and P2 plans. Direct onboarding provides access to all Defender for Servers Plan 1 features; there is no real benefit to the Plan 2 features when using direct onboarding.
For Defender for Servers P2, a couple of features depend on the Azure Monitor Agent, which is only available via Azure Arc on non-Azure machines. Without the Azure Monitor Agent you pay $15/month for a limited set of features.
When enabling Defender for Servers P2 on the designated subscription, machines onboarded directly have access to the Defender for Servers Plan 1 features and the Vulnerability Management add-on features. All other features are not supported or available.
The Defender for Servers plan is visible via the environment settings in Defender for Cloud.
NOTE: The count in the resource quantity currently does not yet show the machines onboarded via Direct onboarding.
Review machines onboarded via Direct onboarding
When machines are part of Defender for Endpoint and recently active in the inventory, they are synced automatically to the configured subscription once the requirements are in place.
To view machines that are part of the direct onboarding process, go to Defender for Cloud and open the inventory. In the resource type filter there is a new option with the following resource types:
| Resource Type | Explanation |
| --- | --- |
| Servers – Defender for Endpoint | Machines onboarded via direct onboarding |
| Virtual machines | Machines hosted in Azure |
| Servers – Azure Arc | Machines onboarded via Azure Arc |
The resource type Servers – Defender for Endpoint contains all machines onboarded via the new direct onboarding. When machines appear duplicated, billing is based on hourly activity; this is the same process as used for servers onboarded via Defender for Servers or Azure Arc.
Machines are visible in the inventory. Recommendations and alerts are directly visible on the resource name.
What happens when the machine is already part of Defender for Servers?
When the machine is already part of Defender for Servers, the resource is visible as resource type Virtual machines, or as Machines onboarded via Azure Arc when onboarded via Azure Arc.
There is a limitation here. When an Azure VM or Azure Arc machine is onboarded to Defender for Servers via an Azure subscription or Log Analytics workspace and is running Defender for Endpoint, it becomes part of the direct onboarding flow if the MDE.Windows or MDE.Linux extension is not installed.
Make sure machines hosted in Azure or onboarded via Azure Arc are correctly registered using the MDE.Windows or MDE.Linux extension. When the extension is not present, the machine is counted twice (duplicate entries and duplicate cost) once direct onboarding is enabled.
Log Analytics workspace
When machines are already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace, they also become part of the direct onboarding flow, resulting in duplicate devices.
For more limitations see: Simultaneous onboarding limited support | Microsoft Learn.
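Before switching the tenant-wide toggle on, it helps to know which Azure VMs and Azure Arc machines would be double-counted. The script below is an added example, not code from the original post or from Microsoft: it walks every subscription in the current Az context and lists the VMs and Arc-enabled servers that have no MDE.Windows/MDE.Linux extension. It assumes the Az.Accounts, Az.Compute and Az.ConnectedMachine modules are installed, that Connect-AzAccount has been run with at least Reader access, and that the extension publisher name used for the fallback match is the one the MDE extensions carry; the helper name Test-HasMdeExtension is my own.

```powershell
# Added example (not part of the original post): report Azure VMs and Azure Arc-enabled
# servers that lack the MDE.Windows / MDE.Linux extension, so they can be fixed before
# direct onboarding is enabled and duplicate entries (and duplicate cost) are avoided.
# Assumptions: Az.Accounts, Az.Compute and Az.ConnectedMachine are installed and
# Connect-AzAccount has been run with Reader access on the subscriptions in scope.
# The script is read-only; it only lists machines.

$mdeExtensionNames = @('MDE.Windows', 'MDE.Linux')
# Assumed publisher of the MDE extensions, used as a fallback match when an
# instance was deployed under a different extension name.
$mdePublisher      = 'Microsoft.Azure.AzureDefenderForServers'
$missing           = [System.Collections.Generic.List[object]]::new()

function Test-HasMdeExtension {
    # Returns $true when one of the machine's extension objects is the MDE extension.
    param([object[]]$Extensions)
    foreach ($e in $Extensions) {
        if ($null -eq $e) { continue }
        if (($mdeExtensionNames -contains $e.Name) -or ($e.Publisher -eq $mdePublisher)) {
            return $true
        }
    }
    return $false
}

foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionId $sub.Id

    # Azure VMs (resource type "Virtual machines" in the Defender for Cloud inventory)
    foreach ($vm in Get-AzVM) {
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
        if (-not (Test-HasMdeExtension -Extensions @($ext))) {
            $missing.Add([pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $vm.ResourceGroupName
                Machine       = $vm.Name
                Kind          = 'Virtual machine'
            })
        }
    }

    # Azure Arc-enabled servers (resource type "Servers - Azure Arc"); the resource
    # group is taken from the resource ID: /subscriptions/<id>/resourceGroups/<rg>/...
    foreach ($arc in (Get-AzConnectedMachine -ErrorAction SilentlyContinue)) {
        $rg  = ($arc.Id -split '/')[4]
        $ext = Get-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $arc.Name -ErrorAction SilentlyContinue
        if (-not (Test-HasMdeExtension -Extensions @($ext))) {
            $missing.Add([pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $rg
                Machine       = $arc.Name
                Kind          = 'Azure Arc'
            })
        }
    }
}

if ($missing.Count -eq 0) {
    Write-Host 'All VMs and Arc machines have an MDE extension; no duplicates expected from these resources.'
} else {
    Write-Host "Machines without MDE.Windows/MDE.Linux extension ($($missing.Count)) - fix before enabling direct onboarding:"
    $missing | Sort-Object Subscription, Kind, Machine | Format-Table -AutoSize
}
```

Machines in this list that are already running the Defender for Endpoint sensor are exactly the ones that would show up a second time under Servers – Defender for Endpoint. Servers that are not Azure resources at all but are billed through a Log Analytics workspace (the MMA path) cannot be enumerated with these cmdlets; check those in the workspace itself.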
When to use the different methods
In general, there are now three options:
- Onboard via Azure Arc
- Onboard via Defender for Servers
- Onboard via direct onboarding
Azure Arc
Azure Arc is not focused on Defender for Endpoint onboarding and contains more features for managing machines with Azure services. With Azure Arc it is possible to deploy and use Azure Policy, Update Management, extensions, Automanage, and more.
When there is a need to collect custom events via the Azure Monitor Agent, Azure Arc is required for on-premises/non-Azure machines.
When Azure Arc? When there is a use case for the management capabilities in Azure Arc or a requirement for collecting logs via the Azure Monitor agent.
Defender for Servers
Use Defender for Servers for machines hosted in Azure. With Defender for Servers it is possible to deploy Defender for Endpoint automatically via the MDE.Windows or MDE.Linux extension. Customers can enable Defender for Servers P1 or P2 and use all features.
When Defender for Servers? When machines are part of Azure it is easy to enable Defender for Servers. This gives flexibility in using/securing machines with more advanced features like FIM, JIT, and more.
Direct onboarding
Direct onboarding is useful when Azure Arc is an overhead and machines are hosted on-premises or in another cloud. With direct onboarding it is possible to deploy only Defender for Endpoint, integrate alerts/insights with Defender for Cloud, and have the license managed via Defender for Cloud. With direct onboarding there is no longer a requirement for Azure Arc.
When direct onboarding? Direct onboarding is useful when only Defender for Endpoint is needed and there is no need for Azure Monitor Agent deployment. When the Azure Monitor Agent is required, direct onboarding is not sufficient, since AMA requires Azure Arc for on-premises machines.
From direct onboarding to Azure Arc
Moving from direct onboarding to Azure Arc is supported without any duplicate cost. When Azure Arc is needed for collecting logs via AMA or for any other feature not supported by direct onboarding, installing the Azure Arc agent is fully supported. No offboarding is required in Defender for Endpoint.
How to onboard using the Direct onboarding method
When using direct onboarding, the onboarding can be deployed via the available deployment options in Defender for Endpoint. For Windows the following options can be used:
- Microsoft Configuration Manager
- Intune (Via Tenant-Attach)
- Scripting/ GPO
- And more
For Linux the following options are available:
- Script
- Puppet
- Ansible
- Chef
- Saltstack
More information here: Onboard to the Microsoft Defender for Endpoint service
When using the unified agent for Windows Server 2012 R2 and 2016, it is necessary to install the MSI and then run the onboarding package. Once the machine is onboarded in Defender for Endpoint, it automatically syncs to the designated subscription in Defender for Cloud/Defender for Servers. In general, the order is the following:
- Onboard machine using available onboarding methods in MDE
- Enable direct onboarding in Defender for Cloud, with Defender for Servers P1 enabled on the designated subscription
- Machines will be synced automatically for licensing to Defender for Cloud
- Alert and recommendation experience is visible in Defender for Cloud
- The result is an active Defender for Endpoint sensor, onboarded via GPO/Configuration Manager or any other method, with licensing billed via Defender for Servers P1.
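The first step of that order is the one that most often goes wrong in practice: the package was deployed, but the sensor never reached the onboarded state, so the machine never appears in the designated subscription. The script below is an added example, not part of the original post or of Microsoft's onboarding package. It is meant to be run in an elevated PowerShell session on the server itself and reports the state a practitioner checks by hand: whether the Sense service exists and runs, and whether the OnboardingState value under the Windows Advanced Threat Protection Status registry key is 1. The function name Test-MdeOnboarding and the OS-caption match used to flag unified-agent systems are my own assumptions.

```powershell
# Added example (not part of the original post): run on a Windows server after the
# onboarding package has been applied (GPO, Configuration Manager, script, or the
# unified agent MSI + package on 2012 R2 / 2016) to confirm the sensor is installed,
# onboarded and running before expecting the machine in the Defender for Cloud inventory.
# Assumption: elevated PowerShell on the server itself.

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Sense = "Windows Defender Advanced Threat Protection Service", the EDR sensor
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    # Status key is written by the onboarding package; absent when never onboarded
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $os     = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OperatingSystem = $os
        # Assumed match: 2012 R2 / 2016 need the unified agent MSI before the package
        UnifiedAgentOS  = ($os -match '2012 R2|2016')
        SenseInstalled  = ($null -ne $sense)
        SenseRunning    = ($null -ne $sense -and $sense.Status -eq 'Running')
        OnboardingState = $status.OnboardingState      # 1 = onboarded
        OrgId           = $status.OrgId                # MDE tenant the sensor reports to
        Onboarded       = ($null -ne $status -and $status.OnboardingState -eq 1)
    }
}

$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.SenseInstalled) {
    Write-Warning 'Sense service not found: install the sensor (unified agent MSI on 2012 R2/2016) and run the onboarding package.'
} elseif (-not $check.Onboarded) {
    Write-Warning 'Sensor installed but OnboardingState is not 1: re-run the onboarding package and review the Microsoft-Windows-SENSE/Operational event log.'
} elseif (-not $check.SenseRunning) {
    Write-Warning 'Sensor onboarded but the Sense service is not running.'
} else {
    Write-Host 'Sensor onboarded and running; with direct onboarding enabled the machine should sync to the designated subscription within 24 hours.'
}
```

The OrgId value is useful when several tenants are in play: it identifies the Defender for Endpoint tenant the sensor reports to, which must be the tenant where direct onboarding was switched on, otherwise the machine will never be synced to the designated subscription.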
Conclusion
With the new onboarding capability there is more flexibility for organizations and customers. It is good to see that the Azure Arc agent is no longer a requirement for enrolling in MDE and obtaining the MDE license, since the standalone plan was removed some time ago.
Azure Arc is a good solution, but not perfect for every organization. When there is no Azure knowledge, it is a security risk if Azure Arc is not correctly configured with the right IAM permissions, landing zone design, update management, and Azure Policy monitoring. When only Defender for Endpoint is used, the new direct onboarding capability is really nice and makes the deployment easier. I would still prefer the migration path to Azure Arc and start learning the new options for managing on-premises servers. Update management is powerful in Azure Arc, and Arc enables far more flexibility.
Currently, the setting is tenant-wide, so make sure the machines are checked before enabling the feature, to avoid duplicate costs in the billing when extensions are missing or when machines are connected via Log Analytics and onboarded to Defender for Endpoint.
Can I move previously registered Azure Arc machines to Direct Attached as well?
Yes, when done correctly: when uninstalling the Azure Arc agent it will automatically map to a direct onboarding device.
Give it a try on a test machine to see the behavior (not tested this situation). Make sure to use the disconnect command of Azure Arc, since with this method the object is automatically removed from Azure. After the disconnected state the uninstall of the agent is possible.
It is not needed to offboard/onboard MDE again.
Is there a way to manage ASR rules for Windows servers from the cloud, since we have onboarded them from SCCM and we used the Unified solution (direct onboarding)? Also, when applying ASR from SCCM the rules are not applied to the servers; is there any solution for this (tried to apply directly from PowerShell, it is not going to apply)?
When using SCCM Endpoint Protection policies, ASR only works for Windows 10/11 endpoints. The policy is not applied when targeting servers.
ASR can be managed via MDE Management, GPO or PowerShell.
MDE Management: https://jeffreyappel.nl/managing-microsoft-defender-for-endpoint-with-the-new-security-management-feature-in-mem/
Options (PowerShell): https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-attack-surface-reduction-and-additional-protection-part4b/
Hi Jeffrey. I am currently evaluating MDE onboarding for our on-prem servers. We would love to benefit from the central management of settings, but since we have several independent domains and only synchronize one with Entra Connect, this does not seem to be possible at the moment. Azure Arc is currently out of the question. Does direct onboarding without Azure Arc still create these synthetic device identities, which then enables Security Management for MDE?
It is possible to use Direct onboarding without Azure Arc; the entries are only applicable for licensing, this syncs all onboarded machines to the subscription which is configured.
For settings management this will do the trick with synthetic device identities; this can be from multiple domains (when not synced to entraID)
https://jeffreyappel.nl/manage-mde-for-windows-macos-and-linux-via-security-settings-management/
Hi Jeffrey, what about domain controllers? Is it possible to onboard them in Defender (MDE)? I tried and the device is always managed by “Unknown”, so how are we supposed to manage Defender on a domain controller? I know about Defender for Identity but it is not a malware or virus solution.
Domain controllers are supported via direct onboarding/ MDE onboarding. When it is 2012R2 and higher, follow the onboarding steps from the MDE documentation.
When the SENSE service is running/active, run the client analyzer and check the client analyzer logs. MDE Management is not supported for domain controllers, which results in managed by unknown.
More troubleshooting steps in this blog: https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/
Thank you for the reply, I understand and I already read your post, but if the domain controllers are not MDE manageable, how am I supposed to manage antivirus, attack surface reduction and other settings? Do you have Microsoft information saying domain controllers are not supported?
Thank you !!
Yes; MDE/ MDAV and additional controls can be managed via GPO/ PowerShell or any of the supported methods.
MDE Management information and the support with Domain Controllers is available here: https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration#managing-security-configurations-on-domain-controllers
Thanks for the answer, it’s very clear! Just one last: is Defender for Cloud “obligatory” for billing to be done? Or can I buy a Defender for Servers P1 license myself (about $5)? Thank you, have a good day.
Great blog. Nice and much needed step from Microsoft. The only question that remains: is it supported and does it work for non-persistent servers (Citrix)? Advice from Microsoft was not to use Azure Arc. So what happens if we enable direct onboarding and onboard a Citrix server with the VDI onboarding script, then reboot and re-onboard?
Not sure how non-persistent servers (Citrix) work in this situation. Defender for Servers/ Cloud billing is calculated per machine/hour; for the pricing there is no impact and you will pay only for devices with active timestamps. From what I know Citrix servers/ non-persistent servers are working fine, and there is only payment for the devices active in the last 1h.
Hi Jeffrey,
Are Windows Server 2012 R2 and Windows Server 2016 supported for Direct Onboarding? I have noticed that the “Managed by” status in MDE for these operating systems remains ‘Unknown’. As a result, the Intune AV policies are not being applied.
Managed by is a different state and is used for MDE management. See this blog for more information.
https://jeffreyappel.nl/manage-mde-for-windows-macos-and-linux-via-security-settings-management/
If I use direct onboarding, can I later onboard the machine to Azure Arc and have no issues? Will Defender for Cloud still install the extension on my machines?
Yes, the upgrade situation from direct onboarding to Azure Arc is supported, without double cost. The extension will be installed on the machine. It will use the already onboarded device in Defender for Endpoint.
It appears this article and your newer one https://jeffreyappel.nl/manage-mde-for-windows-macos-and-linux-via-security-settings-management/
are complementary. Are there any additional considerations when leveraging Direct Onboarding with the latest security settings management for servers?
Direct onboarding is for the licensing and sync to Defender for Server/ Defender for Cloud. The new security settings management feature is for managing the AV configuration and additional configuration controls.
Using Direct onboarding we notice that the resource quantity is not yet showing, like you also mentioned.
Do you happen to know when this will be added?
Correct – the current resource quantity is not counting for Direct onboarding. Currently, have no more information when this will be added.
Thanks for your detailed manual, looks very nice.
I just wonder if there is a way to deploy specific policies (exclusions for example) to directly onboarded Defender for Endpoint devices?
Nevermind, found it.
Hi Jeffrey,
Will direct onboarding also function using the Microsoft Management Agent from onprem servers instead of MDE?
As you mentioned the Log Analytics Workspace- is this also a way of mixing P1 and P2?
Meaning P1 Subscription wide and P2 on the workspace?
Just for all as info… This is now possible.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes?WT.mc_id=Portal-Microsoft_Azure_Security#defender-for-servers-at-the-resource-level-available-as-ga
https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/Defender%20for%20Servers%20on%20resource%20level
Hi Jeffrey, such a great blog! I’m looking into onboarding all our servers to MDE but getting confused because of the licensing. So currently we have already onboarded some servers for testing purposes via Direct Onboarding via script (GPO). We have around 350 M365 E3 licenses but can’t find out which licenses we need for our servers. Defender for Servers Plan 1 * amount of servers?
Hi Jeffrey,
Thanks for explaining so nicely. My question is: if we onboard our devices with this feature, will it provide Defender vulnerability protection?
Thanks
AL
Yes, all the features that are part of the Defender for Endpoint P2 suite are available, including AV/ EDR/ TVM.
Hi Jeffrey,
Currently all our servers are already onboarded with the Defender for Endpoint Sensor, but direct onboarding is not enabled. The settings for my member servers are managed by GPO.
At the moment, we are not yet purchasing individual licenses for Defender for Endpoint for servers. Is enabling this through Direct Onboarding the correct approach? Will the servers with ‘Server’ as the OS automatically appear in Security Center and be included in Defender for Cloud through Direct Onboarding?
Is there any impact on the servers when they are all already onboarded and configured with Defender for Endpoint?
Many thanks.