Onboard Windows servers to Microsoft Defender for Endpoint using Defender for Cloud

In this blog I’ll show you step by step how to onboard Windows Servers (Known in Microsoft Defender for Cloud) to Microsoft Defender for Endpoint. This could be Azure Virtual Machines or Azure ARC enabled servers for example. We’re not going deep dive into the theory. We’re focusing here on the onboarding part. This blog also does not mention the pre-requisites needed for older operating systems. This blog is based on a Windows Server 2022 OS.

What is Defender for Cloud?

Defender for Cloud is a security solution designed to protect cloud-based applications and services from various cyber threats. It offers a range of features to help organizations secure their cloud infrastructure, including threat detection, vulnerability management, and compliance monitoring.

Overall, Defender for Cloud is a valuable tool for organizations that rely on cloud-based services to run their business operations. It can help ensure that their cloud infrastructure is secure, compliant, and protected from a wide range of cyber threats.

Configure Defender for Cloud

There are some configurations to be made in Defender for Cloud. These are subscription wide settings! Each subscription can have different configurations or services being enabled or for example different Defender for Endpoint Plans. Where your production subscription might have Defender for Endpoint P2, you could save some money choosing Defender for Endpoint P1 for your test subscription.

Navigate to https://portal.azure.com -> Defender for Cloud -> Environment settings -> Select subscription.

The Defender plans page is your starting point. There are several things we can do and choose from. We’re now focussing on Servers.

  • Set Servers status to ON.
  • Select the desired Defender for Endpoint plan by clicking Change plan. Select the desired plan.
  • Click Settings under Monitoring coverage and pick additional components.

Defender for Servers Plan 1 vs. Defender for Servers Plan 2

In most scenario’s you would be able to select all additional components. The most important one is the Endpoint Protection component. Make sure this one is set to On.

MDE.Windows Extension deployment

If all settings where configured (as shown above), Defender for Cloud automatically deploys the extension to machines running:

  • Windows Server 2019 and Windows Server 2022
  • Windows Server 2012 R2 and 2016 if MDE Unified Solution integration is enabled
  • Windows 10 on Azure Virtual Desktop.
  • Other versions of Windows Server if Defender for Cloud doesn’t recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
  • Linux.

The MDE.Windows extension deployment can take up to 12 hours before its actually deployed on new subscriptions/integrations. In my experience the first deployment took almost 24 hours for the first machine. All upcoming servers will have the MDE.Windows extension installed within 1 or 2 hours. The documentation is not really clear about this at the moment of writing. This is already reported.

Once the MDE.Windows extension is deployed, your device will soon be onboarded into Defender for Endpoint!

Note: Uninstalling the MDE.Windows extension from the Azure Portal does uninstall the exension from the server. This does NOT offboard the device from Defender for Endpoint. The official offboarding still has to be done!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − 11 =