Hi Garretta86,
from an MDE perspective, it's a transparent change, so existing configuration will apply. Regarding testing on a particular machine without enabling the integration on the whole subscription, yes, that is possible via REST API:
- You need to retrieve the MDE Onboarding Package as Base64Encoded package. This can be done with a GET request against
https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview
- You need to deploy the extension to your machine. To do it, you can run a PUT request against
https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version>
(see below the different parameters for the JSON body and API call):
| Parameter | Value |
|---|---|
| API Call | PUT |
| API URI | https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version> |
| ResourceId | Azure Resource ID |
| MachineType | Compute (for Azure VMs), HybridCompute (for Azure Arc machines) |
| MachineTypePath | virtualMachines (for Azure VMs), machines (for Azure Arc machines) |
| API Version | 2015-06-15 (for Azure VMs), 2020-08-02 (for Azure Arc machines) |
| Base64EncodedPackage | result from the GET request in step 1 |

The PUT request needs to contain the following JSON body (replace the <attributes> with values from the table above):
```json
{
  "name": "MDE.Windows",
  "id": "<ResourceId>/extensions/MDE.Windows",
  "type": "Microsoft.<MachineType>/<MachineTypePath>/extensions",
  "location": "<location_of_vm>",
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "<ResourceId>",
      "vNextEnabled": "true"
    },
    "protectedSettings": {
      "defenderForEndpointOnboardingScript": "<Base64EncodedPackage>"
    }
  }
}
```
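
The following is an added example, not part of the original reply and not Microsoft's code: it derives the PUT URI, API version and JSON body from a machine's resource ID using the table above, and validates the inputs before anything is sent. The function names, the sample package and the redaction helper are assumptions for illustration; the Base64 package is expected to come from the GET request in step 1.

```python
import base64
import copy
import re

# From the parameter table: provider -> (MachineType, MachineTypePath, API version)
MACHINE_TYPES = {
    "compute": ("Compute", "virtualMachines", "2015-06-15"),
    "hybridcompute": ("HybridCompute", "machines", "2020-08-02"),
}
RESOURCE_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.(?P<mtype>[^/]+)/(?P<mpath>[^/]+)/[^/]+$", re.IGNORECASE)
SAMPLE_PACKAGE = "Y29uc3RydWN0ZWQ="  # constructed placeholder, not a real package

def build_mde_extension_request(resource_id, location, b64_package):
    """Return (method, uri, body) for deploying MDE.Windows to one machine."""
    m = RESOURCE_ID.match(resource_id)
    if not m or m["mtype"].lower() not in MACHINE_TYPES:
        raise ValueError("not an Azure VM or Azure Arc machine resource ID")
    mtype, mpath, api_version = MACHINE_TYPES[m["mtype"].lower()]
    if m["mpath"].lower() != mpath.lower():
        raise ValueError("resource type does not match its provider")
    try:  # reject an empty or corrupted onboarding package before sending it
        if not base64.b64decode(b64_package, validate=True):
            raise ValueError("empty package")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("onboarding package is not valid Base64") from exc
    uri = (f"https://management.azure.com{resource_id}"
           f"/extensions/MDE.Windows?api-version={api_version}")
    body = {
        "name": "MDE.Windows",
        "id": f"{resource_id}/extensions/MDE.Windows",
        "type": f"Microsoft.{mtype}/{mpath}/extensions",
        "location": location,
        "properties": {
            "autoUpgradeMinorVersion": True,
            "publisher": "Microsoft.Azure.AzureDefenderForServers",
            "type": "MDE.Windows",
            "typeHandlerVersion": "1.0",
            "settings": {"azureResourceId": resource_id, "vNextEnabled": "true"},
            "protectedSettings": {
                "defenderForEndpointOnboardingScript": b64_package},
        },
    }
    return "PUT", uri, body

def redact_for_logging(body):
    """Copy of the body that is safe to log: the onboarding script is masked."""
    safe = copy.deepcopy(body)
    safe["properties"]["protectedSettings"] = {
        "defenderForEndpointOnboardingScript": "<redacted>"}
    return safe
```

Send the returned body with an authenticated PUT to the returned URI, and log only the output of `redact_for_logging`, since the onboarding script is the one value in the body placed under `protectedSettings`.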