Microsoft Defender for Cloud Blog

Defender for Servers Plan 2 now integrates with Defender for Endpoint unified solution

Tom_Janetscheck
Jun 20, 2022

Today, we're excited to announce the release of Microsoft Defender for Endpoint’s unified agent integration with Microsoft Defender for Servers Plan 2. With this release, we align the integration experience between Microsoft Defender for Endpoint and both Microsoft Defender for Servers Plans.


In April 2022, we introduced Microsoft Defender for Servers Plan 1 as an entry-level SKU that offers Cloud Security Posture Management (CSPM) capabilities such as Secure Score and security recommendations, in addition to integration with Microsoft Defender for Endpoint. With its release, we also introduced integration with the Defender for Endpoint unified solution, which removes the dependency on the Log Analytics agent and the workspace solution for deploying Defender for Endpoint to down-level Windows operating systems. With today’s change, the Defender for Endpoint integration is based entirely on the two machine extensions MDE.Windows and MDE.Linux, which are available for Azure VMs and for non-Azure machines connected through Azure Arc-enabled servers.


To enable the Defender for Endpoint unified solution in existing subscriptions, opt in on the subscription’s Environment settings > Integrations page.

Enable MDE unified solution integration with Microsoft Defender for Cloud on an Azure subscription


When clicking the Enable unified solution button, you will be asked to confirm deployment to all existing and future Windows Server 2012 R2 and 2016 machines. Once done, Defender for Cloud will deploy the MDE.Windows extension to all Windows Server 2012 R2 and 2016 machines in that subscription. The extension will then install the Defender for Endpoint unified solution and connect it to your Defender for Endpoint backend while, at the same time, deactivating the legacy Defender for Endpoint sensor.


Frequently asked questions

Below are answers to common questions about integration with the Defender for Endpoint unified solution.


What happens when the Defender for Endpoint unified solution is deployed to a machine that already had the integration enabled?

Once the MDE.Windows extension is deployed to a machine, it tries to install the Defender for Endpoint unified solution. Once the installation has completed successfully, it stops and disables the Defender for Endpoint process in the Log Analytics agent.


What are the prerequisites to enable the Defender for Endpoint unified solution?

You need to enable one of the Defender for Servers plans and Defender for Endpoint integration with Defender for Cloud. Also, make sure your machines meet the networking requirements. For a list of system prerequisites, please see this documentation.


Will I lose access to a machine’s protection history in Defender for Endpoint by upgrading to the unified solution?

No, the unified solution will replace the legacy sensor using the same resource information in Defender for Endpoint. It will be a transparent change on the Defender for Endpoint side.


What are the benefits of upgrading to the new Defender for Endpoint unified solution?

The new Defender for Endpoint unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see this documentation. In addition, the new unified solution package removes all dependencies on the Log Analytics agent for onboarding and integrating into Defender for Cloud.


Will I be forced to use the unified solution on my legacy Windows machines?

No, we do not force you to use the Defender for Endpoint unified solution. However, since it comes with several major improvements (see above), we encourage you to enable it.


I don't see the Enable Unified Solution button. What could be the reason?

With this latest release, Defender for Endpoint integration with Defender for Servers P2 deploys and integrates the Defender for Endpoint unified solution by default. The button only exists on subscriptions that

  1. have already existed before June 20th 2022
  2. had Defender for Servers P2 enabled before that date
  3. had the Defender for Endpoint integration enabled before that date

All other subscriptions, for example when upgrading from Defender for Servers P1 to P2, when enabling the Defender for Endpoint integration after June 20th 2022, or when creating a new subscription, will not have this button because the Defender for Endpoint unified solution is automatically the default on those.


How can I enable integration with the new unified solution at scale?

You can use the Microsoft.Security/settings REST API to programmatically enable the Defender for Endpoint unified solution on a subscription.


Parameter      Value
API call       PUT
API URI        https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION?api-version=2022-05-01
API version    2022-05-01
JSON body:

{
    "name": "WDATP_UNIFIED_SOLUTION",
    "type": "Microsoft.Security/settings",
    "kind": "DataExportSettings",
    "properties": {
        "enabled": true
    }
}
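As an added example (not Microsoft's tooling and not code from this post), the following Python script applies the REST call above to a list of subscriptions. The URI, API version, setting name and JSON body are the ones from the table; the GET-before-PUT check, the function names and the AZURE_ACCESS_TOKEN environment variable holding an Azure Resource Manager bearer token are assumptions of this example.

```python
"""Enable the Defender for Endpoint unified solution setting (WDATP_UNIFIED_SOLUTION)
on many subscriptions through the Microsoft.Security/settings REST API.

Added example, not Microsoft's own tooling. URI, API version, setting name and body
come from the blog post; the transport, the AZURE_ACCESS_TOKEN environment variable
and the helper names are assumptions of this example.
"""
import json
import os
import urllib.error
import urllib.request

SETTING = "WDATP_UNIFIED_SOLUTION"
API_VERSION = "2022-05-01"
ARM = "https://management.azure.com"


def setting_url(subscription_id):
    """ARM URI of the unified-solution setting for one subscription (from the post)."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/settings/{SETTING}?api-version={API_VERSION}")


def enable_body():
    """JSON body from the blog post's table."""
    return {
        "name": SETTING,
        "type": "Microsoft.Security/settings",
        "kind": "DataExportSettings",
        "properties": {"enabled": True},
    }


def is_enabled(setting_json):
    """Read properties.enabled from a GET/PUT response; a missing value counts as disabled."""
    return bool((setting_json or {}).get("properties", {}).get("enabled", False))


def arm_send(method, url, body=None):
    """Real transport (assumed): bearer token from AZURE_ACCESS_TOKEN.
    Returns (status_code, parsed_json_or_None) and never raises on HTTP errors."""
    token = os.environ["AZURE_ACCESS_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def enable_unified_solution(subscription_ids, send=arm_send):
    """Idempotently enable the setting on each subscription.

    GET first so subscriptions that already have it enabled are left untouched
    (no needless writes in the activity log); PUT only where it is off.
    A failure on one subscription is recorded and the loop continues.
    Returns {subscription_id: "already-enabled" | "enabled" | "failed:<status>"}.
    """
    results = {}
    for sub in subscription_ids:
        url = setting_url(sub)
        status, current = send("GET", url)
        if status == 200 and is_enabled(current):
            results[sub] = "already-enabled"
            continue
        status, updated = send("PUT", url, enable_body())
        if status in (200, 201) and is_enabled(updated):
            results[sub] = "enabled"
        else:
            results[sub] = f"failed:{status}"
    return results


if __name__ == "__main__":
    import sys
    # usage (assumed file name): python enable_unified.py <subscriptionId> [<subscriptionId> ...]
    print(json.dumps(enable_unified_solution(sys.argv[1:]), indent=2))
```

The `send` parameter exists so the loop can be exercised against a fake transport before it is pointed at real subscriptions; a non-2xx status is reported per subscription rather than aborting the whole run, which makes it easy to spot subscriptions where the token lacks the rights to write security settings.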


Is the unified solution available on multicloud connectors?

Yes, the new Defender for Endpoint unified solution can be deployed to Azure VMs and to non-Azure machines connected through Azure Arc. In addition, it is automatically deployed when enabling any Defender for Servers plan on our multicloud connectors. To learn more about Defender for Cloud's multicloud capabilities, please see https://aka.ms/mdcmc


What happens in case a machine has the Microsoft Antimalware (SCEP) extension deployed?

Before deploying the Defender for Endpoint unified solution, Microsoft Antimalware (also known as System Center Endpoint Protection, SCEP) needs to be removed from the machine. The MDE.Windows extension will automatically take care of removing SCEP when deploying the Defender for Endpoint unified solution to your machines.


Now, it’s your turn: go ahead, check it out, and let us know what you think about the new onboarding experience for Defender for Endpoint in Microsoft Defender for Servers.


Acknowledgements

Special thanks to Netta Norman and Erel Hansav for the great partnership and technical review.

Updated Sep 20, 2022
Version 8.0

47 Comments

  • Hi Garretta86,
    From an MDE perspective, it's a transparent change, so existing configuration will apply. Regarding testing on a particular machine without enabling the integration on the whole subscription, yes, that is possible via REST API:

    1. You need to retrieve the MDE Onboarding Package as a Base64-encoded package. This can be done with a GET request against
       https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview
    2. You need to deploy the extension to your machine. To do it, you can run a PUT request against
       https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version>
       (see below the different parameters for the JSON body and API call):

      Parameter               Value
      API Call                PUT
      API URI                 https://management.azure.com/<resourceId>/extensions/MDE.Windows?api-version=<api-Version>
      ResourceId              Azure Resource ID
      MachineType             Compute (for Azure VMs), HybridCompute (for Azure Arc machines)
      MachineTypePath         virtualMachines (for Azure VMs), machines (for Azure Arc machines)
      API Version             2015-06-15 (for Azure VMs), 2020-08-02 (for Azure Arc machines)
      Base64EncodedPackage    result from the GET request in step 1

    The PUT request needs to contain the following JSON body (replace the <attributes> with values from the table above):

    {
      "name": "MDE.Windows",
      "id": "<ResourceId>/extensions/MDE.Windows",
      "type": "Microsoft.<MachineType>/<MachineTypePath>/extensions",
      "location": "<location_of_vm>",
      "properties": {
        "autoUpgradeMinorVersion": true,
        "publisher": "Microsoft.Azure.AzureDefenderForServers",
        "type": "MDE.Windows",
        "typeHandlerVersion": "1.0",
        "settings": {
            "azureResourceId": "<ResourceId>",
            "vNextEnabled": "true"
        },
        "protectedSettings": {
          "defenderForEndpointOnboardingScript": "<Base64EncodedPackage>"
        }
      }
    }

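The per-machine deployment described in the comment above, as an added example (not code from the commenter or from Microsoft): it derives MachineType, MachineTypePath and the API version from the machine's resource ID, validates that the onboarding package is base64, and assembles the PUT request and JSON body from the comment's table. The resource-ID parsing, the helper names and the constructed sample package are this example's own assumptions; sending the request (with a bearer token) is left to the caller.

```python
"""Build the PUT request that deploys the MDE.Windows extension to one machine
(Azure VM or Azure Arc-enabled server), following the comment's table.

Added example, not the commenter's or Microsoft's code. URI shape, publisher,
type handler version, settings keys and per-machine-type API versions come from
the comment; resource-ID parsing and helper names are this example's assumptions.
"""
import base64
import binascii
import re

# provider namespace -> (resource type path, API version), per the comment's table
MACHINE_KINDS = {
    "Microsoft.Compute": ("virtualMachines", "2015-06-15"),
    "Microsoft.HybridCompute": ("machines", "2020-08-02"),
}

# constructed placeholder (base64 of "constructed"), NOT a real onboarding package
SAMPLE_PACKAGE_B64 = "Y29uc3RydWN0ZWQ="

RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"(?P<provider>[^/]+)/(?P<path>[^/]+)/(?P<name>[^/]+)$", re.IGNORECASE)


def classify_resource(resource_id):
    """Return (provider, type path, api version) for a VM or Arc machine resource ID;
    anything else (a storage account, a malformed ID) is rejected."""
    m = RESOURCE_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a machine resource ID: {resource_id}")
    provider, path = m.group("provider"), m.group("path")
    for known, (known_path, api) in MACHINE_KINDS.items():
        if provider.lower() == known.lower() and path.lower() == known_path.lower():
            return known, known_path, api
    raise ValueError(f"unsupported machine type: {provider}/{path}")


def validate_onboarding_package(package_b64):
    """The package from the mdeOnboardings GET must be non-empty, valid base64."""
    try:
        decoded = base64.b64decode(package_b64, validate=True)
    except (binascii.Error, ValueError) as err:
        raise ValueError("onboarding package is not valid base64") from err
    if not decoded:
        raise ValueError("onboarding package is empty")
    return package_b64


def extension_request(resource_id, location, package_b64):
    """Return (method, url, body) for deploying MDE.Windows to one machine."""
    provider, path, api = classify_resource(resource_id)
    package = validate_onboarding_package(package_b64)
    url = (f"https://management.azure.com{resource_id}"
           f"/extensions/MDE.Windows?api-version={api}")
    body = {
        "name": "MDE.Windows",
        "id": f"{resource_id}/extensions/MDE.Windows",
        "type": f"{provider}/{path}/extensions",
        "location": location,
        "properties": {
            "autoUpgradeMinorVersion": True,
            "publisher": "Microsoft.Azure.AzureDefenderForServers",
            "type": "MDE.Windows",
            "typeHandlerVersion": "1.0",
            "settings": {"azureResourceId": resource_id, "vNextEnabled": "true"},
            # protectedSettings are encrypted by the platform; the package never
            # shows up in the readable extension properties afterwards
            "protectedSettings": {"defenderForEndpointOnboardingScript": package},
        },
    }
    return "PUT", url, body
```

Because the API version and the `type` string differ between Azure VMs and Arc-enabled servers, deriving them from the resource ID removes the most common copy-and-paste mistake when the same request is reused for both kinds of machine.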
  • Hello AndrePKI,

    once a machine is connected via Azure Arc to a subscription that has Defender for Servers and MDE integration enabled, it will automatically get the MDE.Windows extension deployed. No need to manually download and install.

    Joonas_P, for agent-based scenarios in Defender for Servers Plan 2, such as Defender for Server's attack detections outside of MDE, File Integrity Monitoring and Adaptive Application Controls, you still need the Log Analytics agent on your machines. Also, for raw event logging to the workspace, the Log Analytics agent, or AMA would be needed.

  • Garretta86 (Copper Contributor)

    Is there a way of testing the extension without deploying to the whole subscription?


    Does it just continue to use the configuration policies you are already using, e.g. things like ASR rules won't be turned on by default?

  • Joonas_P (Copper Contributor)

    Hi! Great news. But what happens if we need to get certain log types from the servers? Do we still need to install LA / AMA agent for that?


    Br

    JP

  • AndrePKI (Iron Contributor)

    Hello Tom_Janetscheck, could you please elaborate on how to onboard when machines are connected via Arc (at scale)?

    MDE documentation referred to doesn't mention this and I don't think one needs to download and install anything from the MDE portal, but that is just not clear from the docs

  • Hi Garretta86,

    this is a great question! The MDE.Windows extension will remove SCEP from your machines when deploying the MDE unified solution.


    Best regards,

    Tom

  • Garretta86 (Copper Contributor)

    This is fantastic news.


    Can you confirm what happens if you install the extension on a VM that has SCEP installed?


    Thanks!