Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Blog update 07/04/2024: The release timelines for affected Defender for Servers features were updated in the blog.
Blog update 06/20/2024: The deprecation scope of adaptive recommendations was updated in the blog.
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and what the impact on customers is.
There are two Defender for Cloud plans with features relying on the Log Analytics agent: Defender for Servers Plan 2 and Defender for SQL servers on machines.
In this blog post we will explain the plan for the product capabilities that depend on the Log Analytics agent and Azure Monitoring agent for the Defender for Servers plan. See the plan for Defender for SQL servers on machines features here.
Defender for Servers
In preparation for the Log Analytics Agent (MMA) retirement in August 2024, and as part of this updated strategy, all Defender for Servers features and capabilities will be provided through Microsoft Defender for Endpoint (MDE) as a single agent, complemented by agentless capabilities, without dependency on either Log Analytics Agent (MMA) or Azure Monitoring Agent (AMA).
As a result, all Defender for Servers features and capabilities currently relying on Log Analytics Agent (MMA) will be deprecated in their Log Analytics version, and delivered over the alternative infrastructures mentioned above by August 2024.
To ensure your servers are secured and receive all the security content of Defender for Servers, verify that Defender for Endpoint (MDE) integration and agentless disk scanning are enabled on your subscriptions. This will ensure you’ll seamlessly be up-to-date and receive all the alternative deliverables once they are provided.
Defender for Servers plan 2 features' plan
The following Defender for Servers features are going to be deprecated in their Log Analytics version going forward. Most of the features are already available through the alternative platforms (MDE/Agentless). The rest will be provided by August 2024, or deprecated.
The following list details the alternative plan for each of Defender for Servers capabilities:
- Microsoft Defender for Endpoint (MDE) integration for down-level machines (Windows Server 2012 R2, 2016) - Unified agent integration for Windows Server 2012 R2 and Windows Server 2016 is already available today. Use it to maintain MDE support and receive the full extended feature set.
- OS level alerts - All the OS level alerts are already available today via MDE. Duplicate alerts relying on MMA or AMA will be deprecated by August 2024.
- Detections indicating Anti-Malware activity failures (by Anti-Malware publisher) - Detections indicating non-Microsoft anti-malware activities were deprecated in January 2024. Detections indicating Microsoft’s anti-malware activities are available via MDE.
- Adaptive Security Recommendations - The Adaptive Application Controls and Adaptive Network Hardening features will be discontinued as they exist today. New capabilities will be considered as part of the future Defender for Servers roadmap. The current GA version based on the Log Analytics agent and the preview versions based on Azure Monitoring agent will be deprecated in August 2024.
- Endpoint protection discovery recommendations - A new agentless version of these recommendations will be provided for Endpoint protection discovery and configuration gaps in July 2024. As part of this upgrade, this feature will be available for multi-cloud servers, and be provided as a component of Defender for Servers Plan 2 and Defender CSPM only. On-premises servers won't be covered in the new version. The recommendations available today based on Log Analytics Agent and Azure Monitor agent will be deprecated when the alternative is provided via agentless disk scanning.
- Missing OS patches (system updates) - The new version of System Update recommendations is already available and based on an integration with Azure Update Manager, relying on the native capabilities available for all Azure VMs and Azure Arc-enabled servers.
- OS misconfigurations (security baselines) - OS Security Baselines powered by Guest Configuration will be moved to general availability in September 2024. Existing security baselines powered by Log Analytics agent will be supported until November 2024. Support of this feature for Docker-hub and VMSS will be deprecated in August 2024 and will be considered as part of future Defender for Servers roadmap.
- File Integrity Monitoring (FIM) - In August 2024, a new version will be provided via MDE, and the FIM Public Preview version based on Azure Monitor Agent (AMA) will be deprecated. FIM powered by Log Analytics agent will continue to be supported until November 2024.
- The 500 MB benefit for data ingestion over the defined tables will remain supported for the AMA agent on machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it, or if a machine is reporting to multiple workspaces.
Log analytics & Azure Monitor agent Auto Provisioning experience
MMA auto-provisioning mechanism and its related policy initiative will remain optional and supported until November 2024 through MDC platform.
The provisioning process that provides the installation and configuration of both agents (MMA/AMA) has been adjusted according to the plan mentioned above:
- The current shared ‘Log Analytics agent’/’Azure Monitor agent’ auto-provisioning mechanism in MDC platform is applied to ‘Log Analytics agent’ only.
- ‘Azure Monitor agent’ (AMA) related Public Preview policy initiatives have been deprecated and replaced with a new auto-provisioning process for Azure Monitor agent (AMA), targeting only Azure registered SQL servers (SQL Server on Azure VM / Arc-enabled SQL Server).
- Deploying Azure Monitor Agent (AMA) with the Defender for Cloud portal is available only for SQL servers on machines, with a new deployment policy; see here.
- Current customers with AMA with the Public Preview policy initiative enabled will still be supported but are recommended to migrate to the new policy.
- Alternatively, you can deploy AMA on your servers using standard methods including PowerShell, CLI, and Resource Manager templates.
The MMA auto provisioning capability will be deprecated as well in 2 stages:
- By the end of September 2024 - auto provisioning of MMA will be disabled for customers that are no longer using the capability, as well as for newly created subscriptions. After the end of September, the capability will be permanently disabled on those subscriptions and will not be available for reactivation.
- End of November 2024 - auto provisioning of MMA will be disabled on subscriptions that have not yet switched it off. From that point forward, it will no longer be possible to enable the capability on existing subscriptions.
Agents' migration planning
All Defender for Servers customers are advised to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost. This will ensure you are automatically covered with the new alternative deliverables, with no additional onboarding required.
Following that, we recommend planning your migration according to your organization's requirements:

| AMA required (for Defender for SQL or other scenarios) | One of File Integrity Monitoring (FIM) / Endpoint protection recommendations / security baseline recommendations is required as part of Defender for Servers | What should I do |
| --- | --- | --- |
| No | Yes | You can remove MMA starting August 2024 |
| No | No | You can remove MMA starting now |
| Yes | No | You can start migration from MMA to AMA now |
| Yes | Yes | You can either start migration from MMA to AMA starting August 2024 or, alternatively, use both agents side by side starting now. |
Changes to legacy Defender for Servers Plan 2 onboarding via Log Analytics agent
The legacy approach of onboarding servers to Defender for Servers Plan 2 based on Log Analytics agent and using Log analytics workspaces is set for retirement as well:
- The onboarding experience for onboarding new non-Azure machines to Defender for Servers using Log Analytics agents and workspaces will be removed from Inventory and Getting started blades in Defender for Cloud portal in July 2024.
- In order to avoid losing security coverage in August 2024, current customers who have on premises servers onboarded via this legacy approach are recommended to connect these machines via Azure Arc-enabled servers and enable Defender for Servers Plan 2 on the Azure subscription those servers are connected to.
- Customers that have been using this legacy approach to granularly enable Defender for Servers Plan 2 on selected Azure VMs are recommended to enable Defender for Servers Plan 2 on these machines' Azure subscriptions and exempt individual machines from Defender for Servers coverage by leveraging the Defender for Servers per-resource configuration.
Defender for Servers feature coverage in sovereign clouds
In Azure sovereign clouds, divergent feature coverage and timelines apply:
- For Azure Government, in addition to existing Defender for Servers capabilities that do not rely on Log Analytics agent, such as Just-in-time VM access and Defender for Endpoint integration, Defender for Servers will add feature parity for its renewed capabilities by early 2025. This includes system updates recommendations, File Integrity Monitoring, OS security baselines, and EPP recommendations. Additional capabilities may be added in later phases.
- After Log Analytics agent deprecation, Defender for Endpoint serves as the single main agent for Defender for Servers capabilities. Since Defender for Endpoint is not available yet in Azure operated by 21Vianet in China, at this point, capabilities that relied on Log Analytics agent do not have direct replacements in this cloud.
Q&A
What should I do next?
As mentioned, we advise Defender for Servers customers to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost, to automatically get the new alternative deliverables with no additional onboarding required. Following that, plan your migration according to your organization's requirements:
Customers with Log Analytics Agent (MMA) enabled
- If File Integrity Monitoring (FIM) and OS security baselines recommendations are required in your organization, you can start retiring MMA in August 2024 when an alternative will be delivered. GA versions of FIM and OS security baselines based on MMA will continue to be supported until November 2024.
- If the features mentioned above are required in your organization, and Azure Monitor agent (AMA) is required for other services as well, you can start migrating from MMA to AMA in August 2024. Alternatively, use both MMA and AMA side-by-side now, then remove MMA as of August 2024.
- If the features mentioned above are not required, and Azure Monitor agent (AMA) is required for other services, you can start migrating from MMA to AMA now. However, note that the preview Defender for Servers capabilities over AMA will be deprecated in August 2024.
Customers with Azure Monitor agent (AMA) enabled
- No action is required from your end.
- You’ll receive all Defender for Servers capabilities through Agentless and Defender for Endpoint. File Integrity Monitoring (FIM) and OS security baselines recommendations will be available as of August 2024. The preview Defender for Servers capabilities based on AMA will be deprecated in August 2024.
Can I migrate from MMA to AMA?
Yes, you can migrate to AMA. Please note that the following Defender for Servers features are not going to be GA on top of it: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). Those remain available over MMA and will be provided over alternative infrastructures in or before August 2024, as explained above.
What should I do if I wish to receive the data allowance as part of Defender for Servers plan 2?
To preserve the 500 MB of free data ingestion allowance for the supported data types, you need to migrate from MMA to AMA. Note that:
- The benefit is granted to every AMA machine that is part of a subscription with Defender for Servers plan 2 enabled.
- The benefit is granted on the workspace the machine is reporting to. In case the machine is reporting to more than one workspace, the benefit will be granted to only one of them. The allowance is only granted in case Defender for Servers is also enabled on the workspace.
Can I run MMA and AMA side by side? What is the impact of that?
You can run both the Log Analytics and Azure Monitor Agents on the same machine. Each machine is billed once in Defender for Cloud. Where both agents are running on a machine, we recommend avoiding duplicate data collection by sending the data to different workspaces or, alternatively, disabling security event data collection by MMA. For further information please see the migration guide and the Impact of running both agents.
What happens to my machines using MMA after it is deprecated?
After MMA deprecation in August 2024, Microsoft will no longer provide any support for the Log Analytics agent. Therefore, Defender for Servers customers need to fully onboard to Defender for Endpoint integration within Defender for Servers, as well as agentless disk scanning, prior to the deprecation date in order to receive all the security capabilities. For existing customers using File Integrity Monitoring (FIM) and OS security baselines based on MMA, support is extended until November 2024.
Do my machines using AMA remain secure? What should I do with my machines that have AMA installed?
Machines with AMA installed will remain protected with Defender for Servers features that are based on AMA public preview. These features will remain supported in public preview until an alternative version is provided as highlighted above. We recommend ensuring MDE integration and agentless machine scanning are enabled as part of Defender for Servers plans to be fully secured.
How do I make sure my down-level machines (Windows Server 2012 R2 and Windows Server 2016) remain fully protected?
Unified solution integration for Windows Server 2012 R2 and Windows Server 2016 is already available today in GA. We recommend enabling the unified solution integration as soon as possible, as it removes all dependencies from Log Analytics agent for onboarding and integrating into Defender for Cloud. In addition, the new Defender for Endpoint unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see this documentation. For enablement at scale across your environment, you can use this PowerShell script.
When will MMA integration finally be disabled in Defender for Cloud?
- While MMA has been end of life since August 31st, it will continue to be supported for FIM, OS Security Baselines, and the 500 MB data allowance as part of Defender for Servers Plan 2 until the end of November 2024.
- MMA will continue to work for log ingestion scenarios (outside of MDC) without support until February 2025.
What do I need to do to remove MMA from my machines?
- Disable MMA auto provisioning to prevent Defender for Cloud from re-deploying the agent.
- Remove MMA from your machines, for example by using the MMA removal utility.
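The two removal steps above, and the side-by-side check from the earlier Q&A (avoiding duplicate collection when both MMA and AMA are present), as an added PowerShell example that is not part of the original post and is not the MMA removal utility itself. It assumes the Az.Accounts, Az.Compute and Az.Security modules are installed and Connect-AzAccount has already selected the subscription; the extension publisher and type names are the standard Azure VM extension identities, and the scope is Azure VMs only (Arc-enabled servers use the Az.ConnectedMachine cmdlets instead). The removal runs with -WhatIf so the first pass is a report, not a change.

```powershell
# Added example (not from the blog post): inventory Azure VMs that still run the
# Log Analytics agent (MMA), flag those that also run the Azure Monitor agent (AMA),
# turn off MMA auto-provisioning, then remove the MMA extension in report-only mode.
# Assumes Az.Accounts, Az.Compute and Az.Security are installed and Connect-AzAccount
# has been run against the subscription you want to clean up.

# Standard Azure VM extension type names for the two agents (Windows and Linux).
$mmaTypes = @('MicrosoftMonitoringAgent', 'OmsAgentForLinux')
$amaTypes = @('AzureMonitorWindowsAgent', 'AzureMonitorLinuxAgent')

function Get-MmaInventory {
    # Returns one record per VM that still has an MMA extension installed,
    # recording whether AMA is installed as well (duplicate collection risk).
    foreach ($vm in Get-AzVM) {
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        $mma = @($ext | Where-Object { $_.ExtensionType -in $mmaTypes })
        if ($mma.Count -eq 0) { continue }
        [pscustomobject]@{
            ResourceGroup = $vm.ResourceGroupName
            VMName        = $vm.Name
            MmaExtension  = $mma[0].Name
            HasAma        = [bool]($ext | Where-Object { $_.ExtensionType -in $amaTypes })
        }
    }
}

# Step 1: stop Defender for Cloud from re-deploying MMA (subscription-level setting).
# Calling Set-AzSecurityAutoProvisioningSetting without -EnableAutoProvision turns it off.
Set-AzSecurityAutoProvisioningSetting -Name 'default' | Out-Null
Get-AzSecurityAutoProvisioningSetting -Name 'default'   # confirm AutoProvision is Off

# Step 2: review the inventory, then remove MMA. -WhatIf keeps this a dry run;
# drop it once the report has been checked.
$inventory = Get-MmaInventory
$inventory | Format-Table -AutoSize

foreach ($item in $inventory) {
    if ($item.HasAma) {
        # Both agents present: per the post, either point them at different workspaces
        # or stop MMA security event collection so events are not ingested twice.
        Write-Warning "$($item.VMName): MMA and AMA are both installed; check for duplicate security event collection before removal."
    }
    Remove-AzVMExtension -ResourceGroupName $item.ResourceGroup -VMName $item.VMName `
        -Name $item.MmaExtension -Force -WhatIf
}
```

Run the inventory part first on its own; the HasAma column is the list of machines where removing MMA only changes which agent collects, while rows with HasAma false are machines that will lose the MMA-based FIM and OS baseline coverage until the MDE/agentless replacements are enabled, which is why the post asks you to verify MDE integration and agentless scanning before the deprecation date.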