Blog Post

Microsoft Defender for Cloud Blog
9 MIN READ

Prepare for upcoming transitions in Defender for Servers

Tom_Janetscheck's avatar
Mar 27, 2024

Last summer, within the scope of the upcoming Log Analytics agent deprecation, we announced a new agent strategy for Defender for Servers with the goal to simplify the onboarding and reduce external dependencies in our offering while improving existing and adding new capabilities. As part of that new strategy, customers should enable, agentless scanning as part of Defender for Servers Plan 2, and integration with Microsoft Defender for Endpoint in both Defender for Servers plans as a unified security agent.

 

Update April 18th 2024

In order to make it easier for customers to be prepared for the upcoming transitions, we have added a new campaign into Defender for Cloud's main portal. With this new campaign, customers can now enable agentless scanning, Microsoft Defender for Endpoint integration, or both at scale across all affected subscriptions within their environment.

 

The new transition campaign in Defender for Cloud's portal

 

The campaign also contains a link to this blog and the workbook that is discussed further below in this article. Be aware that the campaign will also show Defender for Servers Plan 2 subscriptions as affected which have Defender for Endpoint integration enabled but which do not yet have enabled Linux integration, or Unified Solution integration. When enabling Defender for Endpoint integration via this campaign, it will therefore enable Linux and Unified Solution integration, as well.

 

Recap

When we released Defender for Cloud (which was formerly known as Azure Security Center) a few years back, we had to rely on Log Analytics agent for some capabilities in both, our foundational CSPM, and in our server protection offerings. In the meantime, there had been many changes especially in the Microsoft Security platform stack, and with the upcoming deprecation of this legacy monitoring agent in summer 2024, we now had the unique chance to re-evaluate our dependencies and to remove some of them while further improving our capabilities at the same time.

With that approach, we were able to reduce the complexity of deploying Defender for Servers across your environment while adding additional coverage to resources that haven’t been protected before.

 

What does it mean for customers?

The new strategy provides three main benefits for customers:

  1. Unification of agents: Instead of using three different agents and extensions (Log Analytics/Azure monitor agent, Azure Policy guest configuration extension, Microsoft Defender for Endpoint), only one agent (Defender for Endpoint) will be required to provide in-depth security value, resulting in simple onboarding and less deployment friction.
  2. Reduced complexity: Only agentless scanning and Defender for Endpoint integration need to be enabled in order to benefit from all security value. With that, monitoring demand for prerequisites is reduced at the same time.
  3. Hybrid approach: Defender for Endpoint sensor is used for in-depth machine security and real-time detections and response, while agentless scanning provides enhanced coverage, full visibility within hours with no performance impact on machines, and advanced security capabilities such as secret scanning.

 

What did we do to make sure this new strategy aligns with customers' needs?

During the last one and half years, we have already been working on putting additional coverage and capabilities in place, before removing legacy dependencies:

  • Agentless scanning: We released agentless scanning as part of Defender for Servers Plan 2 and Defender CSPM. This new platform provides coverage for any multicloud VM, regardless of its operating system and without having to rely on an agent. While in Defender CSPM, we don’t want to force you to deploy an agent just to benefit from enhanced security posture insights, such as vulnerability assessment or secret findings, in Defender for Servers Plan 2 it complements our agent-based approach which offers real-time threat detection and in-depth analysis by covering machines that don’t have an agent (yet) deployed, or by scanning locations that are excluded in an agent-based solution. While the same agentless infrastructure is used in both plans, Defender for Servers Plan 2 comes with some unique capabilities, such as agentless malware scanning, or agentless EDR discovery. To learn more about agentless scanning in depth, please read this blog article.
  • MDE direct onboarding: For customers who are mainly interested in deploying Defender for Endpoint (MDE) to their non-Azure machines, but who are not looking into additional management capabilities or platform extensibility, we introduced a new direct onboarding approach to Defender for Servers via Microsoft Defender for Endpoint, without forcing customers to deploy Azure Arc-enabled servers in a first step. While for non-Azure machines, Azure Arc-enabled servers still is the recommended integration approach since it offers additional capabilities outside of Defender for Servers’ scope, customers can now choose which option they prefer.
  • Unified vulnerability assessments: Microsoft Defender Vulnerability Management (MDVM) has been positioned as the strategic vulnerability assessment solution in Defender for Cloud. This includes vulnerability scanning for servers, and containers, and it is used in our agentless and agent-based vulnerability assessment capabilities. This decision allowed us to further reduce our dependency on external vendors on one hand, and an even closer collaboration with the Microsoft-own MDVM team on the other hand to improve scan results, scan intervals, and integration.
  • Granular deployment options: Defender for Servers Plan 1 can now be enabled on a subset of machines in a subscription, and with Defender for Servers Plan 1 or 2 enabled on a subscription, individual machines can be downgraded, or exempted from coverage. To learn more, read this Microsoft learn document.

Besides all of these recent improvements in the product, there are two main changes coming towards us within the next few months.

 

What will change for Defender for Servers customers going forward?

There are two main milestones in the next few months that we encourage our customers to plan and prepare for:

 

  1. In May 2024, we will discontinue our integration with Qualys VA. As of then, the Qualys VA extension can no longer be deployed to new machines, and we will start to migrate existing machines to Microsoft Defender Vulnerability Management as the underlying vulnerability assessment solution. While new customers already benefit from Microsoft Defender Vulnerability Management since January 15th, existing customers will automatically be migrated, unless they are using the Qualys BYOL integration in their environment.
  2. In August 2024, the Log Analytics agent will be deprecated and replaced by Azure Monitor agent as its successor. While this is an overall Azure motion, Defender for Servers will no longer depend on the monitoring agent going forward. In July 2023, we shared our updated plan and strategy towards Log Analytics agent deprecation, which includes that all Defender for Servers Plan 2 capabilities will be provided either based on Microsoft Defender for Endpoint as a unified security agent, or based on agentless capabilities, including agentless scanning, and platform-based agentless features. We encourage you to read above-mentioned article as it includes further details and release/deprecation ETAs.

 

What are the prerequisites for the upcoming changes?

As part of this new strategy, there are some prerequisites that should be in place so you will be prepared for upcoming changes:

  • Previously, Azure VMs and non-Azure machine could be onboarded to Defender for Servers Plan 2 via Log Analytics agent. Since this capability will be deprecated alongside the overall agent deprecation, in order to remain protected, machines need to be connected via modern alternatives:
    • Non-Azure machines need to be onboarded to Azure Arc-enabled servers and connected to a subscription with Defender for Servers Plan 2 enabled. For multicloud VMs on AWS and GCP, Azure Arc can automatically be deployed as part of Defender for Servers onboarding on multicloud connectors. For on premises servers, there are different deployment options as outlined in this documentation
    • For Azure VMs that previously have been onboarded via Log Analytics agent, Defender for Servers Plan 2 needs to be enabled on their Azure subscription.
  • In both Defender for Servers plans, customers are advised to enable Microsoft Defender for Endpoint integration. While this integration is enabled by default when enabling any Defender for Servers plan, it is worth making sure the MDE extension is successfully deployed to your Azure VMs and Azure Arc-enabled servers.
  • In order to benefit from OS Security Baselines powered by Azure Policy's Guest Configuration capability, Defender for Servers Plan 2 customers need to deploy the Guest Configuration extension to their Azure VMs. For on premises machines, Azure Arc-enabled servers provides this capability and no additional extension is required.
  • In Defender for Servers Plan 2, agentless scanning should be enabled to benefit from agentless malware, secret, and vulnerability scanning, software inventory, and EDR discovery.
  • While we will start to auto-migrate customers currently using Qualys VA to Microsoft Defender Vulnerability Management in May 2024, we encourage you to migrate on your own, today. New subscriptions can no longer use Qualys VA and already benefit from MDVM as their vulnerability assessment solution, and in order to avoid scan results from different solution across your estate, we have published a migration guide to help you with this task. Be aware that in order to finalize the migration, you should remove the Qualys VA extension from your machines. Removing the extension will automatically uninstall the Qualys agent inside the operating system.
  • While going forward, Defender for Servers will no longer use Log Analytics or Azure Monitor agent to provide security value to machines, there are scenarios in which you might want to migrate to Azure Monitor Agent for further log ingestion scenarios. In this case, machines that are covered by Defender for Servers Plan 2 will continue to benefit from the 500 MB data allowance that is granted for log ingestion. For a migration guidance as part of your Microsoft Sentinel enrollment, please see this documentation. For a general migration guidance, see this documentation.
  • In case you no longer need the legacy Log Analytics agent, make sure you remove it from your machines. For this purpose, the Azure Monitor team released a utility to discover and remove Log Analytics agent from your machines.

 

How can I track my migration efforts?

Today, we are excited to release the new Defender for Servers deployment status workbook. With this workbook, you will have four different pivots into your environment, highlighting the most important information within the scope of the upcoming transitions.

 

Defender for Servers coverage across subscriptions

The first section of the workbook will show information about all subscriptions with Defender for Servers enabled. The pie chart on the left side shows the amount of subscriptions with Defender for Servers Plan 1, or Plan 2 enabled, while the table shows a detailed view on the plan per subscription.

Defender for Servers coverage across subscriptions

In case Defender for Servers Plan 2 is enabled, the table also shows if agentless scanning is enabled, or not. You can click the enabled or disabled value in the table to automatically be redirected to the corresponding setting for the subscription you clicked the value on, so you can seamlessly enable agentless scanning accordingly.

 

Log Analytics agent coverage across machines

The second workbook section focuses on machines that still have the legacy Log Analytics agent deployed. While it depends on your own scenario if you want to stick with Log Analytics agent, or migrate to Azure Monitor agent today, it is required to enable Defender for Endpoint integration so you will benefit from all agent-based scenarios in Defender for Servers Plan 2 going forward.

Log Analytics agent coverage across machines

Therefore, this section shows machines that still have the Log Analytics agent deployed and brings this information into context with the MDE deployment status. The pie chart on the left shows the total amount of machines with/without Log Analytics agent deployed. The table only shows machines that still have the agent, including the Log Analytics workspace they are connected to alongside information about the Defender for Endpoint deployment status for each machine.

In the end, it doesn’t matter how many machines in your environment still use the Log Analytics agent, but you want to make sure all of them have Defender for Endpoint deployed and the provision state shows “succeeded”.

 

Defender for Endpoint coverage across machines

The third workbook section focuses on Defender for Endpoint coverage, only. The pie chart will show the total amount of machines in your environment, divided by Defender for Endpoint deployment status. The table shows all machines, regardless of their Log Analytics agent deployment, so it will also show machines that do not or no longer have the legacy agent deployed.

Defender for Endpoint coverage across machines

With that, even if you are not using Log Analytics agent anymore, you can still see the Defender for Endpoint coverage across all your machines.

 

Qualys VA coverage across machines

The fourth and final section in the workbook shows the coverage of Qualys VA across your environment. While the pie chart will show all machines, including their Qualys deployment status, the table will focus on machines with the extension deployed, only.

Qualys VA coverage across machines

In case there are no machines covered by Qualys (anymore), you will see a success message, as shown below.

Machines with Qualys VA extension deployed

 

Summary

In case you are using Defender for Servers Plan 2, make sure you have both, agentless scanning, and Defender for Endpoint integration enabled so you are prepared for the upcoming deprecation of Log Analytics agent. In case you have been using our Qualys VA integration, start your migration to MDVM today! With the new Defender for Servers deployment status workbook, we offer you a handy tool to keep track of your migration efforts.

Now, it’s your turn. Deploy the workbook, discover your machines’ current state, and get started towards the future of Defender for Servers!

 

Acknowledgements

Thanks to Gal Fenigshtein and Miri Herszfang for reviewing this article and providing their feedback.

Updated Aug 05, 2024
Version 5.0
  • Hi ReemaP1140,

    even today, you can use Defender for Servers Plan 2 with MDE direct onboarding, but you won’t benefit from all capabilities. In general, Defender for Servers Plan 2 is best-suited for cloud VMs as it includes a variety of cloud-only capabilities such as JIT VM access, network-layer threat detection and agentless scanning.

    Regarding your second question, this understanding is correct.

  • Tom_Janetscheck great article! 2 questions to confirm understanding:
    1. MDE direct onboarding still only works for Plan 1 , Arc is still needed for Plan 2?
    2. Reading the granular deployment options, customers now have the option to deploy plan 1 or 2 within the same subscription?

  • rdsouza's avatar
    rdsouza
    Copper Contributor

    Hi Tom_Janetscheck - thanks for this article.  However also want to confirm process for non-azure virtual machines.
    My objective is to deploy Def for Servers P2 (including EDR & FIM capability) to servers NOT hosted in azure (AWS or other on-prem DC).
     - currently we understand 3 things to be true to meet the requirement;
        a) deploy ARC agent
        b) deploy AMA/LogAnalytics agent
        c) deploy MS Defender for server agent

    With the new unified agent and to meet the requirement "Def for Servers P2 (including EDR & FIM capability)" what process should we follow please?  

    Thanks

    Roy

  • Hi rdsouza 
    for AWS/GCP machines Defender for Cloud will automatically take care of deploying Azure Arc and MDE to your machines as soon as you enable Defender for Servers Plan 2 on the multicloud connector. For onprem machines, you can deploy Azure Arc enabled servers on your own and then have Defender for Cloud deploy MDE. Once Azure Arc is deployed and the machine is connected to a subscription with Defender for Servers and MDE integration enabled, we will deploy the MDE.Windows/MDE.Linux extension to this Azure Arc machine. Please also see https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-defender-for-endpoint for further reference on enabling MDE integration.