Forum Discussion
Microsoft Defender for Endpoint Confusion
I have some questions that I am currently not able to find a clear answer to that I hoped someone could help.
Here's where I am. I have Windows Servers (2008R2/2012/2016) and Linux VMs in Azure. I am looking to replace the current McAfee ePo solution.
I have Azure Security Center, and expect to pay for Azure Defender licences @ £10.88/$14.60 per VM per month.
I can see my VMs in Azure Security Center and I can see a recommendation here to enable endpoint protection (Install endpoint protection solution on virtual machines).
When I look at the minimum requirements for Microsoft Defender for Endpoint here (Minimum requirements for Microsoft Defender for Endpoint - Windows security | Microsoft Docs) it notes the use of the Microsoft Defender for Endpoint Trial, which links back to a page offering details on pricing for enterprise and starting a free trial. But what is this for? 365? I'm only looking to protect VMs in Azure.
Do I need to use the Microsoft Defender Portal (https://securitycenter.windows.com) to provide protection to my Azure VMs to replace ePo? Following this guide seems to suggest that I need to complete my dedicated cloud instance of Microsoft Defender for Endpoint (McAfee to Microsoft Defender for Endpoint - Prepare - Windows security | Microsoft Docs).
I also find links suggesting that Windows Server 2008R2/2012/2019 and Linux are supported for Endpoint:
Minimum requirements for Microsoft Defender for Endpoint - Windows security | Microsoft Docs
And also other links that state Windows Server 2019 and Linux are not supported for Endpoint.
I can't seem to track down the right level of information on this and am looking for some assistance. End game is, I'd like to move away from McAfee ePo, and have my new solution support Windows Server (2008R2/2012/2016/2019) and Linux OS Server VMs only.
So what do I need? 🙂
Appreciate any help.
- Thijs Lecomte (Bronze Contributor): It's a bit confusing, I agree.
When you protect machines with Azure Security Center, you receive a license for Microsoft Defender for Endpoint. Defender for Endpoint is the EDR solution from Microsoft which can protect Windows, Windows Server, Linux, MacOS, Android and iOS.
Azure Security Center isn't an EDR solution and for EDR detections, you need to use the Security Center portal. This will contain all the machines that are protected with Microsoft Defender for Endpoint.
To onboard servers (install EDR) you can use Azure Security Center. When you enable Security Center for Virtual Machines, Windows Server 2008R2, 2012 and 2016 are automatically onboarded.
Windows Server 2019 & Linux need to be manually onboarded. This is done through a script, which is described here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-sac-version-1803-windows-server-2019-and-windows-server-2019-core-edition
Note that Defender for Endpoint is an EDR, not an AV. For AV, there are also some differences between the different OSes: https://www.thecloudtechnologist.com/defender-for-endpoint-mdatp-for-windows-servers/
Do let me know if you have any questions.
- AzureJP (Copper Contributor):
Hey there,
Thank you for the detailed response. This does seem clearer now.
So I guess I can say that my VMs in the subscription which are already protected by the "Azure Defender enabled" Security Center would therefore already have a licence for the EDR which will be automatically onboarded (except Linux/2019) in the new portal?
In terms of AV (in the classic sense) I can also seek to install the Anti-malware extension in the Azure Portal Security Center by installing "endpoint protection solution on virtual machines", which in turn installs the Microsoft Antimalware extension on supported Windows OSes?
Finally, for my Linux nodes in the new ATP (Microsoft Defender) portal, I presume that's about as protected as I can get in terms of 'anti-virus' protection once I onboard them?
Much appreciated.
- Thijs Lecomte (Bronze Contributor): Hi
You are correct, if you have Azure Defender enabled, they will automatically all be licensed for MDE. All but 2019/Linux will be onboarded automatically.
You are correct that you can use the anti-malware extensions. It does practically the same. From within the Security Center, in Threat & Vulnerability Management you can see if they have AV enabled.
If your Linux is in security center, that's all good. Just make sure EDR is enabled for them as well: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-generally-available/ba-p/2048539
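Once a Linux VM has been manually onboarded as described above, an admin still wants to confirm on the box that the agent is healthy, licensed (which is what the Azure Defender entitlement should give you) and has AV real-time protection on, not just EDR. The script below is an added example, not code from the thread or from Microsoft: it parses the `name : value` lines that `mdatp health` prints, and falls back to a constructed sample (`SAMPLE_HEALTH`, with a placeholder org_id) so it runs offline.

```shell
#!/bin/sh
# Added example: check Defender for Endpoint on a Linux VM.
# SAMPLE_HEALTH is a constructed stand-in for real `mdatp health` output
# (the org_id is a placeholder, not a real tenant).
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
passive_mode_enabled                        : false'

# mdatp_field HEALTH_TEXT NAME -> prints NAME's value from "name : value" lines
mdatp_field() {
  printf '%s\n' "$1" | awk -v k="$2" -F' *: *' '$1 == k { print $2; exit }'
}

# mdatp_protection_ok HEALTH_TEXT -> 0 when the agent is healthy, licensed
# and AV real-time protection is enabled; prints the first failing reason.
mdatp_protection_ok() {
  h=$1
  [ "$(mdatp_field "$h" healthy)" = "true" ] \
    || { echo "agent reports unhealthy: check health_issues"; return 1; }
  [ "$(mdatp_field "$h" licensed)" = "true" ] \
    || { echo "agent not licensed: verify onboarding / Azure Defender"; return 1; }
  [ "$(mdatp_field "$h" real_time_protection_enabled)" = "true" ] \
    || { echo "AV real-time protection is off (EDR-only posture)"; return 1; }
  return 0
}

# Use live agent output when mdatp is installed, otherwise the sample.
if command -v mdatp >/dev/null 2>&1; then
  HEALTH=$(mdatp health)
else
  HEALTH=$SAMPLE_HEALTH
fi
mdatp_protection_ok "$HEALTH" && echo "Defender for Endpoint on this VM looks good"
```

Run it under a configuration-management check so a VM that is onboarded for EDR but silently lost AV real-time protection is flagged rather than assumed covered.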