Forum Discussion
Onboarding servers to MDE after September 2022
Paul_Huijbregts marysia_k HeikeRitter
(Just mentioning a few of the employees active in the community in the hope that someone knows something)
So I am rather confused how to handle MDE on servers now that stand-alone licensing for "MDE for servers" is being phased out, leaving just Defender for Servers.
Servers in Azure are OK I suppose, since they are visible in Defender for Cloud to begin with, but this is not the case with servers in AWS, GCP, and On-premise.
Q1: Azure Arc
Do we now have to install the Azure Arc agent on servers outside of Azure, just to be able to activate the Defender for Servers plan in Defender for Cloud? Does this require Azure Arc licensing, or is this usage free like with AMA? (AMA requires Arc outside of Azure, and Arc can be used for free when you just need to fulfil this prerequisite for AMA.)
Q2: Onboarding
Can we still use GPO, MECM, local scripts etc. for onboarding, or do we need to deploy via Defender for Cloud (by activating the Defender for Servers plan)?
My colleagues and I are all very confused here, which also hinders our pre-sales as an MS partner, so any sort of information would be much appreciated.
(We have been unable to get any real info from support or from our MS representatives it seems)
24 Replies
- Sean O'FarrellCopper Contributor
Hi, there is a new feature, Defender for Endpoint : Direct On-Boarding. This blog post is not my own, it is an excellent blog post by Jeffrey Appel : https://jeffreyappel-nl.cdn.ampproject.org/c/s/jeffreyappel.nl/onboard-defender-for-endpoint-without-azure-arc-via-direct-onboarding/amp/
Hope this helps.
Seán
- gilblumbergIron Contributor
Just to add to this, I've been through a very similar exercise recently too.
Reading the updated documentation, it feels like Microsoft is pushing Azure Arc very strongly, almost as if it's the only option. However, this isn't the case.
Non-Azure servers can just be onboarded into a Log Analytics Workspace in Defender for Cloud and from there onboarded into MDE.
- JonhedIron Contributor
I have been told by MS support that you need Azure Arc to use Defender for Servers plan 1, since you can only enable plan 1 at the subscription level. I was told this will not be enabled for servers onboarded to Defender for Cloud via Log Analytics, only servers with Arc.
Also, you cannot onboard MDE via the Log Analytics agent, so you would require Arc, or would have to use GPO onboarding etc.
(Or, to be precise, you could onboard servers the old way that does not use the unified agent on Windows.)
- gilblumbergIron Contributor
Mmm. This is an interesting development, as I have done just that in a trial Defender + Azure portal.
1. Create trial defender portal
2. Downloaded unified install package for Server 2012
3. Trial Azure portal
4. Enable Defender for Cloud
5. Selected Defender for Servers P1
6. Created Log Analytic Workspace for Defender
7. Downloaded agent from workspace
8. Installed agent on on-prem Server 2012 along with workspace ID and primary key
9. Installed unified client
Hey presto. Server appears in Log Analytics Workspace and as device in MDE.
So either….
The MS engineer didn't say you could do this because it's an unsupported configuration
OR
They were somehow unaware
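The manual path gilblumberg lists above (Log Analytics agent bound to a workspace, then the unified MDE package and its onboarding script), as an added PowerShell example for a Windows Server 2012 R2/2016 host. This is not code from the thread or from Microsoft; the workspace ID, workspace key and file locations under C:\Temp\MDE are placeholders you would replace with your own, and it assumes you downloaded the GPO-flavoured WindowsDefenderATPOnboardingScript.cmd from the Defender portal (the "local script" variant prompts for confirmation and would hang a silent run).

```powershell
#Requires -RunAsAdministrator
# Added example: manual onboarding of an on-prem server with the MDE unified agent.
# Placeholders (assumptions, not real values) - replace before use:
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'          # Log Analytics workspace ID
$WorkspaceKey = '<primary-key-from-the-workspace-agents-page>'  # workspace primary key
$PkgDir       = 'C:\Temp\MDE'                                   # where the downloads were placed
$MmaSetup     = Join-Path $PkgDir 'MMASetup-AMD64.exe'          # Log Analytics (MMA) installer from the workspace
$MdeMsi       = Join-Path $PkgDir 'md4ws.msi'                   # unified MDE package (Server 2012 R2 / 2016)
$OnboardCmd   = Join-Path $PkgDir 'WindowsDefenderATPOnboardingScript.cmd'  # GPO onboarding package script

foreach ($f in $MmaSetup, $MdeMsi, $OnboardCmd) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing package file: $f" }
}

# Step 8: install the Log Analytics agent and bind it to the workspace.
# This is the documented silent command line for the MMA installer.
$mmaArgs = '/c /Q /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 ' +
           "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey " +
           'AcceptEndUserLicenseAgreement=1"'
$p = Start-Process -FilePath $MmaSetup -ArgumentList $mmaArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "MMA setup failed with exit code $($p.ExitCode)" }

# Step 9a: install the unified MDE client. 3010 = success, reboot required.
$p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MdeMsi`" /quiet /norestart" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "md4ws.msi failed with exit code $($p.ExitCode)" }

# Step 9b: run the onboarding script that ties the Sense service to your tenant.
$p = Start-Process -FilePath cmd.exe -ArgumentList "/c `"$OnboardCmd`"" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Onboarding script failed with exit code $($p.ExitCode)" }

# Verification: workspace binding on the MMA side, Sense running and OnboardingState = 1 on the MDE side.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$boundWorkspaces = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
$sense = Get-Service -Name Sense -ErrorAction Stop
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

[pscustomobject]@{
    WorkspaceBound  = ($boundWorkspaces -contains $WorkspaceId)
    SenseStatus     = $sense.Status
    OnboardingState = $onboardingState      # 1 = onboarded
}
if ($sense.Status -ne 'Running' -or $onboardingState -ne 1) {
    Write-Warning 'Device is not yet reporting as onboarded; check the MDE event log before declaring success.'
}
```

Because every step is a local installer invocation, it can be wrapped in a ConfigMgr package or scheduled per maintenance window, which is the planning control the Arc-driven deployment discussed later in the thread does not give you. The device should appear in the workspace within minutes and in the Defender portal device list once the Sense service has checked in.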
- Chris MooreBrass Contributor
The change appears more licencing driven than technical:
Customers on existing EA subscription terms aren't (yet) affected by this change as their MDE server licencing is still valid until the end of their agreement.
Customers on CSP agreements can no longer purchase new standalone licences after September or renew after December (this is how it read - please check with a suitable reseller to confirm), meaning that yes - the only way to licence MDE on servers is via Defender for Cloud onboarding.
Arc is free for all scenarios, but naturally raises complexities in many orgs with tier 0 systems such as DCs.
Arc and Defender for Cloud are used to charge for the MDE component (also worth noting that even for non-Azure resources its unit charge is per hour now!). Yes, you should technically use Arc to perform the onboarding, but in reality it's sending the same package, the same onboarding script and a signature that your existing tooling does, so it shouldn't ultimately matter if you still use GPOs or ConfigMgr to onboard your devices. So long as the Arc instance shows the extension as active (which should resolve quickly if it's already installed), it should bill correctly.
/edit
Also worth noting that if a customer has paid for MDE on Servers, and there's overlap with onboarding Defender for Cloud, they can request a credit against the cost of running Defender for Cloud (i.e., not pay twice).
- JonhedIron Contributor
Thanks.
My main caveat with deploying MDE via Arc is that it can't be controlled manually. You don't know exactly how long you will need to wait before the deploy process begins (I have seen delays of several hours in my test environment). This is totally fine when you provision new servers, but not when you want to deploy it to existing production servers, which may or may not include migration from a 3rd-party EPP/EDR.
With existing servers, I would at least want the option of manual onboarding that can be planned in detail.
The inability to plan of course applies to Azure environments as well, where activating the integration would deploy MDE on any and all servers present in the subscription (assuming Defender for Servers P1).
If the MDE and MDC integration is fully optional, and manual onboarding will continue to be available, everything is well. (except for the added agent in tier 0 systems as you mentioned)
I would just like this to be confirmed.
- JonhedIron Contributor
Perhaps these questions fall more under the Defender for Cloud purview, since this concerns Defender for Servers.
Would you be able to shed any light on these questions?
- JonhedIron Contributor
Nothing that can be shared in regards to this matter?
We have received some mixed answers, especially about the use of onboarding scripts.
I have a colleague who was told that the use of the regular onboarding scripts requires the standalone MDE for Servers SKU, and that these onboarding scripts may not be available going forward, making automatic provisioning through Defender for Cloud mandatory.
This honestly sounded a bit odd to me.
- hmannila2021Copper Contributor
I work for a CSP, and unfortunately we've been receiving mixed messaging from Microsoft with the DforE Server license. Initially we were told (through Microsoft webinars, etc., Sept-Nov 2022) that any servers would need to be onboarded through Defender for Servers (Azure). But Microsoft are still sending us our monthly Price Files with DforE Server SKUs, so customers can still purchase this license. And of course, organisations who don't use Azure don't want to have to get an Azure Subscription set up, Azure Arc, learn how Azure works, etc., purely to defend their servers. I have asked the question here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-endpoint-server-sku-is-it-still-valid/m-p/3726569 (no reply as yet) and also had our Support team log a ticket with Microsoft to try to get a definitive answer. My hunch is that initially Microsoft wanted to have servers onboarded through Defender for Servers, but due to the backlash (their 'Demystifying Defender for Servers' webinar is a case in point) they are re-thinking this approach. I could be wrong, but until we have a definitive answer from Microsoft, we're in the dark.