Forum Discussion
Onboarding servers to MDE after September 2022
The change appears more licencing driven than technical:
Customers on existing EA subscription terms aren't (yet) affected by this change as their MDE server licensing is still valid until the end of their agreement.
Customers on CSP agreements can no longer purchase new standalone licences after September or renew after December (this is how it read - please check with a suitable reseller to confirm), meaning that yes - the only way to license MDE on servers is via Defender for Cloud onboarding.
Arc is free for all scenarios, but naturally raises complexities in many orgs with tier 0 systems such as DCs.
Arc and Defender for Cloud are used to charge for the MDE component (also worth noting that even for non-Azure resources its unit charge is per hour now!). Yes, you should technically use Arc to perform the onboarding, but in reality it sends the same package, the same onboarding script and a signature that your existing tooling does, so it shouldn't ultimately matter if you still use GPOs or ConfigMgr to onboard your devices. So long as the Arc instance has the extension as active (which should resolve quickly if it's already installed), it should bill correctly.
/edit
Also worth noting that if a customer has paid for MDE on Servers, and there's overlap with onboarding Defender for Cloud, they can request a credit against the cost of running Defender for Cloud (i.e., not pay twice).
- Jonhed, Sep 29, 2022, Iron Contributor
Thanks.
My main caveat with deploying MDE via Arc is that it can't be controlled manually. You don't know exactly how long you will need to wait before the deploy process begins (have seen delays of several hours in my test environment). This is totally fine when you provision new servers, but not when you want to deploy it to existing production servers, which may or may not include migration from 3rd party EPP/EDR.
With existing servers, I would at least want the option of manual onboarding that can be planned in detail.
The inability to plan of course applies to Azure environments as well, where activating the integration would deploy MDE on any and all servers present in the subscription (assuming Defender for Servers P1).
If the MDE and MDC integration is fully optional, and manual onboarding will continue to be available, everything is well (except for the added agent in tier 0 systems as you mentioned).
I would just like this to be confirmed.
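Both points above (that a GPO/ConfigMgr-onboarded server only bills correctly once the Arc extension is active, and that Arc-driven deployment can't be scheduled precisely) come down to the same question on each box: is the MDE sensor onboarded, and is the machine Arc-connected? The following PowerShell check is an added example, not code from the thread or from Microsoft. It assumes the documented MDE status registry key and `Sense` service name, that `azcmagent` is on PATH when Arc is installed, and that the Defender for Cloud extension unpacks under the `C:\Packages\Plugins` folder named below (the folder name is an assumption).

```powershell
# Added example: report MDE onboarding state and Arc connectivity for this server.
# Nothing here changes the machine; it only reads service, registry and azcmagent state.
function Get-MdeArcOnboardingStatus {
    [CmdletBinding()]
    param()

    # MDE writes OnboardingState = 1 under this key once onboarding has completed.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    if (Test-Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # The MDE sensor runs as the "Sense" service on Windows Server.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Arc: "azcmagent show" prints "Agent Status : Connected" for an Arc-enabled machine.
    $arcState = 'NotInstalled'
    $azcmagent = Get-Command azcmagent -ErrorAction SilentlyContinue
    if ($azcmagent) {
        $arcState = 'Unknown'
        $show = & $azcmagent.Source show 2>$null
        foreach ($line in $show) {
            if ($line -match 'Agent Status\s*:\s*(\S+)') { $arcState = $Matches[1]; break }
        }
    }

    # Assumed extension folder for the Defender for Cloud MDE extension (label: assumption).
    $extDir = 'C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows'

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MdeOnboarded    = ($onboardingState -eq 1)
        SenseService    = if ($sense) { $sense.Status.ToString() } else { 'Missing' }
        ArcAgentStatus  = $arcState
        MdeArcExtension = (Test-Path $extDir)
    }
}

# Usage: run elevated on the server, or remotely via Invoke-Command against a server list.
Get-MdeArcOnboardingStatus | Format-List
```

A row showing `MdeOnboarded = True` with `ArcAgentStatus = NotInstalled` is a server onboarded by your existing tooling but not yet on the Arc/Defender for Cloud billing path; `MdeOnboarded = True` with `Connected` and `MdeArcExtension = True` is the state the first reply describes as billing correctly.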