Forum Discussion
Onboarding servers to MDE after September 2022
Reading the updated documentation, it feels like Microsoft is pushing Azure Arc very strongly, almost as if it's the only option. However, this isn't the case.
Non-Azure servers can just be onboarded into a Log Analytics workspace in Defender for Cloud and from there onboarded into MDE.
- Jonhed, Mar 06, 2023, Iron Contributor
I have been told by MS support that you need Azure Arc to use Defender for Servers Plan 1, since you can only enable Plan 1 at the subscription level. I was told this will not be enabled for servers onboarded to Defender for Cloud via Log Analytics, only for servers with Arc.
Also, you cannot onboard MDE via the Log Analytics agent, so you would require Arc, or to use GPO onboarding, etc.
(Or, to be precise, you could onboard servers the old way that does not use the unified agent on Windows.)
- gilblumberg, Mar 06, 2023, Iron Contributor
Mmm. This is an interesting development, as I have done just that in a trial Defender + Azure portal.
1. Create trial defender portal
2. Downloaded the unified install package for Server 2012
3. Trial Azure portal
4. Enable Defender for Cloud
5. Selected Defender for Servers P1
6. Created a Log Analytics workspace for Defender
7. Downloaded the agent from the workspace
8. Installed the agent on an on-prem Server 2012 along with the workspace ID and primary key
9. Installed the unified client
Hey presto. The server appears in the Log Analytics workspace and as a device in MDE.
So either….
The MS engineer didn't say you could do this because it's an unsupported configuration
OR
They were somehow unaware.
- Jonhed, Mar 06, 2023, Iron Contributor
Interesting.
Are you able to see anywhere that the subscription counts this server as having Defender for Servers Plan 1 active? Such as the resource quantity shown below (87 servers).
Basically, what I was told was that Defender for Servers Plan 1 is scoped to the subscription, so in order for Defender for Servers Plan 1 to activate, the server needs to be present as an Azure resource. Supposedly, servers registered to Defender for Cloud via the Log Analytics agent are not counted as an Azure resource in the same sense, so they will not be identified as a resource that can be protected.
I do not have a non-Azure environment I can test with at the moment, so I have not tested it myself.
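The nine steps gilblumberg lists above (Log Analytics agent with workspace ID and key, then the unified MDE client and its onboarding script) can be scripted and verified end to end. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes the installers were already downloaded to C:\MDEOnboard, that they are named MMASetup-AMD64.exe and md4ws.msi (the unified client package Microsoft ships for Windows Server 2012 R2 and 2016), that the onboarding package from the Defender portal was extracted there as WindowsDefenderATPOnboardingScript.cmd, and that the script is run from an elevated PowerShell session. The MMA setup properties and the OnboardingState registry value are the documented ones; the workspace key and the onboarding .cmd are tenant-specific secrets and should come from a secret store rather than being committed anywhere.

```powershell
# Added example (not from the forum thread): automate the onboarding steps described
# above for a non-Azure Windows server, then verify both agents.
# Assumed paths/file names (not in the original post): C:\MDEOnboard, MMASetup-AMD64.exe,
# md4ws.msi, WindowsDefenderATPOnboardingScript.cmd.
param(
    [Parameter(Mandatory)] [string]$WorkspaceId,   # Log Analytics workspace ID
    [Parameter(Mandatory)] [string]$WorkspaceKey,  # workspace primary key: treat it as a credential
    [string]$StageDir = 'C:\MDEOnboard'
)

$ErrorActionPreference = 'Stop'

function Install-LogAnalyticsAgent {
    param([string]$Installer, [string]$Id, [string]$Key)
    $extract = Join-Path $env:TEMP 'MMASetup'
    # The bundle extracts with /c /t:<dir>; setup.exe then accepts the documented workspace properties.
    Start-Process -FilePath $Installer -ArgumentList "/c /t:`"$extract`"" -Wait
    $setupArgs = @(
        '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
        'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',   # 0 = Azure commercial cloud
        "OPINSIGHTS_WORKSPACE_ID=`"$Id`"",
        "OPINSIGHTS_WORKSPACE_KEY=`"$Key`"",
        'AcceptEndUserLicenseAgreement=1'
    )
    $p = Start-Process -FilePath (Join-Path $extract 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Log Analytics agent setup failed with exit code $($p.ExitCode)" }
}

function Install-UnifiedMdeClient {
    param([string]$Msi, [string]$OnboardingCmd)
    # Install the unified client silently; 3010 means success but a reboot is pending.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Msi`" /quiet" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "md4ws.msi install failed with exit code $($p.ExitCode)" }
    # The local-script onboarding package asks for a Y confirmation, so feed it on stdin.
    # The .cmd carries the tenant onboarding blob, so protect it like a credential.
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo Y| `"$OnboardingCmd`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "MDE onboarding script failed with exit code $($p.ExitCode)" }
}

function Test-Onboarding {
    param([string]$Id)
    $result = [ordered]@{}
    # Log Analytics side: HealthService running and this workspace reporting ConnectionStatus 0 (connected).
    $result.HealthService = (Get-Service -Name HealthService).Status
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $ws  = @($cfg.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $Id }
    $result.WorkspaceConnected = ($null -ne $ws -and $ws.ConnectionStatus -eq 0)
    # MDE side: Sense service running and OnboardingState = 1 under the ATP Status key.
    $result.Sense = (Get-Service -Name Sense).Status
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result.OnboardingState = $status.OnboardingState
    [pscustomobject]$result
}

Install-LogAnalyticsAgent -Installer (Join-Path $StageDir 'MMASetup-AMD64.exe') -Id $WorkspaceId -Key $WorkspaceKey
Install-UnifiedMdeClient -Msi (Join-Path $StageDir 'md4ws.msi') `
                         -OnboardingCmd (Join-Path $StageDir 'WindowsDefenderATPOnboardingScript.cmd')
# Both agents take a few minutes to connect; rerun this check until OnboardingState is 1 and
# WorkspaceConnected is True before concluding the server is "in" either portal.
Test-Onboarding -Id $WorkspaceId | Format-List
```

The verification step is the part worth keeping even if the install is done by hand: a server showing in the portal does not by itself prove the Sense service is onboarded or that the workspace connection is healthy, and OnboardingState plus ConnectionStatus are the local signals for both. None of this settles the licensing question raised in the thread (whether a Log Analytics-registered server is counted against Defender for Servers Plan 1), which only the subscription's billing view can answer. Note also that Microsoft has since retired the Log Analytics agent, so this path is a point-in-time workaround rather than a long-term design.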