Forum Discussion
Onboarding servers to MDE after September 2022
I have been told by MS support that you need Azure Arc to use Defender for Servers plan 1, since you can only enable plan 1 on a subscription level. I was told this will not be enabled for servers onboarded to Defender for Cloud via Log Analytics, only servers with Arc.
Also, you cannot onboard MDE via the Log Analytics agent, so you would require Arc, or to use GPO onboarding etc.
(or to be precise, you could onboard servers the old way that does not use the unified agent on Windows)
1. Create trial defender portal
2. Downloaded unified install package for Server 2012
3. Trial Azure portal
4. Enable Defender for Cloud
5. Selected Defender for Servers P1
6. Created Log Analytics Workspace for Defender
7. Downloaded agent from workspace
8. Installed agent on on-prem Server 2012 along with workspace ID and primary key
9. Installed unified client
Hey presto. Server appears in Log Analytics Workspace and as device in MDE.
So either...
The MS engineer didn't say I could do this because it's an unsupported configuration
OR
They were somehow unaware
- Jonhed, Mar 06, 2023, Iron Contributor
Interesting.
Are you able to see anywhere that said subscription counts this server as having Defender for Servers plan 1 active? Such as the resource quantity shown below (87 servers).
Basically what I was told was that Defender for Servers plan 1 is scoped to the subscription, so in order for Defender for Servers plan 1 to activate, the server needs to be present as an Azure resource. Supposedly, servers registered to Defender for Cloud via the Log Analytics agent are not counted as an Azure resource in the same sense, so it will not be identified as a resource that can be protected. I do not have a non-Azure environment I can test with at the moment, so I have not tested it myself.
- gilblumberg, Mar 06, 2023, Iron Contributor
This is what I see in my trial view:
[Screenshot: Azure]
Which shows zero resources despite there actually being 2 servers that are protected (see next screenshot):
[Screenshot: Defender]
- Jonhed, Mar 06, 2023, Iron Contributor
This link also lists supported environments as Azure VMs and Azure Arc-enabled machines, so I am thinking that not using Arc is counted as an unsupported environment at this point, or will be counted as such soon.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint
- gilblumberg, Mar 08, 2023, Iron Contributor
FYI I've opened 2 tickets with Microsoft, one with an engineer for MDE and one for Defender for Cloud, and remarkably, between them, no solid answer. It's almost like a case of "I can neither confirm nor deny" in the response from the Defender for Servers engineer.
During the phone conversation, he even said you can bypass Azure completely by installing the Unified Agent and onboarding package. This onboards directly into MDE and uses Defender for Servers licensing. I'm very dubious of that, and not even considering using it.
The best I can get out of the Defender for Cloud engineer is that it's a "viable" option. Strangely, he even added this screenshot which specifically mentions needing to use Azure Arc.
I've used and referenced Defender and Azure documentation for years, and normally found it excellent. On this occasion though, I think the deployment methods and what's involved in each step are in need of improvement.
I'm going with Azure Arc to be safe.