Forum Discussion
Onboarding servers to MDE after September 2022
FYI, I've opened 2 tickets with Microsoft, one with an engineer for MDE and one for Defender for Cloud, and remarkably, between them, no solid answer. It's almost like a case of "I can neither confirm nor deny" in the response from the Defender for Servers engineer.
During the phone conversation, he even said you can bypass Azure completely by installing the Unified Agent and onboarding package. This onboards directly into MDE and uses Defender for Servers licensing. I'm very dubious of that, and not even considering using it.
The best I can get out of the Defender for Cloud engineer is that it's a "viable" option. Strangely, he even added this screenshot, which specifically mentions needing to use Azure Arc.
I've used and referenced Defender and Azure documentation for years, and normally found it excellent. On this occasion, though, I think the deployment methods and what's involved in each step are in need of improvement.
I'm going with Azure Arc to be safe.
If you have an NDA in place with Microsoft you should join the private community (Defender Customer Connection Program), where the options and future of this is being discussed in greater detail.
- mara, Jul 26, 2023, Copper Contributor
Please let me know how to set up Option B?
There are multiple servers in one subscription, but I want to install Defender for Servers only on one Arc machine.
- Ciyaresh, Mar 14, 2023, Brass Contributor
Chris Moore wrote:
If you have an NDA in place with Microsoft you should join the private community (Defender Customer Connection Program), where the options and future of this is being discussed in greater detail.
I know because of the NDA you can't discuss this, but I'm hoping that they are reconsidering forcing Arc to use these features. Azure Arc is nice and has many features, but not everyone is willing to install this agent on all of their on-prem servers, maintain it, make their servers visible in the cloud, etc.
- gilblumberg, Mar 08, 2023, Iron Contributor
The options using Azure Arc are indeed great, and I'm glad to have learnt about them.
- Jonhed, Mar 08, 2023, Steel Contributor
Having said that, you have 3 options to onboard through Arc, which gives you enough control over onboarding to be fine for most parts.
Option A) Using the automatic onboarding of Defender for Cloud, which will deploy to any server in said subscription (this requires the checkbox for MDE integration to be checked)
Option B) Using Azure Policies to scope the deployment to resource groups or individual resources
Option C) Using Azure CLI / PowerShell to onboard a specific server instantly (Azure resources can be onboarded from the Az CLI in Cloud Shell, but not Arc resources)
Options B and C allow for more granularity when you need to onboard existing resources and want to manage the pace or timing. You would have to (at least temporarily) disable the MDE integration checkbox, though, to manage the pace, so MDE alerts would not be surfaced in Defender for Cloud (you will still be charged for all servers within the subscription).
- Jonhed, Mar 08, 2023, Steel Contributor
As Chris Moore said, the device needs to be registered with Azure Arc for licensing purposes.
What support may have meant was that you do not have to deploy MDE through Arc. As long as you have Arc installed you are covered by the licensing, so you could then probably proceed to install the onboarding package directly, without breaching the license agreement.
(I think I was told you are supposed to deploy through Arc for Plan 1, but it is not required for Plan 2, though I am not sure about this.)