Forum Discussion
Updating the MDE.Windows extension
We have multiple servers running in Azure Arc onboarded into MDE using the MDE.Windows extension.
Just our luck to discover that Microsoft's documentation shows that automatic extension upgrades are not available for this particular extension - https://learn.microsoft.com/en-gb/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal#supported-extensions
Disappointing that this has to be performed manually. What method are others using to be alerted when an update is available and how are you updating it?
Assuming Azure Monitor for alerts and PowerShell/Runbook for updating?
- gilblumberg (Iron Contributor)
UPDATE:
It's taken quite a bit of back and forth with Microsoft support, and this is basically a summary:
  - Once on-boarded, the extension is not used or required to maintain MDE functionalities.
  - Updating the extension in Azure Arc serves no purpose.
  - When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server.
  - If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.
This last point I thought is particularly relevant (but not documented), as for many organisations which have strict change-control procedures, the re-installation of the Sensor is effectively making a change on the server.
In my case, not taking any action. If not for any other reason, keeping the integration enabled.
(I submitted the bullet points above as feedback on the product page, so with any luck they'll agree it needs this key information)
- Jonhed (Steel Contributor)
Yes, the extension is pretty much there just to push the MDE onboarding package to the server.
Past that, it is just a regular MDE and MDAV installation.
Pattern updates, engine updates as well as platform updates are managed by MDAV.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide
As for MDE itself, it depends on the version.
Windows Server 2019 and above come with the MDE sensor integrated in the OS, so MDE sensor updates are included in the OS security updates.
Windows 2012 R2 and 2016 get the MDE sensor through a separate installation (MDE unified package), and require updates via Windows Update, WSUS etc.
https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac
- Jonhed (Steel Contributor)
I am not quite sure if updating the MDE.Windows extension itself actually has any use, since it only deploys MDE and does nothing past that.
As far as I know, any integration between MDE and Defender for Cloud past that happens through the APIs directly between the services, rather than through the extension.
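
Added example (not part of the thread and not Microsoft's code): a local PowerShell check of the components the posts above describe as independent of the Arc extension, namely the EDR sensor service, the onboarding state, and the MDAV platform, engine and signature versions. The function name `Get-MdeComponentStatus` and the 7-day signature-age threshold are assumptions made for illustration.

```powershell
# Added example: run locally on an onboarded Windows server in an elevated session.
function Get-MdeComponentStatus {
    [CmdletBinding()]
    param(
        # Assumed threshold; set it to match your own update policy.
        [int]$MaxSignatureAgeDays = 7
    )

    $findings = @()

    # The EDR sensor runs as the "Sense" service, separate from the Arc extension.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if (-not $sense) { $findings += 'Sense service not found' }
    elseif ($sense.Status -ne 'Running') { $findings += "Sense service is $($sense.Status)" }

    # OnboardingState = 1 means the device is onboarded to MDE.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                   -ErrorAction SilentlyContinue).OnboardingState
    if ($onboarding -ne 1) { $findings += 'Device does not report as onboarded' }

    # Platform, engine and signature updates are delivered through MDAV.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $signatureAge = $null
    if (-not $mp) {
        $findings += 'Get-MpComputerStatus returned no data'
    }
    else {
        $signatureAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated `
                         -End (Get-Date)).Days
        if ($signatureAge -gt $MaxSignatureAgeDays) {
            $findings += "Signatures are $signatureAge days old"
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SenseStatus      = if ($sense) { $sense.Status } else { 'Missing' }
        Onboarded        = ($onboarding -eq 1)
        PlatformVersion  = $mp.AMProductVersion
        EngineVersion    = $mp.AMEngineVersion
        SignatureVersion = $mp.AntivirusSignatureVersion
        SignatureAgeDays = $signatureAge
        Findings         = $findings
    }
}

Get-MdeComponentStatus | Format-List
```

Capturing this output before and after any change to the extension gives change-control reviewers a record of whether the sensor and antivirus components were affected.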