Forum Discussion
Updating the MDE.Windows extension
UPDATE:
It's taken quite a bit of back and forth with Microsoft support, and this is basically a summary:
- Once on-boarded, the extension is not used or required to maintain MDE functionalities
- Updating the extension in Azure Arc serves no purpose
- When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server
- If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.
This last point I thought is particularly relevant (but not documented), as for many organisations which have strict change-control procedures, the re-installation of the Sensor is effectively making a change on the server.
In my case, not taking any action. If not for any other reason, keeping the integration enabled.
(I submitted the bullet points above as feedback on the product page, so with any luck they'll agree it needs this key information)
Yes, the extension is pretty much there just to push the MDE onboarding package to the server.
Past that, it is just a regular MDE and MDAV installation.
Pattern updates, engine updates as well as platform updates are managed by MDAV.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide
As for MDE itself, it depends on the version.
Windows Server 2019 and above come with the MDE sensor integrated in the OS, so MDE sensor updates are included in the OS security updates.
Windows 2012 R2 and 2016 get the MDE sensor through a separate installation (MDE unified package), and require updates via Windows Update, WSUS etc.
https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac
- gilblumberg, Jun 08, 2023, Iron Contributor
All of this is unfortunately not well articulated, if at all, in the documentation. With reference to my post, none of those 4 bullet points are covered. All very important in my opinion.
- Jonhed, Jun 08, 2023, Steel Contributor
I am not quite sure if updating the MDE.windows extension itself actually has any use, since it only deploys MDE and does nothing past that.
As far as I know, any integration between MDE and defender for cloud past that happens through the APIs directly between the services, rather than through the extension.
- gilblumberg, Jun 08, 2023, Iron Contributor
Microsoft support that updating it serves no purpose whatsoever.
- Jonhed, Jun 10, 2023, Steel Contributor
>When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server
The point about deletion not having any effect on the sensor is covered below, but yes I do agree the relation between the extension and the MDE software in general is not covered much.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint
>If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.
If you check that box for MDE integration, this is indeed true.
The defender for servers plan will charge you for any server present anyways though.
Onboarding scope can be managed with Azure Policy if you uncheck that box, but you would still be charged.
Hoping to see some scoping for the actual Defender for Servers plan some time.