Forum Discussion

PJR_CDF
Iron Contributor
Jul 19, 2023

Onboard servers to Defender in Servers in passive mode using MDC?

Is it possible to utilise the deployment of Defender for Servers in Defender for Cloud (i.e. you enable Defender for Servers on the subscription level to trigger the deployment of the MDE.Windows extension), but have Defender for Endpoint go into Passive/EDR Block mode?

I tested by manually adding the ForceDefenderPassiveMode reg value set to 1 on an Azure 2016 VM that wasn't onboarded to MDE (but had the Defender AV feature installed). When the MDE.Windows extension was installed via Defender for Cloud it overwrote the PassiveMode reg key and set it to 0, i.e. put Defender in Active mode.

I work with many large clients who wish to leverage passive mode first when migrating to Defender for Servers.
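An added check (not part of the original post) for verifying, after the MDE.Windows extension has run, whether the server really ended up in passive mode. It assumes the documented policy path for the ForceDefenderPassiveMode value and must run elevated on the server itself; Get-MpComputerStatus and the Sense service are the standard Defender interfaces.

```powershell
# Added example: compare the requested passive-mode setting with what Defender
# is actually doing. Assumption: the policy value lives under the documented path.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

function Get-PassiveModeState {
    # 1. What the policy registry value says (1 = forced passive; 0 or absent = active)
    $forced = $null
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $forced = [int]$item.$valueName }

    # 2. What the antimalware engine reports it is actually doing
    $status = Get-MpComputerStatus
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ForcedPassiveValue = $forced                 # $null = value removed or never set
        AMRunningMode      = $status.AMRunningMode   # Normal | Passive Mode | EDR Block Mode | SxS Passive Mode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SenseRunning       = ($null -ne $sense -and $sense.Status -eq 'Running')
    }
}

$state = Get-PassiveModeState
$state | Format-List

# Flag the condition described in the question: passive mode was requested,
# but onboarding reset the value and Defender is running in Normal (active) mode.
if ($state.ForcedPassiveValue -ne 1 -or $state.AMRunningMode -eq 'Normal') {
    Write-Warning ("NOT in passive mode: {0}={1}, AMRunningMode='{2}'" -f `
        $valueName, $state.ForcedPassiveValue, $state.AMRunningMode)
    exit 1
}
Write-Output 'Passive mode confirmed; EDR sensor running: ' + $state.SenseRunning
```

Run it once before and once after enabling Defender for Servers on the subscription to capture the overwrite described above; a non-zero exit is easy to collect from a fleet via your usual remote-execution tooling.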

4 Replies

  • Kevin_Crouch
    Brass Contributor
    I have seen exactly this behavior!
    It was several months back, but I think whenever I was looking into it, the Defender for Cloud configuration was ignoring the ForceDefenderPassiveMode registry key.

    In fact, it was deleting it.
    I believe that ultimately what was happening is that the Policy was pushing by default with no FORCEPASSIVE, and that since FORCEPASSIVE was not explicitly set, the Defender configurations were clearing the registry keys for Defender before Deploying the new config to onboard to.
    This is normal, since you COULD have been onboarded to a DIFFERENT tenant for DIFFERENT Defender before - so it's trying to wipe the old identity and use the one related to YOUR configurations Onboarding Blob.

    I cannot find any specific detail for HOW to enable Defender for Servers with Passive mode, but the most that I have seen is there are options for Manual installation. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-agents#provisioning-considerations and several examples of when you should OPT-OUT of the Auto Provisioning.
  • So the approach when deploying defender out onto a server happens in 2 parts

    Onboarding the agent - (if it shows active it doesn't break anything)
    Enrollment - (based on config this will start doing stuff)

    When you onboard the agent, it will show as active on the server, but won't take any action if it sees any malicious activity; this is essentially passive / onboarding mode. This phase is to make your server ready and to apply exclusions if you need to, etc.

    For Enrolling the Server, you first need to define policy either in Intune/GPO/MDE etc. and push out the policy to the server that's been onboarded. MDE will receive the policy and apply the appropriate security controls based on the configuration.

    To summarize, onboarding the agent doesn't do a thing; enrollment (pushing policy) does stuff. Make sure before you transition from onboarding to enrollment that you monitor the servers for exclusions and add them into the policy appropriately.

    Hope this helps
    • PJR_CDF
      Iron Contributor
      Do you have any link to documentation to back that up?

      I've never heard of this 2-stage approach for servers as you have outlined it and have searched extensively. It sounds like you are describing passive/EDR block mode and Active mode using your own terminology?
      • Kevin_Crouch
        Brass Contributor

        PJR_CDF I know this is a late response, but I believe this is a bit of a misconception and I wanted to outline it more fully for anyone else who might find this.

        I would say there are a few parts to "Putting Defender on a Machine", so to speak, and the best way to think about them is for a 1-off installation via Local Script, since most of the other methods kind of combine these in the background.

        - Installation: Actually INSTALLING the services that are needed for Defender to run (on some varieties of Windows Server you might need to install Defender for Endpoint, on some it will already be included).

        - Onboarding: Defender services start, and get an Onboarding Blob, I believe always from the Registry. This might be put in the Registry as an "OnboardingBlob" through one of several methods, such as Group Policy, Intune/MDM Policy, or the Local Script. (Intune and Defender for Cloud pushing Defender for Servers, for example, all lump "Onboarding" into "Install the software, get it configured to talk to Defender, and make sure it's set to be running".)

        Once Defender services start, it will use that onboarding blob, and the Azure AD Joined identity to ACTUALLY ONBOARD itself to Defender, and establish communications with Defender. 

        Now, at this point, your machine MAY have installed to passive (because of that Registry Key, for example, or because it detected another AV and went into Passive mode) or it may be showing as active. 

        In all likelihood, if you are JUST STARTING setting up your Defender environment, at this point there won't be any Configurations applying, so there won't be much to Block - but many forms of SCANNING (and reporting to the portal security.microsoft.com) will likely be active, unless it receives a configuration that specifically DISABLES them from Defender. Which brings us to the next step...

        - Configuration: If your setup has policies which would apply configurations to your machines, it may CHANGE things, and start managing things like "Enable Network Scanning" or "Realtime Protection Disabled" or "Enable Tamper Protection".

        By default, I believe that several of the capabilities will be monitoring things, but won't be set to Block much. That is still "Active" or "AMRunningMode: Normal" - but just not set for Blocking much. It just feeds back to the Defender Portal and alerts on stuff.

        And I know this wasn't the question, but I've got started so... This is still VERY different from PASSIVE Mode!

        Think of the difference like a Security checkpoint scanning people as they go into a concert or large event: 

        Passive Mode: A security guard looking at the Scanner screens, maybe seeing someone holding a dangerous item, and writing down what he sees, but just turning in the list of issues.

        Active Mode: A security guard making people dump out their bags, looking for dangerous items, pulling aside people that look suspicious, and MUCH more.

        Active Mode is undoubtedly MUCH more secure, but Passive mode keeps the line flowing a lot better, particularly if there is other security software running too. 

        Even if you put the Active mode guard on the machine, he might look for things by default, but unless you gave him authority to BLOCK things (like if you were in an Alert/Investigation, or a Popup from Defender, and selected the "Quarantine" or "Remediate" option!) he won't ACT on much by default.