Forum Discussion
PJR_CDF
Jul 19, 2023, Iron Contributor
Onboard servers to Defender in Servers in passive mode using MDC?
Is it possible to utilise the deployment of Defender for Servers in Defender for Cloud - (ie you enable Defender for Servers on the subscription level to trigger the deployment of the MDE.Windows ext...
Kevin_Crouch
Jul 26, 2024, Brass Contributor
I have seen exactly this behavior!
It was several months back, but I think when I was looking into it, the Defender for Cloud configuration was ignoring the ForceDefenderPassive mode registry key.
In fact, it was deleting it.
I believe that ultimately what was happening is that the Policy was pushing by default with no FORCEPASSIVE, and that since FORCEPASSIVE was not explicitly set, the Defender configurations were clearing the registry keys for Defender before deploying the new config to onboard to.
This is normal, since you COULD have been onboarded to a DIFFERENT tenant for a DIFFERENT Defender before - so it's trying to wipe the old identity and use the one related to YOUR configuration's onboarding blob.
I cannot find any specific detail for HOW to enable Defender for Servers with Passive mode, but the most that I have seen is that there are options for manual installation: https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-agents#provisioning-considerations, and several examples of when you should OPT-OUT of the Auto Provisioning.
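The reply above describes a drift problem: the passive-mode policy value is removed during Defender for Cloud onboarding, so a server you intended to keep in passive mode can silently end up in active mode. The following PowerShell is an added example for checking that state on a Windows server; it is not code from the thread or from Microsoft. The registry path and value name (`ForceDefenderPassiveMode`), the `OnboardingState` status value, and the `AMRunningMode` property of `Get-MpComputerStatus` are taken from my knowledge of Microsoft's MDE documentation rather than from this thread; the function names, the `-Remediate` switch and the output object are this example's own.

```powershell
# Added example, not from the thread. Reports whether the passive-mode policy value is
# still present after onboarding and whether the Defender engine actually runs passively.
# Assumptions (from MDE documentation, not this thread):
#   - HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode = 1 (DWORD)
#   - HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState = 1 when onboarded
#   - Get-MpComputerStatus exposes AMRunningMode ('Normal', 'Passive Mode', 'EDR Block Mode', ...)

function Get-DefenderPassiveState {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $valueName = 'ForceDefenderPassiveMode'

    # Read the policy value; a missing key or value is exactly the cleared state the thread describes.
    $forced = $null
    try {
        $forced = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction Stop).$valueName
    } catch { $forced = $null }

    # Onboarding state as written by the MDE sensor (1 = onboarded).
    $onboarded = $null
    try {
        $onboarded = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction Stop).OnboardingState
    } catch { $onboarded = $null }

    # What the engine is really doing right now, independent of what the registry says.
    $runningMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ForcePassiveRegistry = $forced        # 1 = policy present, $null = absent/cleared
        OnboardingState      = $onboarded     # 1 = onboarded to MDE
        AMRunningMode        = $runningMode
    }
}

function Test-DefenderPassiveDrift {
    [CmdletBinding()]
    param(
        # Re-create the policy value if it has been cleared. Only use this where passive mode
        # is the intended state (e.g. a third-party AV is primary on this server).
        [switch]$Remediate
    )

    $state = Get-DefenderPassiveState
    $registryOk = ($state.ForcePassiveRegistry -eq 1)
    $engineOk   = ($state.AMRunningMode -match 'Passive')

    if ($registryOk -and $engineOk) {
        Write-Verbose "$($state.ComputerName): passive mode intact ($($state.AMRunningMode))."
        return $true
    }

    # Drift: either the value was removed during onboarding or the engine has not picked it up yet.
    Write-Warning ("{0}: passive-mode drift. Registry={1} AMRunningMode='{2}' OnboardingState={3}" -f
        $state.ComputerName, $state.ForcePassiveRegistry, $state.AMRunningMode, $state.OnboardingState)

    if ($Remediate -and -not $registryOk) {
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name 'ForceDefenderPassiveMode' -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning "$($state.ComputerName): re-applied ForceDefenderPassiveMode=1; verify AMRunningMode after the engine re-reads policy."
    }
    return $false
}

# Usage: run elevated on the server after the MDE.Windows extension has finished.
#   Test-DefenderPassiveDrift -Verbose
#   Test-DefenderPassiveDrift -Remediate
```

Because the thread reports that the extension deletes the value rather than merely ignoring it, re-applying it once is not a fix on its own; schedule the check (or feed its output into your monitoring) so that a server flipping back to active mode is noticed, and compare `AMRunningMode` rather than trusting the registry alone, since the engine state is what actually determines whether two AV products will contend on the host.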