Forum Discussion
Onboard servers to Defender in Servers in passive mode using MDC?
Onboarding the agent - (if it shows active it doesn't break anything)
Enrollment - (based on config this will start doing stuff)
When you onboard the agent, it will show as active on the server, but won't take any action if it sees any malicious activity; this is essentially passive / onboarding mode. This phase is to make your server ready and to apply exclusions if you need to, etc.
For Enrolling the Server, you first need to define policy either in intune/GPO/MDE etc. and push out the policy to the server that's been onboarded. MDE will receive the policy and apply the appropriate security controls based on the configuration.
To summarize, onboarding the agent doesn't do a thing; enrollment (push policy) does stuff. Make sure before you transition from onboarding to enrollment that you monitor the servers for exclusions and add them into the policy appropriately.
Hope this helps
I've never heard of this 2-stage approach for servers as you have outlined and have searched extensively. It sounds like you are describing passive/EDR block mode and Active mode using your own terminology?
- Kevin_Crouch, Jul 25, 2024, Brass Contributor
PJR_CDF I know this is a late response, but I believe this is a bit of a misconception and I wanted to outline it more fully for anyone else who might find this.
I would say there are a few parts to "Putting Defender on a Machine", so to speak, and the best way to think about them is for a 1-off installation via Local Script, since most of the other methods kind of combine these in the background.
- Installation: Actually INSTALLING the services that are needed for Defender to run (on some varieties of Windows Server, you might need to install the Defender for Endpoint, on some it will already be included)
- Onboarding: Defender services start, and get an Onboarding Blob, I believe always from the Registry. This might be put in the Registry as an "OnboardingBlob" through one of several methods, though, like Group Policy, Intune/MDM Policy, or the Local Script. (Intune and Defender for Cloud pushing Defender for Servers, for example, all lump "Onboarding" into "Install the software, get it configured to talk to Defender, and make sure it's set to be running".)
Once Defender services start, it will use that onboarding blob, and the Azure AD Joined identity to ACTUALLY ONBOARD itself to Defender, and establish communications with Defender.
Now, at this point, your machine MAY have installed to passive (because of that Registry Key, for example, or because it detected another AV and went into Passive mode) or it may be showing as active.
In all likelihood, if you are JUST STARTING setting up your Defender environment, at this point there won't be any Configurations applying, so there won't be much to Block - but many forms of SCANNING (and reporting to the portal security.microsoft.com) will likely be active, unless it receives a configuration that specifically DISABLES them from Defender. Which brings us to the next step...
- Configuration: If your setup has policies which would apply configurations to your machines, it may CHANGE things, and start managing things like "Enable Network Scanning" or "Realtime Protection Disabled" or "Enable Tamper Protection".
By default, I believe that several of the capabilities will be monitoring things, but won't be set to Block much. That is still "Active" or "AMRunningMode: Normal" - but just not set for Blocking much. It just feeds back to Defender Portal and alerts on stuff.
And I know this wasn't the question, but I've got started so... This is still VERY different from PASSIVE Mode!
Think of the difference like a Security checkpoint scanning people as they go into a concert or large event:
Passive Mode: A security guard looking at the Scanner screens, maybe seeing someone holding a dangerous item, and writing down what he sees, but just turning in the list of issues.
Active Mode: A security guard making people dump out their bags, looking for dangerous items, pulling aside people that look suspicious, and MUCH more.
Active Mode is undoubtedly MUCH more secure, but Passive mode keeps the line flowing a lot better, particularly if there is other security software running too.
Even if you put the Active mode guard on the machine, he might look for things by default, but unless you gave him authority to BLOCK things (like if you were in an Alert/Investigation, or Popup from Defender and selected the "Quarantine" or "Remediate" option!) he won't ACT on much by default.
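A state check that ties the two posts together, added here as an example (it is not code from either poster or from Microsoft): it reports the three stages the second post describes (installed services, onboarding state, current running mode and protections) and lists the exclusions the first post says to review before pushing an enrollment policy. It assumes the Microsoft-documented registry locations for OnboardingState and ForceDefenderPassiveMode, the documented AMRunningMode strings, and the Get-MpComputerStatus / Get-MpPreference cmdlets; verify those against current docs for your Windows Server build before relying on the output. Run it in an elevated PowerShell session on the server:

```powershell
# Added example, not from the thread. Registry paths, value names and the
# AMRunningMode strings below are assumed to match Microsoft's documentation.

function Get-DefenderStageReport {
    [CmdletBinding()]
    param()

    # Stage 1 - Installation: are the AV engine (WinDefend) and EDR sensor (Sense) services present?
    $avService    = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $senseService = Get-Service -Name 'Sense'     -ErrorAction SilentlyContinue

    # Stage 2 - Onboarding: OnboardingState = 1 means the sensor consumed the
    # onboarding blob and registered with the tenant (assumed documented location).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState

    # Passive mode can be forced by policy before the AV ever sees another product;
    # this is the "Registry Key" route to passive mode the second post mentions.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcedPassive = (Get-ItemProperty -Path $policyKey -Name 'ForceDefenderPassiveMode' -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Stage 3 - Configuration: what the engine is actually doing right now.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference     -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        AvServiceStatus       = if ($avService)    { $avService.Status.ToString() }    else { 'NotInstalled' }
        SenseServiceStatus    = if ($senseService) { $senseService.Status.ToString() } else { 'NotInstalled' }
        Onboarded             = ($onboardingState -eq 1)
        ForcedPassiveByPolicy = ($forcedPassive -eq 1)
        # Documented values: 'Normal', 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode'
        AMRunningMode         = if ($status) { $status.AMRunningMode }             else { 'Unknown' }
        RealTimeProtection    = if ($status) { $status.RealTimeProtectionEnabled } else { $null }
        BehaviorMonitoring    = if ($status) { $status.BehaviorMonitorEnabled }    else { $null }
        TamperProtected       = if ($status) { $status.IsTamperProtected }         else { $null }
        # Exclusions already on the box: the first post says to fold these into the
        # enrollment policy before switching from onboarding to enrollment.
        ExclusionPaths        = if ($pref) { @($pref.ExclusionPath) }      else { @() }
        ExclusionProcesses    = if ($pref) { @($pref.ExclusionProcess) }   else { @() }
        ExclusionExtensions   = if ($pref) { @($pref.ExclusionExtension) } else { @() }
    }
}

function Get-DefenderStage {
    # Collapses the report into the stage names used in the discussion.
    param([Parameter(Mandatory)] [psobject] $Report)

    if ($Report.AvServiceStatus -eq 'NotInstalled' -and $Report.SenseServiceStatus -eq 'NotInstalled') {
        return 'NotInstalled'
    }
    if ($Report.SenseServiceStatus -eq 'NotInstalled') { return 'AvOnly-NoEdrSensor' }
    if (-not $Report.Onboarded)                         { return 'Installed-NotOnboarded' }
    if ($Report.ForcedPassiveByPolicy -or $Report.AMRunningMode -like '*Passive*') {
        return 'Onboarded-Passive'
    }
    if ($Report.AMRunningMode -eq 'EDR Block Mode') { return 'Onboarded-EdrBlockMode' }
    return 'Onboarded-Active'   # AMRunningMode 'Normal': scanning and reporting, blocking only as policy allows
}

$report = Get-DefenderStageReport
$report | Format-List
"Stage: $(Get-DefenderStage -Report $report)"

# Surface anything that should be carried into the enrollment policy.
$allExclusions = @($report.ExclusionPaths) + @($report.ExclusionProcesses) + @($report.ExclusionExtensions)
if ($allExclusions.Count -gt 0) {
    "Exclusions to review before enrolling:"
    $allExclusions | Sort-Object -Unique
}
```

The stage classification deliberately treats a forced-passive policy value as passive even if AMRunningMode still reads Normal, since the policy wins once the service restarts; an "Onboarded-Active" result with RealTimeProtection and BehaviorMonitoring reporting true but no blocking policy applied is the "monitoring but not blocking much" state the second post describes.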