[Announcement] Azure Defender integration with MDE for Windows Server 2019


We are happy to share that Azure Defender integration with MDE (Microsoft Defender for Endpoint) for Windows Server 2019 and Windows 10 Multi-Session (formerly Enterprise for Virtual Desktops (EVD)) is now available for Public Preview!


What is MDE and what does the integration include?

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavior-based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Microsoft Defender for Endpoint provides:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors for Windows machines collect a vast array of behavioral signals.
  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

The integration of Microsoft Defender for Endpoint with Security Center lets customers benefit from the following additional capabilities:

  • Automated onboarding. Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center.
  • Single pane of glass. The Security Center console displays Microsoft Defender for Endpoint alerts. To investigate further, customers can use Microsoft Defender for Endpoint's own portal pages where they will see additional information such as the alert process tree and the incident graph. They can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.
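The automated onboarding described above happens without any action on the server, so the practical question is how to confirm that it actually completed on a given Windows Server 2019 host. The following PowerShell is an added example and is not code from the announcement or from Microsoft; it reads the documented MDE sensor state on the local machine (the Sense service, the OnboardingState value under the Windows Advanced Threat Protection Status registry key, and recent error events in the Microsoft-Windows-SENSE/Operational log) and, separately, lists the extensions Security Center deploys to the VM via the Az.Compute module. The function names, the resource group and VM names, and the assumption that Connect-AzAccount has already been run are all this example's own.

```powershell
# Added example (not from the announcement): check MDE onboarding state on a
# Windows Server 2019 host, and list the Defender/monitoring extensions that
# Security Center deploys to the VM. Run Test-MdeOnboarding on the server itself
# (elevated); run Get-DefenderServerExtensions from a session where
# Connect-AzAccount has completed and the Az.Compute module is installed.

function Test-MdeOnboarding {
    # Returns a summary object built from the Sense service state, the
    # documented onboarding status registry value, and recent SENSE errors.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 'Sense' is the service name of the Windows Defender Advanced Threat Protection Service.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    $onboardingState = $null
    if (Test-Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # Error-level events from the sensor's operational log in the last 24 hours.
    # Get-WinEvent throws when nothing matches, so treat that as "no errors".
    $recentErrors = @()
    try {
        $recentErrors = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SENSE/Operational'
            Level     = 2
            StartTime = (Get-Date).AddDays(-1)
        } -MaxEvents 20 -ErrorAction Stop)
    } catch {
        $recentErrors = @()
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SenseInstalled    = [bool]$sense
        SenseStatus       = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState   = $onboardingState   # 1 = onboarded, 0 or missing = not onboarded
        Onboarded         = ($onboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running')
        RecentSenseErrors = $recentErrors.Count
    }
}

function Get-DefenderServerExtensions {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,  # placeholder: your resource group
        [Parameter(Mandatory)] [string] $VMName              # placeholder: your VM name
    )
    # The two extension types this thread talks about: the Log Analytics agent
    # that Security Center rolls out, and the MDE.Windows extension used for onboarding.
    $wanted = @('MicrosoftMonitoringAgent', 'MDE.Windows')
    Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { $_.ExtensionType -in $wanted } |
        Select-Object Name, Publisher, ExtensionType, ProvisioningState
}

# Usage (names are placeholders):
# Test-MdeOnboarding | Format-List
# Get-DefenderServerExtensions -ResourceGroupName 'rg-placeholder' -VMName 'vm-placeholder'
```

If Test-MdeOnboarding reports Onboarded = True, the server-side part of the integration is complete; a portal that still refuses access at that point is a tenant-provisioning or licensing delay rather than an agent problem, which narrows down what to put in a support ticket. If the Sense service is missing or OnboardingState is not 1, check the extension list for a MDE.Windows extension that is absent or not in the Succeeded provisioning state.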
3 Replies

@Stanislav Belov Hi Stanislav, is there any information on how this (technically) works? What are the components communicating? What about the MDE.Windows extension? etc. At this moment, I have several Windows Server 2019 machines with the Azure Defender plan for Servers enabled. The MicrosoftMonitoringAgent extension has been rolled out automatically, but the automatic onboarding to Defender for Endpoint doesn't seem to start, even after waiting 24 hours. When I browse to https://securitycenter.windows.com/ it simply says 'Your subscription has expired'. Unfortunately, with the current documentation, I can't tell where this goes wrong and how to troubleshoot. Do you have any input or guidance on this?

Hi Gertjan,
From my experience, once integration is enabled and the first server gets onboarded to ASC, the MDE tenant gets provisioned, and it might sometimes take longer than 24h before you can access the MDE portal. I have seen that error myself several times, especially with newly created (trial) subscriptions. Just give it some more time. If it still does not work after 2-3 days, please raise a support ticket.