Endpoint Protection not installed on non-Azure servers


Hi all,

 

I've used the "Onboard servers to Security Center" with a workspace for our non-Azure servers. The agent got installed successfully and I could see the server on Microsoft Defender ATP as well, as active. However, on the Azure Security Center dashboard, under recommendations, I see those servers as "Endpoint Protection not installed on non-Azure servers". I have had an open ticket with Microsoft for almost a month without any resolution. Has anyone faced this issue before and found a possible solution?

 

Thanks!

8 Replies

@Ambarish Haridathan ,

Please search the Log Analytics workspace to which the machine is connected for the ProtectionStatus logs.

Query to target your computer looks like:

ProtectionStatus 
| where Computer has "<your computer name>"

Check the ProtectionStatusRank. Anything other than 150 indicates an unhealthy state.

If no logs are returned, then it might be an issue with the computer's connection to the workspace; check the 'Heartbeat' in the same query window.

@Eli Sagie The query that shows that the end point not installed is as below:

 

*removed data that are our environment specific.

 

ProtectionStatus
| where (ComputerEnvironment != "Azure" or isempty(ResourceId)) and (TypeofProtection == "Malicious Software Removal Tool" or TypeofProtection == "No Anti-Malware Tool was detected")
| where tolower(SubscriptionId) in ("SUBSCRIPTION_ID") or isempty(SubscriptionId)
| summarize AggregatedValue = count() by Computer
| limit 1000000000
 
With the query you gave:
ProtectionStatusRank: 450
ProtectionStatus: Not Reporting
ProtectionStatusDetails: Not reporting - Unable to collect data
SignatureVersion: Unknown
TypeofProtection: Malicious Software Removal Tool
ComputerEnvironment: Non-Azure
Type: ProtectionStatus

Not Reporting means just that. How is the Heartbeat?

@Eli Sagie I don't have much expertise on the query part, but found the query

 

Heartbeat
| where TimeGenerated > ago(1h)
 
I could see that the server in question is showing up on this list from the query
Is there anything in specific I should be looking at?

@Ambarish Haridathan log existence by itself is not enough, you need to see that it is current (at least once a day).

Please check this out for better troubleshooting:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows-troubleshoot

 

If further help is still required and you have a Microsoft Support SR#, please send it over so I can investigate further internally; otherwise please create one and give my name (Eli Sagie) as reference.
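The checks suggested in the replies above (ProtectionStatusRank of 150, a Heartbeat record, and that the Heartbeat is current within a day) can be combined into one query. This is an added example, not part of the original thread; the `target` and `lookback` variables and the `Finding`, `LastHeartbeat` and `LastStatusTime` column names are assumptions introduced here.

```kusto
// Added example, not from the thread. Replace the placeholder before running.
let target = "<your computer name>";
let lookback = 7d;   // assumption: window wide enough to reveal a stale agent
Heartbeat
| where TimeGenerated > ago(lookback) and Computer has target
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftouter (
    ProtectionStatus
    | where TimeGenerated > ago(lookback) and Computer has target
    // keep only the most recent protection record per computer
    | summarize arg_max(TimeGenerated, ProtectionStatusRank, ProtectionStatusDetails, TypeofProtection) by Computer
    | project-rename LastStatusTime = TimeGenerated
  ) on Computer
| extend Finding = case(
    LastHeartbeat < ago(1d), "Heartbeat is not current: check agent connectivity to the workspace",
    isnull(LastStatusTime), "Heartbeat is current but no ProtectionStatus records were returned",
    ProtectionStatusRank != 150, strcat("Unhealthy (rank ", tostring(ProtectionStatusRank), "): ", ProtectionStatusDetails),
    "Healthy (rank 150)")
| project Computer, LastHeartbeat, LastStatusTime, ProtectionStatusRank, TypeofProtection, Finding
```

An empty result means the computer sent no Heartbeat to this workspace within the lookback window.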

@Eli Sagie I checked the troubleshooting steps from the link you shared and everything seems to be ok in terms of connectivity. I've messaged you the existing ticket I have with MS as well. Thank you

I got somebody from Azure Security Center (ASC) working with MDATP team via the ticket and guided me to install System Center Endpoint Protection (SCEP) client. Over the call he mentioned that the MDATP engineer said that SCEP is more compatible with 2012 R2 server and had seen performance issues with MDATP agent. I asked for an official document regarding this and then they sent me the link https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/mic... that MDATP is not compatible with 2012 R2.

 

However, I found another article which shows the support for 2012 R2 https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

Not sure if this is a platform support issue and some confusion within the support team.

 

 

@Eli Sagie got some updates from the Microsoft support

 

From MS Team:

As per our investigation and discussion with MDATP engineers, Windows Defender is compatible with Windows 10, Server 2016 and 2019 only. For Windows 2012 server, System Center Endpoint Protection (SCEP) is one of the compatible AV for Server 2012.

 

Referred Document:

Microsoft Defender Antivirus compatibility:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/mic...

 

 

However, I found in the link from MS that 2012 is supported 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

 

Another engineer from Microsoft Security team confirmed the following:

SCEP will provide all the features of MDATP. And also 2012 R2 has SCEP as its Anti Virus, Defender is just an Anti Malware Service

 

Does it mean that I can safely assume that I manually install the SCEP client on all Windows 2012 servers along with MMA agent and consider that it gives the same protection as Defender ATP?

 

Also, can I assign the same hardening policies which I will be applying on other server versions for Defender ATP, and will they take effect?

 

Please advise.