The Ultimate Guide to Deciphering Azure Agents + Defender for Servers: Part 3
Published Apr 10 2024 02:36 PM

Welcome to the last blog in our three-part series! In Part 3 we will show you how to leverage Azure Policy to deploy Defender for Servers at scale across your environments and workloads, as well as share some tips and tricks on troubleshooting Arc + Defender for Servers deployments. 
Link to Part 1

Link to Part 2

 

What’s in this document:

  • Leveraging Azure Policy to deploy at scale
  • Common errors and issues encountered when setting up or using Azure Arc with Defender for Servers

 

Leveraging Azure Policy to deploy Defender for Servers at scale

Ultimately, the challenge is how to deploy Defender for Servers at scale in the most efficient way. If you already have a robust Azure environment with multiple Subscriptions built out according to the Cloud Adoption Framework, how do you scale this operation?

The answer is Azure Policy. There are specific policies you can use even for the most unique and complex scenarios.

 

Deploy Defender for Servers at scale with no additional considerations or conditions

 

First, to simply enable Microsoft Defender for Servers, the policy you can deploy at your desired scope is: ‘Configure Microsoft Defender for Servers plan.’ This policy will deploy Microsoft Defender for Servers at scale.

In the Parameters section, once you uncheck the ‘Only show parameters that need input or review’ box, you will see options for the Defender for Servers plan, Agentless VM scanning, and the MDE Designated Subscription.

This will also deploy Defender for Servers with Microsoft Defender for Endpoint at scale.

 

What if your organization has special considerations? What if you have multiple EDR solutions and allow your customers to choose?

 

If there is a Management Group, Subscription, or Resource Group with resources that you need to exclude at that control plane level, you can leverage the ‘Configure Azure Defender for Servers Policy to be disabled for All resources (resource level)’ policy.

 

This policy sets the pricing tier of all virtual machines, virtual machine scale sets, and hybrid machines in that scope to Free, which excludes them from the Defender for Servers configuration.

 

What if you have a mixed population of Plan 1 enablement and/or Plan 2?

 

You have two options in this instance. You could decide to apply the policy ‘Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level).’

 

With this policy you can pick a Management Group, Subscription, or Resource Group as the scope. Designate a Subscription that hosts the Plan 1 servers and assign the policy there so that billing reflects the intended plan. This is useful for onboarding Azure Arc first and then migrating servers to the level of protection you want.

 

What if there is a chargeback challenge?

 

Scenario:

Your organization charges back based on Subscriptions and Resource Groups, but even within those you may want to mix Plan 1 and Plan 2 across your business units and workloads. How do you achieve this?

 

In these scenarios, tagging is your tool of choice. You add a tag to the resources for which you want to either disable Defender for Servers entirely or enable only Plan 1, and then assign the matching tag-based policy:

  • Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag
  • Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag

There is no Microsoft-specified tag for this; you create your own tag name and value. This lets you reuse your organizational tagging convention to control the Defender for Servers roll-out.

 

Considerations: This policy should also be accompanied by the ‘Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud’ initiative (see below). This will help resolve some of the issues with toggle actions and UI enablement that were demonstrated in Part 1 of this blog series.

Policies deployed with this initiative:

  • Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX…)
  • Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP)
  • Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION)

 

Common errors and issues encountered when setting up or using Azure Arc with Defender for Servers

Onboarding Issues: Problems can occur when onboarding Azure Arc-enabled servers to Microsoft Defender for Cloud and Defender for Servers.

  • Solution: Ensure you have the correct Azure Service Principal with the Contributor role and that you have followed the onboarding guide accurately.

Onboarding Issues to Defender for Endpoint: Problems can also occur when onboarding Azure Arc-enabled servers to Defender for Servers, where MDE fails to onboard properly on your endpoints.

Agent Deployment Errors: The Azure Connected Machine agent may fail to install or connect properly.

  • Solution: Verify the agent’s prerequisites are met, check network connectivity, and ensure that the agent version is up to date.

Configuration Problems: Misconfigurations can occur when setting up Defender for Servers, especially regarding security policies.

  • Solution: Review and apply the recommended configurations and security policies provided by Defender for Cloud.

Integration Challenges with Azure Defender: Integrating Azure Arc-enabled servers with Azure Defender might not work as expected.

  • Solution: Confirm that the integration steps have been followed correctly, including setting up a Log Analytics workspace and assigning default security policies.

Direct Onboarding Confusion: With the introduction of Direct Onboarding, it may be unclear whether the Azure Arc agent or the Azure Monitor Agent is required.

  • Solution: Determine if your scenario benefits from Direct Onboarding and follow the QuickStart guide if Azure agents are not needed (see Part 1 of blog series). 

 

Thank you for reading! We hope this helps in your Defender for Servers journey. 

 
