Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

[Announcement] Azure Defender integration with MDE for Windows Server 2019

Microsoft

We are happy to share that Azure Defender integration with MDE (Microsoft Defender for Endpoint) for Windows Server 2019 and Windows 10 Multi-Session (formerly Enterprise for Virtual Desktops (EVD) is now available for Public Preview!

 

What is MDE and what does the integration include ?

Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavioral based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Microsoft Defender for Endpoint provides:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors for Windows machines collect a vast array of behavioral signals.
  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

The integration of Microsoft Defender for Endpoint with Security Center let’s customers benefit from the following additional capabilities:

  • Automated onboarding. Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center.
  • Single pane of glass. The Security Center console displays Microsoft Defender for Endpoint alerts. To investigate further, customers can use Microsoft Defender for Endpoint's own portal pages where they will see additional information such as the alert process tree and the incident graph. They can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.
12 Replies

@Stanislav Belov Hi Stanislav, is there any information on how this (technically) works? What are the components communicating? What about the MDE.Windows extension? etc. At this moment, I have several Windows Server 2019 with Azure Defender plan for Servers enabled. The MicrosoftMonitoringAgent extension has been rolled out automatically but the automatic onboarding to Defender for Endpoint doesn't seem to start. Even after waiting 24 hours. When I browse to https://securitycenter.windows.com/ it simply says 'Your subscription has expired'. Unfortunately, with the current documentation, I can't tell where this goes wrong and how to troubleshoot. Do you have any input or guidance on this?     

Hi Gertjan,
From my experience once integration is enabled and the first server gets onboarded to ASC, the MDE tenant gets provisioned and it might take sometimes longer than 24h before you can access the MDE portal. I have seen that error myself several times especially with newly (trial) created subscriptions. Just give it some more time. If it still does not work after 2-3 days please raise a support ticket.

Hey@Stanislav Belov 

 

Is there a way of improving the visibility into the timing of the onboarding process?  Turning it on and just waiting for an unknown period of time isn't a great experience; particularly in scenarios where MDE is being rolled out in anger to respond to security incidents.

Hi Ru,
Recently we significantly improved the onboarding process and under normal condition the onboarding should happen within 1-2h (after the server is onboarded to Defender for Cloud), if this take longer than 12h - something is wrong with communications and i would suggest engaging our support.
As far as tracking the process, you can monitor Device Inventory dashboard in the M365 defender portal.

Appreciate the update. I'll monitor this for some new deployments I have coming up. Earlier this week when piloting a Windows Server 2019 onboarding using Microsoft Defender for cloud, it took about three days. I will see how the wider rollout goes. Thanks!

@Stanislav Belov 
Hi, I find out that when we deploy  Windows 10 virtual desktop from Microsoft image plan 20h2-ent, the virtual machine doesn't have the MDE.Windows extension installed.

However, if we deploy another new Virtual machine using copied OS disk from previous VM, this new VM has an MDE.Windows extension installed, but it has error status:


The provisioning of machine xxxxx failed.
Failed to configure Microsoft Defender for Endpoint: Onboarding to MDE via Microsoft Defender for Cloud for this operating system is not supported


I don't understand how does this MDE.Windows extension got installed on the new VM, but not installed on first VM.

Please open a support ticket to verify supportability of your scenario.

Thank you Stanislav,
Does Monitoring Agent and Log Analytics Workspace still required for Defender for Cloud? for Azure and non-Azure Servers?

Yes, it is required in order to collect information (events, logs, etc) from the OS. Many Defender for Servers (one of the Defender for Cloud plans) features rely on this collection.

@kelvinxjh  is your issue resolved i am facing the similar error.

We are also running into the same issue with this.