Defender for Server

Contributor

We are on the verge of starting a PoC with Defender for Server.
I know of this wel written blog but this blog raises some questions (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc...)

(1) For starter we have 100 Microsoft Defender for Endpoint Server licenses. So if we enable Defender for Server via Defender for Cloud Plan we are going to pay double, via the license and the 15$ per server/month. I presume this is not the way to deploy Defender for Server right ?
(2) What is nowadays the best approach to onboard on-premises server to Defender for Server;
- is it via the (legacy) MMA agent and onboard package
- or via the (new) unified agent and onboard package
- or can we onboard the on-premises server to Azure Arc and let the unified agent be auto-deployed via Defender for Cloud but NOT enabling Defender for Server switch to ON (so enable Defender for Cloud Plan but not enable the Defender for Server toggle to ON)
(3) What is todays best apprach for configuring defender for server policies (EDR, ASR etc) , via Intune or via GPO ?

5 Replies
Hello there,
Thank you for your questions.
1. To avoid double charge in this case you need to open a support ticket as suggested in our docs: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=win...
2. The preferred way of onboarding on-premise servers to Defender for Cloud is by using Azure Arc. Only in this case you will get all the features provided by Defender for Servers(e.g. integration with MDE, Vuln Assessments): https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-a...
3. Intune/MEM is going to be a better option since it can manage MDE on all platforms unlike GPO (only domain-joined windows machines).

@Stanislav Belov, Thank you so much for your response and information, this will help me and customer to make a decission of which managment method we are going to PoC.

Question that raises to my head is (4) 'Attack surface reduction' is not possible with the new MEM Security Management for MDE. How can we deploy such policies to Servers , does this mean we use GPO for ASR and we can use MEM policies for EDR and Defender AV ?

And (5) is there a table or overview which policies can and cannot be deployed by MEM to Servers ? Like for example Controlled Folder Access , Exploit Protection, Network Protection ?

And serious last question (6) for network protection we have switches 'AllowNetworkProtectionOnWinServer' and 'AllowNetworkProtectionDownLevel' what are those for and does 1 mean ENABLE and can we put there in AUDIT mode too and how?

RE: (4) 'Attack surface reduction' is not possible with the new MEM Security Management for MDE. How can we deploy such policies to Servers , does this mean we use GPO for ASR and we can use MEM policies for EDR and Defender AV ?
A: Keep an eye on the announcements here https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog
Q: And (5) is there a table or overview which policies can and cannot be deployed by MEM to Servers ? Like for example Controlled Folder Access , Exploit Protection, Network Protection ?
A: Please keep an eye on https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/security-config-management... And re-visit monthly. Thx.
Q: (6) for network protection we have switches 'AllowNetworkProtectionOnWinServer' and 'AllowNetworkProtectionDownLevel' what are those for and does 1 mean ENABLE and can we put there in AUDIT mode too and how?

A: Please review https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints...