Today, we're excited to announce the release of Microsoft Defender for Endpoint’s unified agent integration with Microsoft Defender for Servers Plan 2. With this release, we align the integration experience between Microsoft Defender for Endpoint and both Microsoft Defender for Servers Plans.
In April 2022, we introduced Microsoft Defender for Servers Plan 1 as an entry-level SKU that offers Cloud Security Posture Management (CSPM) capabilities such as Secure Score and security recommendations in addition to integration with Microsoft Defender for Endpoint. With its release, we also introduced integration with the Defender for Endpoint unified solution that allows us to remove dependency with Log Analytics Agent and the workspace solution to deploy Defender for Endpoint to down-level Windows operating systems. With today’s change, the Defender for Endpoint integration is completely based on the two machine extensions MDE.Windows and MDE.Linux which are available for Azure VMs, and non-Azure machines that are connected through Azure Arc-enabled servers.
To enable the Defender for Endpoint unified solution in existing subscriptions you can opt-in on the subscription’s environment settings/integrations page.
When clicking the Enable unified solution button, you will be asked to confirm deployment to all existing and future Windows Server 2012 R2 and 2016 machines. Once done, Defender for Cloud will deploy the MDE.Windows extension to all Windows Server 2012 R2 and 2016 machines in that subscription. The extension will then install the Defender for Endpoint unified solution and connect it to your Defender for Endpoint backend while, at the same time, deactivating the legacy Defender for Endpoint sensor.
Frequently asked questions
Please see below answers to questions related to integration with the Defender for Endpoint unified solution.
What happens when the Defender for Endpoint unified solution is deployed to a machine that already had the integration enabled?
Once the MDE.Windows extension is deployed to a machine, it will try to install the Defender for Endpoint unified solution. Once the installation successfully completed, it will stop and disable the Defender for Endpoint process in Log Analytics agent.
What are the prerequisites to enable the Defender for Endpoint unified solution?
You need to enable one of the Defender for Servers plans and Defender for Endpoint integration with Defender for Cloud. Also, make sure your machines meet the networking requirements. For a list of system prerequisites, please see this documentation.
Will I lose access to a machine’s protection history in Defender for Endpoint by upgrading to the unified solution?
No, the unified solution will replace the legacy sensor using the same resource information in Defender for Endpoint. It will be a transparent change on the Defender for Endpoint side.
What are the benefits of upgrading to the new Defender for Endpoint unified solution?
The new Defender for Endpoint unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see this documentation. In addition, the new unified solution package removes all dependencies to Log Analytics agent for onboarding and integrating into Defender for Cloud.
Will I be forced to use the unified solution on my legacy Windows machines?
No, we do not force you to leverage the Defender for Endpoint unified solution. However, since it comes with several major improvements (see above), we encourage you to enable it.
I don't see the Enable Unified Solution button. What could be the reason?
With this latest release, Defender for Endpoint integration with Defender for Servers P2 will by default deploy and integrate the Defender for Endpoint unified solution. The button only exists on subscriptions, that
- have already existed before June 20th 2022
- had Defender for Servers P2 enabled before that date
- had the Defender for Endpoint integration enabled before that date
All other subscriptions, for example, when upgrading from Defender for Servers P1 to P2, when enabling the Defender for Endpoint integration after June 20th 2022, or when creating new subscription, will not have this button because the Defender for Endpoint unified solution is automatically the default on those.
How can I enable integration with the new unified solution at scale?
You can use the Microsoft.Security/settings REST API to programmatically enable the Defender for Endpoint unified solution on a subscription.
| Parameter | Value |
| API call | PUT |
| API URI | |
| API version | 2022-05-01 |
| JSON body | |
Is the unified solution available on multicloud connectors?
Yes, the new Defender for Endpoint unified solution can be deployed to Azure VMs and non-Azure machines connected through Azure Arc. In addition it is automatically deployed when enabling any Defender for Servers plan on our multicloud connectors. To learn more about Defender for Cloud's multicloud capabilities, please see https://aka.ms/mdcmc.
What happens in case a machine has the Microsoft Antimalware (SCEP) extension deployed?
Before deploying the Defender for Endpoint unified solution, Microsoft Antimalware (also known as System Center Endpoint Protection, SCEP) needs to be removed from the machine. The MDE.Windows extension will automatically take care of removing SCEP when deploying the Defender for Endpoint unified solution to your machines.
Now, it’s your turn: go ahead, check it out, and let us know what you think about the new onboarding experience for Defender for Endpoint in Microsoft Defender for Servers.
Acknowledgements
Special thanks to Netta Norman and Erel Hansav for the great partnership and technical review.