Today, we're excited to announce the release of Microsoft Defender for Endpoint’s unified agent integration with Microsoft Defender for Servers Plan 2. With this release, we align the integration experience between Microsoft Defender for Endpoint (MDE) and both Microsoft Defender for Servers Plans.
In April 2022, we introduced Microsoft Defender for Servers Plan 1 as an entry-level SKU that offers Cloud Security Posture Management (CSPM) capabilities such as Secure Score and security recommendations in addition to integration with Microsoft Defender for Endpoint. With its release, we also introduced integration with MDE’s unified solution that allows us to remove dependency with Log Analytics Agent and the workspace solution to deploy MDE to down-level Windows operating systems. With today’s change, MDE integration is completely based on the two machine extensions MDE.Windows and MDE.Linux which are available for Azure VMs, and non-Azure machines that are connected through Azure Arc-enabled servers.
To enable the MDE unified solution in existing subscriptions you can opt-in on the subscription’s environment settings/integrations page.
Enable MDE unified solution integration with Microsoft Defender for Cloud on an Azure subscription
When clicking the Enable unified solution button, you will be asked to confirm deployment to all existing and future Windows Server 2012 R2 and 2016 machines. Once done, Defender for Cloud will deploy the MDE.Windows extension to all Windows Server 2012 R2 and 2016 machines in that subscription. The extension will then install the MDE unified solution and connect it to your MDE backend while, at the same time, deactivating the legacy MDE sensor.
Frequently asked questions
Please see below answers to questions related to integration with the MDE unified solution.
What happens when the MDE unified solution is deployed to a machine that already had MDE integration enabled?
Once the MDE.Windows extension is deployed to a machine, it will try to install the MDE unified solution. Once the installation successfully completed, it will stop and disable the MDE process in Log Analytics agent.
What are the prerequisites to enable the MDE unified solution?
Will I lose access to a machine’s protection history in MDE by upgrading to the unified solution?
No, the unified solution will replace the legacy sensor using the same resource information in MDE. It will be a transparent change from an MDE perspective.
What are the benefits of upgrading to the new MDE unified solution?
The new MDE unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see this documentation. In addition, the new unified solution package removes all dependencies to Log Analytics agent for onboarding and integrating into Defender for Cloud.
Will I be forced to use the unified solution on my legacy Windows machines?
No, we do not force you to leverage the MDE unified solution. However, since it comes with several major improvements (see above), we encourage you to enable it.
I don't see the Enable Unified Solution button. What could be the reason?
With this latest release, MDE integration with Defender for Servers P2 will by default deploy and integrate MDE's unified solution. The button only exists on subscriptions, that
have already existed before June 20th 2022
had Defender for Servers P2 enabled before that date
had MDE integration enabled before that date
All other subscriptions, for example, when upgrading from Defender for Servers P1 to P2, when enabling MDE integration after June 20th 2022, or when creating new subscription, will not have this button because MDE unified solution is automatically the default on those.
How can I enable integration with the new unified solution at scale?
You can use the Microsoft.Security/settings REST API to programmatically enable the MDE unified solution on a subscription.
Is the unified solution available on multicloud connectors?
Yes, the new MDE unified solution can be deployed to Azure VMs and non-Azure machines connected through Azure Arc. In addition it is automatically deployed when enabling any Defender for Servers plan on our multicloud connectors. To learn more about Defender for Cloud's multicloud capabilities, please see https://aka.ms/mdcmc.
What happens in case a machine has the Microsoft Antimalware (SCEP) extension deployed?
Before deploying the MDE unified solution, Microsoft Antimalware (also known as System Center Endpoint Protection, SCEP) needs to be removed from the machine. The MDE.Windows extension will automatically take care of removing SCEP when deploying the MDE unified solution to your machines.
Now, it’s your turn: go ahead, check it out, and let us know what you think about the new onboarding experience for MDE in Microsoft Defender for Servers.
Special thanks to Netta Norman and Erel Hansav for the great partnership and technical review.