Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation

Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blogpost is to clarify how Microsoft Defender for Cloud will align with this plan and what is the impact on customers.

There are two Defender for Cloud plans with features relying on the Log Analytics agent: Defender for Servers Plan 2 and Defender for SQL server on machines. 

In this blogpost we will explain the plan of the product capabilities that depend on the Log Analytics agent and Azure Monitoring agent for Defender for Servers plan. See here the plan for Defender for SQL server on machines features.

Defender for Servers

Toward Log Analytics Agent (MMA) retirement on Aug 2024, and as part of this updated strategy, all Defender for Servers features and capabilities will be provided through either Microsoft Defender for Endpoint (MDE) integration or agentless scanning, without dependency on Log Analytics Agent (MMA) or Azure Monitoring Agent (AMA). 

As a result, all Defender for Servers features and capabilities currently relying on Log Analytics Agent (MMA) will be deprecated in their Log Analytics version in August 2024, and delivered over the alternative infrastructures mentioned above by April 2024 in GA. 

To ensure your servers are secured, receive all the security content of Defender for Servers, verify Defender for Endpoint (MDE) integration and agentless disk scanning are enabled on your subscriptions. This will ensure you’ll seamlessly be up-to-date and receive all the alternative deliverables once they are provided. 

Defender for Servers plan 2 features plan 

The following Defender for Servers features are going to be deprecated in their Log Analytics version in August 2024. Most of the features are already available in GA through the alternative platforms (MDE/Agentless). The rest will be provided in GA by April 2024, or deprecated. 

The following list details the alternative plan for each of Defender for Servers capabilities: 

• Microsoft Defender for Endpoint (MDE) integration for Down level machines (Windows servers 2012 R2, 2016) - Unified agent integration for Windows Server 2012 R2 and Windows Server 2016 is already available today in GA. Use it to maintain MDE support and receive the full extended feature set.

• OS level alerts - All the OS level alerts are already available today in GA through MDE. 

• Detections indicate Anti-Malware activities failures (by Anti-Malware Publisher) - Detections indicating non-Microsoft's Anti-malware activities will be deprecated by January 2024. Detections indicating Microsoft’s Anti-malware activities are already available today in GA through MDE.

• Adaptive Application Controls - The Adaptive Application Controls feature as it is today will be discontinued, and new capabilities in the application control space (on top of what Defender for Endpoint and Windows Defender Application Control offer today) will be considered as part of the future Defender for Servers roadmap. The current GA version based on the Log Analytics agent and  preview version based on Azure Monitoring agent, will be deprecated in August 2024.

• Endpoint protection discovery recommendations - A new, agentless version of this recommendation will be provided for Endpoint protection discovery and configuration gaps in April 2024. As part of this upgrade, this feature will be provided as a component of Defender for Servers Plan 2 and Defender CSPM only, and won’t cover on-premises or Azure Arc-enabled servers. The preview recommendations available today based on Azure Monitor agent (AMA) will be deprecated in April 2024, when the alternative is provided via agentless disk scanning.   

• Missing OS patches (system updates) - The new version of System Update recommendations is already available in GA, and based on an integration with Azure Update Manager, relying on the native capabilities available for all Azure VMs and Azure Arc-enabled servers.

• OS misconfigurations (security baselines) - A new version will be provided based on an integration with MDVM premium capabilities in April 2024. As part of this upgrade, this feature will be provided as a component of Defender for Servers Plan 2 only. The preview version available today based on Guest Configuration agent will be deprecated in April 2024, when the alternative is provided via MDVM premium capabilities. Support of this feature for Docker-hub and VMSS will be deprecated in Aug 2024 and will be considered as part of future Defender for Servers roadmap.

• File Integrity monitoring (FIM) - In April 2024, new version will be provided over MDE, and the FIM Public Preview version based on Azure Monitor Agent (AMA), will be deprecated. 
• 500MB benefit for data ingestion over the defined tables will remain supported for AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. 

Log analytics & Azure Monitor agent Auto Provisioning experience

The current provisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted according to the plan mentioned above: 

1. MMA auto-provisioning mechanism and its related policy initiative will remain optional and supported until August 2024 through MDC platform.   
2. In October 2023: 
   • The current shared ‘Log Analytics agent’/’Azure Monitor agent’ auto-provisioning mechanism in MDC platform will be updated and applied to ‘Log Analytics agent’ only.
   • ‘Azure Monitor agent’ (AMA) related Public Preview policy initiatives will be deprecated and replaced with New auto-provisioning process for Azure Monitor agent (AMA), targeting only Azure registered SQL servers (SQL Server on Azure VM/ Arc-enabled SQL Server). 
3. Current customers with AMA with the Public Preview policy initiative enabled will still be supported but are recommended to migrate to the new policy. 

Agents' migration planning 

All Defender for Servers customers are advised to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost. This will ensure you are automatically covered with the new alternative deliverables, with no additional onboarding required.   

Following that, we recommend plan your migration plan according to your organization requirements: 

Q&A

What should I do next?

As mentioned, we advise Defender for Servers customers to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost, to automatically get the new alternative deliverables with no additional onboarding required. Following that, plan your migration according to your organization's requirements: 

Customers with Log analytics Agent (MMA) enabled 

• If the following features are required in your organization: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations), you can start retiring from MMA in April 2024 when an alternative will be delivered in GA (preview versions will be available earlier). 

• If the features mentioned above are required in your organization, and Azure Monitor agent (AMA) is required for other services as well, you can start migrating from MMA to AMA in April 2024. Alternatively, use both MMA and AMA to get all GA features, then remove MMA in April 2024. 

• If the features mentioned above are not required, and Azure Monitor agent (AMA) is required for other services, you can start migrating from MMA to AMA now. However, note that the preview Defender for Servers capabilities over AMA will be deprecated in April 2024. 

Customers with Azure Monitor agent (AMA) enabled 

• No action is required from your end. 

• You’ll receive all Defender for Servers GA capabilities through Agentless and Defender for Endpoint. The following features will be available in GA in April 2024: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). The preview Defender for Servers capabilities based on AMA will be deprecated in April 2024. 

Can I migrate from MMA to AMA?  

Yes, you can migrate to AMA. Please note that the following Defender for Servers features are not going to be GA on top of it: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). Those remain available over MMA and will be provided over alternative infrastructures in April 2024.

Can I run MMA and AMA side by side? what is the impact of that?

You can run both the Log Analytics and Azure Monitor Agents on the same machine. Each machine is billed once in Defender for Cloud. In cases both agents are running on the machines, we recommend to avoid collecting duplicate data by sending the data to different workspaces or alternatively disable security event data collection by MMA. For further information please see the migration guide and the Impact of running both agents.

What happens to my machines using MMA after it is depreciated?

After MMA deprecation in August 2024, Microsoft will no longer provide any support for the Log Analytics agent. Therefore, Defender for Servers customers need to fully onboard to Defender for Endpoint integration within Defender for Servers, as well as agentless disk scanning, prior to the deprecation date in order to receive all the security capabilities. 

Do my machines using AMA remain secure? What should I do with my machines that have AMA installed?

Machines with AMA installed will remain protected with Defender for Servers features that are based on AMA public preview. These features will remain supported in public preview until an alternative version is provided based on Defender for Endpoint (MDE) integration or Agentless disk scanning platform. We recommend ensuring these capabilities are enabled as part of Defender for Servers plans to be fully secured. Timelines regarding each feature’s availability in the new alternative infrastructure will be shared soon.

How do I make sure my down-level machines (Windows Server 2012 R2 and Windows Server 2016) remain fully protected?

Unified agent integration for Windows Server 2012 R2 and Windows Server 2016 is already available today in GA. We recommend enabling the unified solution integration as soon as possible, as it removes all dependencies from Log Analytics agent for onboarding and integrating into Defender for Cloud. In addition, the new Defender for Endpoint unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see this documentation.