Microsoft Defender for Endpoint fails policy deploy to Windows 10 Enterprise VM


We have Microsoft Defender for Cloud enabled and all of our subscriptions have a fully enabled Servers, Plan 2.

 
 


 

And yes, Defender does automatically apply the 'MDE.Windows' extension to all of our VMs.

 

I reviewed the compatibility of Defender for Endpoint

https://learn.microsoft.com/en-us/defender-endpoint/minimum-requirements

And under 'Supported Windows versions'; 'Windows 10 Enterprise' is listed as being supported.

 

All of our VMs are Windows 10 Enterprise. For instance I have a VM created with this offering from the marketplace

    "imageReference": {
        "publisher": "MicrosoftWindowsDesktop",
        "offer": "Windows-10",
        "sku": "win10-22h2-ent-g2",
        "version": "latest",
        "exactVersion": "19045.4046.240203"
    }

The problem is that when the VM Extension 'MDE.Windows' is automatically applied by Defender for Cloud... there is an error status message.

 
Failed to configure Microsoft Defender for Endpoint: Onboarding to MDE via Microsoft Defender for Cloud for this operating system is not supported. Read more about supported operating systems: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=linux#availability

 

Digging into the logs at C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3 on the VM for the plugin, I see...

 
VERBOSE: [2024-07-24 13:46:41Z][Information] Major version: 10
VERBOSE: [2024-07-24 13:46:41Z][Information] Minor version: 0
VERBOSE: [2024-07-24 13:46:41Z][Information] Build version: 19045
VERBOSE: [2024-07-24 13:46:42Z][Information] OS Name: Microsoft Windows 10 Enterprise
VERBOSE: [2024-07-24 13:46:42Z][Information] Product type: 1
VERBOSE: [2024-07-24 13:46:42Z][Information] OperatingSystem SKU: 4

Digging into the plugin code MdeExtensionHandler.ps1 there is this line...

 

[Screenshot: image (2).png]

It appears that not ALL versions of Windows 10 Enterprise are supported.

What are my alternatives?

1 Reply

@grbonk hello,

 

You have properly set up your Defender for Cloud environment; however, as you unfolded yourself in your last screenshot, Defender for Cloud deploys the Microsoft Defender for Servers agent, which is not supposed to be present on workstations (Windows 10 and 11 endpoints). Defender for Cloud supports only server environments, including Windows Server 2016, Windows Server 2016, RHEL, Ubuntu LTS, etc., through Microsoft Defender for Servers.

 


 

In your case, you will have to deploy the MDE agent from Defender XDR > Settings > Endpoints > Onboarding > Choose "Windows 10 and 11". If you are looking for an automation in deploying the MDE in your Windows 10 Azure VMs, you will probably have to engage with Intune.

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like
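
An added example, not part of the original thread and not the extension's own code: a PowerShell triage helper that reads the OS facts the MDE.Windows plugin writes to its log and reports whether the machine is a workstation or a server OS. The function names are hypothetical; the product type meanings (1 workstation, 2 domain controller, 3 server) are the documented Win32_OperatingSystem.ProductType values, and the onboarding hint follows the reply above rather than the handler's actual check.

```powershell
# Added example; not code from MdeExtensionHandler.ps1.
# ProductType meanings are the documented Win32_OperatingSystem values.
$ProductTypeName = @{ 1 = 'Workstation'; 2 = 'Domain controller'; 3 = 'Server' }

function Get-MdeLogOsFacts {
    # Collect the OS facts the extension wrote to its log into one object.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    $pattern = '\[Information\]\s+(?<key>Major version|Minor version|Build version|OS Name|Product type|OperatingSystem SKU):\s*(?<value>.*\S)'
    $facts = [ordered]@{}
    foreach ($l in $Line) {
        if ($l -match $pattern) { $facts[$Matches['key']] = $Matches['value'] }
    }
    [pscustomobject]$facts
}

function Get-MdeOnboardingHint {
    # Assumption: the workstation/server split follows the reply above;
    # the handler's real check is only visible in the screenshot.
    param([Parameter(Mandatory)]$Facts)
    $type = 0
    [void][int]::TryParse([string]$Facts.'Product type', [ref]$type)
    $name = $ProductTypeName[$type]
    [pscustomobject]@{
        OSName      = $Facts.'OS Name'
        Build       = $Facts.'Build version'
        ProductType = if ($name) { $name } else { 'Unknown' }
        Sku         = $Facts.'OperatingSystem SKU'
        Hint        = switch ($type) {
            1 { 'Workstation OS: onboard from Defender XDR > Settings > Endpoints > Onboarding ("Windows 10 and 11")' }
            { $_ -in 2, 3 } { 'Server OS: check it against the supported operating systems list linked in the error' }
            default { 'Product type not found in the log' }
        }
    }
}

# Log lines copied from the post above.
$sample = @(
    'VERBOSE: [2024-07-24 13:46:41Z][Information] Build version: 19045'
    'VERBOSE: [2024-07-24 13:46:42Z][Information] OS Name: Microsoft Windows 10 Enterprise'
    'VERBOSE: [2024-07-24 13:46:42Z][Information] Product type: 1'
    'VERBOSE: [2024-07-24 13:46:42Z][Information] OperatingSystem SKU: 4'
)
Get-MdeOnboardingHint -Facts (Get-MdeLogOsFacts -Line $sample)

# On a VM, feed it the plugin logs instead (directory taken from the post):
# $dir = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3'
# Get-MdeOnboardingHint -Facts (Get-MdeLogOsFacts -Line (Get-ChildItem $dir -File | Get-Content))
```

For the sample lines it reports a Workstation product type with SKU 4, which matches the unsupported-OS status shown on the extension.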