Forum Discussion
Re-install MDE.Windows extension
- Aug 27, 2023
Huge apologies for not posting sooner. I did not end up testing this out in my tenant as planned, but here it as provided by the Microsoft engineer. Hope it works!
Step 1
# Look up the Arc-enabled machine (the MDE.Windows extension targets Azure Arc servers)
$vm = Get-AzConnectedMachine -ResourceGroupName '<Your RG name>' -Name '<Your VM name>'
Step 2
# The subscription id is the third segment of the resource id (/subscriptions/<id>/resourceGroups/...)
$subscriptionId = $vm.Id.Split('/')[2]
$mdePackage = Invoke-AzRestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Security/mdeOnboardings/?api-version=2021-10-01-preview"
Step 3
# The onboarding package is a secret: pass it as a protected setting so it is not stored in clear text in the extension configuration
$protectedSetting = @{
    "defenderForEndpointOnboardingScript" = ($mdePackage.Content | ConvertFrom-Json).value.properties.onboardingPackageWindows
}
$Setting = @{
    "azureResourceId" = $vm.Id
    "vNextEnabled"    = $true
}
Step 4
# Az.ConnectedMachine names the public-settings parameter -Setting (singular), matching -ProtectedSetting
New-AzConnectedMachineExtension -Name 'MDE.Windows' -ExtensionType 'MDE.Windows' -ResourceGroupName $vm.ResourceGroupName -MachineName $vm.Name -Location $vm.Location -Publisher 'Microsoft.Azure.AzureDefenderForServers' -Setting $Setting -ProtectedSetting $protectedSetting -AutoUpgradeMinorVersion -TypeHandlerVersion '1.0'
I had the same issue.
In my case mostly downlevel OS servers were affected. I had to fix those manually (see https://github.com/microsoft/mdefordownlevelserver).
Would be great to have an automated way to fix this (e.g. via Azure Arc extension or maybe via Azure Policy (?))
Regards,
Phil
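The steps above install the extension on one machine, and the follow-up posts ask how to tell which servers still lack it. The script below is an added example, not code from the thread or from Microsoft: it walks every Arc machine in a resource group, reads the MDE.Windows extension state with Get-AzConnectedMachineExtension, and lists the machines that need re-onboarding (extension missing or provisioning not Succeeded). It assumes the Az.ConnectedMachine module is installed and Connect-AzAccount has already been run; the script name Audit-MdeExtension.ps1 and the $ResourceGroupName placeholder are mine.

```powershell
# Audit-MdeExtension.ps1 (added example, not from the thread)
# Reports the MDE.Windows extension state for every Arc-enabled machine in one resource group.
param(
    [Parameter(Mandatory)]
    [string] $ResourceGroupName   # placeholder: the resource group holding your Arc servers
)

$report = foreach ($machine in Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName) {
    # A missing extension raises an error; suppress it and treat $ext as $null
    $ext = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName `
               -MachineName $machine.Name -Name 'MDE.Windows' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Machine           = $machine.Name
        AgentStatus       = $machine.Status            # Connected / Disconnected per the Arc agent
        OS                = "$($machine.OSName) $($machine.OSVersion)"
        ExtensionPresent  = [bool]$ext
        ProvisioningState = if ($ext) { $ext.ProvisioningState } else { 'Missing' }
        HandlerVersion    = if ($ext) { $ext.TypeHandlerVersion } else { '' }
    }
}

# Full inventory, missing extensions first
$report | Sort-Object ExtensionPresent, Machine | Format-Table -AutoSize

# Machines to re-onboard with Steps 1-4 above: no extension, or a failed/incomplete deployment
$toFix = $report | Where-Object { -not $_.ExtensionPresent -or $_.ProvisioningState -ne 'Succeeded' }
if ($toFix) {
    Write-Warning "MDE.Windows missing or not Succeeded on $($toFix.Count) machine(s):"
    $toFix | Format-Table Machine, AgentStatus, OS, ProvisioningState -AutoSize
}
```

Run it as .\Audit-MdeExtension.ps1 -ResourceGroupName '<Your RG name>'. The OS column makes the downlevel servers mentioned in this thread easy to spot in the output, and a Disconnected agent status explains extension deployments that never leave the Creating state.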
- gilblumberg, Mar 31, 2023, Iron Contributor
By doing this manually, my understanding is that although they will be onboarded, Azure Arc won't recognise this and the MDE.Windows extension won't show as being installed for that server.
Was that your experience too?
- Phil81, Apr 04, 2023, Brass Contributor
Indeed, in my case after a while (can't say how long it really took) after the manual onboarding the MDE.Windows extension was shown again in the Azure Arc | Servers view.