Updating the MDE.Windows extension


We have multiple servers running in Azure Arc onboarded into MDE using the MDE.Windows extension.


Just our luck to discover that Microsoft's documentation shows that automatic extension upgrades are not available for this particular extension - https://learn.microsoft.com/en-gb/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs...


Disappointing that this has to be performed manually. What method are others using to be alerted when an update is available and how are you updating it?


Assuming Azure Monitor for alerts and Powershell/Runbook for updating?
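An added example (not code from the original post) of the inventory half of that runbook: enumerate every Azure Arc-enabled server in the current subscription, read the installed MDE.Windows extension version, compare it with the newest version published for the machine's region, and emit one row per machine that a runbook or Azure Monitor alert can act on. It assumes an existing Connect-AzAccount session, the Az.ConnectedMachine module, the extension identity Microsoft.Azure.AzureDefenderForServers / MDE.Windows, and that Get-AzConnectedExtensionMetadata returns the published versions as the Name of each result; the function name is my own.

```powershell
#Requires -Modules Az.Accounts, Az.ConnectedMachine

# Added example, not from the original post. Assumptions: publisher/type strings below
# identify the MDE extension, and Get-AzConnectedExtensionMetadata lists published
# versions (one object per version, version string in .Name) for a given location.
function Get-MdeExtensionInventory {
    [CmdletBinding()]
    param(
        [string]$Publisher     = 'Microsoft.Azure.AzureDefenderForServers',
        [string]$ExtensionType = 'MDE.Windows'
    )

    # Newest published version per region, cached so the catalog is queried once per location.
    $latestByLocation = @{}

    foreach ($machine in Get-AzConnectedMachine) {
        $ext = Get-AzConnectedMachineExtension -ResourceGroupName $machine.ResourceGroupName `
                                               -MachineName $machine.Name -ErrorAction SilentlyContinue |
               Where-Object { $_.Publisher -eq $Publisher -and $_.MachineExtensionType -eq $ExtensionType }
        if (-not $ext) { continue }   # machine has no MDE.Windows extension; nothing to compare

        $loc = $machine.Location
        if (-not $latestByLocation.ContainsKey($loc)) {
            $published = Get-AzConnectedExtensionMetadata -Location $loc -Publisher $Publisher `
                                                          -ExtensionType $ExtensionType -ErrorAction SilentlyContinue |
                         ForEach-Object { [version]$_.Name } | Sort-Object -Descending
            $latestByLocation[$loc] = $published | Select-Object -First 1
        }

        # TypeHandlerVersion can be empty while provisioning; treat that as version 0.0.
        $installed = if ($ext.TypeHandlerVersion) { [version]$ext.TypeHandlerVersion } else { [version]'0.0' }
        $latest    = $latestByLocation[$loc]

        [pscustomobject]@{
            Machine           = $machine.Name
            ResourceGroup     = $machine.ResourceGroupName
            Location          = $loc
            InstalledVersion  = $installed
            LatestVersion     = $latest
            UpdateAvailable   = ($null -ne $latest -and $latest -gt $installed)
            ProvisioningState = $ext.ProvisioningState
        }
    }
}

# Runbook usage: only rows with UpdateAvailable need an alert or a follow-up action.
Get-MdeExtensionInventory | Where-Object UpdateAvailable | Format-Table -AutoSize
```

Scheduled from an Automation runbook, the filtered rows are the alert condition; whether anything should then be done with them is exactly the question the replies below take up.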

6 Replies

UPDATE:

It's taken quite a bit of back and forth with Microsoft support, and this is basically a summary:

  • Once on-boarded, the extension is not used or required to maintain MDE functionalities

  • Updating the extension in Azure Arc serves no purpose

  • When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server

  • If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.

This last point I thought is particularly relevant (but not documented), as for many organisations which have strict change-control procedures, the re-installation of the Sensor is effectively making a change on the server.

In my case, not taking any action. If not for any other reason, keeping the integration enabled.

(I submitted the bullet points above as feedback on the product page, so with any luck they'll agree it needs this key information)

Yes, the extension is pretty much there just to push the MDE onboarding package to the server.
Past that, it is just a regular MDE and MDAV installation.

Pattern updates, engine updates as well as platform updates are managed by MDAV.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates...

As for MDE itself, it depends on the version.
Windows Server 2019 and above come with the MDE sensor integrated in the OS, so MDE sensor updates are included in the OS security updates.
Windows 2012 R2 and 2016 get the MDE sensor through a separate installation (MDE unified package), and require updates via Windows Update, WSUS etc.
https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f6...

I am not quite sure if updating the MDE.windows extension itself actually has any use, since it only deploys MDE and does nothing past that.
As far as I know, any integration between MDE and defender for cloud past that happens through the APIs directly between the services, rather than through the extension.
All of this is unfortunately not well articulated, if at all, in the documentation. With reference to my post, none of those 4 bullet points are covered. All very important in my opinion.
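An added example (not code from the original thread) that checks, on the server itself, the things the replies above say are independent of the MDE.Windows extension: the Sense service, the documented OnboardingState registry value, the sensor binary version, and the MDAV platform, engine and signature versions that MDAV keeps current on its own. Run it elevated in PowerShell before and after removing the extension to confirm the sensor is untouched. It assumes the MsSense.exe path below (the location used by the in-box sensor and the unified package) and that the Defender PowerShell module is present; the function name is my own.

```powershell
# Added example, not from the original thread. Assumption: MsSense.exe lives under
# "$env:ProgramFiles\Windows Defender Advanced Threat Protection" on this server.
function Get-MdeLocalStatus {
    [CmdletBinding()]
    param()

    # Documented onboarding marker: OnboardingState = 1 means the sensor is onboarded.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # The EDR sensor runs as the "Sense" service; its binary carries the sensor version.
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $sensePath = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
    $senseVer  = if (Test-Path $sensePath) { (Get-Item $sensePath).VersionInfo.ProductVersion } else { $null }

    # MDAV platform/engine/signature versions; $null on machines without the Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Onboarded          = ($onboarding -eq 1)
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        SensorVersion      = $senseVer
        AMProductVersion   = $mp.AMProductVersion            # MDAV platform version
        AMEngineVersion    = $mp.AMEngineVersion             # scan engine version
        AVSignatureVersion = $mp.AntivirusSignatureVersion   # security intelligence version
        AVSignatureAgeDays = $mp.AntivirusSignatureAge       # days since the last signature update
    }
}

# Expected on a healthy onboarded server: Onboarded True and SenseServiceStatus Running,
# regardless of whether the MDE.Windows extension is still present in Azure Arc.
Get-MdeLocalStatus | Format-List
```

If Onboarded is false or the Sense service is missing after the extension has been removed, that is the change-control event the thread is worried about, and it should be visible here before Defender for Cloud re-pushes the onboarding package.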

Microsoft support said that updating it serves no purpose whatsoever.
>When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server
The point about deletion not having any effect on the sensor is covered below, but yes I do agree the relation between the extension and the MDE software in general is not covered much.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint

>If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.
If you check that box for MDE integration, this is indeed true.
The defender for servers plan will charge you for any server present anyway though.
Onboarding scope can be managed with Azure Policy if you uncheck that box, but you would still be charged.
Hoping to see some scoping for the actual Defender for Servers plan some time.