Welcome to our multi-part series!
Have you read all the docs only to find yourself overwhelmed by all the features and agents available and need help deciding which to onboard? Do you need help with the nuances of setting up Private Link for Azure Arc? Are you using SCOM to onboard MMA to your servers still and unsure of the path forward to AMA? Then look no further! With this multi-part series, we will guide you through the decision process to find the best path on your monitoring and endpoint protection journey with the end goal being successfully deployment of Defender for Servers.
Link to Part 2 (focuses on Arc Agent Deployment)
Link to Part 3 (focuses on Defender for Servers at Scale Deployment)
What’s in this blog:
What’s not in this blog:
Detailed deployment of Microsoft Defender for Endpoint
If you’d like a refresher on successfully migrating from a 3rd party EDR solution and onboarding to Defender for Endpoint, see here: David McWee - MDE Get Healthy with MDfS Driven Migration
Do we even need the Azure Arc agent or the Azure Monitor Agent?
The question of the decade…and the answer is now ‘it depends!' As it stands, The Defender for Servers Product Team is de-prioritizing the Arc Agent and Azure Monitoring Agent as requirements for the deployment of Defender for Servers. Let’s first consider a scenario where you will benefit with the new Direct Onboarding feature and may not need to add one or both of the abovementioned agents.
|
Defender for Servers P1 |
Defender for Servers P2 |
Update Management, Azure Policy, Change Tracking etc.1 |
Non-Azure server |
Arc not required with Direct onboarding, AMA not required |
Arc required, AMA required (FIM2) |
Arc required, AMA required |
Azure server |
Arc not required, AMA not required |
Arc not required, AMA required |
Arc not required, AMA required for some features |
1 Full overview of features and benefits of Arc
Scenario 1: Direct Onboarding Defender for Servers P1 w/o Azure Agents
Review this QuickStart on Direct Onboarding as a starting point.
Scenario:
This deployment scenario is designed for organizations and users that want to monitor and alert on Defender for Endpoint-enabled servers in Defender for Cloud, but are not ready to roll out Azure agents to their workloads. To clarify, direct onboarding does not require the Azure Arc agent or the Azure Monitor Agent. For example, you may have a mix of Azure servers, as well as on-premises machines. You have potentially onboarded a portion, if not all, to Defender for Endpoint. The long-term plan for you is to onboard all of your digital estate to Defender for Endpoint as your EDR solution, and you would like to be able to see the alerts from MDE in Defender for Cloud in a single pane of glass. Alternatively, you could be using another product as your EDR and AV solution, but you would like to leverage Defender for Vulnerability Management and see vulnerability assessment results in Defender for Cloud.
Outcomes:
Impact:
The Direct Onboarding option will tie all your mssense agents (extension for MDE) to an Entra tenant and connect them to a specified Azure Subscription; when you view your alerts in Defender for Cloud, you will need to filter to that subscription to see data from MDE on those servers. This deployment method may complicate billing as it will ultimately bill the licensing for the associated products to a singular chosen subscription. See the note on billing further below.
To turn on Direct Onboarding, in Defender for Cloud, navigate to Defender for Servers => Environment Settings.
Select Direct Onboarding => Toggle to ON => Select or create a subscription for all your objects.
If the designated subscription is a newly created subscription, don’t worry about the “Missing plan” message that you may receive next to the subscription name, as Defender for Servers P1 will be automatically enabled.
When complete, make sure to click “Save” at the top left. It could take up to 24 hours before all resources populate in your panel. Navigate back to this pane and click Resource Inventory to ensure there are no missing objects.
NOTE:
In this pane you will notice that you are onboarding non-Azure servers to Defender for Servers only using the Defender for Endpoint agent and no other agent is required.
All MDE agents under this tenant will now be billed in a singular subscription you choose in a Defender for Servers P1 state. Unfortunately, at the time of article publication, you cannot select multiple subscriptions. The billing is supposed to be automatic but it is prudent to put in a CSS (Support) request for billing after enablement to ensure you move from licensing to per server per user Azure Consumption.
Scenario 2: Defenders for Servers with Azure Arc Enablement
Scenario:
This is ideal for organizations with a hybrid cloud environment with servers running on-premises and in the cloud. You want all the server management and automation capabilities that Arc enables for you in Azure, while ensuring that all servers are protected against cyber threats and comply with security standards. Furthermore, you are looking to use Arc as an orchestration agent to help push other agents/extensions to your non-Azure servers. In this deployment option, you first onboard all applicable servers to Arc, and then simply enable your desired Defender for Servers plan in Defender for Cloud Environment Settings.
Outcomes & Impact:
Azure Monitor Agent vs. Microsoft Monitoring Agent
There is now no requirement to have monitoring agents deployed to enable Defender for Servers nor does Azure Arc have a dependency on the Azure Monitor Agent or the legacy Microsoft Monitoring Agent.
NOTE: The legacy Microsoft Monitoring Agent will be retired on 31 August, 2024. If you are using the Microsoft Monitoring Agent in your any of your scenarios, we recommend that you start planning your migration to the Azure Monitor Agent (AMA): Migrate from legacy agents to Azure Monitor Agent.
Azure Monitor Agent (AMA), Microsoft Monitoring Agent (MMA), Azure Arc AND System Center Orchestration Manager (SCOM)
Azure Arc and Azure Monitoring agent (AMA) can be run in parallel with your Microsoft Monitoring Agent (MMA)/System Center Orchestrator Manager (SCOM): Running SCOM agent in parallel with MMA and/or AMA. This scenario applies to customers running System Center Orchestration Manager on-premises that have either deployed the SCOM agent to forward data to Log Analytics workspace (LAW) or the SCOM agent with Microsoft Monitoring Agent (MMA) to forward to LAW.
In this configuration, pictured below, the MMA/SCOM maintains its connection to SCOM while the AMA with Data Collection Rules (DCR) is allowed to process logs to different locations in Azure, while allowing for the enablement of Update Management and other Automation features. The process is to disconnect (DO NOT delete) the Microsoft Monitoring Agent from Log Analytics.
Considerations for File Integrity Monitoring
With File Integrity Monitoring, you can monitor critical files and directories for changes, and receive alerts when changes are detected. You can also view detailed information about the changes, such as who made the change and when it was made. FIM through Defender for Servers currently depends on the Microsoft Monitoring Agent or the Azure Monitor Agent, as well as the Change Tracking extension.
Considerations for Microsoft Defender Vulnerability Management
For vulnerability assessment on machines enrolled in Defender for Servers, the Qualys scanner option is being deprecated, and the way forward is leveraging the MDVM (Defender Vulnerability Management) component of Defender for Endpoint (MDE). To review the options for deploying a vulnerability assessment solution to your servers, please see the screenshot below:
Are you using a third-party EDR/AV solution, but still want to take advantage of all the features of Defender for Servers and leverage MDVM for vulnerability assessments?
For on-premises servers, you will currently need to onboard them to MDE to get the MDVM capability; thus, it is recommended you add Defender into the exclusions of your third-party product and make sure MDAV (Defender Antivirus) is in passive mode if you are planning to use the third-party AV.
On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus (MDAV) doesn't enter passive mode automatically so you will need to set it manually using a registry key. For all other servers, MDAV should go into passive mode automatically after detection of third-party products.
Link to Part 2 (focuses on Arc Agent Deployment)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.