By using Microsoft Defender for Endpoint (MDE) to protect your Windows Server, you can safeguard your organization’s critical data, applications, and services from a wide range of cyber threats, while streamlining security management and ensuring compliance with industry regulations.
In this guide, I’ll demonstrate how to install Microsoft Defender for Endpoint (MDE) on your on-premises Windows Server. Please note that there is no longer a straightforward installation method for the agent, as the “Defender for Endpoint for server” license has been discontinued.
There are two options: first, enterprises that already hold suitable licenses can continue to use them; second, you can use Azure Arc together with Defender for Cloud, which is the approach I’ll cover in this post.
Small and medium-sized businesses (SMBs) still have the option to use Microsoft Defender for Business servers to protect their infrastructure.
Why you should protect your systems with MDE
Protecting your Windows Server with MDE is important to ensure the security and integrity of your IT infrastructure.
Advantages of using MDE:
- Advanced threat protection: MDE provides comprehensive protection against known and unknown threats, including malware, ransomware and other advanced attacks. Its cloud-powered analytics and machine learning capabilities enable it to identify and block threats that traditional antivirus solutions might miss.
- Endpoint detection and response (EDR): MDE offers EDR capabilities that allow you to detect, investigate, and respond to threats in real-time. This helps minimize the potential damage from security incidents by providing rapid response and remediation capabilities.
- Integration with Microsoft 365: MDE is an integral part of the Microsoft 365 security ecosystem. This integration provides a unified security management experience, allowing you to leverage other Microsoft security products and services more effectively.
- Simplified management: MDE is easy to deploy, configure, and manage. The centralized management console allows you to monitor and control your organization’s security posture, and the automated updates ensure that your protection is always up to date.
- Comprehensive visibility: With MDE you gain visibility into your entire network, including endpoints, servers, and cloud workloads. This allows you to detect and respond to threats more effectively, as well as identify and address potential vulnerabilities in your environment.
- Regulatory compliance: Many industries and organizations require compliance with specific security standards and regulations. MDE helps you meet these requirements by providing advanced security features and comprehensive reporting capabilities.
- Cost-effective solution: Compared to other endpoint security solutions, MDE offers a competitive and cost-effective way to protect your Windows Server infrastructure without compromising on security features or performance.
Azure Arc advantages and disadvantages
Azure Arc is a service offered by Microsoft that enables users to manage, govern, and secure their resources across on-premises, multi-cloud and edge environments. It provides a unified management experience for Azure and non-Azure resources.
Advantages:
- Unified management: Azure Arc simplifies the management of resources across different environments by providing a single control plane for managing and monitoring resources, regardless of where they are located.
- Consistent governance: Azure Arc enables you to apply consistent governance and compliance policies across your entire infrastructure. This ensures that resources in different environments adhere to the same policies, helping you maintain a standardized and secure environment.
- Enhanced security: Azure Arc extends Azure security features, such as Azure Policy and Azure Security Center, to non-Azure resources. This allows you to benefit from Azure’s security capabilities, even if your resources are hosted on-premises or in other clouds.
- Hybrid and multi-cloud flexibility: Azure Arc provides flexibility in deploying and managing resources across on-premises, multi-cloud and edge environments. This enables you to choose the best environment for your workloads based on factors such as performance, cost, and compliance requirements.
Disadvantages:
- Additional complexity: Azure Arc introduces an additional layer of complexity to your infrastructure management, as you will need to learn and adapt to new concepts and tools associated with it.
- Dependency on Azure: Although Azure Arc supports multi-cloud and on-premises environments, it is still a Microsoft product, and organizations using it may become more dependent on the Azure ecosystem.
- Cost: Azure Arc comes with additional costs for certain services and features. Depending on your organization’s requirements, these costs may be significant, especially if you manage a large number of resources across multiple environments. (If you only use the onboarding, it is free to use!)
- Limited support for non-Azure resources: While Azure Arc enables you to manage resources in other clouds and on-premises, the level of integration and support for non-Azure resources might not be as comprehensive as that for native Azure resources. This may result in limitations in terms of available features and management capabilities.
In summary, Azure Arc offers a unified and consistent management experience across different environments, enabling organizations to apply consistent governance, enhance security and modernize applications. However, it also introduces additional complexity, dependency on Azure and potential costs. Organizations should carefully assess their requirements and weigh the advantages and disadvantages before adopting Azure Arc.
General
To begin, let’s assume you have an Active Directory domain with servers integrated into it. If your servers cannot access the required Microsoft sites for communication, you should configure firewall rules or a proxy. To manage settings with Intune, your servers must be synchronized to Azure AD as Hybrid Azure AD joined. If this is not the case, you’ll need to use Group Policy Objects (GPOs) for configuration management.
Azure Arc preparation
In my case the AD is separated into different tiering levels, which I will also use in my Azure Arc environment. To get the most granular solution, I will create different Azure subscriptions to separate the servers:
Later, I can set specific rights on these subscriptions and use PIM to regulate the access.
If you have the needed subscription(s), create a resource group inside and choose your desired region. If you create the resource group from within Azure Arc, it will always be placed in East US. In my case, I want all data (even metadata) to stay in Germany West Central:
After you have created the resource group, switch to the Azure Arc service:
Select “Servers” and then “Add” to onboard the servers:
To use a group policy, select the “Generate script” under “Add multiple servers”:
Click “Next”:
Set the correct subscription, resource group, region and operating system. If your servers connect through a proxy, select the option “Proxy server” like me. Otherwise, select “Public endpoint”:
If you have no service principal, create one to use it for authentication:
In the new window, create a new service principal by clicking on “Add”:
If you don’t select “Add” but click in the middle of the window to create a new service principal, you will not have the option to choose “Custom” as the expiration date.
Make sure to choose the right information (subscription, resource group) for your environment. For the secret, I choose “Custom” to get a late expiration; otherwise, I would have to change the secret that the GPO uses quite often. As the role, select “Azure Connected Machine Onboarding”:
After you click “Create”, download the secret! This is your only chance to do so. Copy the information into a document so you can use it later.
Switch back to Azure Arc:
Now, under “Authentication” > “Service principal”, choose the service principal you just created:
Set the tags to match your environment:
Now, for the deployment method, choose “Group Policy”:
The first part is done. Keep the site open, because we will prepare the other prerequisites:
Download the installer package of Azure Arc and go to the next section.
File share preparation
To deploy the Azure Arc agent, you need to prepare a file share for the deployment files. The following groups need “Change” permission on this share: “Domain Admins”, “Domain Controllers” and “Domain Computers”. Decide on which computer and in which folder structure you want to create the share, then follow the steps.
At first, create a folder, share the folder and add permissions:
Search for the needed groups and add them:
Give every group the “Change” permission and click “OK”:
Copy the downloaded “AzureConnectedMachineAgent.msi” file and put it in the shared folder:
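The share preparation above, scripted in PowerShell as an added example (this is not code from the original post). It assumes the share is created on the local server, that the folder path, share name and MSI download location are placeholders you replace, and that it runs in an elevated PowerShell with a domain account.

```powershell
# Added example: prepare the Azure Arc deployment share with "Change" access
# for the three groups the post names. Paths and share name are assumptions.
$SharePath = 'D:\Shares\AzureArcDeploy'                  # assumed local folder
$ShareName = 'AzureArcDeploy'                            # assumed share name
$MsiSource = 'C:\Temp\AzureConnectedMachineAgent.msi'    # assumed download location
$Domain    = $env:USERDOMAIN                             # NetBIOS name of the current domain
$Groups    = "$Domain\Domain Admins",
             "$Domain\Domain Controllers",
             "$Domain\Domain Computers"

# Create the folder if it does not exist yet
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# NTFS side: grant Modify (the NTFS counterpart of share-level "Change"),
# inherited by subfolders and files, to each of the three groups
$acl = Get-Acl -Path $SharePath
foreach ($group in $Groups) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# Share side: "Change" for the same three groups only (no "Everyone" entry is added
# when explicit access lists are passed)
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Groups | Out-Null
}

# Put the downloaded agent installer into the share root
Copy-Item -Path $MsiSource -Destination $SharePath

# Print what you need to note down: the UNC path and the lowercase server FQDN
$Fqdn = ($env:COMPUTERNAME + '.' + $env:USERDNSDOMAIN).ToLower()
"Share path: \\$Fqdn\$ShareName"
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
```

The final table lets you confirm that only the three intended groups hold share permissions before the MSI is exposed to every domain computer.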
Note the file share name in the document where you wrote down the service principal secret. Also note the server name in lowercase; you can get it with:
($env:computername + "." + $env:userdnsdomain).ToLower()
After you did this, go back to Azure Arc portal and “Download files from Github”:
Copy the zip file to the computer on which you are making the changes, extract it, and open an administrative PowerShell. Change into the extracted directory in PowerShell. I created a separate folder for every tiering level, because the files in this folder are altered when you run the PowerShell script later:
Azure Arc script
Switch back to Azure Arc and enter the saved information:
Use only lowercase characters for “Domain name” and “Report server domain name”. If you use a proxy, the proxy switch in the generated PowerShell command is still enclosed in “[ ]” brackets; be sure to delete the brackets before running it. Use “Copy to clipboard” on the output and switch back to the system on which you opened PowerShell.
You have to set the “$ServicePrincipalSecret” variable before you can use the copied command.
Declare it inside the PowerShell session:
$ServicePrincipalSecret = "THIS_MUST_BE_THE_SECRET"
Now run the “.\DeployGPO.ps1” command:
GPO distribution
The script will create a GPO:
Rename it and link it to your OU. The servers will apply it after the next GPO refresh.
Review the Azure Arc portal to see whether the servers are being onboarded. If there is a problem, a log file is created under “AzureArcLogging” in your shared folder:
You can also delete “AzureConnectedMachineAgent.msi” from the share root; it was copied into “AzureArcDeploy”.
Defender for Cloud setup
Navigate to “Microsoft Defender for Cloud” inside Azure portal and click on “Environment settings”:
Expand the management group and select the correct subscription:
Activate the “Servers” plan and click on “Change plan”:
Make sure that the correct plan is selected. In my case, I primarily want to deploy Defender for Endpoint:
Check in ”Settings & monitoring” that “Endpoint protection” is enabled:
Save it:
Check onboarding
The installation of the Microsoft Defender for Endpoint (MDE) agent may take some time. Monitor Azure Arc to ensure servers are being onboarded. Regularly check the M365 Defender portal for any server deployments.
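In addition to the portal checks, you can verify the state on a server itself. The following is an added example (not from the original post) that reports the Azure Arc agent status and the MDE onboarding flag; it assumes it runs locally in an elevated PowerShell (or remotely via Invoke-Command) on a Windows Server with Microsoft Defender Antivirus present.

```powershell
# Added example: report Azure Arc and Defender for Endpoint onboarding state on one server.
function Test-ArcMdeOnboarding {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Azure Arc: the Hybrid Instance Metadata Service (himds) is the core agent service
    $arcSvc = Get-Service -Name himds -ErrorAction SilentlyContinue
    $result.ArcAgentService = if ($arcSvc) { $arcSvc.Status } else { 'NotInstalled' }

    # "azcmagent show" prints the resource name, subscription and connection status
    $azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if (Test-Path $azcmagent) {
        $show = & $azcmagent show 2>&1 | Out-String
        $result.ArcAgentStatus = ($show -split "`r?`n" | Where-Object { $_ -match 'Agent Status' }) -join ''
    } else {
        $result.ArcAgentStatus = 'azcmagent.exe not found'
    }

    # MDE: the "Sense" service is the EDR sensor; OnboardingState = 1 means onboarded
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status } else { 'NotInstalled' }
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result.MdeOnboarded = ($state -eq 1)

    # Defender Antivirus engine state (real-time protection should be on)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AntivirusEnabled          = $mp.AntivirusEnabled
        $result.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        $result.SignatureAge              = $mp.AntivirusSignatureAge
    }

    [pscustomobject]$result
}

Test-ArcMdeOnboarding | Format-List
```

A server that shows the Arc agent as connected but MdeOnboarded as False usually just needs more time for the Defender for Cloud extension to be pushed; if it stays False, check the “AzureArcLogging” folder on the share and the extension status of the Arc resource in the portal.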
With this setup, you can efficiently deploy Azure Arc and Defender for Endpoint on a large scale for your servers. No need to worry about new server onboardings and you can even manage settings through Intune if desired. MDE offers additional features and supports Windows clients, macOS, Linux, Android, and iOS. If you’d like to see an article on a specific topic, please let me know.
If you encounter any issues or have questions, feel free to reach out to me. Connect with me on LinkedIn, Twitter, and Mastodon. Thank you for reading and sharing! 😊