Question on 2019 server with Microsoft.Azure.AzureDefenderForServers.MDE.Windows

kumar kaushal 176 Reputation points
2021-07-08T23:51:02.743+00:00

I have a question on the MDE.Windows extension and need help with the same:

I was reading a blog post and found that the extension can even take more than 24 hours.

https://techcommunity.microsoft.com/t5/azure-security-center/announcement-azure-defender-integration-with-mde-for-windows/m-p/2159018

I have built 3 machines, and all of them have the extension "Microsoft.Azure.AzureDefenderForServers.MDE.Windows" in the ready state:

VM 2012 R2
VM 2016
VM 2019

When I run the test alert from the machines:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe'); Start-Process 'C:\test-MDATP-test\invoice.exe'

https://learn.microsoft.com/en-us/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security

If I go to Security Center --> Security alerts, I see the alerts being generated for 2012 R2 and 2016, but not from the 2019 machine.

The question is: why am I not seeing an alert from the 2019 machine?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee
    2021-07-09T13:22:07.96+00:00

    @kumar kaushal Can you confirm whether you have onboarded the Server 2019 machine to ASC correctly, as Server 2019 has a different process?
    You can follow this link to perform that action: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#windows-server-sac-version-1803-windows-server-2019-and-windows-server-2019-core-edition

    You have the following options to onboard; once onboarded successfully, you will be able to see all alerts and recommendations:

    1. Local script (used in testing scenarios)
    2. Group Policy
    3. Microsoft Endpoint Configuration Manager (most common implementation)
    4. System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
    5. VDI onboarding scripts for non-persistent devices

    You can read more here.

    If you have onboarded them correctly and are still not able to see the alerts, do let us know; this might need a deeper investigation at that point.

    ---

    Please remember to Accept Answer if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

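The answer above points at the Server 2019 onboarding procedure but not at how to confirm on the host that it actually completed. The following in-guest check is an added example written for this thread, not code from the original post, the answerer, or Microsoft. It assumes the documented MDE sensor service name `Sense` and the `Windows Advanced Threat Protection\Status` registry key (where `OnboardingState` = 1 means onboarded); the Azure guest-agent extension log root is the standard one, and the warning strings and the `Get-MdeOnboardingState` function name are this script's own. Run it in an elevated PowerShell session on the 2019 VM.

```powershell
# Added example (not from the thread): is the MDE sensor installed, onboarded and
# running on this host? Assumptions: 'Sense' service name, Status registry key,
# OnboardingState == 1 meaning onboarded, standard guest-agent extension log root.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingState {
    # Returns one object summarising service presence, service state and the
    # onboarding values the sensor writes once it has registered with the tenant.
    $result = [ordered]@{
        SenseServicePresent = $false
        SenseServiceRunning = $false
        OnboardingState     = $null   # 1 = onboarded; missing/0 = not onboarded
        OrgId               = $null   # tenant the sensor reports to, once onboarded
    }

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SenseServicePresent = $true
        $result.SenseServiceRunning = ($svc.Status -eq 'Running')
    }

    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }

    return [pscustomobject]$result
}

$state = Get-MdeOnboardingState
$state | Format-List

# Distinguish "sensor never installed" from "installed but onboarding never
# finished" from "onboarded but stopped": each points at a different fix.
if (-not $state.SenseServicePresent) {
    Write-Warning 'Sense service not found: the MDE sensor is not installed on this host.'
} elseif ($state.OnboardingState -ne 1) {
    Write-Warning 'Sense service present but OnboardingState is not 1: onboarding did not complete.'
} elseif (-not $state.SenseServiceRunning) {
    Write-Warning 'Host is onboarded but the Sense service is not running.'
} else {
    Write-Host 'MDE sensor installed, onboarded and running.'
}

# The MDE.Windows extension writes its own logs under the guest agent's plugin
# log root; their presence and timestamps show whether the extension ever ran here.
$extLogRoot = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows'
if (Test-Path $extLogRoot) {
    Get-ChildItem -Path $extLogRoot -Recurse -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 FullName, LastWriteTime
} else {
    Write-Warning "No extension log directory at $extLogRoot; the extension may not have run on this VM."
}
```

Running this on each of the three VMs and comparing the output is a quick way to see whether the 2019 machine differs from the 2012 R2 and 2016 machines in sensor presence or onboarding state rather than in alert generation alone.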

  2. kumar kaushal 176 Reputation points
    2021-07-09T15:31:20.693+00:00

    @VipulSparsh-MSFT I have not followed the process as illustrated in the article. The only steps that I have implemented are:

    1) Went to Security Center --> Upgraded the plan
    2) Made sure that the below check boxes are enabled:

    Allow Microsoft Cloud App Security to access my data.
    Allow Microsoft Defender for Endpoint to access my data

    3) Auto-provisioning is enabled for the below agent:

    Log Analytics agent for Azure VMs.

    After this I found that the MMA extension was installed within an hour, but the extension Microsoft.Azure.AzureDefenderForServers.MDE.Windows took more than 24 hours.

    My first question is: why did it take more than 24-48 hours to install this extension? What is it doing in the background?

    Is it that, after following the above steps, we have to follow an extra step for 2019 registration with MDE? And that is below:
    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide

    How can I download WindowsDefenderATPOnboardingPackage.zip?

    Another question I have is: once I have upgraded the plan within Security Center, I should be able to access security.microsoft.com with a tenant account that is a Global Administrator, correct?

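The three portal steps listed in the reply above (plan upgrade, integration check boxes, auto-provisioning) and the per-VM extension state can all be read back from the Azure side, which makes it easier to compare the three machines without clicking through the portal. This is an added example written for this thread, not code from the poster or from Microsoft. It uses the Az.Security and Az.Compute cmdlets (`Get-AzSecurityPricing`, `Get-AzSecurityAutoProvisioningSetting`, `Get-AzVM`, `Get-AzVMExtension`) in an existing `Connect-AzAccount` session; the resource group and VM names are placeholders, and `Get-MdeExtensionStatus` is this script's own function.

```powershell
# Added example (not from the thread): Azure-side view of the Defender plan,
# auto-provisioning and the MDE.Windows extension state on each VM.
# Placeholders: $resourceGroup and $vmNames. Requires Az.Security and Az.Compute.

$resourceGroup = 'rg-placeholder'
$vmNames       = @('vm-2012r2', 'vm-2016', 'vm-2019')

# The extension in the thread is published by Microsoft.Azure.AzureDefenderForServers
# with extension type MDE.Windows; match on both rather than on the VM-local name.
$mdePublisher = 'Microsoft.Azure.AzureDefenderForServers'
$mdeType      = 'MDE.Windows'

# 1) Is the Defender for Servers plan ("upgraded plan") on for virtual machines?
Get-AzSecurityPricing |
    Where-Object Name -eq 'VirtualMachines' |
    Select-Object Name, PricingTier

# 2) Is auto-provisioning of the Log Analytics agent switched on?
Get-AzSecurityAutoProvisioningSetting |
    Select-Object Name, AutoProvision

# 3) Per VM: image SKU (to tell the 2012 R2 / 2016 / 2019 hosts apart) and the
#    provisioning state of the MDE extension, if the platform has pushed it yet.
function Get-MdeExtensionStatus {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )

    $vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ErrorAction SilentlyContinue |
           Where-Object { $_.Publisher -eq $mdePublisher -and $_.ExtensionType -eq $mdeType }

    [pscustomobject]@{
        VMName            = $VMName
        ImageSku          = $vm.StorageProfile.ImageReference.Sku
        MdeExtensionFound = [bool]$ext
        ProvisioningState = if ($ext) { $ext.ProvisioningState } else { 'n/a' }
    }
}

$vmNames |
    ForEach-Object { Get-MdeExtensionStatus -ResourceGroupName $resourceGroup -VMName $_ } |
    Format-Table -AutoSize
```

A VM whose row shows the extension as `Succeeded` but which still raises no alert is the case the first answer describes: the extension has been delivered, but the in-guest sensor on Server 2019 has not completed its own onboarding, which is checked on the host rather than from the Azure side.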