kumarkaushal-1277 asked AnshulKumarMINDTREELIMITED-5501 commented

Question on 2019 server with Microsoft.Azure.AzureDefenderForServers.MDE.Windows

I have a question on the MDE.Windows extension and need help with the same:

I was reading a blog post and found that the extension can even take more than 24 hours.

https://techcommunity.microsoft.com/t5/azure-security-center/announcement-azure-defender-integration-with-mde-for-windows/m-p/2159018

I have built 3 machines and all the machines have the extension "Microsoft.Azure.AzureDefenderForServers.MDE.Windows" in Ready state:

VM 2012 R2
VM 2016
VM 2019

When I run the test alert from the machines:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'

https://docs.microsoft.com/en-us/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security

If I go to Security Center --> Security alerts, I see the alerts being generated for 2012 R2 and 2016, but not from the 2019 machine.

The question is: why am I not seeing alerts from the 2019 machine?

azure-security-center

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

vipulsparsh-MSFT answered

@kumarkaushal-1277 Can you confirm if you have onboarded the Server 2019 to ASC correctly, as Server 2019 has a different process?
You can follow this link to perform that action: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#windows-server-sac-version-1803-windows-server-2019-and-windows-server-2019-core-edition

You have the following options to onboard; once onboarded successfully you will be able to see all alerts and recommendations:
1) Local script (used in testing scenarios)
2) Group Policy
3) Microsoft Endpoint Configuration Manager (most common implementation)
4) System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
5) VDI onboarding scripts for non-persistent devices

You can read more here.

If you have onboarded them correctly and are still not able to see the alerts, do let us know; this might need a deeper investigation at that point.

Please remember to Accept Answer if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
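A quick way to verify the point raised in this answer, that the Azure extension showing Ready is not the same as the host actually being onboarded to MDE: the following is an added example (not from the thread or from Microsoft's own docs), to be run in an elevated PowerShell session on the Server 2019 VM. It reads the well-known MDE onboarding status registry value and the state of the Sense service, and reports the Defender AV status alongside; the output object field names are this example's own choice.

```powershell
# Added example: check whether this Windows Server host is really onboarded to
# Microsoft Defender for Endpoint (MDE). Run as administrator on the VM itself.

# MDE writes OnboardingState = 1 under this key once onboarding has completed.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = $false
if (Test-Path $statusKey) {
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)   # 1 = onboarded; 0 or missing = not onboarded
}

# The MDE sensor runs as the "Sense" service (Windows Defender Advanced Threat Protection Service).
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

# Defender AV status; on Server 2019 the AV engine is expected to be present and enabled.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSVersion          = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    MdeOnboarded       = $onboarded
    SenseServiceUp     = $senseRunning
    AMServiceEnabled   = if ($mp) { $mp.AMServiceEnabled } else { 'n/a' }
    RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'n/a' }
}
$report | Format-List

if (-not $onboarded) {
    Write-Warning 'Host is not onboarded to MDE; the MDE.Windows extension being in Ready state does not by itself mean onboarding completed.'
}
```

If MdeOnboarded is False on the 2019 machine while True on the 2012 R2 and 2016 machines, that explains why only those two raise alerts, and the Server 2019 onboarding steps linked in the answer are the next thing to follow.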


kumarkaushal-1277 answered

@vipulsparsh-MSFT I have not followed the process as illustrated in the article. The only steps that I have implemented are:

1) Went to Security Center --> Upgraded the plan
2) Made sure that the below check boxes are enabled:

Allow Microsoft Cloud App Security to access my data
Allow Microsoft Defender for Endpoint to access my data

3) Auto-provisioning is enabled for the below agent:

Log Analytics agent for Azure VMs.

After this I found that the MMA extension was installed within an hour, but the extension Microsoft.Azure.AzureDefenderForServers.MDE.Windows took more than 24 hours.

My first question is: why did it take almost 24-48 hours or more to install this extension? What is it doing in the background?

Is it that, after following the above steps, we have to follow an extra step for 2019 registration with MDE? That is below:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide

How can I download WindowsDefenderATPOnboardingPackage.zip?

Another question I have is: once I have upgraded the plan within Security Center, I should be able to access security.microsoft.com with the tenant account which is a Global Administrator, correct?
