
Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint


At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were also renamed Microsoft Defender plans; for example, Azure Defender for Servers is now Microsoft Defender for Servers.

In this article, we will share with you how to integrate Microsoft Defender for Cloud (formerly Azure Security Center) and Microsoft Defender for Endpoint.

Updated – 20/06/2022 – Defender for Cloud supports Microsoft Defender for Endpoint unified solution for Windows servers 2012 R2 and Windows servers 2016.

Updated – 12/04/2022 – New Defender for Servers plans. Microsoft Defender for Servers is available in two plans.

Introduction

Microsoft Defender for Cloud (MDC) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Microsoft Defender for Cloud has two main value propositions: Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).

Within the realm of endpoint detection and response (EDR) solutions, Microsoft Defender for Cloud, and Microsoft Defender for Endpoint, customers often ask me the following questions:

How does Microsoft Defender for Cloud integrate with Microsoft Defender Advanced Threat Protection (ATP) to protect Windows server machines? Do we need a separate license? Do we still need access to the Microsoft Defender Security Center portal?

In this article, we will clarify those frequent questions and share with you how Microsoft Defender for Cloud (MDC) integrates with Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection (MDATP) so you can harness the power of both security solutions.

Microsoft Defender ATP (MDATP)

Microsoft Defender for Endpoint (formerly known as Microsoft Defender ATP) is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender ATP is a full endpoint detection and response (EDR) solution available on a range of operating systems – Windows 11, Windows 10, macOS, Linux (in public preview at the time of writing), iOS, and Android (both in private preview at the time of writing). The platform offers preventive protection, post-breach detection, and automated investigation and response. The alerts it raises indicate attacks, compromises, and other threat indicators, which can be remediated automatically or manually.

Microsoft Defender for Endpoint provides the following capabilities:

  • Advanced post-breach detection sensors: Microsoft Defender ATP sensors for Windows servers collect a vast array of behavioral signals.
  • Analytics-based, cloud-powered post-breach detection: Microsoft Defender ATP quickly adapts to changing threats. It uses advanced analytics and big data. Microsoft Defender ATP is amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

Microsoft Defender Security Center (https://securitycenter.windows.com) is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives you and your security operations teams a single pane of glass experience to help secure your networks and endpoints.

For more information about Microsoft Defender for Endpoint, please check the official Microsoft documentation.

Microsoft Defender for Cloud (MDC)

Microsoft Defender for Cloud (formerly known as Azure Security Center) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).

2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.

Azure Security Center is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.

For more information about Microsoft Defender for Cloud, please check Microsoft documentation.

Microsoft Defender for server plans

Updated – 12/04/2022 – New Defender for Servers plans. Microsoft Defender for Servers is available in two plans:

Microsoft Defender for Servers Plan 1 (new) – deploys Microsoft Defender for Endpoint to your servers and provides these capabilities:

  • Microsoft Defender for Endpoint licensing is charged per hour instead of per seat, lowering costs by protecting virtual machines only while they are in use.
  • Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know they’re protected when they spin up.
  • Alerts and vulnerability data from Microsoft Defender for Endpoint are shown in Microsoft Defender for Cloud.

Microsoft Defender for Servers Plan 2 (formerly Defender for Servers) – includes the benefits of Plan 1 and support for all of the other Microsoft Defender for Servers features.

For pricing details in your currency of choice and according to your region, see the pricing page.

The new Microsoft Defender for Servers Plan 1 (licensed through Azure) doesn’t require E5 on clients and is probably the most cost-effective now.

Microsoft Defender for Servers provides threat detection and advanced defenses to your Windows and Linux machines whether they’re running in Azure, AWS, GCP, or on-premises.

Unified solution for Windows Servers 2012 R2 and 2016

Updated – 20/06/2022 – Microsoft aligned the integration experience between Microsoft Defender for Endpoint (MDE) and both Microsoft Defender for Servers Plans (1 and 2).

The previous integration of Windows Server 2012 R2 and Windows Server 2016 with Microsoft Defender for Server required the use of Microsoft Monitoring Agent (MMA).

The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. To enable the MDE unified solution in existing subscriptions you can opt-in on the subscription’s environment settings/integrations page as shown in the figure below.

The MDE integration is completely based on the two machine extensions MDE.Windows and MDE.Linux which are available for Azure VMs, and non-Azure machines that are connected through Azure Arc-enabled servers.

Unified solution for Windows Servers 2012 R2 and 2016

When clicking the Enable unified solution button and then Save, you will be asked to confirm deployment to all existing and future Windows Server 2012 R2 and 2016 machines as shown in the figure below.

Enable Microsoft Defender for Endpoint new solution for Windows Servers 2012 R2 and 2016

Once done, Defender for Cloud will deploy the MDE.Windows extension to all Windows Server 2012 R2 and 2016 machines in that subscription. The extension will then install the MDE unified solution and connect it to your MDE backend while, at the same time, deactivating the legacy MDE sensor.

In addition, this unified solution package comes with the following major improvements:

  • Microsoft Defender Antivirus with Next-generation protection for Windows Server 2012 R2
  • Attack Surface Reduction (ASR) rules
  • Network Protection
  • Controlled Folder Access
  • Potentially Unwanted Application (PUA) blocking
  • Improved detection capabilities
  • Expanded response capabilities on devices and files
  • EDR in Block Mode
  • Live Response
  • Automated Investigation and Response (AIR)
  • Tamper Protection

Depending on the server that you’re onboarding, the unified solution installs Microsoft Defender Antivirus and/or the EDR sensor.
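The article describes what the unified solution installs but not how to confirm it on a given host. The following PowerShell is an added example, not a script from the article or from Microsoft: run it locally on an onboarded server to check that the sensor is onboarded and which of the features listed above are actually active. It reads the sensor's status registry key (`OnboardingState`, `OrgId`) and the Defender module cmdlets `Get-MpComputerStatus` and `Get-MpPreference`; it changes nothing on the machine.

```powershell
# Added example (not from the original article): run on the server itself to confirm the
# Defender for Endpoint sensor is onboarded and which protection features the unified
# solution turned on. Read-only, so it is safe to run on production hosts.

function Get-MdeOnboardingStatus {
    # The sensor writes its onboarding state under this key once the MDE.Windows
    # extension (or a manual onboarding package) has completed.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the EDR sensor service
    $onboarded = $false
    $orgId     = $null
    if (Test-Path $statusKey) {
        $props     = Get-ItemProperty -Path $statusKey
        $onboarded = ($props.OnboardingState -eq 1)
        $orgId     = $props.OrgId                   # tenant the sensor reports to
    }
    [pscustomobject]@{
        SenseServiceState = if ($sense) { $sense.Status } else { 'Not installed' }
        Onboarded         = $onboarded
        OrgId             = $orgId
    }
}

function Get-MdeProtectionFeatures {
    # Get-MpComputerStatus / Get-MpPreference come with the Defender PowerShell module that
    # the unified solution installs on 2012 R2 / 2016 (built in on Windows Server 2019+).
    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference -ErrorAction Stop
    [pscustomobject]@{
        AntivirusMode      = $status.AMRunningMode             # 'Normal', 'Passive Mode', 'EDR Block Mode', ...
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected
        NetworkProtection  = $pref.EnableNetworkProtection      # 0 = off, 1 = block, 2 = audit
        ControlledFolders  = $pref.EnableControlledFolderAccess # 0 = off, 1 = block, 2 = audit
        PuaProtection      = $pref.PUAProtection                # 0 = off, 1 = block, 2 = audit
        AsrRulesConfigured = @($pref.AttackSurfaceReductionRules_Ids).Count
    }
}

Get-MdeOnboardingStatus  | Format-List
Get-MdeProtectionFeatures | Format-List
```

A host that shows `Onboarded = False` or a stopped `Sense` service has not finished onboarding even if the extension reports success in the portal; a host in `Passive Mode` has another antivirus registered, so Microsoft Defender Antivirus is not the primary engine there.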

Learn more about the new Windows Server 2012 R2 and 2016 functionality in the modern unified solution.

Microsoft Defender for Cloud and Microsoft Defender for Endpoint integration

For Microsoft Defender for Cloud to integrate with Microsoft Defender for Endpoint, you need to make sure that:

1) The Microsoft Defender for Cloud enhanced security features are enabled (formerly known as the Standard tier, and later as Azure Defender).

For Azure VMs, you need Microsoft Defender for Cloud to be enabled on the subscription level as shown in the figure below.

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 1

For non-Azure machines (on-premises or other clouds), known as Azure Arc-enabled servers, you need to enable Microsoft Defender for Cloud at the workspace level only, as shown in the figure below. Please review the deployment options to understand the different deployment methods available for the extension on machines registered with Arc-enabled servers.

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 2

2) To enable integration and data collection between ASC and MDATP, you need to allow Defender ATP to access your data in the Security Center | Pricing & Settings page under (Settings->Threat detection) as shown in the figure below. Microsoft Defender for Cloud supports Microsoft Defender for Endpoint on Linux machines as well.

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 3

3) Last, you need to have the legacy Microsoft Monitoring Agent (MMA) or the new Azure Monitor Agent (AMA) properly installed and configured on each server. Microsoft Defender for Endpoint in Defender for Cloud supports detection on Windows Server 2022, 2019, 2016, 2012 R2, and 2008 R2 SP1 only, as well as on Linux machines. Windows Server 2019 Core editions and later are also supported.
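The three prerequisites above are shown through the portal; the same configuration can be applied and verified from PowerShell, which is useful when you manage many subscriptions. The script below is an added example, not code from the article or from Microsoft. It assumes the `Az.Accounts` and `Az.Security` modules are installed, that `Connect-AzAccount` has already been run with Security Admin rights on the subscription, and that `$SubscriptionId` is replaced with your own. The Defender for Servers sub-plan and the unified-solution opt-in are set through `Invoke-AzRestMethod` because older `Az.Security` releases do not expose them; the `api-version` values and the `WDATP_UNIFIED_SOLUTION` setting name are taken from the Microsoft.Security REST reference and should be confirmed against the current reference before use.

```powershell
# Added example (not from the original article): enable Defender for Servers on a
# subscription, turn on the Defender for Endpoint integration, and read both back.
# Assumes Az.Accounts + Az.Security are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,          # placeholder: your subscription
    [ValidateSet('P1', 'P2')] [string] $ServersPlan = 'P2'    # Defender for Servers Plan 1 or 2
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 1: enable Defender for Servers (the "Standard" pricing tier) and choose the sub-plan.
# api-version assumed from the Microsoft.Security/pricings reference; verify before use.
$pricingUri  = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2023-01-01"
$pricingBody = @{ properties = @{ pricingTier = 'Standard'; subPlan = $ServersPlan } } | ConvertTo-Json -Depth 3
$resp = Invoke-AzRestMethod -Method PUT -Path $pricingUri -Payload $pricingBody
if ($resp.StatusCode -notin 200, 201) {
    throw "Enabling Defender for Servers failed: $($resp.StatusCode) $($resp.Content)"
}

# Step 2: "Allow Microsoft Defender for Endpoint to access my data" (the integration toggle).
Set-AzSecuritySetting -SettingName 'WDATP' -SettingKind 'DataExportSettings' -Enabled $true | Out-Null

# Optional: opt in to the unified solution for Windows Server 2012 R2 / 2016.
# Setting name and api-version assumed from the Microsoft.Security/settings reference.
$unifiedUri  = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION?api-version=2022-05-01"
$unifiedBody = @{ kind = 'DataExportSettings'; properties = @{ enabled = $true } } | ConvertTo-Json -Depth 3
$resp = Invoke-AzRestMethod -Method PUT -Path $unifiedUri -Payload $unifiedBody
if ($resp.StatusCode -notin 200, 201) {
    throw "Unified solution opt-in failed: $($resp.StatusCode) $($resp.Content)"
}

# Verify: the plan should read back as Standard and the WDATP settings as enabled.
Get-AzSecurityPricing -Name 'VirtualMachines' | Select-Object Name, PricingTier
Get-AzSecuritySetting | Where-Object Name -like 'WDATP*' | Select-Object Name, Enabled
```

Step 3 (the MMA/AMA agent) is handled by auto-provisioning and is not repeated here. Keeping the verification step at the end matters in practice: a PUT that returns 200 on the pricing resource does not by itself prove the integration toggle is on, and the two are set independently.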

Please check the following article to learn more about how to onboard Windows server machines to Security Center.

The good news, from the virtual machine threat detection perspective, is that Microsoft Defender for Cloud integrates with Microsoft Defender for Endpoint. In practice this means Defender for Cloud deploys the Microsoft Defender for Endpoint sensor to your Windows servers as part of the Defender for Servers plans, so you don’t have to pay any extra license for Defender ATP, and you gain an entirely new set of capabilities from this powerful EDR solution, which is based on behavioral analytics.

If Defender ATP identifies malicious activity, it triggers an alert on its own. The alert goes to the Microsoft Defender Security Center portal and also appears in the Security Center | Security alerts page, so you can use the Security Center dashboard as the central location for the alert triage you usually do: you see not only the alerts generated by Security Center analytics but also the alerts generated by Microsoft Defender for Endpoint.

When you integrate Microsoft Defender for Cloud with Microsoft Defender for Endpoint, the integration is also connected to your Azure Active Directory tenant as well as to Azure Security Center. As mentioned above, Microsoft Defender for Endpoint alerts appear in the Azure Security Center dashboard.

To uncover more information about a breach, you can explore the details in the interactive Investigation Path within the Security Center alerts page as shown in the figure below.

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 4

But if you want to dig deeper into these alerts, then you should look at them from the Microsoft Defender Security Center portal. Here is an example of the ‘Incident graph’ in the ATP portal that helps you understand this suspicious activity.

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 5

You can also drill further and see the ‘Alert process tree’ in detail. This is so powerful!

Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint 6

Please note that having access to the Security Center portal is not enough: you still need access to the Microsoft Defender Security Center portal to fully manage the virtual machine there. So what you get with Microsoft Defender for Cloud (formerly known as Azure Security Center) is the management configuration, automated onboarding, and alerts, not the management portal.

Summary

Microsoft Defender for Endpoint and Microsoft Defender for Cloud are two entirely different products: the former is dedicated to endpoint protection, and the latter covers Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios. However, by integrating Security Center with Microsoft Defender for Endpoint you get a single pane of management to monitor your servers and to investigate and respond in case of an incident.

The Microsoft Defender for Cloud team works closely with the Microsoft Defender for Endpoint team on the endpoint protection that is part of ‘Azure Defender’, so when you pay $15 per server (Defender for Servers Plan 2) or $5 per server (Defender for Servers Plan 1) to protect your virtual machines, you also get the Defender for Endpoint license activated on those machines.

Additionally, if you’ve already got a license for Microsoft Defender for Endpoint for Servers Plan 2, you won’t have to pay for that part of your Microsoft Defender for Servers license.

Microsoft Defender for Endpoint Plan 1 does NOT support servers, so if you have Microsoft Defender for Servers Plan 1, then it includes Microsoft Defender for Endpoint Plan 2.

Additional resources I highly encourage you to check:

Microsoft Defender for Cloud (MDC) harnesses the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers whether they are running on-premises, on Azure, or in other cloud environments. Microsoft’s vast threat intelligence enables Microsoft Defender for Endpoint to identify and notify you of attackers’ tools and techniques, so you can understand threats and respond quickly.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.


16 thoughts on “Integrate Microsoft Defender for Cloud and Microsoft Defender for Endpoint”


  1. Hi,
    thanks for this really good article, it explained few things to me (I am new to ATP & Azure Security center).
    Still, I have few questions regarding this topic:
    1.) I don’t understand pricing/licensing for it. For example if I have 50 on-prem Win2016 servers, how would pricing go? All of my users have M365 E5 or E3 licenses.
    2.) In what situations is it better to use Azure Security center and when should I use ATP, in terms of using dashboards?
    3.) I understand that ATP gives me options for reporting, investigating etc… threats, but do I get Defender options from ATP or Security center?
    4.) I know there are 3 options to onboard device to ATP, but how should I choose which one is most appropriate one for my environment?

    That's it for now, if I think of anything else, will write it here. :)
    Kr,
    Dino

  2. Hello Dino,
    Thank you for the comment.
    Please find my answers to your questions below:
    1.) I don’t understand pricing/licensing for it. For example if I have 50 on-premises Win2016 servers, how would pricing go? All of my users have M365 E5 or E3 licenses. Please note that you pay only $15 per server to protect your Windows Server 2016 in Azure Security Center, you also get the Microsoft Defender for Endpoint (MDE formerly known as ATP) license activated on these machines. So one agent and one license. You should not pay double.
    2.) In what situations is it better to use Azure Security center and when should I use ATP, in terms of using dashboards? If you have integrated, MDE (ATP) with Azure Security Center (ASC), I recommend using ASC dashboard, and if you need to investigate an incident/alert, Azure Security Center will add a deep link directly in the incident page where you can browse to (MDE/ATP) for more detailed investigation.
    3.) I understand that ATP gives me options for reporting, investigating etc… threats, but do I get Defender options from ATP or Security center? I recommend using Azure Security Center for Windows Servers and ATP (Microsoft Defender for Endpoint) on Windows 10 machines. Then you get all the reporting and deep investigation in ASC for Windows Servers and ATP for Windows Clients.
    4.) I know there are 3 options to onboard device to ATP, but how should I choose which one is most appropriate one for my environment? If you want to onboard a large number of devices to ATP, I highly recommend to automate that task with PowerShell (Scripting) or with Microsoft Intune. To onboard to Azure Security Center, you can also automate the provisioning of the agent if your servers are on-premises.
    Hope this helps!

  3. About Licensing: You can license Windows defender for endpoint for Windows servers as well. Price is around $5 per month.
    So the question is: is ASC for on prem servers worth the extra $10/month/server? In my opinion that is a lot of money for a limited amount of extra level of protection.
    Of course automatic onboarding is very nice, but that doesn’t work for Windows server 2019 at this moment.
    So if you have a lot of (2019) on prem servers? –> Go with Defender for endpoint only
    If you have most of your servers running in Azure –> ASC is the way to go.

  4. Thank you Rick for the comment! Yes, you are right about this question. I totally agree that $15/month/server is expensive whether the server is deployed in the cloud or on-premises. However, the extra $10/month/server will cover additional levels of protection such as Adaptive Application Controls, File Integrity Monitoring (FIM), and Vulnerability Assessment. Every organization and every industry has different requirements. So if you have a lot of (2016/2019) on-premises servers and you want to track changes (files/registry) and those servers are deployed in a highly regulated environment, then you need to go with full protection ($15), if not, then Defender for endpoint only might be enough for you with ($5).

  5. You didn’t mention Azure Arc as a conduit to onboard Defender for Endpoint, and onboard to ASC. Is there a link here, and how can it be done? The intent should be that you deploy Arc for non-Azure systems, and this automatically deploys MDE onto the server hosts.
    I can’t find any documentation on this link.

  6. Hello Ivan, thank you for the comment!
    Please note that I have updated the article to clarify Azure Arc as a conduit to onboard Microsoft Defender for Endpoint (MDE) to Microsoft Defender for Cloud (formerly known as Azure Security Center).
    Hopefully, it’s clear now.

  7. Hi,
    We have the Windows Defender Advanced Threat Protection service installed
    it was installed by default on our Windows 10 Enterprise computers.
    The service is stopped and on manual start, we do not have any E5 or M5 licenses and have not bought the product MS ATP.
    Are there any licensing issues with the fact that the ATP is present but not running or has been used?

  8. Hello Keld, thanks for the comment!
    From my experience, I don’t see any licensing issues with the fact that the ATP is present but not running or has been used.
    Please note that even if you have the agent present or running, you don’t get the protection of Microsoft Defender for Endpoint (MDE), because it’s an online service and you don’t have the license for it.
    The agent alone on the machine is not enough. I am not a licensing person. I would always recommend checking with a Microsoft sales representative.
    Hope this helps!

  9. Hi Charbel,
    Defender for Server plan 2 in Microsoft Defender for Cloud supports MDE,
    How does it help? does it help by fetching Intel from machines onboarded via MDE?
    Also, how shall I leverage ASR Rules if any are enabled on MDE?

  10. Hello Vipul, thanks for the comment!
    Yes, Microsoft Defender for Servers Plan 2 and Microsoft Defender for Servers Plan 1 in Microsoft Defender for Cloud (MDC) support Microsoft Defender for Endpoint (MDE).
    Then, you need to make sure to Allow Microsoft Defender for Endpoint to access your data under the Integrations page in MDC.
    Microsoft Defender for Endpoint Plan 2 protects your Windows and Linux machines in various different ways:
    1) Defender for Endpoint’s sensors collect a vast array of behavioral signals from your machines.
    2) Vulnerability assessment from the Microsoft threat and vulnerability management solution (TVM).
    3) Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures.
    4) It provides actionable alerts and enables you to respond quickly.
    Yes, you can use attack surface reduction (ASR) rules for Servers that are enabled for MDE in Defender for Cloud.
    You need to use Microsoft Defender for Endpoint’s own portal pages (https://securitycenter.windows.com/) where you can configure and deploy ASR rules.
    Please check this deployment guide for more information.
    Hope it helps!

  11. Hi Charbel,

    I have just created a New Windows Virtual Machine on Azure Cloud, and have enabled Auto Provisioning.
    Will this Machine be Visible in the MDE portal under Device Automatically if I Enable Integration for MDE in MDC?
    If yes, do I still need to Onboard this Windows Virtual Machine on MDE.. or i can readily deploy the ASR rules on it?

    Thanks
    Vipul Dabhi

  12. Hello Vipul,
    Please note that you also need to enable the Defender plan for Servers (Plan 2) in MDC.
    Yes, the machine will be visible in the MDE portal under Device Automatically if you enable Integration.
    No, you don’t need to Onboard this new Windows Virtual Machine again in MDE, you can start deploying ASR rules on it.
    Let me know if it works for you.

  13. Hi Charbel,

    We are having some trouble understanding how to deploy ASR rules to Servers.
    We have our on-premises servers enrolled in ARC. We want to deploy ASR rules on a scale since we have multiple on-premises domains. Have looked and tried a lot, but no clear answer from MS.

  14. Hello Mark, thanks for the comment!
    Please note that according to Microsoft documentation, you can use any of the following methods to deploy ASR rules to Servers at scale:
      • Microsoft Intune.
      • Mobile Device Management (MDM).
      • Microsoft Endpoint Configuration Manager.
      • Group Policy.
      • PowerShell.
      • Worst case, if you can’t use any of the platforms noted above, you could create a script looping through all servers running a PowerShell script to enable all the ASR rules server by server.
    Hope it helps!
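The last option in the reply above (a script that loops over servers and sets ASR rules with PowerShell) is the one most teams without Intune or Configuration Manager end up using for Arc-enabled on-premises servers. The block below is an added example of that approach, not the author's or Microsoft's script. It assumes PowerShell Remoting (WinRM) is enabled on the targets and the caller is a local administrator there; the server names are placeholders. The two rule GUIDs are Microsoft's published ASR rule identifiers for "Block credential stealing from LSASS" and "Block Office applications from creating child processes"; confirm them against the current ASR rule reference before rolling out.

```powershell
# Added example (not the article's or Microsoft's own script): roll out a set of ASR rules
# to many servers in AuditMode first, then read back what each host now has configured.
# Requires PowerShell Remoting to the targets and local admin rights there.
$Servers = @('srv-app-01.contoso.local', 'srv-app-02.contoso.local')   # placeholder names

# ASR rule GUIDs as published by Microsoft (verify against the current rule list).
$AsrRules = @{
    'Block credential stealing from LSASS'                    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
}

# Start in AuditMode: rule hits are reported to the Defender for Endpoint portal without
# blocking anything, so you can review the impact before changing the action to Enabled.
$Action = 'AuditMode'

$results = Invoke-Command -ComputerName $Servers -ArgumentList @($AsrRules.Values), $Action -ScriptBlock {
    param([string[]] $Ids, [string] $Action)
    # Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
    $pref = Get-MpPreference
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Rules    = $pref.AttackSurfaceReductionRules_Ids
        Actions  = $pref.AttackSurfaceReductionRules_Actions   # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    }
} -ErrorAction Continue

# One row per reachable host; hosts that failed remoting show up as errors on the console.
$results | Format-Table Computer, @{ n = 'RuleCount'; e = { @($_.Rules).Count } }, Actions
```

Running the same script with `$Action = 'Enabled'` switches the rules to block mode once the audit events have been reviewed; since `Add-MpPreference` updates an existing rule's action in place, the second run does not create duplicate entries.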

  21. Hi Charbel,

    Looking to understand if the Azure Machine will get Automatically onboarded to MDE (as the agent will configure it as we have Server Plan 2).
    Now, The telemetry data from Azure VM/Server will travel via the “Internet” or it communicates over the Microsoft Backbone network?

    Please revert.

  22. Hello Vipul, your understanding is correct.
    Azure Virtual Machine will get automatically onboarded to Microsoft Defender for Endpoint (MDE) if you have enabled Azure Monitor agent (AMA) to be installed and auto-provisioned.
    This option is available now under Environment settings > Subscription > Defender Plans > Settings & monitoring.
    Since you are using Server Plan 2, make sure also you have the integration enabled to Allow Microsoft Defender for Endpoint to access my data.
    Now regarding telemetry data from Azure VM/Server, it will travel and communicate with Microsoft directly via the Internet.
    Microsoft Defender for Endpoint (MDE) is a Microsoft 365 Defender solution and not specific to Microsoft Azure. It requires communication via the Internet (online or in offline mode).
    The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted.
    You can refer to the following document that illustrates how to configure device Proxy and Internet connectivity settings for MDE.
    The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service.
    You can also onboard servers without Internet access to Microsoft Defender for Endpoint.
    Hope it helps!
