In this post I want to show how we can onboard our on-premise Windows and Linux machines (bare-metal or virtual machines) to Microsoft Defender for Servers.

In order to onboard our on-premise machines to Microsoft Defender for Servers, we first need to onboard and connect them to Azure Arc as shown in my following post.



For virtual machines hosted in vSphere we can also set up Azure Arc-enabled VMware vSphere which will simplify onboarding our on-premise VMware vSphere infrastructure to Azure as shown in my following post.



Microsoft Defender for Servers extends protection to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises.

Defender for Servers integrates with Microsoft Defender for Endpoint to provide endpoint detection and response (EDR) and other threat protection features.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers


Microsoft Defender for Cloud offers two paid plans for Defender for Servers.

Microsoft Defender for Servers Plan 1 is entry-level and must be enabled at the subscription level.
Microsoft Defender for Servers Plan 2 provides all features. The plan must be enabled at the subscription level and at the workspace level to get full feature coverage.

More about here https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/

Select a Defender for Servers plan
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan


When you enable Defender for Cloud, you automatically gain access to Microsoft Defender XDR (formerly Microsoft 365 Defender).

You can learn more about the integration between Microsoft Defender for Cloud and Microsoft Defender XDR.





Introduction

Defender for Servers in Microsoft Defender for Cloud brings threat detection and advanced defenses to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

Microsoft Defender for Servers includes an automatic, native integration with Microsoft Defender for Endpoint. Learn more, Protect your endpoints with Defender for Cloud’s integrated EDR solution: Microsoft Defender for Endpoint. With this integration enabled, you have access to the vulnerability findings from Microsoft Defender vulnerability management.

Defender for Servers offers two plan options with different levels of protection and their own cost. You can learn more about Defender for Cloud’s pricing on the pricing page.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan



Prerequisites


You can enable the Defender for Servers plan on an Azure subscription, AWS account, or GCP project, the Log Analytics workspace level, or enable the plan at the resource level.

When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, all of the connected machines are protected by Defender for Servers. You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed and those servers won’t receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers




Enable Microsoft Defender for Cloud on an Azure Subscription

You can enable the Defender for Servers plan from the Environment settings page to protect all the machines in an Azure subscription, AWS account, or GCP project.

To enable the Defender for Servers plan sign in to the Azure portal and search for Microsoft Defender for Cloud as shown below.


In the Defender for Cloud menu, select Environment settings.

Select the relevant Azure subscription, AWS account, or GCP project.

Below I will select here my Microsoft Azure Sponsorship subscription to enable a Defender for Servers plan.


As you can see below I had already enabled Defender for Servers plan 2 on this subscription. There are two plans you can choose from that offer different levels of protections for your resources.

After enabling the plan, you have the ability to configure the features of the plan to suit your needs. When you enable Defender for Servers on a subscription, it doesn’t extend that coverage to an attached workspace. You need to enable Defender for Servers on the Log Analytics workspace level.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan#enable-on-an-azure-subscription-aws-account-or-gcp-project


From now on all connected machines within my Microsoft Azure Sponsorship subscription are protected by Defender for Servers.

When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, all of the connected machines are protected by Defender for Servers. You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed and those servers won’t receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers#deployment-overview


Defender for Cloud provides you with the ability to check if your resources have Defender for Cloud enabled on them.

Below you will see for example three native Azure virtual machines (the first three) and a few of my on-premises machines which are connected through Azure Arc and protected by Defender for Cloud resp. Defender for Servers.

Defender for Server’s settings for each resource are inherited by the subscription-level settings by default. Once you change settings at the resource level, the resource will no longer inherit settings from its parent subscription unless you delete the settings you configured.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-servers-coverage#defender-for-servers-feature-status


When clicking on one of them we can check its resource health state and will also get some recommendations we should configure for.


We can change the Defender for Server’s settings directly on the Defender plans as shown below. Select the Servers Plan and click on Settings.




Disable Defender for Servers plan

To disable The Defender for Servers plan or any of the features of the plan, navigate to the Environment settings page of the relevant subscription or workspace and toggle the relevant switch to Off.

When you disable the Defender for Servers plan on a subscription, it doesn’t disable it on a workspace. To disable the plan on a workspace, you must navigate to the plans page for the workspace and toggle the switch to Off.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-servers-coverage#disable-defender-for-servers-plan-or-features




Microsoft Defender XDR Portal Integration

When you enable Defender for Cloud, Defender for Cloud’s alerts are automatically integrated into the Microsoft Defender Portal. No further steps are needed.

The integration between Microsoft Defender for Cloud and Microsoft Defender XDR brings your cloud environments into Microsoft Defender XDR. With Defender for Cloud’s alerts and cloud correlations integrated into Microsoft Defender XDR, SOC teams can now access all security information from a single interface.

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines#integrate-with-microsoft-defender-xdr


For newly onboarded devices it can take 24-48 hours for the devices to shown up on the Defender Portal.

https://security.microsoft.com -> Assets -> Devices




Determine the Antimalware status directly on the Computer

We can use the Get-MpComputerStatus cmdlet gets the status of antimalware software installed on the computer.

More about under https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps&viewFallbackFrom=win10-ps.


To check the preferences for the Windows Defender scans and updates we can use the Get-MpPreference cmdlet.

More about under https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps.


Use PowerShell to check the status of Microsoft Defender Antivirus

Get-MpComputerStatus | ft AMRunningMode
  • Normal means Microsoft Defender Antivirus is running in active mode.
  • Passive mode means Microsoft Defender Antivirus running, but is not the primary antivirus/antimalware product on your device. Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements. To learn more, see Requirements for Microsoft Defender Antivirus to run in passive mode.
  • EDR Block Mode means Microsoft Defender Antivirus is running and Endpoint detection and response (EDR) in block mode, a capability in Microsoft Defender for Endpoint, is enabled. Check the ForceDefenderPassiveMode registry key. If its value is 0, it is running in normal mode; otherwise, it is running in passive mode.
  • SxS Passive Mode means Microsoft Defender Antivirus is running alongside another antivirus/antimalware product, and limited periodic scanning is used.

Source: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows#use-powershell-to-check-the-status-of-microsoft-defender-antivirus



Determine if the Server is onboarded to Defender for Endpoint directly on the Server

As mentioned to the beginning, Microsoft Defender for Servers includes an automatic, native integration with Microsoft Defender for Endpoint.

To determine if the server is onboarded to Microsoft Defender for Endpoint directly on the server itself, you can check the following registry entry on the server:

ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Advanced Threat ProtectionStatusOnboardingState

If the value is 1 the server is onboarded to Microsoft Defender for Endpoint.


We can also determine if the server are onboarded successfully to Microsoft Defender for Endpoint by executing a PowerShell scipt within an elevated command-line prompt or the EICAR anti-virus test file as shown here https://blog.matrixpost.net/set-up-microsoft-defender-for-endpoint/#verify_onboarding.

In both cases if our server is onboarded successfully to Microsoft Defender for Endpoint, an alert should show up in Microsoft Defender for Endpoint under Incidents & alerts -> Incidents or Alerts as shown below.

Incidents are groups of related alerts that together create an actionable incident that you can investigate and resolve.





Security baselines assessment

Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization’s security baselines compliance and identify changes in real time.

A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you’re creating a template that consists of multiple device configuration settings and a base benchmark to compare against.

Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.

The benchmarks currently only support Group Policy Object (GPO) configurations and not Microsoft Configuration Manager (Intune).

To use this feature you’ll require Microsoft Defender Vulnerability Management Standalone or if you’re already a Microsoft Defender for Endpoint Plan 2 customer, the Defender Vulnerability Management add-on.

Source: https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-security-baselines


Go to Vulnerability management > Baselines assessment in the Microsoft Defender portal.

Select the Profiles tab at the top, then select the Create profile button.


Enter a name and description for your security baselines profile and select Next.


On the Baseline profile scope page set the profile settings such as software, base benchmark (CIS or STIG), and the compliance level and select Next.


Select the compliance level.



Select the configurations you want to include in the profile.


Select Customize if you want to change the threshold configuration value for your organization.


Select Next to choose the device groups and device tags you want to include in the baseline profile. The profile will be automatically applied to devices added to these groups in the future.


Select Submit to create your profile.



More about Security baselines assessment you will find in the following article https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-security-baselines.





Links

Deploy Defender for Servers
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan

Plan your Defender for Servers deployment
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

Select a Defender for Servers plan
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan

Azure Monitor Agent overview
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview