Up until now, onboarding non-Azure servers to Defender for Servers required Azure Arc as a mandatory prerequisite. With this new release, Microsoft is introducing an additional direct onboarding path for non-Azure servers that does not require Azure Arc (making it optional rather than mandatory).
With this new onboarding capability, you can deploy the MDE agent directly to your non-Azure servers and seamlessly connect them to Defender for Servers. This option is ideal for customers who want to focus on core endpoint protection while utilizing the consumption-based licensing provided by Defender for Servers.
This new capability is currently a tenant-wide setting and affects both newly onboarded and already onboarded servers. All Windows and Linux server operating systems supported by Defender for Endpoint are supported. The capability is intended for on-premises servers and, with limited support, multicloud VMs.
Good to know
Before you begin, there are a few things worth knowing that will help you decide whether you want to use this new capability.
To configure this setting, you need the Subscription Owner role (on the chosen subscription) and the AAD Global Administrator or AAD Security Administrator role.
Direct onboarding provides access to all Defender for Servers Plan 1 features. If you want to use Plan 2, not all features will work. This is because some features in Plan 2 still require the deployment of the Azure Monitor Agent, which is only available with Azure Arc on non-Azure machines. If you enable Plan 2 on your subscription, machines onboarded directly with Defender for Endpoint have access to all Defender for Servers Plan 1 features and the Defender Vulnerability Management Addon features included in Plan 2.
You can directly onboard VMs in AWS and GCP using the Defender for Endpoint agent. However, if you plan to simultaneously connect your AWS or GCP account to Defender for Servers using multicloud connectors, it’s currently still recommended by Microsoft to deploy Azure Arc.
Simultaneous onboarding limited support
Defender for Cloud makes a best effort to correlate servers onboarded using multiple billing methods. However, in certain server deployment use cases there are limitations where Defender for Cloud is unable to correlate your machines. This may result in overcharges on certain devices if direct onboarding is also enabled on your tenant. Microsoft has published an overview of the deployment use cases that currently have this limitation:
| Location | Deployment use case |
|---|---|
| All | Windows Server (all versions): Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint agent without the MDE.Windows or MDE.Linux Azure extensions. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extensions. |
| On-premises (not running Azure Arc) | Windows Server 2019: servers already onboarded and billed by Defender for Servers P2 via the Log Analytics workspace. Windows Server 2012, 2016: servers running the Defender for Endpoint modern unified agent, and already billed by Defender for Servers P2 via the Log Analytics workspace. |
| AWS, GCP (not running Azure Arc) | Windows Server 2019: servers already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. Windows Server 2012, 2016: AWS or GCP VMs using the modern unified Defender for Endpoint solution, already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. |
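Because the toggle is tenant wide, it pays to check your existing inventory against the table above before switching it on. The script below is an added example (not Microsoft's code or part of the original post) that encodes the table rows as a decision function and runs it over a constructed inventory, flagging the servers that Defender for Cloud may not be able to correlate and could therefore bill twice. The `Server` field names and the billing-method labels (`subscription`, `workspace`, `connector`) are assumptions; in practice you would populate them from your own inventory export. It only flags Windows Server machines because those are the only cases the table lists.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# Assumed record layout; a real check would fill these fields from an inventory export.
@dataclass
class Server:
    name: str
    location: str          # "azure", "on-premises", "aws" or "gcp"
    os: str                # e.g. "Windows Server 2019", "Windows Server 2012 R2", "Ubuntu 22.04"
    arc_enabled: bool      # connected through Azure Arc (relevant outside Azure)
    billed_via: Set[str]   # how Defender for Servers bills it today: "subscription", "workspace", "connector"
    plan: str              # Defender for Servers plan currently applied, "P1" or "P2"
    mde_extension: bool    # MDE.Windows / MDE.Linux Azure extension present
    unified_agent: bool    # runs the modern unified Defender for Endpoint agent


def _is_2012_or_2016(os_name: str) -> bool:
    return os_name.startswith("Windows Server 2012") or os_name.startswith("Windows Server 2016")


def double_billing_risk(s: Server) -> Optional[str]:
    """Map a server to the table row it matches, or None when it is not a listed limitation."""
    # Every listed case is a Windows Server that Defender for Servers already bills.
    if not s.os.startswith("Windows Server") or not s.billed_via:
        return None

    # Row "All": Azure VM or Arc machine running the MDE agent without the MDE.* extension.
    if s.location == "azure" or s.arc_enabled:
        if not s.mde_extension and s.billed_via & {"subscription", "workspace"}:
            return "Azure/Arc machine billed without the MDE.Windows or MDE.Linux extension"
        return None

    is_2019 = s.os.startswith("Windows Server 2019")
    # 2012/2016 only count when the modern unified agent is in use.
    legacy_unified = _is_2012_or_2016(s.os) and s.unified_agent

    if s.location == "on-premises":
        if s.plan == "P2" and "workspace" in s.billed_via and (is_2019 or legacy_unified):
            return "On-premises server billed by Plan 2 via the Log Analytics workspace"
    elif s.location in ("aws", "gcp"):
        if s.billed_via & {"connector", "workspace"} and (is_2019 or legacy_unified):
            return "AWS/GCP VM billed via multicloud connector or Log Analytics workspace"
    return None


def audit(servers: List[Server]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every server that may be billed twice once direct onboarding is on."""
    findings = []
    for s in servers:
        reason = double_billing_risk(s)
        if reason:
            findings.append((s.name, reason))
    return findings


# Constructed sample inventory; none of these are real machines.
SAMPLE_INVENTORY = [
    Server("az-web01", "azure", "Windows Server 2022", False, {"subscription"}, "P2", False, True),
    Server("az-web02", "azure", "Windows Server 2022", False, {"subscription"}, "P2", True, True),
    Server("dc01", "on-premises", "Windows Server 2019", False, {"workspace"}, "P2", False, True),
    Server("file01", "on-premises", "Windows Server 2012 R2", False, {"workspace"}, "P2", False, False),
    Server("file02", "on-premises", "Windows Server 2016", False, {"workspace"}, "P2", False, True),
    Server("aws-app01", "aws", "Windows Server 2019", False, {"connector"}, "P1", False, True),
    Server("gcp-lnx01", "gcp", "Ubuntu 22.04", False, {"connector"}, "P1", False, True),
    Server("hq-arc01", "on-premises", "Windows Server 2019", True, {"subscription"}, "P2", True, True),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Running it on the sample inventory flags `az-web01` (Azure VM without the extension), `dc01` and `file02` (on-premises, Plan 2 via workspace) and `aws-app01` (AWS, billed via connector); the Linux VM, the Arc-connected server with the extension, and the 2012 R2 box without the unified agent are not listed cases and come back clean. Servers that are flagged are the ones to remediate (for example by deploying the MDE extension, as the first table row suggests) before enabling the toggle.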
How to get started?
Enabling direct onboarding
- Go to Defender for Cloud > Environment Settings > Direct onboarding.
- Switch the Direct onboarding toggle to On.
- Select the subscription you would like to use for servers onboarded directly with Defender for Endpoint. I would advise using a separate subscription. This subscription is only used for licensing, billing, alerts and security insights, but doesn't provide server management.
- Select Save.
Deploying Defender for Endpoint on your non-Azure servers
Before you begin, your non-Azure servers need to be onboarded in Defender for Cloud. You can use the same guidance as if you were not using the Defender for Cloud integration. Refer to the Defender for Endpoint onboarding guide for further instructions.
Monitor the status
After you have enabled direct onboarding at the tenant level, your non-Azure machines will create an object in Defender for Cloud. You can validate this by reviewing the Inventory and filtering on the resource type "Servers – Defender for Endpoint".
Defender for Cloud will also provide recommendations for your onboarded machines, as you can see in the example below:
When malware is detected on a device, an alert is created which is available both in the Defender for Endpoint portal and in the Defender for Cloud portal:
A list of installed applications is available, powered by Microsoft Threat and Vulnerability Management.
This new onboarding capability is a welcome solution. With it, Microsoft has created an answer to a solution requested by a lot of customers. But be aware that this is currently a tenant-wide setting and it will have an impact on already onboarded non-Azure servers (without Azure Arc). If you have a mixed environment with different Defender for Servers plans, in my opinion it is recommended to work with different landing zones. I'm looking forward to more features being supported.
Private preview – Direct onboarding with MDE to Defender for Servers without Arc