Enable the Defender for Endpoint integration - Microsoft Defender for Cloud (2024)

Microsoft Defender for Cloud's integration with Microsoft Defender for Endpoint provides a cloud-based endpoint security solution with a wide range of features: risk-based vulnerability management and assessment, which identifies and prioritizes the vulnerabilities that need to be addressed; attack surface reduction, which minimizes the attack surface of endpoints; and behavioral, cloud-powered protection that detects and responds to threats. Microsoft Defender for Endpoint also offers endpoint detection and response (EDR), automatic investigation and remediation, and managed hunting services that help organizations quickly detect, investigate, and respond to security incidents.

Prerequisites

Before you can enable the Microsoft Defender for Endpoint integration with Defender for Cloud, you must confirm that your machine meets the necessary requirements for Defender for Endpoint:

  • Ensure the machine is connected to Azure and the internet as required:

    • Azure virtual machines (Windows or Linux) - Configure the network settings described in configure device proxy and internet connectivity settings: Windows or Linux.

    • On-premises machines - Connect your target machines to Azure Arc as explained in Connect hybrid machines with Azure Arc-enabled servers.

  • Enable Microsoft Defender for Servers. See Quickstart: Enable Defender for Cloud's enhanced security features.

    Important

    Defender for Cloud's integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for Servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.

  • For Windows servers, make sure that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.

  • For Linux servers, you must have Python installed. Python 3 is recommended for all distros, but is required for RHEL 8.x and Ubuntu 20.04 or higher. If needed, see Step-by-step Instructions for Installing Python on Linux.

  • If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For details, contact Microsoft support.

Enable the integration

  • On Windows

  • On Linux

Windows

The Defender for Endpoint unified solution doesn't use or require installation of the Log Analytics agent. The unified solution is automatically deployed for Azure Windows 2012 R2 and 2016 servers, Windows servers connected through Azure Arc, and Windows multicloud servers connected through the multicloud connectors.

You'll deploy Defender for Endpoint to your Windows machines in one of two ways - depending on whether you've already deployed it to your Windows machines:

  • Users with Defender for Servers enabled and Microsoft Defender for Endpoint deployed
  • Users who never enabled the integration with Microsoft Defender for Endpoint

Users with Defender for Servers enabled and Microsoft Defender for Endpoint deployed

If you've already enabled the integration with Defender for Endpoint, you have complete control over when and whether to deploy the Defender for Endpoint unified solution to your Windows machines.

To deploy the Defender for Endpoint unified solution, you need to use the REST API call or the Azure portal:

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the Windows machines that you want to receive Defender for Endpoint.

  2. In the Monitoring coverage column of the Defender for Servers plan, select Settings.

    The status of the Endpoint protections component is Partial, meaning that not all parts of the component are enabled.

    Note

    If the status is Off, use the instructions in Users who never enabled the integration with Microsoft Defender for Endpoint for Windows.

  3. Select Fix to see the components that aren't enabled.

  4. To enable the Unified solution for Windows Server 2012 R2 and 2016 machines, select Enable.

  5. To save the changes, select Save at the top of the page and then select Continue in the Settings and monitoring page.

Microsoft Defender for Cloud will:

  • Stop the existing Defender for Endpoint process in the Log Analytics agent that collects data for Defender for Servers.
  • Install the Defender for Endpoint unified solution for all existing and new Windows Server 2012 R2 and 2016 machines.

Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour.

Note

If you choose not to deploy the Defender for Endpoint unified solution to your Windows 2012 R2 and 2016 servers in Defender for Servers Plan 2 and then downgrade Defender for Servers to Plan 1, the Defender for Endpoint unified solution is not deployed to those servers so that your existing deployment is not changed without your explicit consent.

Users who never enabled the integration with Microsoft Defender for Endpoint for Windows

If you've never enabled the integration for Windows, Endpoint protection enables Defender for Cloud to deploy Defender for Endpoint to both your Windows and Linux machines.

To deploy the Defender for Endpoint unified solution, you'll need to use the REST API call or the Azure portal:

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the machines that you want to receive Defender for Endpoint.

  2. In the status of the Endpoint protection component, select On to enable the integration with Microsoft Defender for Endpoint.

The Defender for Endpoint agent unified solution is deployed to all of the machines in the selected subscription.

Linux

You'll deploy Defender for Endpoint to your Linux machines in one of these ways, depending on whether you've already deployed it to your Windows machines:

  • Enable for a specific subscription in the Azure portal environment settings
    • Existing users with Defender for Cloud's enhanced security features enabled and Microsoft Defender for Endpoint for Windows
    • New users who never enabled the integration with Microsoft Defender for Endpoint for Windows
  • Enable for multiple subscriptions in the Azure portal dashboard
  • Enable for multiple subscriptions with a PowerShell script

Note

When you enable automatic deployment, the Defender for Endpoint for Linux installation aborts on machines that already run services using fanotify, and on machines running other services (security products, for example) that could cause Defender for Endpoint to malfunction or that might themselves be affected by Defender for Endpoint. After you validate potential compatibility issues, we recommend that you install Defender for Endpoint manually on these servers.

Existing users with Defender for Cloud's enhanced security features enabled and Microsoft Defender for Endpoint for Windows

If you've already enabled the integration with Defender for Endpoint for Windows, you have complete control over when and whether to deploy Defender for Endpoint to your Linux machines.

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the Linux machines that you want to receive Defender for Endpoint.

  2. In the Monitoring coverage column of the Defender for Server plan, select Settings.

    The status of the Endpoint protections component is Partial, meaning that not all parts of the component are enabled.

    Note

    If the status is Off, use the instructions in New users who never enabled the integration with Microsoft Defender for Endpoint for Windows.

  3. Select Fix to see the components that aren't enabled.

  4. To enable deployment to Linux machines, select Enable.

  5. To save the changes, select Save at the top of the page and then select Continue in the Settings and monitoring page.

    Microsoft Defender for Cloud will:

    • Automatically onboard your Linux machines to Defender for Endpoint
    • Detect any previous installations of Defender for Endpoint and reconfigure them to integrate with Defender for Cloud

    Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour.

    Note

    The next time you return to this page of the Azure portal, the Enable for Linux machines button won't be shown. To disable the integration for Linux, you'll need to disable it for Windows too by turning the toggle off in Endpoint Protection, and selecting Continue.

  6. To verify installation of Defender for Endpoint on a Linux machine, run the following shell command on your machines:

    mdatp health

    If Microsoft Defender for Endpoint is installed, you'll see its health status:

    healthy : true

    licensed: true

    Also, in the Azure portal you'll see a new Azure extension on your machines called MDE.Linux.

New users who never enabled the integration with Microsoft Defender for Endpoint for Windows

If you've never enabled the integration for Windows, endpoint protection enables Defender for Cloud to deploy Defender for Endpoint to both your Windows and Linux machines.

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the Linux machines that you want to receive Defender for Endpoint.

  2. In the Monitoring coverage column of the Defender for Server plan, select Settings.

  3. In the status of the Endpoint protection component, select On to enable the integration with Microsoft Defender for Endpoint.

    Microsoft Defender for Cloud will:

    • Automatically onboard your Windows and Linux machines to Defender for Endpoint
    • Detect any previous installations of Defender for Endpoint and reconfigure them to integrate with Defender for Cloud

    Onboarding might take up to 1 hour.

  4. Select Continue and Save to save your settings.

  5. To verify installation of Defender for Endpoint on a Linux machine, run the following shell command on your machines:

    mdatp health

    If Microsoft Defender for Endpoint is installed, you'll see its health status:

    healthy : true

    licensed: true

    In addition, in the Azure portal you'll see a new Azure extension on your machines called MDE.Linux.
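The `mdatp health` check in step 6 above and in step 5 of this procedure is normally eyeballed on one machine. The following added example (not part of the original article or of Microsoft's tooling) parses that output so the check can be scripted across a fleet. It looks at the two fields the article names, `healthy` and `licensed`, and additionally treats an empty `org_id` as not onboarded, since that field is only populated once the sensor has been onboarded to a tenant. The sample output is constructed: the `key : value` layout is what the command prints, but the values are illustrative.

```python
import subprocess

# Constructed sample of `mdatp health` output: the `key : value` layout is the
# one the command prints, but every value here is illustrative, not captured
# from a real device.
SAMPLE_HEALTH_OUTPUT = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.23110.3"
app_version                                 : "101.23112.0004"
org_id                                      : "00000000-0000-0000-0000-000000000000"
machine_guid                                : "11111111-2222-3333-4444-555555555555"
release_ring                                : "Production"
product_expiration                          : Jan 01, 2099 at 00:00:00 AM
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_subsystem              : "fanotify"
automatic_definition_update_enabled         : true
definitions_status                          : "up_to_date"
"""


def parse_mdatp_health(text):
    """Turn `mdatp health` output into a dict; true/false become bools and
    double-quoted strings are unquoted. Only the first ':' separates key
    from value, so timestamps containing ':' survive intact."""
    health = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value in ("true", "false"):
            value = value == "true"
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        health[key] = value
    return health


def check_onboarding(health):
    """Decide whether the sensor is onboarded and working.

    `problems` fail the check: the two fields the article tells you to look
    for (healthy, licensed) plus a non-empty org_id, which is populated once
    the device has been onboarded to a tenant. `warnings` do not fail it but
    matter operationally: passive mode means another AV owns real-time
    protection (EDR still reports), and stale definitions reduce coverage.
    """
    problems, warnings = [], []
    for key in ("healthy", "licensed"):
        if health.get(key) is not True:
            problems.append(f"{key} is {health.get(key)!r}, expected true")
    if not health.get("org_id"):
        problems.append("org_id is empty: device is not onboarded to a tenant")
    issues = health.get("health_issues", "[]")
    if issues not in ("[]", ""):
        problems.append(f"health_issues reported: {issues}")
    if health.get("passive_mode_enabled") is True:
        warnings.append("passive_mode_enabled: another AV owns real-time protection")
    if health.get("real_time_protection_enabled") is False:
        warnings.append("real_time_protection_enabled is false")
    if health.get("definitions_status") not in (None, "up_to_date"):
        warnings.append(f"definitions_status is {health['definitions_status']!r}")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


def collect_health():
    """Run `mdatp health` on this host; fall back to the constructed sample
    when the binary is absent so the script can be tried on a workstation."""
    try:
        return subprocess.run(["mdatp", "health"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_HEALTH_OUTPUT


if __name__ == "__main__":
    report = check_onboarding(parse_mdatp_health(collect_health()))
    print("OK" if report["ok"] else "NOT ONBOARDED")
    for line in report["problems"] + report["warnings"]:
        print(" -", line)
```

Run it over SSH or through the Azure Run Command feature on each Linux VM and collect the exit text centrally; a machine that reports `licensed : false` with a populated `org_id` usually indicates a licensing problem rather than a failed extension install, which is a different team to call.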

Enable on multiple subscriptions in the Azure portal dashboard

If one or more of your subscriptions don't have Endpoint protections enabled for Linux machines, you'll see an insight panel in the Defender for Cloud dashboard. The insight panel tells you about subscriptions that have Defender for Endpoint integration enabled for Windows machines, but not for Linux machines. You can use the insight panel to see the affected subscriptions with the number of affected resources in each subscription. Subscriptions that don't have Linux machines show no affected resources. You can then select the subscriptions to enable endpoint protection for Linux integration.

After you select Enable in the insight panel, Defender for Cloud:

  • Automatically onboards your Linux machines to Defender for Endpoint in the selected subscriptions.
  • Detects any previous installations of Defender for Endpoint and reconfigures them to integrate with Defender for Cloud.

Use the Defender for Endpoint status workbook to verify installation and deployment status of Defender for Endpoint on a Linux machine.

Enable on multiple subscriptions with a PowerShell script

Use our PowerShell script from the Defender for Cloud GitHub repository to enable endpoint protection on Linux machines that are in multiple subscriptions.

Manage automatic updates configuration for Linux

In Windows, Defender for Endpoint version updates are provided via continuous knowledge base updates; in Linux you need to update the Defender for Endpoint package. When you use Defender for Servers with the MDE.Linux extension, automatic updates for Microsoft Defender for Endpoint are enabled by default. If you wish to manage the Defender for Endpoint version updates manually, you can disable automatic updates on your machines. To do so, add the following tag for machines onboarded with the MDE.Linux extension.

  • Tag name: 'ExcludeMdeAutoUpdate'
  • Tag value: 'true'

This configuration is supported for Azure VMs and Azure Arc machines, where the MDE.Linux extension initiates auto-update.
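Because the opt-out lives in a resource tag rather than in the extension settings, it is easy to lose track of which machines will silently stop receiving Defender for Endpoint updates. The following added example (not part of the original article) audits an inventory for the tag. It matches the tag name without regard to case, since Azure tag names are case-insensitive, but only accepts the documented value `true` as an opt-out; any other value is reported as ambiguous so it can be corrected. The inventory rows are constructed; in practice you would build them from Azure Resource Graph (for example `az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' | project name, tags"`) joined with each machine's extension list, which this example assumes has already been done.

```python
TAG_NAME = "ExcludeMdeAutoUpdate"

# Constructed inventory rows (name, tags, installed extensions); not real data.
SAMPLE_MACHINES = [
    {"name": "web01", "tags": {"ExcludeMdeAutoUpdate": "true"}, "extensions": ["MDE.Linux"]},
    {"name": "web02", "tags": {"excludemdeautoupdate": "true"}, "extensions": ["MDE.Linux"]},
    {"name": "db01", "tags": {"ExcludeMdeAutoUpdate": "True"}, "extensions": ["MDE.Linux"]},
    {"name": "app01", "tags": {}, "extensions": ["MDE.Linux"]},
    {"name": "win01", "tags": {"ExcludeMdeAutoUpdate": "true"}, "extensions": ["MDE.Windows"]},
]


def find_tag(tags, name):
    """Azure tag names are case-insensitive, so compare them case-folded.
    Values are returned as-is because Azure keeps tag values case-sensitive."""
    for key, value in tags.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_auto_update(machines):
    """Bucket each machine by what the tag means for MDE.Linux auto-update.

    excluded       - tag present with the documented value 'true'
    auto           - no tag; the extension keeps auto-updating
    ambiguous      - tag present but value is not exactly 'true'; the
                     article documents only 'true', so fix these rather than
                     guessing how the extension will interpret them
    not_applicable - machine is not onboarded with MDE.Linux (Windows gets
                     its updates through knowledge base updates instead)
    """
    report = {"excluded": [], "auto": [], "ambiguous": [], "not_applicable": []}
    for machine in machines:
        if "MDE.Linux" not in machine.get("extensions", []):
            report["not_applicable"].append(machine["name"])
            continue
        value = find_tag(machine.get("tags", {}), TAG_NAME)
        if value is None:
            report["auto"].append(machine["name"])
        elif value == "true":
            report["excluded"].append(machine["name"])
        else:
            report["ambiguous"].append(machine["name"])
    return report


if __name__ == "__main__":
    for bucket, names in audit_auto_update(SAMPLE_MACHINES).items():
        print(f"{bucket:15s} {', '.join(names) or '-'}")
```

Machines in the `excluded` bucket need an owner and a manual patch schedule for the mdatp package; machines in `ambiguous` should have the tag value rewritten to `true` or removed.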

Enable the Microsoft Defender for Endpoint unified solution at scale

You can also enable the Defender for Endpoint unified solution at scale through the supplied REST API version 2022-05-01. For full details, see the API documentation.

Here's an example request body for the PUT request to enable the Defender for Endpoint unified solution:

URI: https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings/WDATP?api-version=2022-05-01

{ "name": "WDATP", "type": "Microsoft.Security/settings", "kind": "DataExportSettings", "properties": { "enabled": true }}
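The URI and body above are for a single subscription. The following added example (not part of the original article or of the Defender for Cloud GitHub scripts) applies them across a list of subscriptions. It first reads the current setting with a GET on the same resource and only issues the PUT when the state differs, so re-running it is idempotent and does not write spurious activity-log entries. The same function with `enabled=False` is the programmatic form of the disable step in the removal procedure later in the article. The bearer token is assumed to come from `az account get-access-token --resource https://management.azure.com/`; the `FakeArm` class is an in-memory stand-in for the ARM endpoint so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.request

API_VERSION = "2022-05-01"


def wdatp_setting_url(subscription_id):
    """The URI from the article, parameterised by subscription."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/settings/WDATP?api-version={API_VERSION}")


def wdatp_setting_body(enabled):
    """The request body from the article; enabled=False is the disable step."""
    return {"name": "WDATP", "type": "Microsoft.Security/settings",
            "kind": "DataExportSettings", "properties": {"enabled": enabled}}


def urllib_send(method, url, headers, body):
    """Real transport: returns (HTTP status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.getcode(), (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def set_mde_integration(subscription_ids, enabled, token, send=urllib_send):
    """Set the WDATP setting on every subscription, skipping those already in
    the desired state. `send(method, url, headers, body) -> (status, json)`
    is the transport; tests pass an in-memory fake instead of urllib_send."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    outcome = {}
    for sub in subscription_ids:
        url = wdatp_setting_url(sub)
        status, current = send("GET", url, headers, None)
        if status == 200 and current.get("properties", {}).get("enabled") is enabled:
            outcome[sub] = "unchanged"
            continue
        status, _ = send("PUT", url, headers, wdatp_setting_body(enabled))
        outcome[sub] = "updated" if status in (200, 201) else f"failed:{status}"
    return outcome


class FakeArm:
    """In-memory stand-in for ARM used for the offline demo and tests.
    `state` maps subscription id -> current enabled flag; None makes the GET
    return 404 so the failed-read path is exercised too."""

    def __init__(self, state):
        self.state = dict(state)
        self.calls = []

    def __call__(self, method, url, headers, body):
        sub = url.split("/subscriptions/")[1].split("/")[0]
        self.calls.append((method, sub))
        if method == "GET":
            if self.state.get(sub) is None:
                return 404, {"error": {"code": "NotFound"}}
            return 200, wdatp_setting_body(self.state[sub])
        self.state[sub] = body["properties"]["enabled"]
        return 200, body


if __name__ == "__main__":
    # Offline demo. For real use, pass the token from
    # `az account get-access-token --resource https://management.azure.com/`
    # and leave `send` at its default so urllib talks to ARM.
    arm = FakeArm({"sub-a": False, "sub-b": True, "sub-c": None})
    print(set_mde_integration(["sub-a", "sub-b", "sub-c"], True, "demo-token", send=arm))
```

The identity running this needs write permission on `Microsoft.Security/settings` in each target subscription (Security Admin or Owner); a `failed:403` outcome for a subscription is the usual sign that the script was run with a Reader-scoped token.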

Track MDE deployment status

You can use the Defender for Endpoint deployment status workbook to track the Defender for Endpoint deployment status on your Azure VMs and non-Azure machines that are connected via Azure Arc. The interactive workbook provides an overview of machines in your environment showing their Microsoft Defender for Endpoint extension deployment status.

Access the Microsoft Defender for Endpoint portal

  1. Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.

  2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.

  3. Open the Microsoft Defender Portal. Learn about Microsoft Defender for Endpoint in Microsoft Defender XDR.

Send a test alert

To generate a benign test alert from Defender for Endpoint, select the tab for the relevant operating system of your endpoint:

  • Test on Windows

  • Test on Linux

Test on Windows

For endpoints running Windows:

  1. Create a folder 'C:\test-MDATP-test'.

  2. Use Remote Desktop to access your machine.

  3. Open a command-line window.

  4. At the prompt, copy and run the following command. The command prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'

    If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  5. To review the alert in Defender for Cloud, go to Security alerts > Suspicious PowerShell CommandLine.

  6. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

    Tip

    The alert is triggered with Informational severity.
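The test command above bundles several indicators a SOC would normally alert on: an execution-policy bypass, a hidden window, a .NET download cradle, execution of the dropped binary, and a URL with a bare IP address. The following added example (not part of the original article and not Microsoft's detection logic, whose rules are not published) scores process-creation command lines against those indicators so you can see why this command line is noisy and check your own telemetry pipeline end to end. The sample events are constructed; the first one is the page's test command, the third uses an abbreviated-switch variant with a placeholder base64 blob that does not decode to anything meaningful.

```python
import re

# Weighted indicators. Each pattern targets a feature of the command line the
# article uses to raise its test alert, or a common abbreviated variant of it.
INDICATORS = [
    ("execution_policy_bypass", 2, r"-(?:executionpolicy|exec|ex|ep|e)\s+bypass"),
    ("hidden_window", 2, r"-w(?:in(?:dowstyle)?)?\s+hidden"),
    ("encoded_command", 3, r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}"),
    ("download_cradle", 2, r"(?:Net\.WebClient|DownloadFile|DownloadString|"
                           r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|Start-BitsTransfer)"),
    ("exec_dropped_binary", 1, r"Start-Process\s+['\"]?[^'\";]+\.exe"),
    ("raw_ip_url", 1, r"https?://(?:\d{1,3}\.){3}\d{1,3}"),
]
COMPILED = [(name, weight, re.compile(pattern, re.IGNORECASE))
            for name, weight, pattern in INDICATORS]

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "srv01",  # the article's test command, verbatim
     "cmdline": r"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', "
                r"'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'"},
    {"host": "srv02",  # routine scheduled task
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\rotate-logs.ps1"},
    {"host": "srv03",  # abbreviated switches and an encoded command (placeholder blob)
     "cmdline": r"powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"host": "srv04",  # admin fetching the Linux test tool by hand
     "cmdline": r"pwsh -Command Invoke-WebRequest https://aka.ms/LinuxDIY -OutFile C:\tmp\diy.zip"},
]


def score_command_line(cmdline):
    """Return (score, list of indicator names) for one process command line."""
    hits = [name for name, _, rx in COMPILED if rx.search(cmdline)]
    score = sum(weight for name, weight, _ in COMPILED if name in hits)
    return score, hits


def severity(score):
    """Map a score to a triage bucket; thresholds are a tuning choice."""
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score > 0 else "none"


def triage(events):
    """Score every event and attach a severity so results can be sorted."""
    rows = []
    for event in events:
        score, hits = score_command_line(event["cmdline"])
        rows.append({"host": event["host"], "score": score,
                     "severity": severity(score), "indicators": hits})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['host']}  {row['severity']:6s} {row['score']:2d}  {', '.join(row['indicators'])}")
```

A single download cradle on its own (srv04) scores low because administrators legitimately use Invoke-WebRequest; it is the combination of bypass, hidden window and cradle that should page someone. If your own pipeline does not show the srv01 pattern within a few minutes of running the test, the problem is in collection or forwarding, not in the detection.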

Test on Linux

For endpoints running Linux:

  1. Download the test alert tool from: https://aka.ms/LinuxDIY

  2. Extract the contents of the zip file and execute this shell script:

    ./mde_linux_edr_diy

    If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  3. To review the alert in Defender for Cloud, go to Security alerts > Enumeration of files with sensitive data.

  4. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

    Tip

    The alert is triggered with Low severity.

Remove Defender for Endpoint from a machine

To remove the Defender for Endpoint solution from your machines:

  1. Disable the integration:

    1. From Defender for Cloud's menu, select Environment settings and select the subscription with the relevant machines.
    2. In the Defender plans page, select Settings & Monitoring.
    3. In the status of the Endpoint protection component, select Off to disable the integration with Microsoft Defender for Endpoint.
    4. Select Continue and Save to save your settings.
  2. Remove the MDE.Windows/MDE.Linux extension from the machine.

  3. Follow the steps in Offboard devices from the Microsoft Defender for Endpoint service from the Defender for Endpoint documentation.

Related content

  • Platforms and features supported by Microsoft Defender for Cloud
  • Learn how recommendations help you protect your Azure resources
  • View common question about the Defender for Cloud integration with Microsoft Defender for Endpoint