Microsoft Defender for Servers offers a capability for Azure VMs that helps detect threats and adds a further layer of defense. Currently it is supported on both Windows and Linux.
In this article, let's quickly check whether we can deploy the MDE agent via an Azure ARM template.
If you already know about MDE and want to test immediately, use the template from here https://github.com/azsec/scaf-azure-arm-templates/tree/master/VirtualMachine/vm-with-mde
Why?
Undoubtedly endpoint protection and vulnerability assessment are required by InfoSec, and that requirement shows up in practically every organization. Moreover, if you work with Microsoft Defender for Cloud (formerly Azure Security Center) recommendations, you probably know the one named "A vulnerability assessment solution should be enabled on your virtual machines". To improve your secure score you need to install a vulnerability assessment solution on your Azure VMs, and MDE is one of the solutions Microsoft Defender for Cloud gives credit for.
ARM template
Windows
For Windows, use the extension below:
    {
      "comments": "Deploy Microsoft Defender for Windows VM",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2021-03-01",
      "location": "[parameters('location')]",
      "name": "[concat(variables('vmName'),'/MDE.Windows')]",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
      ],
      "properties": {
        "autoUpgradeMinorVersion": true,
        "publisher": "Microsoft.Azure.AzureDefenderForServers",
        "type": "MDE.Windows",
        "typeHandlerVersion": "1.0",
        "settings": {
          "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]",
          "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
          "forceReOnboarding": false
        }
      }
    }
Linux
For Linux, use the extension below:
    {
      "comments": "Deploy Microsoft Defender for Linux VM",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2021-03-01",
      "location": "[parameters('location')]",
      "name": "[concat(variables('vmName'),'/MDE.Linux')]",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
      ],
      "properties": {
        "autoUpgradeMinorVersion": true,
        "publisher": "Microsoft.Azure.AzureDefenderForServers",
        "type": "MDE.Linux",
        "typeHandlerVersion": "1.0",
        "settings": {
          "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]",
          "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
          "forceReOnboarding": false
        }
      }
    }
You need the following settings:
- azureResourceId: the resource Id of the Azure VM. It can be referenced using resourceId().
- defenderForServersWorkspaceId: the Log Analytics workspace that Azure Security Center is currently connected to.
- forceReOnboarding: indicates whether the VM should be automatically re-onboarded if it is disconnected from the Defender workspace.
Now you can give it a try.
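As an added pre-deployment check (not part of this article or the azsec repository), the Python linter below parses an MDE.Windows or MDE.Linux extension resource such as the two above and flags the defects a flattened listing tends to carry: a trailing comma in dependsOn, an ARM expression missing its closing ']', an unexpected publisher, or a missing settings key. The sample_extension helper is a constructed resource in the shape of the article's templates; nothing here talks to Azure.

```python
import json

EXPECTED_PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
REQUIRED_SETTINGS = ("azureResourceId", "defenderForServersWorkspaceId", "forceReOnboarding")

def arm_expression_error(value):
    """Describe a malformed ARM expression (a string starting with '['), else return None."""
    if not isinstance(value, str) or not value.startswith("["):
        return None
    if not value.endswith("]"):
        return f"expression not closed with ']': {value}"
    if value.count("(") != value.count(")") or value.count("'") % 2:
        return f"unbalanced parentheses or quotes: {value}"

def lint_mde_extension(text):
    """Lint one MDE extension resource given as JSON text; [] means nothing was found."""
    try:
        res = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma inside dependsOn
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    props = res.get("properties", {})
    if props.get("publisher") != EXPECTED_PUBLISHER:
        findings.append(f"unexpected publisher: {props.get('publisher')!r}")
    for key in REQUIRED_SETTINGS:
        if key not in props.get("settings", {}):
            findings.append(f"settings is missing required key: {key}")
    if not res.get("dependsOn"):
        findings.append("dependsOn is empty: the extension may be deployed before the VM exists")
    def walk(node, path):  # validate every "[...]" string anywhere in the resource
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif (err := arm_expression_error(node)):
            findings.append(f"{path}: {err}")
    walk(res, "resource")
    return findings

def sample_extension(os_name, workspace_expr="[parameters('monitoringWorkspaceId')]"):
    """Constructed sample mirroring the article's resource; os_name is 'Windows' or 'Linux'."""
    vm = "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
    return json.dumps({"type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-03-01",
                       "location": "[parameters('location')]", "dependsOn": [vm],
                       "name": f"[concat(variables('vmName'),'/MDE.{os_name}')]",
                       "properties": {"autoUpgradeMinorVersion": True, "publisher": EXPECTED_PUBLISHER,
                                      "type": f"MDE.{os_name}", "typeHandlerVersion": "1.0",
                                      "settings": {"azureResourceId": vm, "forceReOnboarding": False,
                                                   "defenderForServersWorkspaceId": workspace_expr}}})
```

Passing the unclosed expression "[parameters('monitoringWorkspaceId')" as workspace_expr reproduces the bracket defect and yields exactly one finding pointing at settings.defenderForServersWorkspaceId.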
Hi, thank you for this great article.
The ARM template works when deploying the Windows extension but fails when deploying the Linux extension. The error message is:
VM has reported a failure when processing extension ‘MDE.Linux’. Error message: “Failed to configure Microsoft Defender for Endpoint: argument of type ‘NoneType’ is not iterable ResourceId: /subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/azsec-redhat-vm”
Having done some troubleshooting on the Linux VM, it appears the issue is caused by the “protectedSettings” property not being set in the ARM template.
When this extension (MDE.Linux) is deployed via remediating an Advisors recommendation, the “protectedSettings” property is populated with a base64 encoded encrypted string which is read, decoded and decrypted by the extension’s installation script.
Please advise if this is a known issue and how the MDE.Linux extension should be deployed via an arbitrary ARM template.
Hi Mark,
Thanks for your feedback. Could you please create a GitHub issue here https://github.com/azsec/scaf-azure-arm-templates/issues so we can keep track and discuss with possible mitigation approaches.
In the meantime I will plan to check and will get back to you soon.
Thank you very much!
Thanks, I have created an issue on the GitHub repo.
https://github.com/azsec/scaf-azure-arm-templates/issues/2
Hi, I am trying to use the arm template to deploy it to a windows vm and I get the following error:
##[error]VMExtensionProvisioningError: VM has reported a failure when processing extension ‘MDE.Windows’. Error message: “Failed to configure Microsoft Defender for Endpoint: You cannot call a method on a null-valued expression.
Any idea what I could be missing? I have made sure I am using the exact template above.
Hi Vin,
Could you create a new issue here https://github.com/azsec/scaf-azure-arm-templates/issues and post your template?
We could discuss and keep track in GitHub then. That would also help me update the template if there is a defect.
Thank you
Thanks azsec. Created the issue here: https://github.com/azsec/scaf-azure-arm-templates/issues/3
Hello,
Could you please look at the issue I opened?
https://github.com/azsec/scaf-azure-arm-templates/issues/6
I'm having an issue installing the extension on a Windows VM, and it was also reported by one other user in a closed issue.