Deploy Microsoft Defender for Servers via VM ARM template

Microsoft Defender for Servers offers a capability for Azure VMs that helps detect threats and adds an additional layer of defense. It is currently supported on both Windows and Linux.

In this article, let’s quickly check whether we can deploy the MDE agent via an Azure ARM template.

If you already know about MDE and want to test immediately, use the template from here https://github.com/azsec/scaf-azure-arm-templates/tree/master/VirtualMachine/vm-with-mde

Why?

Undoubtedly, endpoint protection and vulnerability assessment are required by InfoSec, and that requirement appears in just about every organization. Moreover, if you work with Microsoft Defender for Cloud (formerly Azure Security Center) recommendations, you probably know the one titled “A vulnerability assessment solution should be enabled on your virtual machines”. To improve your secure score you need to install a vulnerability assessment solution on the Azure VM, and MDE is one of the solutions Microsoft Defender for Cloud gives credit for.

ARM template

Windows

For Windows, use the extension below:

{
  "comments": "Deploy Microsoft Defender for Windows VM",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-03-01",
  "location": "[parameters('location')]",
  "name": "[concat(variables('vmName'),'/MDE.Windows')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",
      "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
      "forceReOnboarding": false
    }
  }
}

Linux

For Linux, use the extension below:

{
  "comments": "Deploy Microsoft Defender for Linux VM",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-03-01",
  "location": "[parameters('location')]",
  "name": "[concat(variables('vmName'),'/MDE.Linux')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Linux",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",
      "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
      "forceReOnboarding": false
    }
  }
}

The extension’s settings block needs the following values:

  • azureResourceId: the resource ID of the Azure VM. It can be referenced using resourceId().
  • defenderForServersWorkspaceId: the ID of the Log Analytics workspace that Azure Security Center is currently connected to.
  • forceReOnboarding: indicates whether you would like the VM to be re-onboarded automatically if it is disconnected from the Defender workspace.

Now you can give it a try.
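Before running a deployment it is worth catching the mistakes that are easiest to make in this template by hand: a trailing comma that breaks the JSON, an ARM expression such as [parameters('monitoringWorkspaceId') that is missing its closing bracket, or a settings block that omits one of the three required keys. The script below is an added example, not code from the original post or from the azsec repository: it builds the extension resource for either OS inside a minimal deployable template and lints the result locally. The parameter names (location, vmName, monitoringWorkspaceId), the variables block and the function names are assumptions chosen here; only the publisher, extension type, apiVersion and settings keys come from the post. The lint is a quick local sanity check and does not replace a real validation of the deployment against Azure.

```python
"""Build and sanity-check the Defender for Servers (MDE) VM extension resource.

Added example, not part of the original post or the azsec templates.
Assumed here: the parameter names `location`, `vmName` and
`monitoringWorkspaceId`, the `variables` block and all function names.
Publisher, extension type, apiVersion and settings keys are as in the post.
"""
import json

PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
REQUIRED_SETTINGS = ("azureResourceId", "defenderForServersWorkspaceId", "forceReOnboarding")


def mde_extension(os_type: str) -> dict:
    """Return the MDE.Windows or MDE.Linux extension resource as a dict."""
    if os_type not in ("Windows", "Linux"):
        raise ValueError("os_type must be 'Windows' or 'Linux'")
    ext_type = "MDE." + os_type
    vm_ref = "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
    return {
        "comments": "Deploy Microsoft Defender for " + os_type + " VM",
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "apiVersion": "2021-03-01",
        "location": "[parameters('location')]",
        "name": "[concat(variables('vmName'), '/" + ext_type + "')]",
        "dependsOn": [vm_ref],
        "properties": {
            "autoUpgradeMinorVersion": True,
            "publisher": PUBLISHER,
            "type": ext_type,
            "typeHandlerVersion": "1.0",
            "settings": {
                "azureResourceId": vm_ref,
                "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
                "forceReOnboarding": False,
            },
        },
    }


def build_template(os_type: str) -> str:
    """Wrap the extension in a minimal template (assumed layout) and return JSON text."""
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
            "vmName": {"type": "string"},
            "monitoringWorkspaceId": {"type": "string"},
        },
        "variables": {"vmName": "[parameters('vmName')]"},
        "resources": [mde_extension(os_type)],
    }
    return json.dumps(template, indent=2)


def _strings(node):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_template(text: str) -> list:
    """Return a list of problems found in the template text; empty means it passed.

    Checks: the text is valid JSON (a trailing comma fails here), every ARM
    expression opened with '[' is closed with ']' and has balanced parentheses,
    and every MDE extension resource carries the three required settings keys.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: " + str(exc)]
    problems = []
    for value in _strings(doc):
        # "[[" is ARM's escape for a literal bracket, not an expression.
        if value.startswith("[") and not value.startswith("[["):
            if not value.endswith("]") or value.count("(") != value.count(")"):
                problems.append("unbalanced ARM expression: " + value)
    for res in doc.get("resources", []):
        props = res.get("properties", {})
        if props.get("publisher") == PUBLISHER:
            missing = [k for k in REQUIRED_SETTINGS if k not in props.get("settings", {})]
            if missing:
                problems.append(str(props.get("type")) + ": missing settings " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    good = build_template("Linux")
    # Constructed defect: drop the closing bracket of the workspace expression.
    broken = good.replace("[parameters('monitoringWorkspaceId')]", "[parameters('monitoringWorkspaceId')")
    print("good template:", lint_template(good) or "no problems")
    print("broken template:", lint_template(broken))
```

Run the file directly to see the good template pass and the constructed broken copy flagged; the same lint_template() function can be pointed at any template file you read from disk before handing it to a deployment pipeline.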


7 Responses to Deploy Microsoft Defender for Servers via VM ARM template

  1. Mark says:

    Hi, thank you for this great article.

    The ARM template works when deploying the Windows extension but fails when deploying the Linux extension. The error message is:
    VM has reported a failure when processing extension ‘MDE.Linux’. Error message: “Failed to configure Microsoft Defender for Endpoint: argument of type ‘NoneType’ is not iterable ResourceId: /subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/azsec-redhat-vm”

    Having done some troubleshooting on the Linux VM, it appears the issue is caused by the “protectedSettings” property not being set in the ARM template.

    When this extension (MDE.Linux) is deployed via remediating an Advisors recommendation, the “protectedSettings” property is populated with a base64 encoded encrypted string which is read, decoded and decrypted by the extension’s installation script.

    Please advise if this is a known issue and how the MDE.Linux extension should be deployed via an arbitrary ARM template.

  2. Vin says:

    Hi, I am trying to use the ARM template to deploy it to a Windows VM and I get the following error:

    ##[error]VMExtensionProvisioningError: VM has reported a failure when processing extension ‘MDE.Windows’. Error message: “Failed to configure Microsoft Defender for Endpoint: You cannot call a method on a null-valued expression.

    Any idea what I could be missing? I have made sure I am using the exact template above.

  3. Ruslan says:

    Hello,

    Could you please look at the issue I opened?
    https://github.com/azsec/scaf-azure-arm-templates/issues/6

    I’m having an issue with installing the extension on a Windows VM, and it was also reported by one other user in a closed issue.
