Microsoft Defender Cloud and Defender for Endpoint confusion

Salahuddin Khatri 21 Reputation points
2021-12-20T04:08:45.147+00:00

Hi All,

I am really confused by all the settings and configuration, and nothing explains them in more detail. I have enabled Microsoft Defender for Cloud (Azure Security Centre) with "Enable all Microsoft Defender for Cloud plans", and auto provisioning is enabled for the Log Analytics Agent. On the integration page both check boxes are enabled. We are using Carbon as antivirus software, and we have just found out that the Defender ATP agent is running on all new VMs.

We are not sure why and how it was installed, as we have not installed it manually. After reading lots of articles I have found out that if "Allow Microsoft Defender for Endpoint to access my data" is enabled or checked in Defender for Cloud, it will install the Defender ATP agent automatically. Is that true? If yes, is it mentioned somewhere in the documentation? If it is not true, is there any other reason it could have been installed automatically, or maybe choosing "Enable all Microsoft Defender for Cloud plans" will install the Defender ATP agent on all Azure VMs?

Please let me know the meaning of this line: "Threat protection for Azure VMs and non-Azure servers (including Server EDR)". Does this mean it will install the Defender ATP agent on the Azure VMs?

I have also reviewed the recommendations of Defender for Cloud. The following are the recommendations; I am not sure what the difference is between point 1 and point 2.

  1. Install Endpoint protection solution virtual machines (this recommendation shows 40 VMs out of 48)
  2. Endpoint protection should be installed on machines (this recommendation shows 14 unhealthy, 7 as healthy, however we have 48 VMs)

I really really need your help and support to know all of the above in more details, just one last question

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Intune | Configuration Manager | Other

2 answers

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2021-12-20T13:57:53.307+00:00

    Adding to what Dev073 said. Defender for Cloud includes MDE (no additional cost). MDE is activated and deployed automatically. The deployment mechanism is an Azure policy and VM extension. You could disable the policy and remove the extension if needed. MDE uses a native client in the OS and there is no agent install for the modern OS versions. MDE provides vulnerability assessment, incident management, and automated response solutions. MDE is also directly linked to Microsoft's AV. It should work well with most 3rd party AV solutions, going automatically into a passive mode. MDAV continues to receive updates and send telemetry to MDE in passive mode but will not block user activity or quarantine files. MDE also provides an optional EDR Block Mode that provides a cloud-based, post-breach response for 3rd party AV (2nd line of defense). Definitely something you will want to leverage, even if staying with Carbon. There is much to learn and configure on the MDE side including activating on-premises systems. I also recommend looking into MDI and Defender for Cloud Apps (formerly MCAS) which pair nicely with MDE.

    3 people found this answer helpful.

  2. Devaraj G 2,096 Reputation points Volunteer Moderator
    2021-12-20T05:35:56.847+00:00

    Hi,
    My understanding:
    Yes, the automatic onboarding feature of Defender for Cloud enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud. Defender for Cloud's integration with Microsoft Defender for Endpoint is enabled by default.

    Check the doc here highlighting the behavior:
    https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows#if-i-already-have-a-license-for-microsoft-defender-for-endpoint-can-i-get-a-discount-for-microsoft-defender-for-servers

    "Please let me know the meaning of this line "Threat protection for Azure VMs and non-Azure servers (including Server EDR)" does this mean it will install the Defender ATP agent on the Azure VMs."
    Yes, if it is allowed. It will be installed on supported machines.

    Are you planning to leverage Defender as the threat solution for VMs or sticking with Carbon?

    1 person found this answer helpful.
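
The first answer says the Defender for Endpoint sensor is deployed through an Azure policy and a VM extension. As an added example (not from the thread or from Microsoft), this Python script takes VM extension records in the ARM resource shape and reports, per VM, whether that extension is present and its provisioning state. The extension names `MDE.Windows` and `MDE.Linux` are an assumption not stated in the thread; `audit_mde`, `sample_record` and all sample records are constructed here.

```python
"""Audit which VMs carry the Defender for Endpoint (MDE) VM extension.
Input: extension records in the ARM resource shape (id, name, properties).
All sample data below is constructed for illustration."""
import re

# Assumption: extension names Microsoft documents for this integration;
# they are not stated in the thread.
MDE_EXTENSION_NAMES = {"mde.windows", "mde.linux"}

# ARM resource IDs are case-insensitive, so match without regard to case.
EXT_ID = re.compile(
    r"/resourceGroups/(?P<rg>[^/]+)/providers/Microsoft\.Compute"
    r"/virtualMachines/(?P<vm>[^/]+)/extensions/(?P<ext>[^/]+)$",
    re.IGNORECASE,
)

def audit_mde(vm_names, extension_records):
    """Return {vm: provisioningState, or None if no MDE extension was found}."""
    result = {name.lower(): None for name in vm_names}
    for rec in extension_records:
        m = EXT_ID.search(rec.get("id", ""))
        if not m:
            continue  # not a VM extension record; skip rather than guess
        props = rec.get("properties") or {}
        ext_type = (props.get("type") or m.group("ext")).lower()
        if ext_type not in MDE_EXTENSION_NAMES:
            continue  # some other extension, e.g. the Log Analytics agent
        vm = m.group("vm").lower()
        if vm in result:
            result[vm] = props.get("provisioningState", "Unknown")
    return result

def sample_record(vm, ext, state):
    """Build one constructed extension record (placeholder subscription ID)."""
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           f"/providers/Microsoft.Compute/virtualMachines/{vm}/extensions/{ext}")
    return {"id": rid, "name": ext,
            "properties": {"type": ext, "provisioningState": state}}

SAMPLE_VMS = ["web01", "web02", "db01"]
SAMPLE_EXTENSIONS = [
    sample_record("web01", "MDE.Windows", "Succeeded"),
    sample_record("WEB02", "MDE.Linux", "Failed"),  # casing differs from VM list
    sample_record("db01", "MicrosoftMonitoringAgent", "Succeeded"),
]

if __name__ == "__main__":
    for vm, state in audit_mde(SAMPLE_VMS, SAMPLE_EXTENSIONS).items():
        print(f"{vm}: {'MDE extension ' + state if state else 'no MDE extension'}")
```

A VM reported with a `Failed` state has the extension resource but may not be onboarded, which is one way a VM inventory and a recommendation's machine count can disagree.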
