I have Defender for Servers Plan 1 enabled on a Subscription via Defender for Cloud.
Now I'm testing the enrollment of the Windows Defender Endpoint protection software to three Linux machines (CentOS 7.9.2009) in the Azure Subscription.
According to this article - https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=linux I need to navigate to the Microsoft Defender for Cloud Subscription settings and under "Integration" make sure that "Allow Microsoft Defender for Endpoint to access my data." option is selected, and after that - click on the "Enable for Linux machines" button. So here I encounter my first problem - the "Enable for Linux machines" button is missing.
Fine, since this was or is a preview feature - maybe something changed and now the EDR solution is being installed on Linux machines automatically without the need to enable it specifically for Linux machines, so that's what I'm currently testing. Keep in mind that MMA agents are installed manually (automatic provisioning of the MMA agent is switched off in MS Defender for Cloud "Provisioning" settings) via Log Analytics Workspace for two Linux VMs in the environment.
As I mentioned before - I have three Linux CentOS machines in my subscription with three different configurations:
- Standalone Linux VM without a Log Analytics Workspace (so no MMA agent installed)
- Linux VM connected to a dedicated Log Analytics Workspace (let's say, named "law1"), so the MMA agent is installed on the machine. Under Microsoft Defender for Cloud "Environment settings" I've disabled Defender coverage for this workspace. (Keep in mind that when checking the Microsoft Defender for Cloud Subscription settings, under the enabled Defender for Servers plan I still see that this Linux VM is being covered under Plan 1.)
- Linux VM connected to a dedicated Log Analytics Workspace (named "law2") and under Microsoft Defender for Cloud "Environment settings" I've enabled Defender coverage for this workspace.
So I've waited for more than 12 hours for the automatic enrollment to finish, and none of the three Linux VMs has the EDR solution present on it. (Checked that with the "mdatp health" command in Bash.)
Can anyone explain to me why this is happening? I've checked the requirements for Linux hosts for this feature and my hosts should be compliant for it.
What am I missing here?
Could this be an issue with using Defender for Servers Plan 1 on the subscription? According to the official MS documentation, Plan 1 comes with "Defender for Endpoint Plan 2", which supports Linux hosts - so it would be odd if the issue were with the plan selection. I'm running out of ideas here. Any help with this would be greatly appreciated.
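An added triage example (not code from the original post or from Microsoft) that separates the two signals worth checking in a case like this: the control plane (did Defender for Cloud ever attach the `MDE.Linux` VM extension, publisher `Microsoft.Azure.AzureDefenderForServers`, to the VM?) and the data plane (does `mdatp health` on the host report `healthy : true`?). The helpers parse captured command output so they run offline; the `az vm extension list -o json` documents and the `mdatp health` text below are constructed samples, and the field names `typePropertiesType` / `virtualMachineExtensionType` are assumed to match the az CLI version in use. In a real run you would feed them the actual output of `az vm extension list -g <rg> --vm-name <vm> -o json` and of `mdatp health` over SSH.

```python
"""Offline triage: has Microsoft Defender for Endpoint (MDE) reached a Linux VM?

Signal 1 (control plane): Defender for Cloud onboards Linux VMs by deploying
the VM extension MDE.Linux from publisher Microsoft.Azure.AzureDefenderForServers.
Signal 2 (data plane): on the host, `mdatp health` prints `healthy : true`.
All sample inputs in this file are constructed for the example.
"""
import json
import re
from typing import Optional

MDE_PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
MDE_EXTENSION_TYPE = "MDE.Linux"

# Constructed `az vm extension list ... -o json` for a VM that only has the
# Log Analytics (MMA/OMS) extension, i.e. the situation described in the post.
SAMPLE_AZ_EXTENSIONS_MMA_ONLY = json.dumps([{
    "name": "OmsAgentForLinux",
    "publisher": "Microsoft.EnterpriseCloud.Monitoring",
    "typePropertiesType": "OmsAgentForLinux",
    "typeHandlerVersion": "1.14",
    "provisioningState": "Succeeded",
}])

# Constructed output for a VM where Defender for Cloud did push the extension.
SAMPLE_AZ_EXTENSIONS_WITH_MDE = json.dumps([{
    "name": "MDE.Linux",
    "publisher": MDE_PUBLISHER,
    "typePropertiesType": MDE_EXTENSION_TYPE,
    "typeHandlerVersion": "1.0",
    "provisioningState": "Succeeded",
}])

# Constructed, abridged `mdatp health` output from an onboarded host.
SAMPLE_MDATP_HEALTH_OK = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
"""

# What the shell prints on a host where the sensor was never installed.
SAMPLE_MDATP_NOT_FOUND = "bash: mdatp: command not found\n"


def mde_extension_state(az_extension_list_json: str) -> str:
    """Return the provisioningState of the MDE.Linux extension, or 'missing'.

    Match on publisher + extension type, not on 'name' (an instance label).
    Accepts both the newer (typePropertiesType) and older
    (virtualMachineExtensionType) az CLI field names (assumption).
    """
    for ext in json.loads(az_extension_list_json):
        ext_type = ext.get("typePropertiesType") or ext.get("virtualMachineExtensionType")
        if ext.get("publisher") == MDE_PUBLISHER and ext_type == MDE_EXTENSION_TYPE:
            return ext.get("provisioningState") or "unknown"
    return "missing"


def parse_mdatp_health(output: str) -> dict:
    """Turn the `key : value` lines of `mdatp health` into a dict of strings."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip().strip('"')
    return fields


def mde_host_state(mdatp_health_output: Optional[str]) -> str:
    """Classify the host as 'not_installed', 'healthy' or 'unhealthy'."""
    if not mdatp_health_output or "command not found" in mdatp_health_output:
        return "not_installed"
    return "healthy" if parse_mdatp_health(mdatp_health_output).get("healthy") == "true" else "unhealthy"


def triage(extension_state: str, host_state: str) -> str:
    """Combine both signals into a pointer for where to look next."""
    if extension_state == "missing":
        # Nothing was ever pushed, so `mdatp` cannot exist on the host: look at
        # the Defender for Servers plan / Defender for Endpoint integration
        # settings in Defender for Cloud, not at the VM itself.
        return "not-deployed: check Defender for Servers plan and the Defender for Endpoint integration setting"
    if extension_state != "Succeeded":
        return f"deployment-{extension_state.lower()}: read the extension's status message on the VM"
    if host_state == "healthy":
        return "onboarded"
    return f"extension-ok-host-{host_state}: inspect the sensor on the host with `mdatp health`"


if __name__ == "__main__":
    # The post's scenario: extension absent, `mdatp` absent.
    print(triage(mde_extension_state(SAMPLE_AZ_EXTENSIONS_MMA_ONLY),
                 mde_host_state(SAMPLE_MDATP_NOT_FOUND)))
```

The point of keeping the two checks apart: if the extension is missing from `az vm extension list`, no amount of waiting or host-side debugging helps, because the platform never started the deployment; only when the extension reports `Succeeded` does `mdatp health` on the host become the relevant place to look.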