Prepare for retirement of the Log Analytics agent

The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), is retiring in August 2024. As a result, the Defender for Servers and Defender for SQL on machines plans in Microsoft Defender for Cloud will be updated, and features that rely on the Log Analytics agent will be redesigned.

This article summarizes plans for agent retirement.

Preparing Defender for Servers

The Defender for Servers plan uses the Log Analytics agent in general availability (GA), and the Azure Monitor agent (AMA) in preview for some features. Here's what's happening with these features going forward:

To simplify onboarding, all Defender for Servers security features and capabilities will be provided with a single agent (Microsoft Defender for Endpoint), complemented by agentless machine scanning, without any dependency on Log Analytics agent or AMA. Note that: 

  • Defender for Servers features that are based on AMA are currently in preview and won’t be released in GA.
  • Features in preview that rely on AMA remain supported until an alternate version of the feature is provided, which will rely on the Defender for Endpoint integration or the agentless machine scanning feature.
  • By enabling the Defender for Endpoint integration and agentless machine scanning feature before the deprecation takes place, your Defender for Servers deployment will be up to date and supported.

Feature functionality

The following table summarizes how Defender for Servers features will be provided. Most features are already generally available using Defender for Endpoint integration or agentless machine scanning. The rest of the features will either be available in GA by the time the MMA is retired, or will be deprecated.

| Feature | Current support | New support | New experience status |
|---|---|---|---|
| Defender for Endpoint integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | Unified agent integration | Functionality with the unified agent is GA. Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024. |
| OS-level threat detection | Log Analytics agent | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent is GA. |
| Adaptive application controls | Log Analytics agent (GA), AMA (Preview) | --- | The adaptive application control feature is set to be deprecated in August 2024. |
| Endpoint protection discovery recommendations | Recommendations that are available through the Foundational Cloud Security Posture Management (CSPM) plan and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview) | Agentless machine scanning | Functionality with agentless machine scanning will be released to preview in February 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan. Azure VMs, Google Cloud Platform (GCP) instances, and Amazon Web Services (AWS) instances will be supported. On-premises machines won’t be supported. |
| Missing OS update recommendation | Recommendations available in the Foundational CSPM and Defender for Servers plans using the Log Analytics agent. | Integration with Update Manager, Microsoft | New recommendations based on Azure Update Manager integration are GA, with no agent dependencies. |
| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations that are available through the Foundational CSPM and Defender for Servers plans using the Log Analytics agent, Guest Configuration agent (Preview). | Microsoft Defender Vulnerability Management premium, as part of Defender for Servers Plan 2. | Functionality based on integration with Microsoft Defender Vulnerability Management premium will be available in preview around April 2024. Functionality with the Log Analytics agent will be deprecated in August 2024. Functionality with Guest Configuration agent (Preview) will be deprecated when the Microsoft Defender Vulnerability Management is available. Support of this feature for Docker-hub and Azure Virtual Machine Scale Sets will be deprecated in Aug 2024. |
| File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available around April 2024. Functionality with the Log Analytics agent will be deprecated in August 2024. Functionality with AMA will be deprecated when the Defender for Endpoint integration is released. |

The 500-MB benefit for data ingestion over the defined tables remains supported via the AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. Learn more about how to deploy AMA.

For SQL servers on machines, we recommend migrating to the SQL server-targeted Azure Monitoring Agent (AMA) autoprovisioning process.

Endpoint protection recommendations experience

Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning. 

Endpoint protection recommendations are constructed in two stages. The first stage is discovery of an endpoint detection and response solution. The second is assessment of the solution’s configuration. The following tables provide details of the current and new experiences for each stage.

Learn how to manage the new endpoint detection and response recommendations (agentless).

Endpoint detection and response solution - discovery

| Area | Current experience (based on AMA/MMA) | New experience (based on agentless machine scanning) |
|---|---|---|
| What's needed to classify a resource as healthy? | An anti-virus is in place. | An endpoint detection and response solution is in place. |
| What's needed to get the recommendation? | Log Analytics agent | Agentless machine scanning |
| What plans are supported? | Foundational CSPM (free); Defender for Servers Plan 1 and Plan 2 | Defender CSPM; Defender for Servers Plan 2 |
| What fix is available? | Install Microsoft anti-malware. | Install Defender for Endpoint on selected machines/subscriptions. |

Endpoint detection and response solution - configuration assessment

| Area | Current experience (based on AMA/MMA) | New experience (based on agentless machine scanning) |
|---|---|---|
| Resources are classified as unhealthy if one or more of the security checks aren’t healthy. | Three security checks: (1) Real time protection is off. (2) Signatures are out of date. (3) Both quick scan and full scan aren't run for seven days. | Three security checks: (1) Anti-virus is off or partially configured. (2) Signatures are out of date. (3) Both quick scan and full scan aren't run for seven days. |
| Prerequisites to get the recommendation | An anti-malware solution in place | An endpoint detection and response solution in place. |

Which recommendations are being deprecated?

The following table summarizes the timetable for recommendations being deprecated and replaced.

| Recommendation | Agent | Supported resources | Deprecation date | Replacement recommendation |
|---|---|---|---|---|
| Endpoint protection should be installed on your machines (public) | MMA/AMA | Azure & non-Azure (Windows & Linux) | March 2024 | New agentless recommendation |
| Endpoint protection health issues should be resolved on your machines (public) | MMA/AMA | Azure (Windows) | March 2024 | New agentless recommendation |
| Endpoint protection health failures on virtual machine scale sets should be resolved | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement |
| Endpoint protection solution should be installed on virtual machine scale sets | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement |
| Endpoint protection solution should be on machines | MMA | Non-Azure resources (Windows) | August 2024 | No replacement |
| Install endpoint protection solution on your machines | MMA | Azure and non-Azure (Windows) | August 2024 | New agentless recommendation |
| Endpoint protection health issues on machines should be resolved | MMA | Azure and non-Azure (Windows and Linux) | August 2024 | New agentless recommendation |

The new recommendations experience based on agentless machine scanning supports both Windows and Linux OS across multicloud machines.

How will the replacement work?

  • Current recommendations provided by the Log Analytics Agent or the AMA will be deprecated over time.
  • Some of these existing recommendations will be replaced by new recommendations based on agentless machine scanning.
  • Recommendations currently in GA remain in place until the Log Analytics agent retires.
  • Recommendations that are currently in preview will be replaced when the new recommendation is available in preview.

What's happening with secure score?

  • Recommendations that are currently in GA will continue to affect secure score. 
  • Current and upcoming new recommendations are located under the same Microsoft Cloud Security Benchmark control, ensuring that there’s no duplicate impact on secure score.

How do I prepare for the new recommendations?

Preparing Defender for SQL on Machines

You can learn more about the Defender for SQL Server on machines Log Analytics agent's deprecation plan.

If you're using the current Log Analytics agent/Azure Monitor agent autoprovisioning process, you should migrate to the new Azure Monitoring Agent for SQL Server on machines autoprovisioning process. The migration process is seamless and provides continuous protection for all machines.

Migrate to the SQL server-targeted AMA autoprovisioning process

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant subscription.

  5. Under the Databases plan, select Action required.

  6. In the pop-up window, select Enable.

  7. Select Save.

Once the SQL server-targeted AMA autoprovisioning process is enabled, you should disable the Log Analytics agent/Azure Monitor agent autoprovisioning process and uninstall the MMA on all SQL servers:

To disable the Log Analytics agent:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant subscription.

  5. Under the Databases plan, select Settings.

  6. Toggle the Log Analytics agent to Off.

  7. Select Continue.

  8. Select Save.

Migration planning

We recommend you plan agent migration in accordance with your business requirements. The table summarizes our guidance.

| Are you using Defender for Servers? | Are these Defender for Servers features required in GA: file integrity monitoring, endpoint protection recommendations, security baseline recommendations? | Are you using Defender for SQL servers on machines or AMA log collection? | Migration plan |
|---|---|---|---|
| Yes | Yes | No | 1. Enable Defender for Endpoint integration and agentless machine scanning. 2. Wait for GA of all features on the alternative platform (you can use the preview versions earlier). 3. Once features are GA, disable the Log Analytics agent. |
| No | --- | No | You can remove the Log Analytics agent now. |
| No | --- | Yes | 1. You can migrate to SQL autoprovisioning for AMA now. 2. Disable Log Analytics/Azure Monitor Agent. |
| Yes | Yes | Yes | 1. Enable Defender for Endpoint integration and agentless machine scanning. 2. You can use the Log Analytics agent and AMA side-by-side to get all features in GA. Learn more about running agents side-by-side. 3. Migrate to SQL autoprovisioning for AMA in Defender for SQL on machines. Alternatively, start the migration from Log Analytics agent to AMA in April 2024. 4. Once the migration is finished, disable the Log Analytics agent. |
| Yes | No | Yes | 1. Enable Defender for Endpoint integration and agentless machine scanning. 2. You can migrate to SQL autoprovisioning for AMA in Defender for SQL on machines now. 3. Disable the Log Analytics agent. |
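
Every migration plan above enables the replacement first and disables the Log Analytics agent last, and that ordering can be checked per machine before the agent is removed. The following is an added example, not part of the original article or any Microsoft tooling: it runs over a constructed inventory, and the VM extension type names, the `sql` flag, and the use of an installed AMA extension as a stand-in for completed SQL autoprovisioning are assumptions not taken from this page.

```python
import json

# Extension type names as they appear on Azure VMs. These are assumptions
# drawn from Azure's published extension names; the page does not list them.
LEGACY = {"MicrosoftMonitoringAgent", "OmsAgentForLinux"}    # Log Analytics agent (MMA)
AMA = {"AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent"}  # Azure Monitor agent
MDE = {"MDE.Windows", "MDE.Linux"}                            # Defender for Endpoint

# Constructed sample inventory: one record per machine, with the extension
# types installed on it and whether it hosts SQL Server (hypothetical flag).
SAMPLE = json.loads("""
[
  {"name": "web-01", "sql": false, "extensions": ["MicrosoftMonitoringAgent"]},
  {"name": "web-02", "sql": false, "extensions": ["OmsAgentForLinux", "MDE.Linux"]},
  {"name": "sql-01", "sql": true,  "extensions": ["MicrosoftMonitoringAgent", "MDE.Windows"]},
  {"name": "sql-02", "sql": true,  "extensions": ["MicrosoftMonitoringAgent",
                                                  "AzureMonitorWindowsAgent", "MDE.Windows"]},
  {"name": "app-01", "sql": false, "extensions": ["MDE.Linux"]}
]
""")

def assess(machine):
    """Return (status, blockers) for one machine record.

    A machine is 'blocked' while removing the legacy agent would leave a gap:
    no Defender for Endpoint agent, or a SQL server without AMA.
    Agentless machine scanning is a subscription-level setting and is not
    visible in a per-machine extension list, so it is not checked here.
    """
    ext = set(machine.get("extensions", []))
    if not ext & LEGACY:
        return "done", []          # no Log Analytics agent left on this machine
    blockers = []
    if not ext & MDE:
        blockers.append("enable Defender for Endpoint integration")
    if machine.get("sql") and not ext & AMA:
        blockers.append("migrate to SQL server-targeted AMA autoprovisioning")
    return ("blocked" if blockers else "ready-to-remove-mma"), blockers

def report(inventory):
    """Map machine name -> (status, blockers) for the whole inventory."""
    return {m["name"]: assess(m) for m in inventory}

if __name__ == "__main__":
    for name, (status, blockers) in sorted(report(SAMPLE).items()):
        print(f"{name:8} {status:20} {'; '.join(blockers)}")
```
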