Defender for Endpoint server licensing

I will preface this with the ‘standard’ disclosure here that:

1. I am not a licensing expert

2. You should speak with a licensing expert to obtain clarification and verification of anything here

3. I have done my best in regards the information presented here but it may change over time, so again see point 2.

With that out of the way, a very common question I receive is around the licensing of servers with Defender for Endpoint. The summary I have found, taken from a reply from Microsoft licensing I found is the following:

In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. Microsoft Defender for Endpoint Server is an add-on for customers with a combined minimum of 50 licenses of eligible Microsoft Defender for Endpoint SKUs.

Microsoft Defender for Endpoint (Server)

When you have acquired a separate Microsoft Defender for Endpoint (Server) license, you cannot assign them to a specific server or whatsoever. You need to make sure you own the number of licenses with the amount of Windows Servers you want to provision with Microsoft Defender for Endpoint (Server). If you don’t have the right amount of licenses in your Microsoft 365 tenant, then you can still roll out MDE for Server because there is no technical limitation to it, you are just not compliant at that moment in an audit.

Microsoft Defender for Cloud

If you do have not enough licenses of the products from above, you cannot license your Windows Serves with a separate MDE for Server license. Then you have to use Microsoft Defender for Cloud.

When your Windows Servers are already running within Azure, it’s just enabling the Defender Standard license and enabling your server protection. When your Windows Servers are running On-Premise (e.x. VMware ESXi/Hyper-V) you have to install the Arc Agent on your servers and then they are visible as Virtual Machines in your Microsoft Azure Portal.

Conclusion

You got two ways of licensing your Windows Servers with MDE for Servers. Through Microsoft Defender for Cloud, then you do not have to acquire at minimum 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses. Or acquire a separate MDE for Server license when you have at least 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses.

More info:

For most, this boils down to the fact that if you don’t have at least 50 x Microsoft 365 E5 (and I also assume, or Defender for Endpoint P2), then you need to purchase Microsoft Defender for Cloud using the Azure portal to cover any servers for Defender for Endpoint.

This would seem to imply that if you implement Defender for Business, when it becomes fully available, you’ll need to use Defender for Cloud even if you have 50 or more licenses. That may of course change when Defender for Business goes GA but my guess at this stage would be it won’t.

Now, even if you have 50 or more licenses of Microsoft E5 (or again I assume, or Defender for Endpoint P2), then you’ll need to purchase the Defender for Endpoint (Server) license for each server you wish to cover. That license is available in 2 versions, monthly and annually:

Monthly Billing

MS SKU = 350158A2-F253-4EA3-988E-EEF9D1B828CF
MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR MTH SUB – AU$7.10 ex

Annual Billing

MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR ANL SUB – AU$85.20 ex

As I also understand it, this Defender for Endpoint (Server) SKU can also only be purchased via CSP not direct. That means, it has to be purchased through a reseller not via the Microsoft 365 administration portal using just a credit card.

The more common option I suspect, given the limitations, is going to be Microsoft Defender for Cloud, which is purchased via Azure.

Which means you fire up the Azure pricing calculator and plug in the details to obtain a price. That should result in the above result of around A$21 per month, per server.

Hopefully, all this answers most questions and I’ve done my best to ensure it is correct but as always, please check for yourself. For most, the solution to licensing servers for Defender for Endpoint will mean obtaining Microsoft Defender for Cloud and the cost for that will be about A$21 per server per month.

Web filtering overview for Defender for Endpoint

I have written two articles on the web filtering options you have with Defender for Endpoint:

Custom web filtering

General web filtering

I’ve combined both of these into a video:

https://www.youtube.com/watch?v=M8sQEZDG2cA

which hopefully summarises things and let’s you see how to configure both of these.

Using Defender for Endpoint to protect your network devices

An added benefit of Defender for Endpoint is it’s ability to scan and report vulnerabilities with your network devices (routers, switches, etc). It does this by using SNMP, so the starting point is to set that up in your environment on your network devices.

Once you have onboarded Windows 10 devices to Defender for Endpoint you can use one of these to ‘scan’ your network devices via SNMP.

To do this follow the step by step process to download and install the scanner in this article:

Network device discovery and vulnerability assessments – Microsoft Tech Community

you can also refer to this documentation

Network device discovery and vulnerability management | Microsoft Docs

In short, you need to install and agent from the Defender for Endpoint console, then configure it to scan your SNMP environment and IP range. The results from this will be reported back into the Device inventory.

Interestingly, the documentation states:

The following operating systems are currently supported:

Cisco IOS, IOS-XE, NX-OS
Juniper JUNOS
HPE ArubaOS, Procurve Switch Software
Palo Alto Networks PAN-OS

but when I set this up in my environment

the Ubiquiti equipment I use was also reporting as shown above (excellent!).

I can drill into any network device and see alerts, security recommendations, etc. None to see here as my gear is up to date but this is a super handy feature when you are facing challenges like Log4j vulnerability, even in small environments.

The main thing is to get the SNMP environment set up for your network devices and then configure a Defender for Endpoint scanner in that environment. Within no time you’ll have additional network device information flowing into your Defender for Endpoint console. This is really going to help you keep your whole environment secure and make it easy to monitor from a single location.

Custom web filtering for Microsoft Defender for Endpoint

In a recent post I showed how you can enable web filtering with Defender for Endpoint using the built in blocked categories method.

Enabling web filtering with Microsoft Defender for Endpoint

The limits of this approach are that you can only use the categories that have been provided (i.e. Adult content, High bandwidth, Legal liability, Leisure and Uncategorized). An interesting omission, in my opinion, is the ability to block social networking (i.e. Twitter, Facebook, etc).

You can achieve custom web filtering with Microsoft Defender for Endpoint if you wish using the custom indicator approach.

You’ll first need to ensure that custom network indicators have been enabled in your environment. You do this by navigating to https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Endpoints.

From the menu that now appears, select Advanced features. Ensure that the Custom network indicators option is turned on as shown. Don’t forget to save any changes with the Save preferences button at the bottom of the page.

To enable a custom indicator, navigate to https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Indicators. On the right you can create an indicator as File hash, IP address, URL or Certificate. In this case, select URLs/Domains. Then select the option to Add item.

Enter the URL you wish to block and select whether you wish an expiry date for this indicator. Unfortunately, you can’t use wildcard characters here, it must be the direct URL. Press the Next button to continue.

Select the action you wish to take (Allow, Audit, Warn, Block execution). It is also recommended that you select the Generate Alert option so that information can be shared with other applications such as Azure Sentinel, which I’ll cover in an upcoming article. Also, give the alert a descriptive title (I suggest you mention the particular web site you are blocking here). Scroll down the page to continue.

Enter the Alert severity, Category as well as the Recommended actions and a Description as shown above. Press the Next button at the bottom of the page when complete.

View the summary that is now displayed and press the Save button at the bottom of the screen.

You should see your entry listed as shown above. You can edit this by simply clicking on it. You also delete the indicator once you edit it.

Also note the Import menu option that allows you to import a list of items from a CSV file.

Now according to the Microsoft documentation:

Create indicators for IPs and URLs/domains

– Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

– URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode.

– Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022

– Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.

– If there are conflicting URL indicator policies, the longer path is applied. That is, the more specific path.

– Only single IP addresses are supported (no CIDR blocks or IP ranges).

– Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

–
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

– Full URL path blocks can be applied on the domain level and all unencrypted URLs

– There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. My personal experience is around 45 minutes.

Enforced result on Edge. If you use third party browsers, and the site is encrypted (i.e. uses https) it will not be blocked as mentioned above.

Adding indicators using the web and even importing using a CSV is somewhat time consuming and cumbersome, especially if you have a standard set you wish to block. I’ll show you how to add indicators using a script and API calls in an upcoming post. so stay tuned for that.

Remember, that you can use these indicators to not only block but also warn and audit if you wish. You can also have a number of different indicators and types. I’d also recommend you take a look at this article from Microsoft:

Best practices for optimizing custom indicators

when you start creating these custom indicators.

Enabling web filtering with Microsoft Defender for Endpoint

One of ‘bonuses’ of Microsoft Defender for Endpoint is the inclusion of web filtering. This means that you can block a range of pre-configured sites as well as custom ones if needed. This article will cover how to set up this capability for pre-configured sites.

To get web filtering working you’ll basically need:

– Windows 10/11 devices onboarded to Defender for Endpoint

– Windows Defender Smartscreen and Network Protection enabled.

Web filtering for other platforms, like iOS and Android, is on the roadmap.

Please note that the options that appear may differ based on what version of Defender for Endpoint you are using (P2, P1 or Business)

Navigate to https://security.microsoft.com and scroll down the menu options on the left and select Settings. From the options that appear on the right select Endpoints.

Locate the Web content filtering option from the menu that now appears, and select + Add item on the right as shown above.

From the dialog that appears from the right, give the policy a name (here, Default) and select the Next button.

Select the Block categories required. You can expand the headings and select individual items insides these. Also note, that you can block both Newly registered domains and Parked domains.

Press the Next button when you have made you choices.

You can target this policy at specific Defender for Endpoint groups if you wish, depending on the version of Defender for Endpoint you use. In this case, no groups have been created, so All devices will be targeted. Note, that Device Groups does not currently appear with Defender for Business and thus all policies there will be scoped to all devices by default.

Press the Next button to continue.

Review the policy summary and select the Save button to complete the creation process.

In my experience it takes around 40 – 45 minutes for this policy to be applied to Windows 10/11 device endpoints, so be patient.

When a restricted site is visited using a Microsoft browser like Edge, you’ll very briefly see the restricted website flash up and then almost immediately be replaced with the content blocked message shown above.

If you use a non-Microsoft browser, Brave in this case, then you will see a message saying that access is denied and you’ll also receive a Windows Security message as shown in the bottom right above.

If you wish to remove or edit a web filtering policy, simply navigate back to the web filtering option in the security console. Changes, including policy deletions, again take about 40 or so minutes to become evident on endpoint devices.

What’s covered here is just the basics. Look out for future article where I cover off how to filter custom sites and locations. You’ll also find lots more details in the Microsoft documentation here:

Web content filtering

At this stage (January 2022), as I said earlier, web filtering is only available on Windows 10/11 devices but more options are coming in the very near future.

Incident overview with Defender for Business

https://www.youtube.com/watch?v=vTPXei_0l6k

When incidents occur on device endpoints you can view and manage these using the Defender for Endpoint tools in the Microsoft 365 Security Center. This video provided an overview of what happens when incidents are created and how to view their details and manage them from the administration console.

You will find the PowerShell scripts used to generate the device incidents here – https://github.com/directorcia/office365

Offboarding Windows 10 devices methods with Defender for Business

I’ve done this summary video of the different methods for offboarding Windows 10 devices from Defender for Endpoint.

https://www.youtube.com/watch?v=eqnqcVzTqns

The summary of all these processes plus the resources can be found here:

Troubleshooting Defender for Business

I wanted to create a single point, that I will aim to maintain over time, that provides a repository of troubleshooting tips, links and information on Microsoft Defender for Business.

[Updated 1 February 2022]

Information

– Microsoft Defender for Business documentation

Microsoft Defender is subset of the capabilities of Microsoft Defender for Endpoint.

– Microsoft Defender for Endpoint

– Microsoft Defender for Endpoint documentation

– What’s new in Microsoft Defender for Endpoint

– Minimum requirements for Microsoft Defender for Endpoint

Onboarding

Onboarding to the Microsoft Defender for Endpoint service

Onboarding using a local script

Onboarding using Intune device configuration policy

Onboarding using an Endpoint Security policy

– Most of the required files are in a directory:

C:\Program Files\Windows Defender Advanced Threat Protection

which is already present on Windows Pro and Enterprise devices.

– Look for events from WDATPonboarding in the Application logs in the Event viewer.

These event IDs are specific to the onboarding script only.

– Troubleshooting onboarding issues using Microsoft Intune

View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

– View agent onboarding errors in the device event log

Applications and Services Logs > Microsoft > Windows > SENSE

– Make sure that the diagnostic data service is enabled on all devices in your organization

– The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

– Services that should be running for Windows 10/11 device:

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe”

Service name = Microsoft Defender Antivirus Service

Service = WinDefend

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe

Service name = Microsoft Defender Antivirus Network Inspection Service

Service = WdNisSvc

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe”

Service name = Windows Defender Advanced Threat Protection Service

Service = Sense

Note – SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.

When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status

C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall –p

Service name = Windows Defender Firewall

Service = mpssvc

– It may take up to one (1) hour for the onboarded device to appear in Device Inventory

– The status of the device will be switched to inactive after 7 days of failed contact

– Troubleshoot Microsoft Defender for Endpoint onboarding issues

Offboarding

Offboarding from the Defender for Endpoint service

Offboarding using a local script

Offboarding using Intune device configuration profile

Offboarding using an API and PowerShell

Offboarding using Power Automate

– If the device was offboarded, it will still appear in devices list. After seven (7) days, the device health state should change to inactive.

– Offboarded devices’ data (such as Timeline, Alerts, Vulnerabilities, etc.) will remain in the portal until the configured retention period expires.

– The device’s profile (without data) will remain in the Devices List for no longer than 180 days.

– Any device that is not in use for more than seven (7) days will retain ‘Inactive’ status in the portal.

– A new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. The previous device entity remains, with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.

– Offboarding a device causes the devices to stop sending data to Defender for Business (preview). However, data received prior to offboarding is retained for up to six (6) months.

– Threat Vulnerability Management (TVM) will only collect and process information from active devices.

Connectivity

– Verify client connectivity to Microsoft Defender for Endpoint service URLs

– Defender for Endpoint Connectivity analyzer – https://aka.ms/mdeanalyzer

– The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule Block process creations originating from PSExec and WMI commands. You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add ASR exclusions when running the analyzer.

– When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.

Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus – Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs

To generate the support information, type

MpCmdRun.exe -getfiles

After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in

C:\ProgramData\Microsoft\Windows Defender\Support

Extract that archive and you will have many files available for troubleshooting purposes.

The most relevant files are:

MPOperationalEvents.txt – This file contains same level of information found in Event Viewer for Windows Defender’s Operational log.

MPRegistry.txt – In this file you will be able to analyze all the current Windows Defender configurations, from the moment the support logs were captured.