Remediate EDR solution recommendations

Microsoft Defender for Cloud includes endpoint detection and response (EDR) capabilities to improve security posture for supported machines. Defender for Cloud:

Based on EDR solution findings, Defender for Cloud provides recommendations to ensure that EDR solutions are installed and running correctly on machines. This article describes how to remediate those recommendations.

Note

  • Defender for Cloud uses agentless scanning to assess EDR settings.
  • Agentless scanning replaces the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)), which was previously used to collect machine data.
  • Scanning using the MMA will be deprecated in November 2024.

Prerequisites

Requirement           Details
Plan                  Defender for Cloud must be available in the Azure subscription and one of these plans must be enabled:
                      - Defender for Servers Plan 2
                      - Defender Cloud Security Posture Management (CSPM)
Agentless scanning    Agentless scanning for machines must be turned on. It's enabled by default in these plans, but if you need to turn it on manually, follow these instructions.
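A way to verify both prerequisites from the command line before working through the recommendations. This is an added example, not Microsoft's code: it shells out to the Azure CLI (`az security pricing show`) for the Defender for Servers (`VirtualMachines`) and Defender CSPM (`CloudPosture`) pricing entries and evaluates the result. The JSON shape it parses (`pricingTier`, `subPlan`, and an `extensions` list whose entries carry `name` and `isEnabled`) and the extension name `AgentlessVmScanning` are assumptions mirroring the Defender for Cloud pricings API; check them against your CLI's output.

```python
"""Prerequisite check for the EDR recommendations (added example, not
Microsoft's code). Reads the Defender for Servers and Defender CSPM pricing
entries with `az security pricing show` and applies the two requirements:
a qualifying plan (Servers Plan 2 or CSPM) and agentless scanning enabled.

Assumed CLI JSON shape (an assumption, mirroring the pricings API):
{"pricingTier": "Standard"|"Free", "subPlan": "P2"|"P1"|null,
 "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "True"}]}
"""
import json
import subprocess

SERVERS_PLAN = "VirtualMachines"        # Defender for Servers pricing name
CSPM_PLAN = "CloudPosture"              # Defender CSPM pricing name
AGENTLESS_EXT = "AgentlessVmScanning"   # assumed extension name for agentless scanning


def extension_enabled(pricing: dict, name: str) -> bool:
    """True when the named extension is present and enabled. The API reports
    isEnabled as the strings "True"/"False", so compare case-insensitively."""
    for ext in pricing.get("extensions") or []:
        if ext.get("name") == name:
            return str(ext.get("isEnabled", "")).lower() == "true"
    return False


def evaluate_prerequisites(servers: dict, cspm: dict) -> dict:
    """Servers Plan 2 or CSPM must be on, and agentless scanning must be
    enabled in at least one of the plans that is on."""
    servers_p2 = (servers.get("pricingTier") == "Standard"
                  and servers.get("subPlan") == "P2")
    cspm_on = cspm.get("pricingTier") == "Standard"
    agentless = ((servers_p2 and extension_enabled(servers, AGENTLESS_EXT))
                 or (cspm_on and extension_enabled(cspm, AGENTLESS_EXT)))
    findings = []
    if not (servers_p2 or cspm_on):
        findings.append("no qualifying plan: enable Defender for Servers Plan 2 or Defender CSPM")
    elif not agentless:
        findings.append("agentless scanning is off in the enabled plan(s); EDR settings are not assessed")
    return {
        "servers_plan2": servers_p2,
        "cspm": cspm_on,
        "agentless_scanning": agentless,
        "satisfied": (servers_p2 or cspm_on) and agentless,
        "findings": findings,
    }


def fetch_pricing(name: str) -> dict:
    """Run `az security pricing show` for one plan and parse its JSON output."""
    out = subprocess.run(
        ["az", "security", "pricing", "show", "--name", name, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Requires a signed-in Azure CLI with reader access to the subscription.
    result = evaluate_prerequisites(fetch_pricing(SERVERS_PLAN), fetch_pricing(CSPM_PLAN))
    print(json.dumps(result, indent=2))
```

Run it with the subscription selected in `az account set`; an empty `findings` list with `"satisfied": true` means the machines in that subscription can be assessed for EDR settings.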

Investigate EDR solution recommendations

  1. In Defender for Cloud, go to Recommendations.

  2. Search for and select one of the following recommendations:

    • EDR solution should be installed on Virtual Machines
    • EDR solution should be installed on EC2s
    • EDR solution should be installed on Virtual Machines (GCP)
  3. In the recommendation details, select the Healthy resources tab.

  4. The EDR solution deployed on the machine is displayed in the Discovered EDRs column.

    Screenshot of the Healthy resources tab, which shows where you can see which endpoint detection and response solution is enabled on your machine.
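The same investigation can be done in bulk with Azure Resource Graph instead of opening each recommendation in the portal. This is an added example, not Microsoft's code: it runs a KQL query through `az graph query` (Azure CLI resource-graph extension) that matches all three recommendations listed above by display name, then groups the rows by recommendation and status. It assumes the assessment records expose `properties.displayName`, `properties.status.code` and `properties.resourceDetails.Id`; if your tenant's records differ, adjust the `extend` line.

```python
"""Inventory of the EDR recommendations via Azure Resource Graph (added
example, not Microsoft's code). `summarize_assessments` is a pure function
over the query rows; `fetch_rows` obtains them with `az graph query`.

Assumptions: assessments carry properties.displayName, properties.status.code
and properties.resourceDetails.Id, and the three recommendations' display
names all start with "EDR solution should be installed".
"""
import json
import subprocess
from collections import defaultdict

EDR_QUERY = r'''
securityresources
| where type == "microsoft.security/assessments"
| extend displayName = tostring(properties.displayName),
         status = tostring(properties.status.code),
         resourceId = tostring(properties.resourceDetails.Id)
| where displayName startswith "EDR solution should be installed"
| project displayName, status, resourceId
'''


def summarize_assessments(rows):
    """Group rows by recommendation: count each status code and keep the
    resource IDs whose status is Unhealthy, i.e. those still to remediate."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(
            row["displayName"], {"counts": defaultdict(int), "unhealthy": []})
        status = row.get("status") or "Unknown"
        entry["counts"][status] += 1
        if status == "Unhealthy":
            entry["unhealthy"].append(row["resourceId"])
    # Convert to plain dicts and sort IDs so the output is stable.
    return {name: {"counts": dict(e["counts"]), "unhealthy": sorted(e["unhealthy"])}
            for name, e in summary.items()}


def fetch_rows():
    """Run the query with the Azure CLI and return the row list.
    `--first 1000` is the page size; larger estates need paging."""
    out = subprocess.run(
        ["az", "graph", "query", "-q", EDR_QUERY, "--first", "1000", "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)["data"]


if __name__ == "__main__":
    print(json.dumps(summarize_assessments(fetch_rows()), indent=2))
```

The `unhealthy` lists map directly onto the machines you then select under the recommendation's remediation actions; the `Healthy` count corresponds to the Healthy resources tab described above.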

Remediate EDR solution recommendations

  1. Select the relevant recommendation.

    Screenshot of the recommendations page showing the identified endpoint solution recommendations.

  2. Select the relevant action to see the remediation steps.

Enable Defender for Endpoint integration

This recommended action is available when Defender for Endpoint can be installed on a machine, and a supported non-Microsoft EDR solution isn't detected on the machine.

Enable Defender for Endpoint on the machine as follows:

  1. Select the affected machine. You can also select multiple machines with the Enable Microsoft Defender for Endpoint integration recommended action.

  2. Select Fix.

    Screenshot that shows where the fix button is located.

  3. In Enable EDR solution, select Enable. With this setting enabled, the Defender for Endpoint sensor is automatically installed on all Windows and Linux servers in the subscription.

    After the process is completed, it can take up to 24 hours until your machine appears in the Healthy resources tab.

    Screenshot that shows the pop-up window from which to enable the Defender for Endpoint integration.

Turn on a plan

This recommended action is available when:

  • A supported non-Microsoft EDR solution isn't detected on the machine.
  • A required Defender for Cloud plan (Defender for Servers Plan 2 or Defender CSPM) isn't enabled for the machine.

Fix the recommendation as follows:

  1. Select the affected machine. You can also select multiple machines with the Upgrade Defender plan recommended action.

  2. Select Fix.

    Screenshot that shows where the fix button is located on the screen.

  3. In Enable EDR solution, select a plan in the dropdown menu. Each plan comes with a cost. Learn more about pricing.

  4. Select Enable.

    Screenshot that shows the pop-up window that allows you to select which Defender for Servers plan to enable on your subscription.

After the process is completed, it can take up to 24 hours until your machine appears on the Healthy resources tab.

Troubleshoot Defender for Endpoint onboarding

This recommended action is available when Defender for Endpoint is detected on a machine but wasn't onboarded properly.

  1. Select the affected VM.

  2. Select Remediation steps.

    Screenshot that shows where the remediation steps are located in the recommendation.

  3. Follow the instructions to troubleshoot onboarding issues for Windows or Linux.

After the process is completed, it can take up to 24 hours until your machine appears in the Healthy resources tab.