MDE not recognized as EDR by MDC
Hi,
My Windows VMs are onboarded in MDE, but MDC reports them in the "EDR solution should be installed on Virtual Machines" recommendation as "Not applicable resources", and the reason given is "VM is missing data or not supported". I looked for "VM is missing data or not supported" in search engines and got 0 results.
Any ideas?
Best regards,
François
Azure Virtual Machines
Microsoft Defender for Cloud
-
Sai Krishna Katakam 700 Reputation points • Microsoft Vendor
2024-09-13T20:58:20.9066667+00:00 Hi Dufour, Francois,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
The issue you're seeing ("VM is missing data or not supported") usually happens due to missing or incorrect data being passed from Microsoft Defender for Endpoint (MDE) to Microsoft Defender for Cloud (MDC). Here's what to check:
VM compatibility: make sure the VMs are running supported OS versions and have the MDE agent installed properly.
Verify that the integration between MDE and MDC is correctly set up, and that MDE is configured as the active EDR solution.
Data collection: make sure the Microsoft Monitoring Agent (MMA) is installed and working to send data from the VMs to MDC.
Please check that the VMs have the correct licenses for both MDE and MDC.
For more details, you can refer to Enable the Defender for Endpoint integration. If you have any further queries, do let us know. If the comment is helpful, please click "Upvote".
-
Dufour, Francois 46 Reputation points
2024-09-16T09:55:54.4566667+00:00 Hi, thanks for your answer, here are my inputs to your points:
VM compatibility, make sure the VMs are running supported OS versions and have the MDE agent installed properly: only Windows Server 2019 and 2022.
Verify that the integration between MDE and MDC is correctly set up, and MDE is configured as the active EDR solution: MDC is configured to install AMA on servers, Endpoint Protection status is ON, and servers are correctly onboarded and appear in the security portal.
Data collection, make sure the Microsoft Monitoring Agent (MMA) is installed and working to send data from the VMs to MDC: I'm not totally sure what I have to check here; isn't the MMA agent supposed to be deprecated (or almost)? We are using the Azure Monitor Agent (AMA); it's sending data to a workspace. Maybe there are some tables I'm supposed to find in the workspace to check that it's correctly sending data? I also see some default security DCR that is applied to my VMs.
Please check the VMs have the correct licenses for both MDE and MDC: using MDC P2, so MDE for servers is included.
-
Sai Krishna Katakam 700 Reputation points • Microsoft Vendor
2024-09-16T21:10:22.68+00:00 Hi Dufour, Francois,
VM compatibility: your VMs (Windows Server 2019 and 2022) are fully supported by both Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud (MDC), so compatibility is not an issue.
Integration between MDE and MDC: since MDC is set up with Azure Monitor Agent (AMA) and Endpoint Protection is enabled, the integration should be working as expected. We can now focus on data collection to ensure proper synchronization.
Data collection (AMA vs MMA): you're correct that Microsoft is transitioning from Microsoft Monitoring Agent (MMA) to Azure Monitor Agent (AMA). Since AMA is being used:
- Confirm the Security Monitoring Data Collection Rule (DCR) is correctly applied to your VMs. This ensures that security-related data is being collected.
- In your Log Analytics workspace, check the following tables:
  - Heartbeat: verifies that the VMs are online and sending data.
  - SecurityAlert and SecurityEvent: these tables track security events and alerts from your VMs.
If these tables have up-to-date data, then AMA is functioning correctly.
Licensing: since you're using Microsoft Defender for Cloud P2, which includes MDE for servers, licensing is correct, so that is not the issue.
For more info, please refer to: Azure Monitor Agent overview, Standard columns in Azure Monitor Logs, Collect data with Azure Monitor Agent.
If you have any further queries, do let us know. If the comment is helpful, please click "Upvote".
-
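The checks in the reply above (DCR association on each VM, Heartbeat freshness, SecurityEvent arriving in the workspace) can be scripted instead of clicked through. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it assumes the Az.Accounts, Az.Compute, Az.Monitor and Az.OperationalInsights modules are installed and that Connect-AzAccount has already been run. The resource group name, the workspace customer ID and the loose "Defender" match on the DCR name are placeholders and assumptions.

```powershell
# Added example (not from the original thread). Verifies the AMA data path that
# Defender for Cloud relies on: DCR associations per VM, then Heartbeat and
# SecurityEvent freshness in the Log Analytics workspace.
# Assumes: Az.Accounts, Az.Compute, Az.Monitor, Az.OperationalInsights; Connect-AzAccount done.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder: RG holding the VMs
    [Parameter(Mandatory)] [string] $WorkspaceId      # placeholder: workspace customer ID (GUID)
)

# 1. Which Data Collection Rules are associated with each Windows VM?
$vms = Get-AzVM -ResourceGroupName $ResourceGroup |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

$dcrReport = foreach ($vm in $vms) {
    $assocs = @(Get-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id)
    [pscustomobject]@{
        VM             = $vm.Name
        DcrCount       = $assocs.Count
        # Assumption: the MDC-created security DCR carries "Defender" in its resource ID.
        # Adjust the pattern to the DCR name you actually see in the portal.
        HasDefenderDcr = [bool]($assocs | Where-Object { $_.DataCollectionRuleId -match 'Defender' })
        DcrIds         = ($assocs | ForEach-Object { $_.DataCollectionRuleId }) -join '; '
    }
}
$dcrReport | Format-Table -AutoSize

# 2. Is each computer's heartbeat fresh, and is SecurityEvent arriving via AMA?
#    A full outer join surfaces VMs that heartbeat but send no security events, and vice versa.
$kql = @'
let hb = Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer;
SecurityEvent
| where TimeGenerated > ago(24h)
| summarize SecurityEvents24h = count(), LastSecurityEvent = max(TimeGenerated) by Computer
| join kind=fullouter hb on Computer
| project Computer = coalesce(Computer, Computer1), LastHeartbeat, SecurityEvents24h, LastSecurityEvent
| order by Computer asc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$result.Results | Format-Table -AutoSize
```

A VM with a DCR association but no row in the query output is the case to chase first: the rule is attached but the agent is not delivering data. Note that SecurityEvent is populated by the DCR's Windows security event stream; SecurityAlert only appears once Defender for Cloud has raised at least one alert, so an absent SecurityAlert table is not by itself evidence of a broken pipeline.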
Dufour, Francois 46 Reputation points
2024-09-17T08:04:27.3466667+00:00 Thank you for your answer Sai,
I just checked: the security DCR is applied on all the machines, Heartbeat is "fresh", and I've got lots of data in the SecurityEvent table. I don't have any SecurityAlert table, but I guess it just means I don't have any alerts here? So my understanding is that the AMA side is OK.
So to sum up, Integration is ok, licensing is ok, VMs are compatible and data collection is ok. What am I missing ? :(
Best regards,
François
-
Sai Krishna Katakam 700 Reputation points • Microsoft Vendor
2024-09-17T20:14:41.1733333+00:00 Hi Dufour, Francois,
It seems like everything is set up correctly: integration, licensing, VM compatibility and data collection are all good. Here are a few additional things to check:
Make sure Microsoft Defender for Servers is enabled for your subscription and resource groups. To verify:
Go to Microsoft Defender for Cloud > Environment settings and check if the plan is enabled for your subscription.
Ensure that MDE is selected as the active Endpoint Detection and Response (EDR) solution in the Microsoft Defender for Cloud settings.
If you don't see data in the SecurityAlert table, it likely means no alerts have been triggered, which is normal if there haven't been any security incidents. However, ensure that Defender for Servers is properly configured to surface alerts.
- Check that there are no policy violations for security monitoring or EDR solutions in Azure Policy that might affect the VMs.
For more details, you can refer to: Microsoft Defender for Servers.
If you have any further queries, do let us know. If the comment is helpful, please click "Upvote".
-
Dufour, Francois 46 Reputation points
2024-09-18T09:07:47.88+00:00 Thanks for your answer, here are my inputs:
Go to Microsoft Defender for Cloud > Environment settings and check if the plan is enabled for your subscription: it is On
Ensure that MDE is selected as the active Endpoint Detection and Response (EDR) solution in the Microsoft Defender for Cloud settings: I didn't know it had to be done manually? I thought there was a set of validated EDRs that MDC was able to detect. Where is that setting?
However, ensure that Defender for Servers is properly configured to surface alerts: where should I check that configuration?
Check that there are no policy violations for security monitoring or EDR solutions in Azure Policy that might affect the VMs: I guess there are not...
Best regards,
François
-
Sai Krishna Katakam 700 Reputation points • Microsoft Vendor
2024-09-18T20:18:17.04+00:00 Hi Dufour, Francois,
To ensure that MDE is selected as the active Endpoint Detection and Response (EDR) solution in Microsoft Defender for Cloud settings, follow these steps:
- Navigate to Microsoft Defender for Cloud.
- Go to Environment settings.
- Select the relevant subscription.
- Under Defender plans, ensure that the toggle for Microsoft Defender for Endpoint is turned on.
For detailed instructions, refer to the Enable the Defender for Endpoint integration.
To ensure that Defender for Servers is properly configured to surface alerts, you need to:
- Navigate to Microsoft Defender for Cloud.
- Go to Environment settings.
- Select the relevant subscription.
- On the Defender plans page, toggle the Servers switch to On.
For detailed instructions, refer to the Deploy Defender for Servers.
If you have any further queries, do let us know. If the comment is helpful, please click "Upvote".
-
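The two portal procedures in the reply above (confirm the Defender for Endpoint integration toggle, confirm the Servers plan is on) map onto the Az.Security module, and the same module exposes the recommendation's per-resource status, including the "Cause" and "Description" text that the portal shows under "Not applicable resources". The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes Az.Accounts and Az.Security are installed, Connect-AzAccount has been run against the right subscription, and the account has Security Reader on it. The recommendation is matched on its display name because its assessment key is not given on this page.

```powershell
# Added example (not from the original thread). Read-only checks for the
# subscription-level settings discussed above, plus the per-VM assessment status
# behind the "EDR solution should be installed on Virtual Machines" recommendation.
# Assumes: Az.Accounts and Az.Security; Connect-AzAccount done; Security Reader rights.

# 1. Defender for Servers plan: tier should be Standard, sub-plan P1 or P2.
$serversPlan = Get-AzSecurityPricing -Name 'VirtualMachines'
[pscustomobject]@{
    Plan        = $serversPlan.Name
    PricingTier = $serversPlan.PricingTier   # 'Free' means Defender for Servers is off
    SubPlan     = $serversPlan.SubPlan       # 'P1' or 'P2' when PricingTier is 'Standard'
} | Format-List

# 2. Defender for Endpoint integration (the "WDATP" setting) must be enabled
#    for MDE onboarding state to flow back into Defender for Cloud.
$mdeSetting = Get-AzSecuritySetting -SettingName 'WDATP'
"MDE integration (WDATP) enabled: $($mdeSetting.Enabled)"

# 3. Per-resource status of the EDR recommendation. Status.Code is Healthy,
#    Unhealthy or NotApplicable; Cause/Description carry the reason text shown in the portal.
#    Display-name match is an assumption; the assessment key is not on this page.
$edrAssessments = Get-AzSecurityAssessment |
    Where-Object { $_.DisplayName -like 'EDR solution should be installed on Virtual Machines*' }

$edrAssessments | ForEach-Object {
    [pscustomobject]@{
        Resource    = ($_.ResourceDetails.Id -split '/')[-1]
        Status      = $_.Status.Code
        Cause       = $_.Status.Cause
        Description = $_.Status.Description
    }
} | Sort-Object Status, Resource | Format-Table -AutoSize
```

If step 1 shows Standard/P2 and step 2 shows True while step 3 still reports NotApplicable with "VM is missing data or not supported", the subscription-level configuration is not the problem and the remaining suspect is the per-VM signal that MDC consumes from MDE, which is the point at which a support case with the assessment output attached is the practical next step.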
Sai Krishna Katakam 700 Reputation points • Microsoft Vendor
2024-09-19T18:34:33.28+00:00 Hi Dufour, Francois,
Just checking in to see if you had a chance to review my comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.
If you found the information useful, please click "Upvote" on the post to let us know.
Thank You.
-
Dufour, Francois 46 Reputation points
2024-09-20T07:55:29.8466667+00:00 Hi Sai, I'm still at the same point. I will try to contact MS Support I guess.