Microsoft Defender for Cloud – strategy and plan towards Log Analytics Agent (MMA) deprecation

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

The Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in August 2024. This post clarifies how Microsoft Defender for Cloud aligns with that plan and what it means for customers.

 

Two Defender for Cloud plans have features that rely on the Log Analytics agent: Defender for Servers Plan 2 and Defender for SQL servers on machines.

As part of an updated strategy, the Azure Monitor Agent (also known as AMA) will no longer be a requirement for the Defender for Servers offering, but it remains required for Defender for SQL servers on machines. As a result, the Defender for Servers features and capabilities outlined below, as well as the auto-provisioning process that installs and configures both agents (MMA/AMA), will be adjusted accordingly.

 

In this blog post we explain the deprecation and replacement plan for the features and product capabilities that depend on the Log Analytics agent and the Azure Monitor agent, for each of the Defender for Cloud plans.

 

Defender for Servers Plan 2 features
The following features will be deprecated in their Log Analytics agent version in August 2024 and will be delivered over a new alternative infrastructure before that date.

The list below details how each capability will be provided after the Log Analytics agent is retired:

  • Microsoft Defender for Endpoint (MDE) integration for down-level machines (Windows Server 2012 R2 and 2016) - The Defender for Endpoint integration in Defender for Servers that relies on the legacy MDE sensor and the Log Analytics agent will be deprecated in August 2024. The unified agent integration for Windows Server 2012 R2 and Windows Server 2016 is already GA and is required to maintain MDE support and receive the full extended feature set.
  • OS-level detections - All OS-level detections will be provided by MDE and are already GA. Detections based on the Log Analytics agent will be deprecated in August 2024. The full list of deprecated alerts will be shared soon.
  • Detections indicating anti-malware activity failures (by anti-malware publisher) - Detections indicating non-Microsoft anti-malware activity will be deprecated by the end of calendar year 2023. Detections indicating Microsoft anti-malware activity will be provided by MDE.
  • Adaptive Application Controls - The current GA version based on the Log Analytics agent will be deprecated in August 2024, as will the preview version based on the Azure Monitor agent. The next generation of this feature is under evaluation; further information will be provided soon.
  • Endpoint protection discovery recommendations - The current GA and preview recommendations to install endpoint protection and fix health issues in the detected solutions will be deprecated in August 2024. A new agentless version covering discovery and configuration gaps will be provided by April 2024. As part of this upgrade, the feature will be a component of Defender for Servers Plan 2 and Defender CSPM, and it won't cover on-premises or Azure Arc-enabled servers.
  • Missing OS patches (system updates) - The GA system update recommendations based on the Log Analytics agent will be deprecated in August 2024. A new GA version is already available, based on an integration with Update Management Center and relying on the native capabilities available for all Azure VMs and Azure Arc-enabled servers.
  • OS misconfigurations (security baselines) - The current GA version based on the Log Analytics agent will be deprecated in August 2024. A new version based on an integration with MDVM premium capabilities will be provided by April 2024. As part of this upgrade, the feature will be a component of Defender for Servers Plan 2. The preview version available today over the Guest Configuration agent will be deprecated once the MDVM-based alternative is available.
  • File Integrity Monitoring (FIM) - The current GA version based on the Log Analytics agent will be deprecated in August 2024; a new agent-based or agentless version will be provided by April 2024.
  • The 500 MB data-ingestion benefit for the defined tables remains supported over the AMA agent for machines under subscriptions covered by Defender for Servers Plan 2. Each machine is eligible for the benefit only once, even if both the Log Analytics agent and the Azure Monitor agent are installed on it.

Note: Except for the 500 MB data-ingestion benefit mentioned above, the Azure Monitor Agent (AMA) is no longer required to receive the full Defender for Servers offering.

 

To ensure your servers are secured, receive all the security content of Defender for Servers, and stay up to date with the alternative deliverables, verify that Defender for Endpoint (MDE) integration and agentless disk scanning are enabled on your subscriptions.

See the Defender for Cloud documentation for details on enabling MDE integration and on enabling agentless scanning.

 

Log Analytics and Azure Monitor agents auto-provisioning experience

  • The MMA auto-provisioning mechanism and its related policy initiative will remain optional until August 2024.
  • In October 2023, the current shared 'Log Analytics agent'/'Azure Monitor agent' auto-provisioning mechanism will be updated to apply to the 'Log Analytics agent' only. The 'Azure Monitor agent' (Public Preview) policy initiatives will be deprecated.
  • The AMA auto-provisioning mechanism will still serve current customers who have the (Public Preview) policy initiative enabled, but they will not be eligible for support. To disable 'Azure Monitor agent' provisioning, manually remove the policy initiative.
  • Where MMA auto-provisioning is enabled and AMA is already installed on a machine, MMA won't be provisioned and AMA will remain functional.

 

What should I do next?

For Defender for Servers customers, we advise enabling Defender for Endpoint integration and agentless disk scanning, both included in the Defender for Servers offering at no additional cost. This ensures your servers are fully secured, leverage all the relevant security content, and are up to date with the new alternative deliverables.

 

What happens to my machines using MMA after it is deprecated?

After MMA deprecation in August 2024, Microsoft will no longer provide any support for the Log Analytics agent. Therefore, Defender for Servers customers are encouraged to ensure they are protected with Defender for Endpoint integration within Defender for Servers, as well as agentless disk scanning, prior to the deprecation date.

 

Should I migrate from MMA to AMA?

For the Defender for Servers offering, we do not recommend migrating to AMA, because the plan's features and capabilities will not reach GA on top of it. We recommend staying on MMA for Defender for Servers features until they are provided over the alternative infrastructures. For capabilities other than Defender for Servers, deploy AMA as an additional agent.

 

Can I run MMA and AMA side by side? What is the impact?

You can run both the Log Analytics agent and the Azure Monitor agent on the same machine. Each machine is billed once in Defender for Cloud, but note that this may result in certain recommendations or alerts being duplicated. When both agents run on a machine, we recommend avoiding duplicate data collection by sending the data to different workspaces or, alternatively, disabling security event data collection by MMA. For further information, see the migration guide and the impact of running both agents.
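A practical check for the two answers above (which machines are still MMA-only and will lose support in August 2024, and which run both agents and risk duplicated alerts), as an added example that is not part of the original post. It reads the per-VM extension list that `az vm extension list` returns and maps each VM to the guidance in this post. Assumptions: the extension publisher/type names and the `typePropertiesType` key are what the Azure CLI emits for these agents today (verify against your own tenant), and the inventory is constructed sample data, not output from a real subscription.

```python
"""Classify VMs by installed monitoring/security agents for the MMA retirement."""
import json

# Extension publisher/type pairs for each agent family. Assumption: these are the
# names Azure uses for the extensions; check them with `az vm extension list`.
MMA = {("Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent"),
       ("Microsoft.EnterpriseCloud.Monitoring", "OmsAgentForLinux")}
AMA = {("Microsoft.Azure.Monitor", "AzureMonitorWindowsAgent"),
       ("Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent")}
MDE = {("Microsoft.Azure.AzureDefenderForServers", "MDE.Windows"),
       ("Microsoft.Azure.AzureDefenderForServers", "MDE.Linux")}


def installed_agents(extensions):
    """Return the set of agent families ({"MMA", "AMA", "MDE"}) present on one VM.

    `extensions` is the JSON list from `az vm extension list`. Only extensions whose
    provisioning succeeded count: a failed agent install is not protection. The CLI
    exposes the extension type under `typePropertiesType` (assumption); the plain
    `type` key holds the ARM resource type and is ignored here.
    """
    present = set()
    for ext in extensions:
        if ext.get("provisioningState") != "Succeeded":
            continue
        key = (ext.get("publisher"), ext.get("typePropertiesType"))
        for name, family in (("MMA", MMA), ("AMA", AMA), ("MDE", MDE)):
            if key in family:
                present.add(name)
    return present


def assess(agents):
    """Map an agent set to (status, action) following the guidance in this post."""
    has_mma, has_ama, has_mde = "MMA" in agents, "AMA" in agents, "MDE" in agents
    if has_mma and has_ama:
        status = "both"
        action = ("duplicate alerts/recommendations possible: send the agents to "
                  "different workspaces or disable security event collection on MMA")
    elif has_mma:
        status = "mma-only"
        action = ("MMA unsupported after August 2024; do not migrate to AMA for "
                  "Defender for Servers features")
    elif has_ama:
        status = "ama-only"
        action = "AMA-based previews stay supported until the MDE/agentless replacements ship"
    else:
        status = "no-agent"
        action = "no Log Analytics or Azure Monitor agent present"
    if not has_mde:
        action += "; enable Defender for Endpoint integration (and agentless scanning)"
    return status, action


def assess_inventory(inventory):
    """inventory: {vm_name: extension_list} -> {vm_name: (status, action)}."""
    return {vm: assess(installed_agents(exts)) for vm, exts in inventory.items()}


def _ext(publisher, ext_type, state="Succeeded"):
    # Only the keys the check reads are kept from the real CLI output.
    return {"publisher": publisher, "typePropertiesType": ext_type,
            "provisioningState": state}


def sample_inventory():
    """Constructed sample: trimmed `az vm extension list` output for four VMs."""
    text = json.dumps({
        "web01": [_ext("Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent"),
                  _ext("Microsoft.Azure.Monitor", "AzureMonitorWindowsAgent"),
                  _ext("Microsoft.Azure.AzureDefenderForServers", "MDE.Windows")],
        "db02": [_ext("Microsoft.EnterpriseCloud.Monitoring", "MicrosoftMonitoringAgent")],
        "app03": [_ext("Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent"),
                  _ext("Microsoft.Azure.AzureDefenderForServers", "MDE.Linux")],
        # A failed OmsAgentForLinux install: provides no coverage and is not counted.
        "legacy04": [_ext("Microsoft.EnterpriseCloud.Monitoring", "OmsAgentForLinux", "Failed")],
    })
    return json.loads(text)  # round-trip to mimic reading the CLI's JSON


if __name__ == "__main__":
    for vm, (status, action) in assess_inventory(sample_inventory()).items():
        print(f"{vm:10} {status:9} {action}")
```

To run it against a real subscription, replace `sample_inventory()` with the parsed output of `az vm extension list --resource-group <rg> --vm-name <vm>` for each machine (Azure Arc-enabled servers expose their extensions through `az connectedmachine extension list` instead); the classification and the actions are unchanged.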

 


Do my machines using AMA remain secure? What should I do with my machines that have AMA installed?

Machines with AMA installed will remain protected with Defender for Servers features that are based on AMA public preview. These features will remain supported until an alternative version is provided based on Defender for Endpoint (MDE) integration or Agentless disk scanning platform. We recommend ensuring these capabilities are enabled as part of Defender for Servers plans to be fully secured. Timelines regarding each feature’s availability in the new alternative infrastructure will be shared soon.

 

What happens to current Defender for Servers customers using the shared MMA/AMA auto-provisioning process after it is deprecated?

Auto-provisioning of the Azure Monitor Agent will no longer be available for Defender for Servers customers starting October 2023. After that, only MMA auto-provisioning will be available for machines through the Defender for Cloud portal. Existing Defender for Servers customers that have the 'Azure Monitor agent' preview policy initiatives configured remain supported until August 2024. To disable 'Azure Monitor agent' provisioning, manually remove the policy initiative.

 

How do I make sure my down-level machines (Windows Server 2012 R2 and Windows Server 2016) remain fully protected?

The unified agent integration for Windows Server 2012 R2 and Windows Server 2016 is already GA. We recommend enabling the unified solution integration as soon as possible, as it removes all dependencies on the Log Analytics agent for onboarding and integrating into Defender for Cloud. In addition, the new Defender for Endpoint unified solution adds a variety of improvements over the legacy solution, such as Tamper Protection, EDR in block mode, improved detection capabilities, and more. For a full list of improvements, see the documentation.

 
