Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Windows Defender for Endpoint without Azure Arc with Direct Onboarding

  • July 11, 2023
  • 15 min read
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com


Microsoft has introduced a new and exciting feature for using Defender for Endpoint – Direct Onboarding for Defender for Endpoint. This feature simplifies onboarding hybrid servers by eliminating the need for Azure Arc.

Why is Hybrid Management of Endpoints Necessary?

Before delving into the specific benefits of Windows Defender for Endpoint, it’s important to understand why hybrid endpoint management is essential in today’s cloud-centric infrastructure. During digital transformation, businesses increasingly adopt hybrid environments where resources span both on-premises and cloud platforms. It requires hybrid management of endpoints for several reasons.

First, it is vital to maintain a unified security posture. It involves enforcing consistent security policies across all endpoints, regardless of location. This approach helps reduce security gaps that adversaries could exploit when workers are not working on-premises, helping to strengthen an organization’s overall security stance.

Second, hybrid management enhances visibility and operational efficiency. By managing all endpoints from a single platform, IT teams gain a comprehensive view of all devices within the organization’s network, simplifying asset tracking and threat detection. It also streamlines processes such as updates and policy enforcement, leading to significant time and cost savings.

Lastly, a hybrid approach ensures the flexibility and scalability to adapt and grow with organizational needs. This aspect is crucial in today’s dynamic work environments, characterized by trends such as remote work and Bring Your Own Device (BYOD) policies.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based next-generation protection, rich APIs, and unified security management.

Microsoft Defender for EndpointMicrosoft Defender for Endpoint

It provides preventative protection, post-breach detection, automated investigation, and response capabilities. It leverages the power of the Microsoft Intelligent Security Graph to assist enterprises in defending against threats. This platform is designed to help security teams prevent, detect, investigate, and respond to advanced threats, and it is a key component of Microsoft’s overall security solutions.

What is Azure Arc?

Azure Arc is a service from Microsoft Azure that enables users to manage and govern across on-premises, edge locations, and multi-cloud environments. It provides a single control plane to manage resources, regardless of location.

Azure Arc allows you to extend Azure management and Azure services anywhere. With Azure Arc, you can manage Windows and Linux machines hosted outside of Azure, on your corporate network, or another cloud provider, similar to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure.

Microsoft Azure Arc provides an entire suite of tools to manage resources across your hybrid cloudsMicrosoft Azure Arc provides an entire suite of tools to manage resources across your hybrid clouds

What new feature is being introduced?

Before this update, onboarding hybrid servers to Defender for Servers with Microsoft Defender for Endpoint (MDE) required Azure Arc as a prerequisite for deployment. However, Azure Arc introduces complexities such as additional management, maintenance, and auditing, which some organizations might find unnecessary or cumbersome.

To address this, Microsoft developed the Direct Onboarding feature, which allows organizations to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc​​.

How Direct Onboarding Works

Direct Onboarding is an opt-in feature you can enable at the tenant level. Once enabled, it affects existing and new servers onboarded to the Defender for Endpoint tenants. This process allows for seamless integration between Defender for Endpoint and Defender for Cloud without the need for additional deployment of agents. Once the Direct Onboarding feature is enabled, the machines part of Defender for Endpoint is synced to Defender for Cloud inventory in a designated Azure Subscription​​.

Enabling Direct Onboarding

To enable Direct Onboarding, go to the Defender for Cloud portal, select Environment Settings, and switch the Direct Onboarding toggle to On. After that, you must choose the Azure subscription you’d like to use for servers onboarded directly with Defender for Endpoint. After this process, it may take up to 24 hours to see your non-Azure servers in your designated subscription​.

Below is the Direct Onboarding button in the Environment settings for Microsoft Defender for Cloud.

Configuring Direct OnboardingConfiguring Direct Onboarding

Toggle on the Direct onboarding option and select the designated subscription.

Toggle on the Direct onboarding option and select the designated subscription

Benefits of Direct Onboarding

The Direct Onboarding feature is ideal for customers with mixed and hybrid server estates who wish to consolidate server protection under Defender for Servers. It supports the same degree of data integration between Microsoft Defender for Cloud (MDC) and MDE as the Azure Arc/Defender for Servers method.

Importantly, it does not require additional software deployment on your servers, and it automatically shows your non-Azure server devices onboarded to Defender for Endpoint in Defender for Cloud under a designated Azure Subscription you configure​.

Limitations of Direct Onboarding

While Direct Onboarding offers several benefits, it’s important to note its limitations. For instance, certain Defender for Servers Plan 2 features still require the Azure Monitor Agent deployment, which is only available with Azure Arc on non-Azure machines.

In addition, while it is possible to directly onboard VMs in AWS and GCP using the Defender for Endpoint agent, if you plan to simultaneously connect your AWS or GCP account to Defender for Servers using multi-cloud connectors, it’s currently still recommended to deploy Azure Arc. Lastly, there may be limitations in certain server deployment use cases where Defender for Cloud cannot correlate your machines, which might result in overcharges on specific devices if direct onboarding is also enabled on your tenant.

Learn more about the limitations and other considerations here: Onboard non-Azure machines with Defender for Endpoint | Microsoft Learn.

Frequently Asked Questions (FAQs)

Can I onboard my non-Azure servers directly to Defender for Endpoint without Azure Arc?

Yes, with the new Direct Onboarding feature, you can onboard your non-Azure servers directly to Defender for Endpoint without needing Azure Arc. It simplifies the onboarding process, especially for organizations that do not require the additional controls and management that come with Azure Arc​​.

How do I enable Direct Onboarding?

You can enable Direct Onboarding by going to the Defender for Cloud portal, selecting Environment Settings, and switching the Direct Onboarding toggle to On. Afterward, you’ll need to choose the Azure subscription you’d like to use for servers onboarded directly with Defender for Endpoint​.

Does Direct Onboarding have any limitations?

Yes, there are some limitations to Direct Onboarding. For instance, certain Defender for Servers Plan 2 features still require the Azure Monitor Agent deployment, which is only available with Azure Arc on non-Azure machines. There may also be limitations in certain server deployment use cases where Defender for Cloud cannot correlate your machines, potentially resulting in overcharges on specific devices if direct onboarding is also enabled on your tenant​​.

What is the difference between Direct Onboarding and using Azure Arc for onboarding?

Direct Onboarding allows organizations to onboard on-premises Windows and Linux servers to Defender for Servers without Azure Arc, simplifying the onboarding process and avoiding the additional controls and management associated with Azure Arc. However, Azure Arc is still required for full server management capabilities and certain Defender for Servers Plan 2 features​.

Do I still need Azure Arc if I enable Direct Onboarding?

While Direct Onboarding can sometimes eliminate the need for Azure Arc, Azure Arc is still necessary for full server management capabilities and for accessing certain Defender for Servers Plan 2 features. If you plan to simultaneously connect your AWS or GCP account to Defender for Servers using multi-cloud connectors, deploying Azure Arc is still recommended.

Wrapping Up

Onboarding non-Azure servers to Microsoft Defender for Endpoint has been significantly simplified with the introduction of the Direct Onboarding feature. With this new feature, you can now onboard your on-premises Windows and Linux servers directly to Defender for Endpoint, bypassing the need for Azure Arc in many cases.

It has made it easier for organizations with hybrid server estates to consolidate their server protection under Defender for Servers while providing a unified offering for cloud and non-cloud assets. The process is straightforward and once enabled, your servers will be synced under the designated Azure subscription, giving you licensing, billing, alerts, and security insights.

However, it’s important to note that Azure Arc still has its place. For complete server management capabilities, as well as access to certain features in Defender for Servers Plan 2, Azure Arc is still necessary. It will be interesting to see how the Direct onboarding features continue evolving and if future releases overcome the current limitations.

Hey! Found Brandon’s insights useful? Looking for a cost-effective, high-performance, and easy-to-use hyperconverged platform?
Taras Shved
Taras Shved StarWind HCI Appliance Product Manager
Look no further! StarWind HCI Appliance (HCA) is a plug-and-play solution that combines compute, storage, networking, and virtualization software into a single easy-to-use hyperconverged platform. It's designed to significantly trim your IT costs and save valuable time. Interested in learning more? Book your StarWind HCA demo now to see it in action!