Defender for Servers (Linux): Troubleshooting Onboarding Errors
When you use Defender for Servers in the enterprise across clouds and on-premises, both Plan 1 and Plan 2 also deploy Defender for Endpoint, giving you endpoint protection with Endpoint Detection and Response (EDR) and Threat Vulnerability Management (TVM). As part of these plans you can use Automatic Onboarding or Policy Remediation tasks that execute, register, and in some cases install (Server 2012 R2, Linux) Defender for Endpoint on the server. On Azure VMs and Arc-connected servers the deployment follows these steps:
The MDE.Windows extension is placed on the Azure VM or Arc-connected server in a Provisioning state.
The agent running in the OS then downloads the MDE onboarding script and executes it.
The MDE onboarding script runs through its checks, installs the Sense agent (Server 2012 R2) and registers Defender for Endpoint (Server 2012 R2 and later).
The script catches errors or completion and flags a return code.
The return code is sent back to the agent, and the MDE.Windows extension status is updated to Success or to the error code.
If an error occurs at any of those steps, the following can be used to troubleshoot it.
Troubleshooting Higher-level: Azure Management Plane
Leverage the Deployment for Endpoint Status Workbook for Defender for Cloud
Leverage the Enterprise Report on MDC - MDE VM Extension Failures PowerShell script to generate detailed error reporting on failed deployments
Troubleshooting Lower-level: Server OS Plane
(Azure VM only) Agent log:
/var/log/waagent.log
Azure VM / Arc-connected server MDE onboarding logs:
/var/log/azure/Microsoft.Azure.AzureDefenderForServers.MDE.Linux/CommandExecution.log
/var/log/azure/Microsoft.Azure.AzureDefenderForServers.MDE.Linux/MdeInstallerLog.log
mdatp agent logs:
/var/log/microsoft/mdatp
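The following POSIX shell script is an added example, not part of the original article or of Microsoft's tooling. It walks the Linux-side log locations listed above, counts error-like lines in each, pulls the last return code the onboarding script logged (the value the extension reports back to the management plane), and queries the agent's own health via the mdatp CLI when it is installed. The log paths are the ones named above; the error keywords, the "exit code N" pattern, and the sample lines used for testing are assumptions made for illustration and may need adjusting to what your logs actually contain.

```shell
#!/bin/sh
# Added example: one-pass triage of the Linux onboarding artifacts named in the article.

WAAGENT_LOG=/var/log/waagent.log
MDE_EXT_DIR=/var/log/azure/Microsoft.Azure.AzureDefenderForServers.MDE.Linux
MDATP_LOG_DIR=/var/log/microsoft/mdatp

# Print how many lines in the log $1 look like failures (case-insensitive).
# The keyword list is an assumption; extend it with strings seen in your own logs.
# Returns 1 (prints nothing) when the file does not exist.
count_error_lines() {
    [ -f "$1" ] || return 1
    grep -ciE 'error|fail|exit code [1-9]' "$1"
}

# Print the last "exit code N" or "return code N" value found in the log $1.
# Assumes the onboarding script logs its result in that form (assumption).
last_return_code() {
    [ -f "$1" ] || return 1
    grep -oiE '(exit|return) code [0-9]+' "$1" | tail -n 1 | grep -oE '[0-9]+$'
}

# Summarize every log in the order the deployment produces them, so the first
# file that is missing or non-zero tells you which step failed.
collect_mde_onboarding_state() {
    for f in "$WAAGENT_LOG" \
             "$MDE_EXT_DIR/CommandExecution.log" \
             "$MDE_EXT_DIR/MdeInstallerLog.log"; do
        if [ -f "$f" ]; then
            errs=$(count_error_lines "$f")
            code=$(last_return_code "$f" || true)
            printf '%s: %s error-like lines, last return code: %s\n' \
                "$f" "${errs:-0}" "${code:-none}"
        else
            printf '%s: not present (deployment may not have reached this step)\n' "$f"
        fi
    done

    # The agent's own logs only exist once the package was installed.
    if [ -d "$MDATP_LOG_DIR" ]; then
        printf '%s: %s files present\n' "$MDATP_LOG_DIR" "$(ls "$MDATP_LOG_DIR" | wc -l)"
    else
        printf '%s: not present (mdatp package not installed yet?)\n' "$MDATP_LOG_DIR"
    fi

    # mdatp health is the Linux agent's documented status command; "healthy" and
    # "org_id" distinguish an installed-but-not-onboarded agent from a working one.
    if command -v mdatp >/dev/null 2>&1; then
        printf 'mdatp healthy: %s\n' "$(mdatp health --field healthy 2>/dev/null)"
        printf 'mdatp org_id:  %s\n' "$(mdatp health --field org_id 2>/dev/null)"
    else
        printf 'mdatp CLI not found on PATH\n'
    fi
}

# Run the summary when executed directly (harmless when sourced for its functions).
[ "${MDE_TRIAGE_NO_RUN:-}" ] || collect_mde_onboarding_state
```

Run it as root on the affected VM or Arc-connected server and read the output top to bottom: a missing extension directory points at the provisioning step, a present CommandExecution.log with a non-zero return code points at the onboarding script, and an installed agent with an empty org_id points at registration rather than installation.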
Hopefully you will not run into errors, but if you do, the reports, paths, and logs above can help you understand the issue in more depth.