The vm-with-mde template fails to install the windows extension #3

Closed
vinayakhub opened this issue Dec 10, 2021 · 10 comments

@vinayakhub

vinayakhub commented Dec 10, 2021

When deploying the VirtualMachine/vm-with-mde/azuredeploy.json ARM template, the Windows extension installation fails. The error message is:

##[error]VMExtensionProvisioningError: VM has reported a failure when processing extension 'MDE.Windows'. Error message: "Failed to configure Microsoft Defender for Endpoint: You cannot call a method on a null-valued expression.
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)"
@azsec
Owner

azsec commented Dec 11, 2021

Hi @vinayakhub

Could you check the extension handler log at this path: "C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\{version}\MdeExtensionHandlerLog.log"?

Is there any hint from the log?

@vinayakhub
Author

Hi @azsec ,

I see the log starts with this.

Below is the error I see.

[2021-12-11 14:05:37Z][Information] Start executing handler action: install
[2021-12-11 14:05:37Z][Information] Nothing to install. MDE configuration will occur in 'enable'
[2021-12-11 14:05:37Z][Information] End executing handler action: install
[2021-12-11 14:05:44Z][Information] Start executing handler action: enable
.
.
.
.
.
and then has the error from my previous comment. Is it failing to look up the endpoint (which is of my VM)?

@azsec
Owner

azsec commented Dec 11, 2021

What do you see in this file? "C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.1.1\RuntimeSettings\0.settings"

The script threw the exception without telling exactly where it got stuck. I'm trying to find that. There could be something below missing:

$securityWorkspaceId = $handlerSettings['publicSettings'][$script:SecurityWorkspaceIdParameterName]
$securityAgentId = $handlerSettings['publicSettings'][$script:SecurityAgentIdParameterName]
		
Verify-SecurityIdentifiers $securityWorkspaceId $securityAgentId
		
Write-Log "Setting identifiers in registry"
		
Create-MdeRegPathIfNeeded $script:MDERegistryPath
Create-MdeRegPathIfNeeded $script:MDERegistryIdentifiersPath

$MDERegistryPathItem = Get-ItemProperty -Path $script:MDERegistryIdentifiersPath
		
AddOrUpdate-MdeRegKeyValue $MDERegistryPathItem $script:AzureResourceIdentifierName $azureResourceId
AddOrUpdate-MdeRegKeyValue $MDERegistryPathItem $script:SecurityWorkspaceIdentifierName $securityWorkspaceId
		
$params = New-Object System.Object
$params | Add-Member -MemberType NoteProperty -Name "azureResourceId" -Value $azureResourceId
$params | Add-Member -MemberType NoteProperty -Name "securityWorkspaceId" -Value $securityWorkspaceId
$params | Add-Member -MemberType NoteProperty -Name "osDetails" -Value $script:OsDetails
		
if ($securityAgentId) {
  AddOrUpdate-MdeRegKeyValue $MDERegistryPathItem $script:SecurityAgentIdentifierName $securityAgentId
  $params | Add-Member -MemberType NoteProperty -Name "securityAgentId" -Value $securityAgentId
}
		
if ($onboardingPackageOperationResultCode) {
  $params | Add-Member -MemberType NoteProperty -Name "onboardingPackageOperationResultCode" -Value $onboardingPackageOperationResultCode
}

@vinayakhub
Author

The 0.settings file contains the settings under the "settings" block of the ARM template.

{
  "runtimeSettings": [
    {
      "handlerSettings": {
        "publicSettings": {
          "azureResourceId": "/subscriptions/<subId>/resourceGroups/<rg-name>/providers/Microsoft.Compute/virtualMachines/<vmname>",
          "defenderForServersWorkspaceId": "<workspaceId>",
          "forceReOnboarding": false
        }
      }
    }
  ]
}

@azsec
Owner

azsec commented Dec 12, 2021

It looks like the important information which is protectedSettings is missing. Which OS did you use?

I don't have any issue so far. The deployment succeeded and MDE was installed successfully. My environment isn't special. It doesn't even have Microsoft Defender 365 licensed. It is just a testing environment. Below is my settings file:

{
  "runtimeSettings": [
    {
      "handlerSettings": {
        "protectedSettingsCertThumbprint": "REDACTED",
        "protectedSettings": "REDACTED",
        "publicSettings": {
          "azureResourceId": "/subscriptions/REDACTED/resourceGroups/AZSEC-CORPORATE-RG/providers/Microsoft.Compute/virtualMachines/accord2015-vm",
          "defenderForServersWorkspaceId": "REDACTED"
        }
      }
    }
  ]
}

@vinayakhub
Author

You're correct. It was missing the protectedSettings property. However, it was not present in the Windows template that I referred to. Looks like the Windows template behaved the same way as the Linux template. I had to add an empty protectedSettings property and it worked fine. Thank you for your help. You can close this issue as resolved.

@azsec
Owner

azsec commented Dec 12, 2021

Thanks for your confirmation @vinayakhub. That's weird because protectedSettings is supposed to be created by Azure. Could you share the part of the extension where you added protectedSettings?

Thank you

@vinayakhub
Author

vinayakhub commented Dec 12, 2021

Below is the full resource definition.

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-03-01",
  "location": "canadacentral",
  "name": "[concat(parameters('virtualMachineName'),'/MDE.Windows')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",
      "defenderForServersWorkspaceId": "<('workspaceId')",
      "forceReOnboarding": false
    },
    "protectedSettings": {}
  }
}

@azsec azsec closed this as completed Dec 12, 2021
@helderpinto

It turns out the MDE extension deployment is now returning the error below. I tried the same deployment via the Set-AzVmExtension PowerShell cmdlet and got the very same error. Any idea of what changed in one month?

Status Message: VM has reported a failure when processing extension 'MDE.Windows'. Error message: "Failed to configure Microsoft Defender for Endpoint: Protected Setting defenderForEndpointOnboardingScript does not exist, please use mdeOnboardings API to retreive it (https://docs.microsoft.com/en-us/rest/api/securitycenter)"

@anmolbabu

I tried:

{
  "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
  "apiVersion": "2021-04-01",
  "name": "[concat(variables('namingInfix'), '/MDE.Windows')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachineScaleSets', variables('namingInfix'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "forceReOnboarding": false,
      "vNextEnabled": false,
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachineScaleSets',variables('namingInfix'))]",
      "defenderForServersWorkspaceId": "vm-mde"
    },
    "protectedSettings": {
      "defenderForEndpointOnboardingScript": "[reference(subscriptionResourceId('Microsoft.Security/mdeOnboardings', 'Windows'), '2021-10-01-preview', 'full').properties.onboardingPackageWindows]"
    }
  }
}

for VMSS and it worked...
Just replace virtualMachineScaleSets with virtualMachines and it should work
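
The two failures reported in this thread can be caught before deployment. The following is an added example, not part of the original discussion or the extension's own code: a small template lint that flags MDE extension resources whose `protectedSettings` is absent or lacks `defenderForEndpointOnboardingScript`, and an onboarding script placed in public `settings`. The function names, the `mde_ext` helper and the sample resources are constructed for illustration.

```python
MDE_PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
ONBOARDING_KEY = "defenderForEndpointOnboardingScript"

def iter_resources(resources):
    """Yield every resource, including nested child resources."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))

def lint_mde_extensions(template):
    """Return (resource name, problem) pairs for MDE extension resources."""
    findings = []
    for res in iter_resources(template.get("resources")):
        props = res.get("properties") or {}
        if props.get("publisher") != MDE_PUBLISHER:
            continue
        name = res.get("name", "<unnamed>")
        protected = props.get("protectedSettings")
        # Public settings appear in 0.settings in clear text (see the files
        # posted above), so the onboarding script does not belong there.
        if ONBOARDING_KEY in (props.get("settings") or {}):
            findings.append((name, "onboarding script is in public settings"))
        if protected is None:
            findings.append((name, "protectedSettings is missing"))
        elif isinstance(protected, dict) and not protected.get(ONBOARDING_KEY):
            findings.append((name, f"protectedSettings lacks {ONBOARDING_KEY}"))
    return findings

def mde_ext(name, **props):
    """Build a constructed sample extension resource (hypothetical helper)."""
    return {"name": name, "properties": {"publisher": MDE_PUBLISHER, **props}}

# Constructed sample covering the three template shapes seen in the thread.
SAMPLE = {"resources": [
    mde_ext("vm1/MDE.Windows", settings={"forceReOnboarding": False}),
    mde_ext("vm2/MDE.Windows", settings={}, protectedSettings={}),
    mde_ext("vm3/MDE.Windows", settings={}, protectedSettings={
        ONBOARDING_KEY: "[reference(subscriptionResourceId("
                        "'Microsoft.Security/mdeOnboardings', 'Windows'), "
                        "'2021-10-01-preview', 'full')"
                        ".properties.onboardingPackageWindows]"}),
]}

if __name__ == "__main__":
    for name, problem in lint_mde_extensions(SAMPLE):
        print(f"{name}: {problem}")
```

Load a real template with `json.load` and pass the resulting dictionary to `lint_mde_extensions`; an empty list means every MDE extension resource carries the protected onboarding setting.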
