跳到主要内容

Review & Remediate Endpoint Detection and Response Recommendations

Implementation Effort: Medium
Security and IT teams must review EDR-related recommendations, validate agent presence, and take remediation actions across Azure, AWS, and GCP workloads.

User Impact: Low
EDR remediation is handled by administrators; end users are not directly involved.

Overview

Microsoft Defender for Servers integrates with Microsoft Defender for Endpoint (MDE) to provide Endpoint Detection and Response (EDR) capabilities. Defender for Cloud continuously assesses whether supported machines have a valid EDR solution installed and running. If gaps are found, it generates recommendations to help security teams remediate them.

Key Capabilities

  • Agentless scanning is used to detect EDR presence on Azure VMs, AWS EC2, and GCP Compute Engine instances.
  • Recommendations are generated when:
    • No EDR solution is detected.
    • A non-Microsoft EDR is unsupported.
    • Defender for Endpoint is not properly configured 1.

How to Review EDR Recommendations

  1. Go to Microsoft Defender for Cloud > Recommendations.
  2. Search for:
    • "EDR solution should be installed on Virtual Machines"
    • "EDR solution should be installed on EC2s"
    • "EDR solution should be installed on Virtual Machines (GCP)"
  3. Select a recommendation to view affected resources.
  4. Use the Healthy resources tab to verify which machines already have EDR installed 1.

How to Remediate

  1. Select the recommendation and click Fix.
  2. Choose Enable Defender for Endpoint integration.
  3. Select one or more affected machines.
  4. Click Enable to automatically install the Defender for Endpoint sensor.
  5. Wait up to 24 hours for the machine to appear under Healthy resources 1.

Prerequisites

  • Defender for Servers Plan 2 or Defender CSPM must be enabled.
  • Agentless scanning must be turned on (enabled by default in supported plans).
  • Machines must be supported by Defender for Endpoint (Windows or Linux).

Failing to remediate EDR recommendations leaves workloads vulnerable to undetected threats and weakens incident response capabilities. This supports the "Assume Breach" principle of Zero Trust by ensuring all endpoints are monitored and protected.

Reference