
Microsoft Defender for Endpoint (MDE) Extension troubleshooting

Microsoft Defender for Endpoint (MDE) comes under the umbrella of Microsoft 365, but it has a direct link with Defender for Cloud, which lives in Azure. So, if you spin up your VMs (Windows or Linux), enable the Defender for Cloud Servers plan and turn on "Endpoint Protection", it will trigger the installation of the Defender for Endpoint (MDE) extension on those VMs. On Windows, it shows up as "MDE.Windows"; on Linux, it is "MDE.Linux". You can read more about Defender for Cloud Endpoint Protection here.

However, you may sometimes run into errors that stop these extensions from installing or working correctly. In this blog post, I will take you through the troubleshooting and resolution steps for one such error that I came across.

If you get an error like this: “Extension ” of Handler ‘Microsoft.Azure.AzureDefenderForServers.MDE.Windows’ version ‘1.0.9.5’ faulted due to exception during extension processing”, then you have come to the right place. Follow the resolution steps below, but before that, let me explain why this error came up.

Cause

In my case, the issue was caused by incorrect syntax in the Windows PowerShell entry of the Path environment variable. Some developers who were using the machine had made changes to the environment variables. The MDE.Windows extension runs a built-in script written in PowerShell, and that script could not run because of the misconfigured environment variable.
(Disclaimer: there may be a different reason or cause for the same error on your machine, depending on the application and OS build.)

Resolution

Now that you know the error and how it came up, let's look at the steps to fix it.

  • Go to the Azure Portal > Virtual Machines > search for the affected server.
  • Click on Extensions in the left-navigation menu.
  • Uninstall the MDE.Windows extension.
  • Go to the affected Windows machine and check that PowerShell.exe exists in this path (C:\Windows\System32\WindowsPowerShell\v1.0\).
  • Once you confirm that PowerShell.exe exists in that path, go to Control Panel and search in the top-right for "environment variables".
  • Assuming you are a local administrator of the machine, click on "Edit the system environment variables".
  • Under User variables, select Path and click Edit.
  • Add the default path "C:\Windows\System32\WindowsPowerShell\v1.0\" to the Path variable and save it.
  • Do the same under System variables: edit the Path variable there as well.
  • Save once done and restart the machine.
  • After the restart completes, Defender for Cloud will trigger the installation of the MDE.Windows extension once again using the managed identity. Wait for at least an hour (in some cases it worked in under an hour).
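The manual checks in the steps above can also be scripted. The following is an added example written for this post, not something Microsoft or the extension ships: it verifies that powershell.exe exists at the default location, inspects the User and Machine Path variables for entries that look broken (stray quote characters or directories that do not exist), and appends the PowerShell directory where it is missing. The function names (`Test-PowerShellBinary`, `Repair-PathVariable`) are my own; run it from an elevated session, and if PowerShell is not on your Path, start it by its full path.

```powershell
# Added example (not from the post): verify PowerShell.exe is present and that both
# the User and Machine Path variables contain its directory, adding it when missing.
$PsDir = 'C:\Windows\System32\WindowsPowerShell\v1.0\'

function Test-PowerShellBinary {
    # The extension's built-in script needs this executable at the default location.
    $exe = Join-Path $PsDir 'powershell.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "powershell.exe not found at $exe; the MDE.Windows script cannot run"
    }
    Write-Host "Found $exe"
}

function Repair-PathVariable {
    param(
        [ValidateSet('User', 'Machine')] [string] $Scope,
        [switch] $WhatIf   # report the change without writing it
    )
    $current = [Environment]::GetEnvironmentVariable('Path', $Scope)
    $entries = @($current -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Flag entries that look malformed (quote characters) or point at missing
    # directories; a hand edit of this kind is what broke the extension in the post.
    foreach ($e in $entries) {
        if ($e -match '["'']') {
            Write-Warning "$Scope Path entry contains quote characters: $e"
        }
        elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($e)))) {
            Write-Warning "$Scope Path entry does not exist on disk: $e"
        }
    }

    $present = $entries | Where-Object { $_.TrimEnd('\') -ieq $PsDir.TrimEnd('\') }
    if ($present) { Write-Host "$Scope Path already contains $PsDir"; return }

    $new = ($entries + $PsDir) -join ';'
    if ($WhatIf) { Write-Host "Would set $Scope Path to: $new"; return }
    [Environment]::SetEnvironmentVariable('Path', $new, $Scope)
    Write-Host "Added $PsDir to $Scope Path"
}

Test-PowerShellBinary
Repair-PathVariable -Scope User
Repair-PathVariable -Scope Machine   # needs an elevated (administrator) session
# Restart the VM afterwards so the guest agent and the reinstalled extension see the new Path.
```

Run it once with `-WhatIf` on each scope first to see what it would change; the warnings are only diagnostics and nothing is removed from Path.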

Hope it will help you and fix your issue. Happy Learning!
