Overview of Microsoft Defender for Servers

Microsoft Defender for Servers is one of the plans provided by Microsoft Defender for Cloud's enhanced security features. Defender for Servers protects your Windows and Linux machines in Azure, AWS, GCP, and on-premises.

Defender for Servers plans

Defender for Servers provides two plans you can choose from:

  • Plan 1
  • Plan 2
    • Plan 1: Includes everything in Defender for Servers Plan 1.
    • Additional features: All other enhanced Defender for Servers security features.

Plan features

The following table summarizes what's included in each plan.

| Feature | Details | Defender for Servers Plan 1 | Defender for Servers Plan 2 |
| Unified view | The Defender for Cloud portal displays Defender for Endpoint alerts. You can then drill down into Defender for Endpoint portal, with additional information such as the alert process tree, the incident graph, and a detailed machine timeline showing historical data up to six months. | | |
| Automatic MDE provisioning | Automatic provisioning of Defender for Endpoint on Azure, AWS, and GCP resources. | | |
| Microsoft Defender Vulnerability Management | Discover vulnerabilities and misconfigurations in real time with Microsoft Defender for Endpoint, without other agents or periodic scans. | | |
| Threat detection for OS-level (Agent-based) | Defender for Servers and Microsoft Defender for Endpoint (MDE) detect threats at the OS level, including VM behavioral detections and Fileless attack detection, which generates detailed security alerts that accelerate alert triage, correlation, and downstream response time. | | |
| Threat detection for network-level (Agentless) | Defender for Servers detects threats directed at the control plane on the network, including network-based detections for Azure virtual machines. | | |
| Microsoft Defender Vulnerability Management Add-on | See a deeper analysis of the security posture of your protected servers, including risks related to browser extensions, network shares, and digital certificates. | | |
| Security Policy and Regulatory Compliance | Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. | | |
| Integrated vulnerability assessment powered by Qualys | Use the Qualys scanner for real-time identification of vulnerabilities in Azure and hybrid VMs. Everything's handled by Defender for Cloud. You don't need a Qualys license or even a Qualys account. | | |
| Log Analytics 500 MB free data ingestion | Defender for Cloud leverages Azure Monitor to collect data from Azure VMs and servers, using the Log Analytics agent. | | |
| Adaptive application controls (AAC) | AACs in Defender for Cloud define allowlists of known safe applications for machines. | | |
| File Integrity Monitoring (FIM) | FIM (change monitoring) examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | | |
| Just-in-time VM access for management ports | Defender for Cloud provides JIT access, locking down machine ports to reduce the machine's attack surface. | | |
| Adaptive network hardening | Filtering traffic to and from resources with network security groups (NSG) improves your network security posture. You can further improve security by hardening the NSG rules based on actual traffic patterns. | | |
| Docker host hardening | Defender for Cloud assesses containers hosted on Linux machines running Docker containers, and compares them with the Center for Internet Security (CIS) Docker Benchmark. | | |


If you only enable Defender for Cloud at the workspace level, Defender for Cloud won't enable just-in-time VM access, adaptive application controls, and network detections for Azure resources.

Want to learn more? Watch an overview of enhanced workload protection features in Defender for Servers in our Defender for Cloud in the Field series.


When you enable Defender for Servers Plan 1 or Plan 2 and then enable Defender for Endpoint unified integration, the Defender for Endpoint agent is automatically provisioned on all supported machines in the subscription.

  • Azure Windows machines: Defender for Cloud deploys the MDE.Windows extension. The extension provisions Defender for Endpoint and connects it to the Defender for Endpoint backend.
  • Azure Linux machines: Defender for Cloud collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. For a list of the Linux alerts, see the Reference table of alerts.
  • On-premises: Defender for Cloud integrates with Azure Arc using the Azure Connected Machine agent. Learn how to connect your on-premises machines to Microsoft Defender for Cloud.
  • Multicloud: Defender for Cloud uses Azure Arc to ensure these non-Azure machines are seen as Azure resources. Learn how to connect your AWS accounts and your GCP accounts to Microsoft Defender for Cloud.
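
A coverage check for the Azure Windows case above, as an added example that is not part of the original article or Microsoft's tooling: it flags Windows VMs where the MDE.Windows extension is missing or did not provision successfully. The inventory is constructed sample data, and its record shape (name, osType, extensions with name and provisioningState) is a simplification assumed here of what you would merge from exported VM and extension listings.

```python
import json

# Constructed sample inventory: one record per VM with its installed extensions.
# VM names are made up; the record shape is an assumption of this example.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "web-01", "osType": "Windows",
   "extensions": [{"name": "MDE.Windows", "provisioningState": "Succeeded"}]},
  {"name": "web-02", "osType": "Windows",
   "extensions": [{"name": "MDE.Windows", "provisioningState": "Failed"}]},
  {"name": "sql-01", "osType": "Windows",
   "extensions": [{"name": "AzureMonitorWindowsAgent", "provisioningState": "Succeeded"}]},
  {"name": "app-01", "osType": "Linux", "extensions": []}
]
""")

MDE_WINDOWS_EXTENSION = "MDE.Windows"  # extension name given in the article


def mde_windows_gaps(inventory):
    """Return {vm_name: reason} for Windows VMs without a healthy MDE.Windows extension."""
    gaps = {}
    for vm in inventory:
        if vm.get("osType", "").lower() != "windows":
            continue  # non-Windows machines are covered by other mechanisms
        ext = next(
            (e for e in vm.get("extensions") or []
             if e.get("name", "").lower() == MDE_WINDOWS_EXTENSION.lower()),
            None,
        )
        if ext is None:
            gaps[vm["name"]] = "extension missing"
        elif ext.get("provisioningState") != "Succeeded":
            # Present but not provisioned: the agent may never have onboarded.
            gaps[vm["name"]] = f"extension state: {ext.get('provisioningState')}"
    return gaps


if __name__ == "__main__":
    for name, reason in sorted(mde_windows_gaps(SAMPLE_INVENTORY).items()):
        print(f"{name}: {reason}")
```

Machines reported here are ones where automatic provisioning has not taken effect, so they produce no Defender for Endpoint alerts until the gap is closed.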


For details of which Defender for Servers features are relevant for machines running on other cloud environments, see Supported features for virtual machines and servers.

Simulating alerts

You can simulate alerts by downloading one of the following playbooks:

Learn more

You can check out the following blogs:

Next steps

In this article, you learned about Microsoft Defender for Servers.