Defender for Servers

The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk and exposure for machines in your organization. It provides recommendations to improve and remediate security posture. Defender for Servers also protects machines against real-time security threats and attacks.

Note

Defender for Servers no longer supports the Log Analytics agent and Azure Monitoring Agent (AMA). Agentless machine scanning and the integration with Microsoft Defender for Endpoint replace these agents for most of the plan's features.

Benefits

Defender for Servers offers several security benefits.

  • Protect multicloud and on-premises machines: Defender for Servers protects Windows and Linux machines in multicloud environments (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)) and on-premises.
  • Centralize management and reporting: Defender for Cloud offers a single view of monitored resources, including machines protected by Defender for Servers. Filter, sort, and cross-reference data to understand, investigate, and analyze machine security.
  • Integrate with Defender services: Defender for Servers integrates with security capabilities provided by Defender for Endpoint and Microsoft Defender Vulnerability Management.
  • Improve posture and reduce risk: Defender for Servers assesses the security posture of machines against compliance standards and provides security recommendations to remediate and improve security posture.
  • Benefit from agentless scanning: Defender for Servers Plan 2 provides agentless machine scanning. Without an agent on endpoints, scan software inventory, assess machines for vulnerabilities, scan for machine secrets, and detect malware threats.
  • Protect against threats in near real-time: Defender for Servers identifies and analyzes real-time threats and issues security alerts as needed.
  • Get intelligent threat detection: Defender for Cloud evaluates events and detects threats using advanced security analytics and machine-learning technologies with multiple threat intelligence sources, including the Microsoft Security Response Center (MSRC).

Defender for Endpoint integration

Defender for Endpoint and Defender for Vulnerability Management integrate into Defender for Cloud.

This integration allows Defender for Servers to use the endpoint detection and response (EDR) capabilities of Defender for Endpoint. It also enables vulnerability scanning, software inventory, and premium features provided by Defender for Vulnerability Management.

Learn more about the integration.

Defender for Servers plans

Defender for Servers offers two plans:

  • Defender for Servers Plan 1 (P1) is entry-level and focuses on the EDR capabilities provided by the Defender for Endpoint integration.
  • Defender for Servers Plan 2 (P2) provides the same features as Plan 1, plus other capabilities.

Plan pricing

For Defender for Servers pricing, review the Defender for Cloud pricing page. You can also estimate costs with the Defender for Cloud cost calculator.

Plan protection features

Plan features are summarized in the following table.

| Feature | Plan 1 (P1) | Plan 2 (P2) | Cloud availability |
|---|---|---|---|
| Multicloud and hybrid support | | | Protects Virtual Machines (VMs) on Azure, AWS and GCP VMs, and on-premises machines that are connected to Microsoft Defender for Cloud. Review Defender for Servers support and requirements. |
| Defender for Endpoint automatic onboarding | | | |
| Defender for Endpoint EDR | | | Azure, AWS, and GCP |
| Integrated alerts and incidents | | | Azure, AWS, and GCP |
| Software inventory discovery ¹ | | | Azure, AWS, and GCP |
| Regulatory compliance assessment | | | Different standards are available for different environments. Learn more about compliance cloud availability. |
| Vulnerability scanning (agent-based) | | | Azure, AWS, and GCP |
| Vulnerability scanning (agentless) | - | | Azure, AWS, and GCP |
| Threat detection (Azure network layer) | - | | Azure |
| OS system updates | - | | Azure, AWS, GCP and on-premises. Only applicable to machines onboarded with Azure Arc. Learn more. |
| Defender for Vulnerability Management premium features ³ | - | | Azure, AWS, GCP |
| Malware scanning (agentless) | - | | Azure, AWS, and GCP |
| Machine secrets scanning (agentless) | - | | Azure, AWS, and GCP |
| File integrity monitoring | - | | Azure, AWS, and GCP. Only applicable to AWS and GCP machines onboarded with Azure Arc. |
| Just-in-time virtual machine access | - | | Azure and AWS |
| Network map | - | | Azure |
| Free data ingestion (500 MB) | - | | |

¹ Software inventory discovery (provided by Defender Vulnerability Management) is integrated into Defender for Cloud.
² OS baseline misconfigurations for MCSB are included in the free foundational posture management.
³ This is only available in the Defender portal.

Deployment scope

You should enable Defender for Servers at the subscription level, but you can enable and disable Defender for Servers at the resource level if you need deployment granularity, as follows:

| Scope | Plan 1 | Plan 2 |
|---|---|---|
| Enable for an Azure subscription | Yes | Yes |
| Enable for a resource | Yes | No |
| Disable for a resource | Yes | Yes |

  • Enable and disable Plan 1 at the resource level per server.
  • Plan 2 can't be enabled at the resource level, but you can disable it at the resource level.
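
As an added example (not part of the original page and not Microsoft code), the following Python applies the scope rules above to an inventory of plan settings and reports machines whose resource-level setting leaves them with less coverage than the subscription provides. The record shape, the field names pricingTier and subPlan, the precedence of resource-level settings over the subscription, and all machine names and records are assumptions constructed for illustration.

```python
# Added example, not Microsoft code. The record shape and the field names
# pricingTier/subPlan are assumptions; every sample record is constructed.

# Capabilities this page ties to Plan 2 in its "After enabling" list.
P2_ONLY = ("agentless scanning", "OS configuration assessment",
           "file integrity monitoring")

def plan_of(cfg):
    """Map one pricing record to 'P1', 'P2' or None (no plan enabled)."""
    if not cfg or cfg.get("pricingTier") != "Standard":
        return None
    return cfg.get("subPlan")

def audit(subscription_cfg, overrides):
    """overrides maps machine -> resource-level record, or None to inherit.
    Assumes a resource-level record takes precedence over the subscription.
    Returns {machine: (effective_plan, finding)}."""
    sub_plan = plan_of(subscription_cfg)
    report = {}
    for machine, override in overrides.items():
        plan = sub_plan if override is None else plan_of(override)
        if override is not None and plan == "P2":
            # Scope table: Plan 2 can't be enabled at the resource level.
            plan, finding = sub_plan, "invalid record: P2 enabled at resource level"
        elif plan is None and sub_plan:
            finding = f"opted out of subscription-level {sub_plan}"
        elif plan is None:
            finding = "unprotected"
        elif plan == "P1" and sub_plan == "P2":
            finding = "P1 only; no " + ", ".join(P2_ONLY)
        else:
            finding = "covered"
        report[machine] = (plan, finding)
    return report

SUBSCRIPTION = {"pricingTier": "Standard", "subPlan": "P2"}  # constructed
OVERRIDES = {  # constructed machine names and records
    "web-01": None,
    "build-07": {"pricingTier": "Free"},
    "db-02": {"pricingTier": "Standard", "subPlan": "P1"},
    "jump-03": {"pricingTier": "Standard", "subPlan": "P2"},
}

if __name__ == "__main__":
    for machine, (plan, finding) in audit(SUBSCRIPTION, OVERRIDES).items():
        print(f"{machine:10} {plan or 'none':5} {finding}")
```
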

After enabling

After you enable a Defender for Servers plan, the following rules apply:

  • Trial period: A 30-day trial period begins. You can't stop, pause, or extend this trial period. To enjoy the full 30-day trial, plan ahead to meet your evaluation goals.
  • Endpoint protection: The Microsoft Defender for Endpoint extension is automatically installed on all supported machines connected to Microsoft Defender for Cloud. Disable automatic provisioning if needed.
  • Vulnerability assessment: Microsoft Defender Vulnerability Management is enabled by default on machines with the Microsoft Defender for Endpoint extension installed.
  • Agentless scanning: Agentless scanning is enabled by default when you enable Defender for Servers Plan 2.
  • OS configuration assessment: When you enable Defender for Servers Plan 2, Microsoft Defender for Cloud assesses operating system configuration settings against compute security baselines in Microsoft Cloud Security Benchmark. To use this feature, machines must run the Azure Machine Configuration extension. Learn more about setting up the extension.
  • File integrity monitoring: You set up file integrity monitoring after enabling Defender for Servers Plan 2.