Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk and exposure for machines in your organization. It provides recommendations to improve and remediate security posture. Defender for Servers also protects machines against real-time security threats and attacks.
Note
Defender for Servers no longer supports the Log Analytics agent and Azure Monitoring Agent (AMA). Agentless machine scanning and the integration with Microsoft Defender for Endpoint replace these agents for most of the plan's features.
Benefits
Defender for Servers offers several security benefits.
- Protect multicloud and on-premises machines: Defender for Servers protects Windows and Linux machines in multicloud environments (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)) and on-premises.
- Centralize management and reporting: Defender for Cloud offers a single view of monitored resources, including machines protected by Defender for Servers. Filter, sort, and cross-reference data to understand, investigate, and analyze machine security.
- Integrate with Defender services: Defender for Servers integrates with security capabilities provided by Defender for Endpoint and Microsoft Defender Vulnerability Management.
- Improve posture and reduce risk: Defender for Servers assesses the security posture of machines against compliance standards and provides security recommendations to remediate and improve security posture.
- Benefit from agentless scanning: Defender for Servers Plan 2 provides agentless machine scanning. Without an agent on endpoints, scan software inventory, assess machines for vulnerabilities, scan for machine secrets, and detect malware threats.
- Protect against threats in near real-time: Defender for Servers identifies and analyzes real-time threats and issues security alerts as needed.
- Get intelligent threat detection: Defender for Cloud evaluates events and detects threats using advanced security analytics and machine-learning technologies with multiple threat intelligence sources, including the Microsoft Security Response Center (MSRC).
Defender for Endpoint integration
Defender for Endpoint and Defender for Vulnerability Management integrate into Defender for Cloud.
This integration allows Defender for Servers to use the endpoint detection and response (EDR) capabilities of Defender for Endpoint. It also enables vulnerability scanning, software inventory, and premium features provided by Defender for Vulnerability Management.
Learn more about the integration.
Defender for Servers plans
Defender for Servers offers two plans:
- Defender for Servers Plan 1 (P1) is entry-level and focuses on the EDR capabilities provided by the Defender for Endpoint integration.
- Defender for Servers Plan 2 (P2) provides the same features as Plan 1 and other capabilities.
Plan pricing
For Defender for Servers pricing, review the Defender for Cloud pricing page. You can also estimate costs with the Defender for Cloud cost calculator.
Plan protection features
Plan features are summarized in the table.
| Feature | Plan 1 (P1) | Plan 2 (P2) | Cloud availability |
|---|---|---|---|
| Multicloud and hybrid support | 
|
|
Protects Virtual Machines (VMs) on Azure, AWS and GCP VMs, and on-premises machines that are connected to Microsoft Defender for Cloud. Review Defender for Servers support and requirements. |
| Defender for Endpoint automatic onboarding |
|
|
|
| Defender for Endpoint EDR |
|
|
Azure, AWS, and GCP |
| Integrated alerts and incidents |
|
|
Azure, AWS, and GCP |
| Software inventory discovery 1 |
|
|
Azure, AWS, and GCP |
| Regulatory compliance assessment |
|
|
Different standards are available for different environments. Learn more about compliance cloud availability. |
| Vulnerability scanning (agent-based) |
|
|
Azure, AWS, and GCP |
| Vulnerability scanning (agentless) | - |
|
Azure, AWS, and GCP |
| Threat detection (Azure network layer) | - |
|
Azure |
| OS system updates | - |
|
Azure, AWS, GCP and on-premises Only applicable to machines onboarded with Azure ARC. Learn more. |
| Defender for Vulnerability Management premium features 3 | - |
|
Azure, AWS, GCP |
| Malware scanning (agentless) | - |
|
Azure, AWS, and GCP |
| Machine secrets scanning (agentless) | - |
|
Azure, AWS, and GCP |
| File integrity monitoring | - |
|
Azure, AWS, and GCP Only applicable to AWS and GCP machines onboarded with Azure ARC. |
| Just-in-time virtual machine access | - |
|
Azure and AWS |
| Network map | - |
|
Azure |
| Free data ingestion (500 MB) | - |
|
1 Software inventory discovery (provided by Defender Vulnerability Management) is integrated into Defender for Cloud.
2 OS baseline misconfigurations for MCSB are included in the free foundational posture management.
3 This is only available in the Defender portal.
Deployment scope
You should enable Defender for Servers at the subscription level, but you can enable and disable Defender for Servers at the resource level if you need deployment granularity, as follows:
| Scope | Plan 1 | Plan 2 |
|---|---|---|
| Enable for an Azure subscription | Yes | Yes |
| Enable for a resource | Yes | No |
| Disable for a resource | Yes | Yes |
- Enable and disable Plan 1 at the resource level per server.
- Plan 2 can't be enabled at the resource level, but you can disable it at the resource level.
After enabling
After you enable a Defender for Servers plan, the following rules apply:
- Trial period: A 30-day trial period begins. You can't stop, pause, or extend this trial period. To enjoy the full 30-day trial, plan ahead to meet your evaluation goals.
- Endpoint protection: Microsoft Defender for Endpoint extension is automatically installed on all supported machines connected to Microsoft Defender for Cloud. Disable automatic provisioning if needed.
- Vulnerability assessment: Microsoft Defender Vulnerability Management is enabled by default on machines with the Microsoft Defender for Endpoint extension installed.
- Agentless scanning: Agentless scanning is enabled by default when you enable Defender for Servers Plan 2.
- OS configuration assessment: When you enable Defender for Servers Plan 2, Microsoft Defender for Cloud assesses operation system configuration settings against compute security baselines in Microsoft Cloud Security Benchmark. To use this feature, machines must run the Azure Machine Configuration extension. Learn more about setting up the extension.
- File integrity monitoring: You set up file integrity monitoring after enabling Defender for Servers Plan 2.
Related content
- Plan your Defender for Servers deployment.
- Review common questions about Defender for Servers.