Get answers to common questions about Microsoft Defender for Servers.
Can I enable Defender for Servers on a subset of machines in a subscription?
No. When you enable Microsoft Defender for Servers on an Azure subscription or on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor agent installed are also protected.
Can I get a discount if I already have a Microsoft Defender for Endpoint license?
If you already have a license for Microsoft Defender for Endpoint for Servers, you won't have to pay for that part of your Microsoft Defender for Servers Plan 1 or 2 license.
To request your discount, contact the Defender for Cloud support team through the Azure portal by creating a new support request in the help and support center.
Sign in to the Azure portal.
Select Support and Troubleshooting
Select Help + support.
Select Create a support request.
Enter the following information:
In the Additional details tab, enter your Customer Org name, Tenant ID, the number of Microsoft Defender for Endpoint for Servers licenses that were purchased, the expiration date of the Microsoft Defender for Endpoint for Servers licenses that were purchased, and all other required fields.
The discount becomes effective starting on the approval date. The discount isn't retroactive.
What servers do I pay for in a subscription?
When you enable Defender for Servers on a subscription, you're charged for all machines based on their power states.
|Starting||VM starting up.||Not billed|
|Running||Normal working state.||Billed|
|Stopping||Transitional. Moves to Stopped state when finished.||Billed|
|Stopped||VM shut down from within guest OS or by using PowerOff APIs. Hardware is still allocated, and the machine remains on the host.||Billed|
|Deallocating||Transitional. Moves to Deallocated state when finished.||Not billed|
|Deallocated||VM stopped and removed from the host.||Not billed|
Azure Arc machines:
|Connecting||Servers connected, but heartbeat not yet received.||Not billed|
|Connected||Receiving regular heartbeat from Connected Machine agent.||Billed|
|Offline/Disconnected||No heartbeat received in 15-30 minutes.||Not billed|
|Expired||If disconnected for 45 days, status might change to Expired.||Not billed|
Do I need to enable Defender for Servers on the subscription and on the workspace?
Defender for Servers Plan 1 doesn't depend on Log Analytics. When you enable Defender for Servers Plan 2 at the subscription level, Defender for Cloud automatically enables the plan on your default Log Analytics workspaces. If you use a custom workspace, make sure you enable the plan on the workspace. Here's more information:
- If you turn on Defender for Servers for a subscription and for a connected custom workspace, you aren't charged for both. The system identifies unique VMs.
- If you enable Defender for Servers on cross-subscription workspaces:
- For the Log Analytics agent, connected machines from all subscriptions are billed, including subscriptions that don't have the Defender for Servers plan enabled.
- For the Azure Monitor agent, billing and feature coverage for Defender for Servers depends only on the plan being enabled in the subscription.
What happens if I enabled the Defender for Servers plan at the workspace level only (not at subscription)?
You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed, and those servers won't receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.
Is the 500 MB of free data ingestion allowance applied per workspace or per machine?
When you have Defender for Servers Plan 2 enabled, you get 500 MB of free data ingestion per day. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.
This allowance is a daily rate that's averaged across all nodes. Your total daily free limit is equal to [number of machines] × 500 MB. You aren't charged extra if the total doesn't exceed your total daily free limit, even if some machines send 100 MB and others send 800 MB.
What data types are included in the daily allowance?
Defender for Cloud billing is closely tied to the billing for Log Analytics. Microsoft Defender for Servers provides an allocation of 500 MB per node per day for machines against the following subset of security data types:
- Update and UpdateSummary when the Update Management solution isn't running in the workspace or solution targeting is enabled.
If the workspace is in the legacy per-node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.
Am I charged for machines that don't have Log Analytics installed?
Yes. You're charged for all machines that are protected by Defender for Servers in Azure subscriptions, connected AWS accounts, or connected GCP projects. The term machines includes Azure virtual machines, instances of Azure Virtual Machine Scale Sets, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.
What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?
In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When we expanded support to include Windows Server 2019 and Linux, we also added an extension to perform the automatic onboarding.
Defender for Cloud automatically deploys the extension to machines running:
- Windows Server 2019 and Windows Server 2022
- Windows Server 2012 R2 and 2016 if MDE Unified Solution integration is enabled
- Windows 10 on Azure Virtual Desktop.
- Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
If you delete the MDE.Windows/MDE.Linux extension, it won't remove Microsoft Defender for Endpoint. To offboard the machine, see Offboard Windows servers..
I enabled the solution but the `MDE.Windows`/`MDE.Linux` extension isn't showing on my machine
If you enabled the integration, but still don't see the extension running on your machines:
- You need to wait at least 12 hours to be sure there's an issue to investigate.
- If after 12 hours you still don't see the extension running on your machines, check that you've met Prerequisites for the integration.
- Ensure you've enabled the Microsoft Defender for Servers plan for the subscriptions related to the machines you're investigating.
- If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud deploys Defender for Endpoint. For full details, contact Microsoft support.
What are the licensing requirements for Microsoft Defender for Endpoint?
Licenses for Defender for Endpoint for servers are included with Microsoft Defender for Servers.
Do I need to buy a separate anti-malware solution to protect my machines?
No. With Defender for Endpoint integration in Defender for Servers, you'll also get malware protection on your machines.
- On Windows Server 2012 R2 with Defender for Endpoint unified solution integration enabled, Defender for Servers deploys Microsoft Defender Antivirus in active mode.
- On newer Windows Server operating systems, Microsoft Defender Antivirus is part of the operating system and will be enabled in active mode.
- On Linux, Defender for Servers deploy Defender for Endpoint including the anti-malware component, and set the component in passive mode.
How do I switch from a third-party EDR tool?
Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.
Which Microsoft Defender for Endpoint plan is supported in Defender for Servers?
Defender for Servers Plan 1 and Plan 2 provides the capabilities of Microsoft Defender for Endpoint Plan 2.
Are there any options to enforce the application controls?
No enforcement options are currently available. Adaptive application controls are intended to provide security alerts if any application runs other than the ones you've defined as safe. They have a range of benefits (What are the benefits of adaptive application controls?) and are customizable as shown on this page.
Why do I see a Qualys app in my recommended applications?
Microsoft Defender for Servers includes vulnerability scanning for your machines. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. For details of this scanner and instructions for how to deploy it, see Defender for Cloud's integrated Qualys vulnerability assessment solution.
To ensure no alerts are generated when Defender for Cloud deploys the scanner, the adaptive application controls recommended allowlist includes the scanner for all machines.
Why aren't all of my resources shown, such as subscriptions, machines, storage accounts in my asset inventory?
The inventory view lists your Defender for Cloud connected resources from a Cloud Security Posture Management (CSPM) perspective. The filters show only the resources with active recommendations.
For example, if you have access to eight subscriptions but only seven currently have recommendations, filter by Resource type = Subscriptions shows only the seven subscriptions with active recommendations:
Why do some of my resources show blank values in the Defender for Cloud or monitoring agent columns?
Not all Defender for Cloud monitored resources requires agents. For example, Defender for Cloud doesn't require agents to monitor Azure Storage accounts or PaaS resources, such as disks, Logic Apps, Data Lake Analysis, and Event Hubs.
When pricing or agent monitoring isn't relevant for a resource, nothing is shown in those columns of inventory.
Which ports are supported by adaptive network hardening?
Adaptive network hardening recommendations are only supported on the following specific ports (for both UDP and TCP):
13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5900, 5985, 5986, 6379, 6379, 7000, 7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215
Are there any prerequisites or VM extensions required for adaptive network hardening?
Adaptive network hardening is an agentless feature of Microsoft Defender for Cloud - nothing needs to be installed on your machines to benefit from this network hardening tool.
When should I use a "Deny all traffic" rule?
A Deny all traffic rule is recommended when, as a result of running the algorithm, Defender for Cloud doesn't identify traffic that should be allowed, based on the existing NSG configuration. Therefore, the recommended rule is to deny all traffic to the specified port. The name of this type of rule is displayed as "System Generated". After enforcing this rule, its actual name in the NSG will be a string comprised of the protocol, traffic direction, "DENY", and a random number.
How do I deploy the prerequisites for the security configuration recommendations?
To deploy the Guest Configuration extension with its prerequisites:
For selected machines, follow the security recommendation Guest Configuration extension should be installed on your machines from the Implement security best practices security control.
At scale, assign the policy initiative Deploy prerequisites to enable Guest Configuration policies on virtual machines.
Why is a machine shown as not applicable?
The list of resources in the Not applicable tab includes a Reason column. Some of the common reasons include:
|No scan data available on the machine||There aren't any compliance results for this machine in Azure Resource Graph. All compliance results are written to Azure Resource Graph by the Guest Configuration extension. You can check the data in Azure Resource Graph using the sample queries in Azure Policy Guest Configuration - sample ARG queries.|
|Guest Configuration extension isn't installed on the machine||The machine is missing the Guest Configuration extension, which is a prerequisite for assessing the compliance with the Azure security baseline.|
|System managed identity isn't configured on the machine||A system-assigned, managed identity must be deployed on the machine.|
|The recommendation is disabled in policy||The policy definition that assesses the OS baseline is disabled on the scope that includes the relevant machine.|
If I enable Defender for Clouds Servers plan on the subscription level, do I need to enable it on the workspace level?
When you enable the Servers plan on the subscription level, Defender for Cloud enables the Servers plan on your default workspaces automatically. Connect to the default workspace by selecting Connect Azure VMs to the default workspace(s) created by Defender for Cloud option and selecting Apply.
However, if you're using a custom workspace in place of the default workspace, you need to enable the Servers plan on all of your custom workspaces that don't have it enabled.
If you're using a custom workspace and enable the plan on the subscription level only, the
Microsoft Defender for servers should be enabled on workspaces recommendation appears on the Recommendations page. This recommendation gives you the option to enable the servers plan on the workspace level with the Fix button. You're charged for all VMs in the subscription even if the Servers plan isn't enabled for the workspace. The VMs won't benefit from features that depend on the Log Analytics workspace, such as Microsoft Defender for Endpoint, VA solution (MDVM/Qualys), and Just-in-Time VM access.
Enabling the Servers plan on both the subscription and its connected workspaces, won't incur a double charge. The system will identify each unique VM.
If you enable the Servers plan on cross-subscription workspaces, connected VMs from all subscriptions will be billed, including subscriptions that don't have the Servers plan enabled.
Will I be charged for machines without the Log Analytics agent installed?
Yes. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines include Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.
If a Log Analytics agent reports to multiple workspaces, will I be charged twice?
If a machine, reports to multiple workspaces, and all of them have Defender for Servers enabled, the machines will be billed for each attached workspace.
If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?
Yes. If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.
Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?
You receive a daily allowance of 500 MB of free data ingestion for each virtual machine (VM) connected to the workspace. This allocation specifically applies to the security data types collected directly by Defender for Cloud.
The data allowance is a daily rate calculated across all connected machines. Your total daily free limit is equal to the [number of machines] x 500 MB. So even if on a given day some machines send 100 MB and others send 800 MB, if the total data from all machines doesn't exceed your daily free limit, you won't be charged extra.
What data types are included in the 500-MB data daily allowance?
Defender for Cloud's billing is closely tied to the billing for Log Analytics. Microsoft Defender for Servers provides a 500 MB/node/day allocation for machines against the following subset of security data types:
- Update and UpdateSummary when the Update Management solution isn't running in the workspace or solution targeting is enabled.
If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data. To learn more on how Microsoft Sentinel customers can benefit, please see the Microsoft Sentinel Pricing page.
How can I monitor my daily usage?
You can view your data usage in two different ways, the Azure portal, or by running a script.
To view your usage in the Azure portal:
Sign in to the Azure portal.
Navigate to Log Analytics workspaces.
Select your workspace.
Select Usage and estimated costs.
You can also view estimated costs under different pricing tiers by selecting for each pricing tier.
To view your usage by using a script:
Sign in to the Azure portal.
Navigate to Log Analytics workspaces > Logs.
Select your time range. Learn about time ranges.
Copy and past the following query into the Type your query here section.
let Unit= 'GB'; Usage | where IsBillable == 'TRUE' | where DataType in ('SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary', 'SecurityDetection', 'SecurityEvent', 'WindowsFirewall', 'MaliciousIPCommunication', 'SysmonEvent', 'ProtectionStatus', 'Update', 'UpdateSummary') | project TimeGenerated, DataType, Solution, Quantity, QuantityUnit | summarize DataConsumedPerDataType = sum(Quantity)/1024 by DataType, DataUnit = Unit | sort by DataConsumedPerDataType desc
You can learn how to Analyze usage in Log Analytics workspace.
Based on your usage, you won't be billed until you've used your daily allowance. If you're receiving a bill, it's only for the data used after the 500-MB limit is reached, or for other service that doesn't fall under the coverage of Defender for Cloud.
How can I manage my costs?
You might want to manage your costs and limit the amount of data collected for a solution by limiting it to a particular set of agents. Use solution targeting to apply a scope to the solution and target a subset of computers in the workspace. If you're using solution targeting, Defender for Cloud lists the workspace as not having a solution.
Solution targeting has been deprecated because the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use solution targeting if you already have it configured, but it isn't available in new regions. The feature won't be supported after August 31, 2024. Regions that support solution targeting until the deprecation date are:
|Region code||Region name|
|Air-gapped clouds||Region code||Region name|