March 9, 2026

How to Effectively Set Up Microsoft Defender for Servers in 2026

Microsoft Defender for Servers is the server-protection plan inside Microsoft Defender for Cloud. It covers Azure VMs and, through Azure Arc, on-premises and multicloud machines, and it builds on Microsoft Defender for Endpoint for detection and response. This guide walks through the prerequisites, the plan choice, enabling protection, host-side configuration, troubleshooting, and the upkeep that keeps the deployment effective.

Key Takeaways

  • Check the supported OS versions and the agent/extension requirements before you start.

  • Pick Plan 1 (Defender for Endpoint integration and EDR) or Plan 2 (everything in Plan 1 plus vulnerability management, agentless scanning, file integrity monitoring, adaptive controls and more) based on what you need to protect and what you can spend.

  • Enable the plan from Defender for Cloud's Environment settings, then onboard each machine (natively on Azure, through Azure Arc elsewhere).

  • Keep Defender Antivirus security intelligence, engine and platform updates automatic; a short signature check interval (the recommendation in this article is every four hours) keeps detections current.

  • Monitor alerts and recommendations centrally, for example through a Log Analytics workspace, and act on them.

  • Protects more than Azure: Defender for Servers covers Azure VMs, on-premises servers and machines in AWS and GCP through Azure Arc, from a single portal.

  • Not Windows-only: Linux servers get the same onboarding, behavioural detection and hardening recommendations. (macOS is a Defender for Endpoint client platform, not a Defender for Servers target.)

  • Built-in EDR/XDR: the plan integrates Microsoft Defender for Endpoint, so server telemetry is correlated with cloud signals in Defender for Cloud and Microsoft Defender XDR.

  • Automated investigation and remediation: Defender for Endpoint's automated investigation can triage alerts and apply remediation actions, cutting manual work and time to resolution.

  • Containers are a separate plan: image scanning, runtime protection and Kubernetes recommendations come from Defender for Containers, not Defender for Servers; license both if you run containerized workloads.

  • Vulnerability assessment and adaptive controls (Plan 2): prioritized findings from Microsoft Defender Vulnerability Management, adaptive application control recommendations, and guidance toward least-privilege configuration.

Prerequisites for Configuration

Before you configure Microsoft Defender for Servers, ensure that your environment meets the necessary prerequisites. This includes both system requirements and licensing considerations.

System Requirements

To run Microsoft Defender for Servers effectively, your systems must meet the supported operating system and agent requirements. The Windows Server versions listed here are:

Supported Windows Server Versions

  • Windows Server 2008 R2 SP1

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server Semi-Annual Enterprise Channel

  • Windows Server 2019 (including Server Core)

  • Windows Server 2022 and later

Treat this list as a starting point, not the final word. Windows Server 2012 R2 and 2016 are protected through the modern unified Defender for Endpoint agent; Windows Server 2008 R2 historically relied on the Log Analytics agent, which Microsoft retired in August 2024, so verify its current status before counting on it. Support status changes, so confirm each OS against the current Defender for Endpoint support matrix before onboarding.

For Linux systems, refer to the official Microsoft documentation for the supported distributions and kernel requirements. If you run virtual machines (VMs) on Azure, check the agent extension by opening the VM in the portal and selecting Extensions + applications. Ensure that your machines meet the minimum requirements for the following extensions, which deploy the Defender for Endpoint sensor:

  • Windows machines extension: MDE.Windows

  • Linux machines extension: MDE.Linux

Licensing Overview

Understanding the licensing options for Microsoft Defender for Servers is crucial for effective configuration. There are two plans, set per subscription (or, with the resource-level option described later, per machine):

  • Plan 1: Defender for Endpoint integration (EDR, automated investigation and response) and the associated Defender for Cloud alerts. Limited posture features.

  • Plan 2: everything in Plan 1 plus the full set of enhanced security features from Defender for Cloud, including integrated vulnerability assessment (Microsoft Defender Vulnerability Management), agentless scanning, file integrity monitoring, adaptive application controls, just-in-time VM access and regulatory compliance assessments.

The cost and features differ significantly between the two plans. At list price, Plan 1 is about $5 per server per month and Plan 2 about $15 per server per month, prorated hourly per protected machine; confirm current figures on the Defender for Cloud pricing page.

When selecting a plan, consider your organization's security needs and budget. This decision will impact your overall security posture and the effectiveness of your configuration.

By ensuring that you meet these prerequisites, you set a solid foundation for configuring Microsoft Defender for Servers effectively.

Configure Defender for Servers

Accessing Azure Portal

To configure Defender for Servers, you first need to access the Azure portal. Follow these steps to get started:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Choose the relevant Azure subscription, AWS account, or GCP project.

  5. On the Defender plans page, toggle the Servers switch to On.

  6. By default, this action activates Defender for Servers Plan 2. If you prefer a different plan, select Change plans.

  7. In the popup window, choose either Plan 2 or Plan 1.

  8. Select Confirm.

  9. Finally, click Save.

These steps switch the plan on for every existing and future machine in the selected subscription, account or project. The machines themselves are onboarded in the next section.
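The same plan change can be scripted, which matters once you manage more than a handful of subscriptions. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the Az.Accounts and Az.Security modules, Security Admin (or Owner) rights on the subscription, and a recent Az.Security that exposes the -SubPlan parameter. The subscription ID is a placeholder.

```powershell
# Added example: enable Defender for Servers on a subscription with Az PowerShell
# instead of clicking through the portal. Assumes Az.Accounts and Az.Security
# are installed and the caller holds Security Admin (or Owner) on the subscription.
# Subscription ID below is a placeholder.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$SubPlan        = 'P2'                                     # 'P1' or 'P2'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 'VirtualMachines' is the pricing name that represents Defender for Servers.
# -SubPlan needs a recent Az.Security; on older modules use the Azure CLI instead:
#   az security pricing create --name VirtualMachines --tier standard --subplan P2
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan $SubPlan | Out-Null

# Verify. 'Standard' means the paid plan is on; 'Free' means only the
# foundational CSPM recommendations apply to the servers in this subscription.
$pricing = Get-AzSecurityPricing -Name 'VirtualMachines'
if ($pricing.PricingTier -ne 'Standard' -or $pricing.SubPlan -ne $SubPlan) {
    throw "Defender for Servers is not in the expected state: $($pricing | ConvertTo-Json -Compress)"
}
"Defender for Servers enabled: tier=$($pricing.PricingTier) subPlan=$($pricing.SubPlan)"
```

Run it once per subscription from a pipeline, and keep the verification step: the call returns successfully even when a policy at a higher scope later flips the plan back, so a read-back is the only way to know the setting actually held.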

Enabling Server Protection

Once you have accessed the Azure portal, the next step is to enable server protection. This process involves several key actions:

  1. Enable Microsoft Defender for Cloud: Connect to Azure and enable Defender for Cloud in your subscription.

  2. Install Azure Arc Agent: For on-premises servers, install the Azure Arc agent to facilitate cloud management.

  3. Configure Microsoft Defender Antivirus: Ensure that Microsoft Defender Antivirus is enabled. Configure real-time protection and other relevant settings.

  4. Deploy Microsoft Defender for Endpoint: Set up advanced threat protection capabilities to enhance your security posture.

  5. Configure Advanced Threat Protection Policies: Implement security policies tailored to your organization’s specific needs.

  6. Set Up Log Analytics Workspace Integration: Route alerts and recommendations to a Log Analytics workspace through continuous export so they can be retained and queried. Note that the Log Analytics agent (MMA) was retired in August 2024; Defender for Servers no longer depends on it, so do not install it on new machines.

  7. Configure Security Baselines: Apply Microsoft's recommended security baselines to ensure optimal configuration.
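Once the steps above have run, confirm on the server itself that each piece is actually in place rather than trusting the portal's green tick. The script below is an added example written for this article, not Microsoft's own tooling; it assumes an elevated PowerShell session on a Windows Server where Defender Antivirus is installed (the Defender module with Get-MpComputerStatus ships with it) and reads the Defender for Endpoint onboarding registry key that the sensor writes.

```powershell
# Added example: verify, on the server itself, that the components enabled in the
# onboarding steps are running. Run elevated on Windows Server.

function Get-ServerProtectionState {
    $status = Get-MpComputerStatus

    # MDE sensor ('Sense') must be running for EDR telemetry to flow.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Azure Arc agent ('himds') exists only on Arc-enabled (non-Azure) machines.
    $himds = Get-Service -Name 'himds' -ErrorAction SilentlyContinue

    # The sensor records OnboardingState = 1 under this key once onboarding completed.
    $mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $mdeKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState -eq 1

    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        TamperProtection   = $status.IsTamperProtected
        SignatureAgeHours  = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
        EdrSensorRunning   = [bool]($sense -and $sense.Status -eq 'Running')
        OnboardedToMDE     = $onboarded
        ArcAgentRunning    = [bool]($himds -and $himds.Status -eq 'Running')
    }
}

$state = Get-ServerProtectionState
$state | Format-List

# Remediate the two settings step 3 calls out. Tamper protection, when on,
# blocks local changes; manage the setting centrally (Intune/GPO) in that case.
if (-not $state.RealTimeProtection -or -not $state.BehaviorMonitoring) {
    if ($state.TamperProtection) {
        Write-Warning 'Tamper protection is on; change real-time/behavior monitoring from your management plane.'
    } else {
        Set-MpPreference -DisableRealtimeMonitoring $false
        Set-MpPreference -DisableBehaviorMonitoring $false
    }
}
if (-not $state.EdrSensorRunning -or -not $state.OnboardedToMDE) {
    Write-Warning 'MDE sensor is not onboarded/running: the MDE.Windows extension or onboarding script has not completed.'
}
```

Run it after onboarding and again from a scheduled job; a server that reports AntivirusEnabled but not EdrSensorRunning is protected by antivirus only and will not produce EDR alerts in Defender for Cloud.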

The following options appear when you enable server protection. The first three are plan settings in Defender for Cloud (Environment settings > the Servers plan > Settings); the rest are Microsoft Defender for Endpoint network protection settings that apply on the Windows Server host, set with Set-MpPreference, Intune or Group Policy:

Defender for Cloud plan settings

  • Endpoint Protection Integration: automatically deploys the Defender for Endpoint sensor (the MDE.Windows / MDE.Linux extension) to every machine covered by the plan. Leave this on.

  • Agentless Scanning for VMs: Plan 2 only. Takes out-of-band disk snapshots to find vulnerabilities, secrets and malware without installing anything in the guest.

  • Guest Configuration Agent: deploys the Azure Policy guest configuration extension used for OS-level configuration assessment, including the security baselines.

Host-side network protection settings

  • Enable Network Protection: blocks (block mode) or only logs (audit mode) outbound connections to known-malicious domains and IPs. Start in audit mode, review the events, then switch to block.

  • Datagram Processing on Windows Server: inspection of UDP traffic. Off by default on Windows Server because of its performance cost; enable only if you need UDP-based protocol inspection.

  • Disable DNS over TCP Parsing / Disable HTTP Parsing / Disable SSH Parsing / Disable TLS Parsing: per-protocol parsers used by network protection. Keep the parsers enabled (the Disable switches off) unless a specific workload shows a performance problem or false positives.

  • [Deprecated] Enable DNS Sinkhole: legacy option that redirected DNS answers for known-malicious names. It is deprecated, so do not build on it.
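The host-side rows map one-to-one onto Set-MpPreference parameters. The script below is an added example for this article, not Microsoft's own configuration script; it assumes an elevated PowerShell session on a Windows Server with Defender Antivirus installed and that the parameters shown exist on your Defender release (check with (Get-Command Set-MpPreference).Parameters.Keys if a call is rejected).

```powershell
# Added example: apply the network-protection settings from the table above
# on a Windows Server host. Start with -Mode Audit, review events, then -Mode Block.

param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')

$np = if ($Mode -eq 'Block') { 'Enabled' } else { 'AuditMode' }

# Network protection is opt-in on Windows Server: both switches are required.
Set-MpPreference -EnableNetworkProtection $np
Set-MpPreference -AllowNetworkProtectionOnWinServer $true

# Datagram (UDP) inspection is off on Windows Server by default because of its
# performance cost; set $true only if you need UDP-based protocol inspection.
Set-MpPreference -AllowDatagramProcessingOnWinServer $false

# Protocol parsers: keep them on ($false = parser enabled) unless a specific
# workload shows a performance problem or false positives.
Set-MpPreference -DisableDnsOverTcpParsing $false
Set-MpPreference -DisableHttpParsing $false
Set-MpPreference -DisableSshParsing $false
Set-MpPreference -DisableTlsParsing $false

# Read back what is effective. EnableNetworkProtection: 0 = off, 1 = block, 2 = audit.
Get-MpPreference | Select-Object EnableNetworkProtection, AllowNetworkProtectionOnWinServer,
    AllowDatagramProcessingOnWinServer, DisableDnsOverTcpParsing, DisableHttpParsing,
    DisableSshParsing, DisableTlsParsing

# Network protection writes to the Defender operational log:
# event ID 1125 = would-have-blocked (audit), 1126 = blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1125, 1126 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Leave the host in audit mode for a representative business cycle and read the 1125 events before switching to block; an internal service that resolves through a domain on a threat list will otherwise fail with no obvious error on the application side.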

By completing these steps, you will effectively enable server protection using Microsoft Defender for Servers, enhancing your security measures against potential threats.

Configuration Steps

Setting Security Policies

Setting security policies is crucial for effective onboarding of Microsoft Defender for Servers. You can customize these policies to fit your organization's specific needs. Here are some best practices to follow:

  • Utilize Entra ID groups for targeted policy application. This allows you to create dynamic groups that automatically populate based on device OS versions.

  • Verify configurations through the Azure portal. This ensures that your settings are correctly applied on all endpoints.

  • For devices without internet access, manage policies using SCCM or Group Policy Objects (GPO). This approach helps maintain consistency across your environment.

  • Avoid using multiple management solutions on a single endpoint. This prevents confusion over which policy takes precedence.

To apply the plan selectively (for example, Plan 1 on test servers and Plan 2 on production), use the resource-level option rather than the subscription toggle:

  1. Download Microsoft's PowerShell script for resource-level enablement of Defender for Servers and save it locally.

  2. Run the script, selecting the target VMs and Arc-enabled machines by tag rather than by name, so machines that later receive the same tag are picked up on the next run.

  3. For ongoing enforcement, use Azure Policy: in the Policy dashboard, assign the built-in definition that configures Defender for Servers (Plan 1 in this example) at the chosen scope.

  4. Configure the assignment to match your tagging strategy, and create a remediation task so existing machines are brought into compliance, not only newly created ones.
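The tag-driven selection in step 2 can be reproduced without the downloaded script by calling the resource-level pricing API directly. The following is an added example written for this article, not Microsoft's script; it assumes the Az.Accounts and Az.Resources modules, Security Admin rights, and that the Microsoft.Security/pricings sub-resource on VMs and Arc machines accepts the api-version shown (resource-level pricing was introduced with api-version 2024-01-01; confirm against the current REST reference). The tag name and value are placeholders.

```powershell
# Added example: enable a Defender for Servers plan on just the machines that
# carry a given tag, using the resource-level pricing API.

$TagName    = 'DefenderPlan'   # placeholder tag used to select machines
$TagValue   = 'P1'             # placeholder; also used as the subPlan to apply ('P1' or 'P2')
$ApiVersion = '2024-01-01'     # assumed resource-level pricing api-version

# Both Azure VMs and Arc-enabled servers expose the pricing sub-resource.
$types = 'Microsoft.Compute/virtualMachines', 'Microsoft.HybridCompute/machines'
$targets = foreach ($t in $types) {
    Get-AzResource -ResourceType $t -TagName $TagName -TagValue $TagValue
}
if (-not $targets) { Write-Warning "No machines tagged $TagName=$TagValue"; return }

$body = @{ properties = @{ pricingTier = 'Standard'; subPlan = $TagValue } } | ConvertTo-Json -Compress

foreach ($r in $targets) {
    $path = "$($r.ResourceId)/providers/Microsoft.Security/pricings/virtualMachines?api-version=$ApiVersion"
    $resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($resp.StatusCode -in 200, 201) {
        "Enabled Plan $TagValue on $($r.Name)"
    } else {
        Write-Warning "Failed on $($r.Name): HTTP $($resp.StatusCode) $($resp.Content)"
    }
}

# Read back one machine to confirm the effective setting at resource level.
$first = $targets | Select-Object -First 1
(Invoke-AzRestMethod -Path "$($first.ResourceId)/providers/Microsoft.Security/pricings/virtualMachines?api-version=$ApiVersion" -Method GET).Content
```

Because the tag value doubles as the sub-plan, a typo in the tag (for example "p1") produces a failed PUT rather than a silently wrong plan; if you prefer a friendlier tag vocabulary, map it to P1/P2 explicitly before the loop.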

By following these steps, you can ensure that your security policies align with your organizational requirements and enhance your overall security posture.

Configuring Alerts

Configuring alerts is essential for monitoring threats in your environment. Defender for Servers raises each alert at the severity the detection warrants; what you tune is which severities are forwarded (email notifications, continuous export, SIEM connectors) and which known-benign patterns are suppressed. Keep these points in mind:

  • The default notification threshold is High: only high-severity alerts are emailed, which keeps noise down and focuses the team on what matters.

  • Lowering the threshold to Medium or Low forwards more alerts. You see more, but the share of low-value and false-positive alerts rises; pair a lower threshold with alert suppression rules for patterns you have verified as benign.

  • For evaluation, lower the threshold to Low in a test subscription so you see the full range of alerts, and use Defender for Cloud's sample alerts to confirm the notification and export pipeline end to end before relying on it in production.

By carefully configuring alerts, you can maintain a balance between being informed of potential threats and avoiding alert fatigue.
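The notification threshold lives on the subscription's default security contact, and it is worth setting from code so every subscription gets the same value. The block below is an added example for this article, not Microsoft's sample; it assumes the Az.Accounts and Az.Security modules, Security Admin rights, and the 2020-01-01-preview schema of Microsoft.Security/securityContacts (later preview versions changed the property names, so verify before use). Subscription ID and mailbox are placeholders, and the StartTimeUtc property used for the age filter is an assumption about the alert object shape.

```powershell
# Added example: set the minimal alert severity for email notifications on a
# subscription, read it back, and show what the threshold would have passed.

param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$Emails = 'secops@example.com',                             # placeholder
    [ValidateSet('High', 'Medium', 'Low')][string]$MinimalSeverity = 'High'
)

$path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview"

$payload = @{
    properties = @{
        emails              = $Emails
        alertNotifications  = @{ state = 'On'; minimalSeverity = $MinimalSeverity }
        notificationsByRole = @{ state = 'On'; roles = @('Owner') }
    }
} | ConvertTo-Json -Depth 5

$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $payload
if ($resp.StatusCode -notin 200, 201) { throw "HTTP $($resp.StatusCode): $($resp.Content)" }

# Read back what is now in force rather than trusting the PUT.
$current = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
$current.properties | Select-Object emails, alertNotifications

# Instead of lowering the threshold on production "to see something", look at
# the severity mix of the last seven days of alerts in this subscription.
# StartTimeUtc is assumed to be the alert's start timestamp property.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
Get-AzSecurityAlert |
    Where-Object { $_.StartTimeUtc -gt (Get-Date).ToUniversalTime().AddDays(-7) } |
    Group-Object Severity |
    Select-Object Name, Count
```

Run the last query before and after a threshold change: if Medium alerts outnumber High alerts ten to one, lowering the threshold will flood the mailbox, and a suppression rule plus a SIEM route for Medium is the better design.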

Implementing these configuration steps will significantly enhance your security management capabilities with Microsoft Defender for Servers.

Troubleshooting Defender for Servers

Connectivity Issues

You may encounter connectivity issues while setting up Microsoft Defender for Servers. They block onboarding, telemetry and policy delivery alike. Common cases and their checks:

Azure Arc connection issues

  1. Check Arc agent status: azcmagent show

  2. Reconnect if needed: azcmagent disconnect, then azcmagent connect --resource-group ...

  3. Verify network connectivity: Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443

Log Analytics agent errors

  1. Check agent configuration: Get-ItemProperty -Path ...

  2. Test workspace connectivity: Test-NetConnection -ComputerName "$workspaceId.ods.opinsights.azure.com" -Port 443

  3. Restart the agent service: Restart-Service -Name HealthService

Caveat: HealthService is the legacy Log Analytics agent (MMA), which Microsoft retired in August 2024. Current Defender for Servers deployments rely on the Defender for Endpoint sensor and agentless scanning, not on MMA; if these errors come from a legacy install, removing the agent is usually the right fix rather than restarting it. A proxy or firewall that allows login.microsoftonline.com but not the Arc, Azure Resource Manager or Defender for Endpoint endpoints is the most common root cause, so test every required endpoint, not only the first one.
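One diagnostic pass that covers the checks above is easier to hand to an on-call engineer than a list of commands. The script below is an added example for this article, not a Microsoft tool; it assumes an elevated Windows PowerShell session on the affected server, that the Arc agent's own azcmagent check subcommand is available on the installed agent version, and that the hostnames listed are the Entra ID, Azure Resource Manager, Azure Arc and Log Analytics endpoints relevant to your region (add the Defender for Endpoint endpoints for your geography from Microsoft's connectivity list). The workspace ID is a placeholder.

```powershell
# Added example: one connectivity pass for the failure modes listed above.
# Run elevated on the affected Windows Server.

$WorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder

function Test-DefenderEndpoints {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
    }
}

$endpoints = @(
    'login.microsoftonline.com'                      # Entra ID token endpoint
    'management.azure.com'                           # Azure Resource Manager
    'gbl.his.arc.azure.com'                          # Arc hybrid identity service
    'agentserviceapi.guestconfiguration.azure.com'   # Arc guest configuration
    "$WorkspaceId.ods.opinsights.azure.com"          # Log Analytics ingestion
)
$results = Test-DefenderEndpoints -Hosts $endpoints
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) { Write-Warning ("Blocked on 443: " + ($blocked.Host -join ', ')) }

# Arc agent: connection state, then the agent's own endpoint check.
if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
    azcmagent show
    azcmagent check
} else {
    Write-Warning 'azcmagent not found: not an Arc-enabled machine, or the agent is not installed.'
}

# MDE sensor onboarding state from the registry (1 = onboarded).
$mdeKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$mde = Get-ItemProperty -Path $mdeKey -ErrorAction SilentlyContinue
if ($mde) { "MDE OnboardingState = $($mde.OnboardingState)" } else { Write-Warning 'No MDE status key: sensor not onboarded.' }

# Legacy Log Analytics agent (MMA), retired August 2024.
if (Get-Service -Name HealthService -ErrorAction SilentlyContinue) {
    Write-Warning 'Legacy Log Analytics agent (HealthService) present; Defender for Servers no longer requires it.'
}
```

A TcpTestSucceeded of True through an inspecting proxy does not prove the TLS handshake will succeed; if every endpoint passes here but the agent still fails, check for TLS interception on the proxy, which the Arc and Defender for Endpoint agents reject.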

By following these steps, you can resolve most connectivity issues and ensure that your Defender for Servers setup runs smoothly.

Policy Application Errors

Policy application errors can also occur during onboarding, typically when the auto-provisioning or Azure Policy assignment that should deploy the Defender for Endpoint extension never reaches a machine. Because those deployments travel over the same channels as telemetry, start with the connectivity checks above (Arc agent status, reconnect, endpoint reachability, workspace connectivity, service restart). If connectivity is healthy, work through these policy-specific checks:

  1. Confirm the machine is in scope of the assignment (subscription, resource group, tag filters) and not covered by an exemption.

  2. For DeployIfNotExists and Modify policies, confirm the assignment's managed identity exists and holds the role the definition requires at that scope; without it the deployment fails silently.

  3. Policies act on new or changed resources by default. Create a remediation task from the assignment so existing machines receive the extension.

  4. Check the resource's compliance state (Policy > Compliance, or Get-AzPolicyState) and open the failed deployment under the resource's Deployments blade for the actual error message.

  5. If the extension is present but unhealthy, look at its status under the VM's or Arc machine's Extensions + applications blade and at the extension log on the host.

Working through these checks resolves most policy application errors and gets your security policies enforced across all servers.

Best Practices for Microsoft Defender


Regular Updates

To maintain optimal security with Microsoft Defender for Servers, keep three things current: security intelligence (signatures), the antimalware engine, and the Defender platform. Only the first changes several times a day; the engine and platform ship monthly. Key points:

  • Update Frequency: Let the local agent check for security intelligence often. The recommendation here is a four-hour check interval (the signature update interval setting, set locally or through Intune or Group Policy); signatures are published many times a day, so a daily check leaves a needless gap.

  • Automatic Updates: Enable automatic updates for Defender security intelligence, for the platform and engine (delivered through Windows Update or WSUS), and for the OS itself. Running an outdated platform means new engine features and detections cannot load.
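Applied on a host, the two bullets above come down to one preference and one freshness check. The script below is an added example written for this article, not Microsoft's; it assumes an elevated PowerShell session on a Windows Server with Defender Antivirus, and that Defender is not already locked by a central policy (Intune or Group Policy values overwrite the local interval, so set it there if the server is managed).

```powershell
# Added example: set a 4-hour security intelligence check interval, force an
# update now, and report signature/engine/platform freshness.

function Get-DefenderUpdateAge {
    param([int]$MaxSignatureAgeHours = 24)
    $s   = Get-MpComputerStatus
    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        SignatureVersion  = $s.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round($age.TotalHours, 1)
        SignatureStale    = $age.TotalHours -gt $MaxSignatureAgeHours
        EngineVersion     = $s.AMEngineVersion
        PlatformVersion   = $s.AMProductVersion
    }
}

# Check for security intelligence every 4 hours (the setting accepts 1-24 hours).
Set-MpPreference -SignatureUpdateInterval 4

# Pull the latest security intelligence now from Microsoft Update.
Update-MpSignature -UpdateSource MicrosoftUpdateServer

$report = Get-DefenderUpdateAge -MaxSignatureAgeHours 24
$report | Format-List
if ($report.SignatureStale) {
    Write-Warning "Signatures are $($report.SignatureAgeHours) h old; check proxy, WSUS or Microsoft Update reachability."
}
```

Alert on SignatureStale from your monitoring rather than on the interval setting: the interval only says how often the agent tries, while the signature age says whether the attempts succeed.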

Outdated installations carry several risks:

  • Installation failures: an out-of-date platform can fail to apply the next update, particularly on machines with slow disks where the update times out.

  • Limited functionality: the agent falls back to basic operation, and newer protection features do not load.

  • User interaction issues: features that depend on user interaction may not behave as expected, reducing overall protection.

Monitoring Security

Monitoring your security environment is crucial for identifying threats and vulnerabilities. Microsoft Defender for Servers feeds several integrated tools that help you maintain a secure posture:

  • Log Analytics / Azure Monitor Agent: use a Log Analytics workspace, populated by Defender for Cloud's continuous export (and by the Azure Monitor Agent for OS-level logs), as the store you query and alert on. The older Log Analytics agent is retired and should not be deployed.

  • Defender for Endpoint Integration: provides the endpoint detection and response (EDR) capabilities, with alerts surfacing in both Defender for Cloud and Microsoft Defender XDR.

  • Vulnerability Assessment: use Microsoft Defender Vulnerability Management (Plan 2) to discover, prioritize and remediate vulnerabilities in your environment.

You can track and analyze security events using these features:

  • Attack Surface Reduction: lowers the risk of attack through proactive hardening rules.

  • Next-Generation Protection: real-time scanning and protection, including Microsoft Defender Antivirus.

  • EDR: threat analytics, automated investigation and response, and advanced hunting.

  • Vulnerability Assessment: integrates with Microsoft Defender Vulnerability Management for assessing and mitigating vulnerabilities.

By implementing these best practices, you can significantly enhance the security of your servers and ensure that Microsoft Defender for Servers operates effectively.
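With alerts flowing into a Log Analytics workspace, the monitoring loop is a query you run on a schedule. The block below is an added example for this article, not Microsoft's sample; it assumes the Az.OperationalInsights module, that continuous export (or the Defender XDR connector) writes the SecurityAlert table into the workspace, and that the ProductName values shown are the ones your connectors emit. The workspace ID is a placeholder.

```powershell
# Added example: pull Defender for Servers alerts from a Log Analytics workspace
# with a KQL query run from PowerShell, then route the serious ones.

$WorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder

# Alerts from the last 24 h, grouped per machine and alert name, worst severity first.
# ProductName values are assumptions about what your connectors write; adjust if yours differ.
$kql = @'
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName in ("Azure Security Center", "Microsoft Defender Advanced Threat Protection")
| extend Sev = case(AlertSeverity == "High", 3, AlertSeverity == "Medium", 2, AlertSeverity == "Low", 1, 0)
| summarize Count = count(), LastSeen = max(TimeGenerated), MaxSeverity = max(Sev)
    by CompromisedEntity, AlertName
| order by MaxSeverity desc, LastSeen desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = $result.Results
$rows | Format-Table CompromisedEntity, AlertName, Count, MaxSeverity, LastSeen -AutoSize

# Hand only Medium and above to the paging channel; everything else stays in the workspace.
$rows | Where-Object { [int]$_.MaxSeverity -ge 2 } | ForEach-Object {
    '[sev {0}] {1} on {2} (x{3}, last {4})' -f $_.MaxSeverity, $_.AlertName, $_.CompromisedEntity, $_.Count, $_.LastSeen
}
```

Grouping by machine and alert name before routing is the point: a credential-dumping alert repeated forty times on one server is one incident, and a page per occurrence is how alert fatigue starts.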

 

In summary, configuring Microsoft Defender for Servers involves several critical steps. You must ensure your systems meet the prerequisites, access the Azure portal, enable server protection, and set security policies. Regular updates and monitoring are essential for maintaining a robust security posture.

Remember to take proactive measures after configuration. For instance, use network protection to block malicious sites and respond swiftly to threats.

By following these best practices, you can significantly enhance your server security. Take action today and implement these configurations to protect your organization effectively.

FAQ

What is Microsoft Defender for Servers?

Microsoft Defender for Servers is a cloud-based security solution that protects your servers from threats. It provides advanced threat detection, vulnerability management, and security policy enforcement to enhance your overall security posture.

How do I know if my server meets the system requirements?

To check if your server meets the system requirements, verify the Windows version and ensure it aligns with the supported versions listed in the official documentation. You can also check for necessary extensions if using Azure.

Can I use Microsoft Defender for Servers on Linux?

Yes, Microsoft Defender for Servers supports Linux systems. Ensure you follow the specific installation and configuration guidelines provided in the official documentation for Linux environments.

How often should I update Microsoft Defender for Servers?

Security intelligence (signature) updates are released many times a day; keep automatic updates on and let the agent check frequently (the recommendation in this article is a four-hour interval). Engine and platform updates arrive monthly through Windows Update or WSUS; keep those automatic as well.

What should I do if I encounter connectivity issues?

If you face connectivity issues, check the Azure Arc agent status and verify network connectivity. Use commands like azcmagent show and Test-NetConnection to troubleshoot and resolve the issues effectively.

Defender for Servers Plan and Defender for Endpoint Integration

What is Microsoft Defender for Servers and how does it relate to Microsoft Defender for Endpoint?

Microsoft Defender for Servers is a server-specific capability within Microsoft Defender for Cloud that provides threat protection, vulnerability management and advanced endpoint protection for Windows Server and Linux servers. It integrates with Microsoft Defender for Endpoint (including Defender for Endpoint Plan 2 features when enabled) so that endpoint telemetry, sensors and threat detection are correlated with cloud signals to yield better protections for servers whether they are in Azure, on-premises or hybrid via Azure Arc-enabled servers.

How do I plan a Defender for Servers deployment and what is the plan and deployment scope?

Planning a Defender for Servers deployment requires choosing the right servers plan in Microsoft Defender, defining scope at subscription or resource level (servers on a subscription or servers at the resource level), and deciding whether to enable Defender for Endpoint extension or use the Defender for Endpoint agent. Review plan and deployment scope to map licensing (plan 1 and plan 2 options), integration with Microsoft Defender for Cloud’s capabilities, and whether Azure Arc-enabled servers will be included. Microsoft Learn has step-by-step guides to help plan defender for servers deployments.

What features does Defender for Servers provide and what is included in Defender for Cloud’s offering?

Defender for Servers features include endpoint protection, adaptive application controls, file integrity monitoring, just-in-time VM access recommendations, and integration with Defender for Vulnerability Management. Defender for Cloud provides security posture management and integrates these server protections with cloud-native controls, compliance assessments such as the Microsoft Cloud Security Benchmark, and the Defender for Cloud portal for centralized monitoring.

How do I enable or disable Defender for Servers and what are the implications of disabling it?

To enable Defender for Servers, turn on the plan at subscription level in the Defender for Cloud portal (or at the level of individual machines with the resource-level option) and keep the Defender for Endpoint integration setting on. Disabling Defender for Servers removes the protections, telemetry collection and vulnerability management for those servers; disabling it on production servers is not recommended unless you have alternative protections in place. If you must disable it temporarily, document the scope and confirm other security controls are active.

How does pricing work for Microsoft Defender for Servers and how does it compare to Microsoft Defender for Cloud pricing?

Defender for servers pricing is typically charged per node and may vary depending on whether you select plan options and add Defender for Endpoint Plan 2 or use Defender for Endpoint for servers as part of an integrated offering. Defender for Cloud pricing pages outline costs for different plans, and organizations should compare defender for servers pricing with bundled Microsoft Cloud Security offerings and any discounts for Azure customers. Review the Defender for Cloud pricing documentation and Microsoft Learn resources for detailed scenarios.

Can I protect Linux servers with Defender for Servers and what agents are required?

Yes, Linux servers are supported. To use defender for servers you will deploy the appropriate Defender for Endpoint agent or the extension for Linux, which integrates with defender for cloud’s vulnerability management and threat detection. Azure Arc-enabled servers and other non-Azure hosts can be onboarded and protected so they are consistently protected by Defender for Servers across environments.

How does vulnerability management integrate with Defender for Servers and should I recommend enabling it?

Defender for Vulnerability Management is integrated with Defender for Servers to provide continuous discovery, prioritization and remediation guidance for server vulnerabilities. It feeds into the Defender for Cloud portal and works with the Defender for Endpoint sensor to collect data. Security teams should recommend enabling Defender for Servers to gain vulnerability management, prioritized findings and remediation workflows that reduce exposure for critical server assets.

What are the common integration points between endpoint protection and Defender for Cloud for servers?

Common integration points include the Defender for Endpoint agent/extension, endpoint integration with Defender for Cloud for unified alerting, the Defender for Endpoint sensor used for advanced detection, and consolidated incident management in the Defender for Cloud portal. These integrations allow servers to be protected by defender for servers while leveraging Defender for Endpoint’s detection capabilities and Defender for Cloud’s broader Microsoft cloud security posture and recommendations.

Which Microsoft Learn resources and best practices should I use to deploy and maintain Defender for Servers?

Use Microsoft Learn modules covering Defender for Cloud, Defender for Endpoint, Azure Arc-enabled servers onboarding, and Defender for Cloud plans. Follow best practices: define your servers plan (plan 1 and plan 2 choices), enable endpoint integration, deploy the Defender for Endpoint agent or extension to all servers (including Linux servers), monitor the Defender for Cloud portal, and align with the Microsoft Cloud Security Benchmark for compliance and configuration guidance.