Select a Defender for Servers plan and deployment scope
This article helps you understand which Defender for Servers plan to deploy in Microsoft Defender for Cloud, and at what scope to enable it.
Before you begin
This is the third article in the Defender for Servers planning guide. Before you begin, review the earlier articles:
- Start planning your deployment.
- Review Defender for Servers access roles.
Review plans
Defender for Servers offers two paid plans:
Defender for Servers Plan 1 is entry-level, and focuses on the endpoint detection and response (EDR) capabilities provided by the Defender for Endpoint integration with Defender for Cloud.
Defender for Servers Plan 2 provides everything in Plan 1, plus:
- Agentless scanning for machine posture scanning, vulnerability assessment, threat protection, malware scanning, and secrets scanning.
- Compliance assessment against various regulatory standards. Available with Defender for Servers Plan 2 or any other paid plan.
- Capabilities provided by premium Microsoft Defender Vulnerability Management.
- A free data ingestion benefit for specific data types.
- OS configuration assessment against compute security baselines in the Microsoft Cloud Security Benchmark.
- OS updates assessment with Azure Updates integrated into Defender for Servers.
- File integrity monitoring to examine files and registries for changes that might indicate an attack.
- Just-in-time machine access to lock down machine ports and reduce attack surfaces.
- Network map to get a geographical view of network recommendations.
For a full list, review Defender for Servers plan features.
Decide on deployment scope
We recommend enabling Defender for Servers at the subscription level. If you need more granularity, you can enable and disable Defender for Servers plans at the resource level, subject to the restrictions in the following table.
| Scope | Plan 1 | Plan 2 |
|---|---|---|
| Enable for Azure subscription | Yes | Yes |
| Enable for resource | Yes | No |
| Disable for resource | Yes | Yes |
- Plan 1 can be enabled and disabled at resource level.
- Plan 2 can't be enabled at the resource level, but you can disable the plan at resource level.
Here are some use case examples to help you decide about Defender for Servers deployment scope.
| Use case | Enabled in subscription | Details | Method |
|---|---|---|---|
| Turn on for a subscription | Yes | We recommend this option. | Turn on in the portal. You can also turn off the plan for an entire subscription in the portal. |
| Turn on Plan 1 for multiple machines | No | You can use a script or policy to enable Plan 1 for a group of machines without turning on the plan for an entire subscription. | In the script, specify the relevant machines using a resource tag or resource group. Then follow the on-screen instructions. With the policy, create the assignment on a resource group, or specify the relevant machines using a resource tag. The tag is customer specific. |
| Turn on Plan 1 for multiple machines | Yes | If Defender for Servers Plan 2 is enabled in a subscription, you can use a script or policy assignment to downgrade a group of machines to Defender for Servers Plan 1. | In the script, specify the relevant machines using a resource tag or resource group. Then follow the on-screen instructions. With the policy, create the assignment on a resource group, or specify the relevant machines using a resource tag. The tag is customer specific. |
| Turn on Plan 1 for individual machines | No | When Defender for Servers isn't enabled in a subscription, you can use the API to turn on Plan 1 for individual machines. | Use the Azure Microsoft Security Pricings operation group. In Update Pricings, use a PUT request to set the `pricingTier` property to `Standard` and the `subPlan` to `P1`. The `pricingTier` property indicates whether the plan is enabled on the selected scope. |
| Turn on Plan 1 for individual machines | Yes | When Defender for Servers Plan 2 is enabled in a subscription, you can use the API to turn on Plan 1, instead of Plan 2, for individual machines in the subscription. | Use the Azure Microsoft Security Pricings operation group. In Update Pricings, use a PUT request to set the `pricingTier` property to `Standard` and the `subPlan` to `P1`. The `pricingTier` property indicates whether the plan is enabled on the selected scope. |
| Turn off a plan for multiple machines | Yes/No | Regardless of whether a plan is turned on or off in a subscription, you can turn off the plan for a group of machines. | Use the script or policy to specify the relevant machines using a resource tag or resource group. |
| Turn off a plan for specific machines | Yes/No | Regardless of whether a plan is turned on or off in a subscription, you can turn off a plan for a specific machine. | In Update Pricings, use a PUT request to set the `pricingTier` property to `Free` and the `subPlan` to `P1`. |
| Delete the plan configuration on individual machines | Yes/No | Remove the configuration from a machine to make the subscription-wide setting effective. | In Update Pricings, use a DELETE request to remove the configuration. |
| Delete the plan configuration on multiple resources | Yes/No | Remove the configuration from a group of resources to make the subscription-wide setting effective. | In the script, specify the relevant machines using a resource group or tag. Then follow the on-screen instructions. |
Learn more about how to deploy the plan on a subscription and on specific resources.
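The following script is an added example, not Microsoft's deployment script or code from this page. It drives the per-machine Update Pricings operations from the table above with `az rest`: enabling Plan 1 on one machine, turning the plan off on one machine, and deleting the machine-level override so the subscription setting applies again, then reading the setting back to confirm what is in effect. It assumes the resource-level pricing URL shape `<machine resource ID>/providers/Microsoft.Security/pricings/VirtualMachines`, the `api-version` value `2024-01-01`, a signed-in Azure CLI session with sufficient permissions on the target machine, and placeholder subscription, resource group and machine names.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): per-machine Defender for Servers
# pricing through the Microsoft.Security/pricings resource-level API.
# Assumptions: api-version 2024-01-01, pricing name "VirtualMachines",
# an existing `az login` session; all names below are placeholders.
set -eu

ARM="https://management.azure.com"
API_VERSION="2024-01-01"   # assumed api-version with resource-level scope support

# Build the resource-scoped pricing URL for an Azure VM ("vm") or an
# Azure Arc-enabled machine ("arc"). Any other kind is rejected.
pricing_url() {
  sub="$1"; rg="$2"; kind="$3"; name="$4"
  case "$kind" in
    vm)  provider="Microsoft.Compute/virtualMachines" ;;
    arc) provider="Microsoft.HybridCompute/machines" ;;
    *)   echo "unknown machine kind: $kind (use vm or arc)" >&2; return 1 ;;
  esac
  printf '%s/subscriptions/%s/resourceGroups/%s/providers/%s/%s/providers/Microsoft.Security/pricings/VirtualMachines?api-version=%s\n' \
    "$ARM" "$sub" "$rg" "$provider" "$name" "$API_VERSION"
}

# HTTP method for each action in the scope table: PUT writes an override,
# DELETE removes it so the subscription-wide setting becomes effective again.
pricing_method() {
  case "$1" in
    enable-p1|disable) echo PUT ;;
    reset)             echo DELETE ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Request body for each action. pricingTier says whether the plan is on at
# this scope; subPlan selects Plan 1. DELETE sends no body.
pricing_body() {
  case "$1" in
    enable-p1) echo '{"properties":{"pricingTier":"Standard","subPlan":"P1"}}' ;;
    disable)   echo '{"properties":{"pricingTier":"Free","subPlan":"P1"}}' ;;
    reset)     echo '' ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Apply an action to one machine, then GET the pricing back so the operator
# sees the setting that is actually in effect rather than trusting the PUT.
apply_pricing() {
  sub="$1"; rg="$2"; kind="$3"; name="$4"; action="$5"
  url="$(pricing_url "$sub" "$rg" "$kind" "$name")"
  method="$(pricing_method "$action")"
  body="$(pricing_body "$action")"
  if [ -n "$body" ]; then
    az rest --method "$method" --url "$url" --body "$body" --output none
  else
    az rest --method "$method" --url "$url" --output none
  fi
  az rest --method GET --url "$url" --query properties --output json
}

# Usage: ./dfs-pricing.sh <subscriptionId> <resourceGroup> <vm|arc> <machineName> <enable-p1|disable|reset>
# Example: ./dfs-pricing.sh 00000000-0000-0000-0000-000000000000 rg-prod arc onprem-db01 enable-p1
if [ "$#" -eq 5 ]; then
  apply_pricing "$@"
fi
```

Run `reset` rather than `disable` when a machine should simply follow the subscription again: `disable` writes an explicit `Free` override that will keep the machine unprotected even after Plan 2 is enabled at subscription level, which is the kind of drift the final GET is there to catch.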
Workspace considerations
Defender for Servers needs a Log Analytics workspace when:
- You deploy Defender for Servers Plan 2 and you want to take advantage of free daily ingestion for specific data types. Learn more.
- You deploy Defender for Servers Plan 2 and you're using file integrity monitoring. Learn more.
Azure Arc onboarding
We recommend that you onboard machines in non-Azure clouds and on-premises to Azure as Azure Arc-enabled machines. Onboarding with Azure Arc lets those machines take full advantage of Defender for Servers features. Azure Arc-enabled machines have the Azure Arc Connected Machine agent installed on them.
- When you use the Defender for Cloud multicloud connector to connect AWS accounts and GCP projects, you can automatically onboard the Azure Arc agent to AWS or GCP servers.
- We recommend that you onboard on-premises machines as Azure Arc-enabled.
- If you onboard on-premises machines by directly installing the Defender for Endpoint agent instead of onboarding them with Azure Arc, Defender for Servers Plan 1 functionality is available. For Defender for Servers Plan 2, in addition to the Plan 1 features, only the premium Defender Vulnerability Management features are available.
Before you deploy Azure Arc:
- Review a full list of operating systems supported by Azure Arc.
- Review the Azure Arc planning recommendations and deployment prerequisites.
- Review networking requirements for the Connected Machine agent.
- Open the network ports for Azure Arc in your firewall.
- Review requirements for the Connected Machine agent:
  - Agent components and data collected from machines.
  - Network and internet access for the agent.
  - Connection options for the agent.
Next steps
Understand how data is collected to Azure.