This chapter covers Microsoft Defender for Servers plans within Microsoft Defender for Cloud, a critical topic for the SC-200 exam. You will learn the differences between Plan 1 and Plan 2, their features, deployment options, and integration with other Microsoft security services. Approximately 10-15% of exam questions touch on Defender for Cloud, with a significant subset focusing on server protection plans. Mastery of this topic is essential for configuring and managing server security in hybrid and multicloud environments.
Imagine a corporate headquarters building (your server infrastructure) that needs security. Plan 1 hires a guard who checks badges at the door (vulnerability assessment via Microsoft Defender Vulnerability Management) and brings a canine unit that sniffs every visitor and every package (endpoint detection and response via the Microsoft Defender for Endpoint sensor, which can flag fileless malware that no metal detector would catch). The guard has a direct line to the police (alerts surfaced in Defender for Cloud and streamable to Microsoft Sentinel) and can tackle an intruder on the spot (automated investigation and remediation). What Plan 1 cannot do is change how the building itself is run. Plan 2 upgrades the guard to a full security team: tamper seals on the server-room doors (file integrity monitoring), a rule that management entrances stay locked until someone requests access for a fixed time window (just-in-time VM access), a list of approved contractors (adaptive application controls), a recommended floor plan for which corridors should be walled off (adaptive network hardening), a compliance auditor who walks the building against PCI DSS and similar checklists (regulatory compliance), and survey drones that inspect every building from outside without entering (agentless scanning). The key difference: Plan 1 detects and responds on the machine; Plan 2 also hardens the machine, reduces its exposure, and produces the compliance evidence.
What is Defender for Servers?
Microsoft Defender for Servers is a cloud-native security solution that provides threat detection, vulnerability management, and advanced protection for servers running in Azure, on-premises, or in other clouds (AWS, GCP). It is part of Microsoft Defender for Cloud and is available in two plans: Plan 1 and Plan 2. The plans are designed to address different security needs and compliance requirements.
Why Two Plans?
The two-tier structure allows organizations to choose the level of protection that matches their risk profile and budget. Plan 1 is built around Microsoft Defender for Endpoint integration: endpoint detection and response (EDR), threat detection, and basic vulnerability assessment. Plan 2 adds posture and hardening capabilities such as file integrity monitoring, just-in-time (JIT) VM access, adaptive application controls, adaptive network hardening, regulatory compliance assessment, and agentless scanning. The exam expects you to know exactly which features belong to each plan.
Plan 1 Features
Microsoft Defender for Endpoint integration: Plan 1 auto-provisions the Defender for Endpoint (MDE) sensor on Azure VMs, Azure Arc-enabled servers, and connected AWS/GCP machines, and includes the MDE server license. This is what provides endpoint detection and response (EDR): real-time telemetry on process creation, network connections, file and registry activity, with behavioral detection of fileless attacks, living-off-the-land binaries, and advanced persistent threats (APTs).
Automated investigation and remediation: An MDE capability, so it is available with Plan 1. When an alert fires, MDE can automatically investigate the scope of the incident and take remediation actions such as isolating the machine or terminating malicious processes.
Vulnerability assessment: Powered by Microsoft Defender Vulnerability Management (MDVM) through the MDE sensor. It continuously assesses the server's software inventory against known vulnerabilities (CVEs) and misconfigurations and provides a prioritized list of findings.
Threat detection and security alerts: Detections from the MDE sensor and from Defender for Cloud's own analytics (for example brute-force attempts or unusual process execution) are surfaced as alerts in Defender for Cloud and can be streamed to Microsoft Sentinel.
Plan 2 Features (All Plan 1 features plus)
Agentless scanning: Defender for Cloud snapshots the VM's disks and scans the snapshot for vulnerabilities, malware, and exposed secrets without installing anything in the guest OS, so it also covers machines where the sensor cannot run.
Network-layer threat detection: Agentless detections for network-level attacks against the VM, complementing the OS-level detections from the sensor.
Security policy and regulatory compliance: Assess servers against standards such as PCI DSS, ISO 27001, and CIS benchmarks and track them in the regulatory compliance dashboard.
MDVM premium capabilities: Adds security baseline assessment and other premium vulnerability management features on top of the basic MDVM assessment in Plan 1.
Free data ingestion: 500 MB per server per day of security-relevant data (such as security events) into the Log Analytics workspace at no extra charge.
File Integrity Monitoring (FIM): Monitors critical files, registry keys, and directories for changes by comparing file hashes (SHA-256) and attributes against a baseline. Changes are collected through the MDE sensor and stored in a Log Analytics workspace. FIM is essential for compliance frameworks like PCI DSS.
Just-in-Time (JIT) VM Access: Reduces the attack surface by locking down inbound traffic to management ports. JIT adds deny rules to the VM's NSG (or Azure Firewall) and opens a port for an approved source address only on request and only for a specified duration (default 3 hours).
Adaptive Application Controls (AAC): Uses machine learning to build allowlists of the applications known to run on groups of servers and alerts when an application that is not on the list runs.
Adaptive Network Hardening (ANH): Recommends tighter NSG rules based on observed traffic patterns and threat intelligence to further restrict access.
Docker Host Security: For Docker hosts running on servers, Plan 2 assesses the host configuration against the CIS Docker benchmark and surfaces hardening recommendations.
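As an added example (not code from this page or from Microsoft), the following Python models the mechanism behind FIM: it takes a SHA-256 baseline of a directory tree and classifies later changes as added, removed, or modified, which is exactly the information an FIM alert carries. The directory it baselines is constructed in a temporary folder, so it runs offline; the file names and contents are made up for the scenario.

```python
"""File-integrity baseline and diff, modelling what FIM does with SHA-256.

Added example, not code from this page or from Microsoft. The directory
tree it baselines is constructed in a temporary folder, so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def diff_baselines(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify changes the way an FIM alert does: added, removed, modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("welcome\n")
        before = build_baseline(root)

        # Attacker-style changes: weaken sshd, add a uid-0 user, remove a file,
        # and drop a cron job for persistence.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        with (root / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "motd").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")
        after = build_baseline(root)
    return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The real product also records who changed the file and when; the point here is that the baseline is a table of hashes, so a modified file is detected by content, not by timestamp, which an attacker can reset.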
How It Works Internally
When you enable Defender for Servers on a subscription, the following components come into play:
Microsoft Defender for Endpoint sensor (both plans): Defender for Cloud auto-provisions the MDE extension (MDE.Windows or MDE.Linux) on Azure VMs and Azure Arc-enabled servers. The sensor monitors process creation, network connections, file system and registry activity, sends telemetry to the MDE cloud service, and is the source of EDR alerts and MDVM findings. The Log Analytics agent (MMA) that earlier releases relied on was retired in August 2024 and is no longer required for Defender for Servers.
Vulnerability scanner: MDVM reads the machine's software inventory through the MDE sensor and matches it against known CVEs. Assessment is continuous; there is no user-scheduled scan interval. In Plan 2, agentless scanning adds a second, sensor-independent view by scanning disk snapshots on a Microsoft-managed schedule.
Agentless scanning (Plan 2 only): Defender for Cloud takes a snapshot of the VM's disks and analyzes it outside the machine. Because nothing runs inside the guest, it works even where the sensor cannot be installed and has no performance impact on the workload.
Threat intelligence feeds: Defender for Cloud enriches detections with Microsoft's global threat intelligence and correlates events across the resources in a subscription to raise alerts and incidents.
Key Configuration Values
Default JIT access duration: 3 hours (the maximum request time is configurable per port, up to 24 hours).
FIM change collection: With the Defender for Endpoint-based FIM, changes are collected by the sensor as they are detected and written to the Log Analytics workspace; there is no user-configurable polling interval.
Log Analytics workspace retention: Default 30 days of interactive retention, adjustable up to 2 years (longer archive retention is configured separately).
Vulnerability assessment scan frequency: Continuous for sensor-based MDVM (both plans); agentless scans (Plan 2) run on a Microsoft-managed schedule rather than on demand.
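As an added example (not code from this page or from Microsoft), the Python below shows the two halves of JIT that the configuration values above refer to. The first half builds a JIT policy body in the shape used by the Microsoft.Security jitNetworkAccessPolicies REST API (kind "Basic", a virtualMachines list, and per-port maxRequestAccessDuration as an ISO 8601 duration such as PT3H) and enforces the 24-hour ceiling. The second half is a simplified in-memory model of an NSG, showing why a lock-down deny rule plus a temporary allow rule closes a management port to everyone except the approved source for the approved window; the rule names, priorities, and the in-memory rule format are this example's own assumptions, not what the service writes.

```python
"""JIT policy construction plus a model of the NSG rule changes JIT makes.

Added example, not code from this page or from Microsoft. The policy body
mirrors the jitNetworkAccessPolicies REST shape; the NSG model (rule names,
priorities, fields) is an assumption used only to illustrate the mechanism.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

MAX_JIT_HOURS = 24       # ceiling on maxRequestAccessDuration per port
DEFAULT_JIT_HOURS = 3    # default request duration


def iso_duration(hours: int) -> str:
    """Return an ISO 8601 duration (PT3H) and reject anything outside 1..24 hours."""
    if not 1 <= hours <= MAX_JIT_HOURS:
        raise ValueError(f"JIT duration must be 1..{MAX_JIT_HOURS} hours, got {hours}")
    return f"PT{hours}H"


def build_jit_policy(vm_resource_id: str, ports, max_hours: int = DEFAULT_JIT_HOURS,
                     allowed_source: str = "*") -> dict:
    """Policy body for one VM; one entry per management port."""
    return {
        "kind": "Basic",
        "properties": {
            "virtualMachines": [{
                "id": vm_resource_id,
                "ports": [{
                    "number": port,
                    "protocol": "TCP",
                    "allowedSourceAddressPrefix": allowed_source,
                    "maxRequestAccessDuration": iso_duration(max_hours),
                } for port in ports],
            }]
        },
    }


def _source_matches(prefix: str, source_ip: str) -> bool:
    if prefix == "*":
        return True
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(prefix, strict=False)


def _outranking_priority(rules, port: int) -> int:
    """Lower number wins in an NSG: step in front of every existing rule for the port."""
    current = [r["priority"] for r in rules if r["port"] == port]
    return (min(current) if current else 4000) - 10


def lock_down(rules, port: int) -> None:
    """JIT's first step: a deny rule that outranks any pre-existing allow for the port."""
    rules.append({"name": f"jit-deny-{port}", "priority": _outranking_priority(rules, port),
                  "port": port, "source": "*", "access": "Deny", "expires": None})


def approve_request(rules, port: int, source_ip: str, hours: int, now: datetime) -> datetime:
    """An approved request: a temporary allow for one source that outranks the deny."""
    iso_duration(hours)                      # enforce the same ceiling as the policy
    expires = now + timedelta(hours=hours)
    rules.append({"name": f"jit-allow-{port}-{source_ip}", "priority": _outranking_priority(rules, port),
                  "port": port, "source": f"{source_ip}/32", "access": "Allow", "expires": expires})
    return expires


def effective_access(rules, port: int, source_ip: str, now: datetime) -> str:
    """Evaluate like an NSG: first matching rule by priority; expired JIT allows are gone."""
    live = [r for r in rules if r["port"] == port and (r["expires"] is None or r["expires"] > now)]
    for rule in sorted(live, key=lambda r: r["priority"]):
        if _source_matches(rule["source"], source_ip):
            return rule["access"]
    return "Deny"   # stands in for the NSG's default DenyAllInBound rule


def demo() -> dict:
    """Constructed walk-through: an RDP port open to the internet, then JIT."""
    now = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    rules = [{"name": "allow-rdp-from-anywhere", "priority": 300, "port": 3389,
              "source": "*", "access": "Allow", "expires": None}]
    out = {"before_jit": effective_access(rules, 3389, "198.51.100.7", now)}
    lock_down(rules, 3389)
    out["after_lockdown"] = effective_access(rules, 3389, "198.51.100.7", now)
    expires = approve_request(rules, 3389, "203.0.113.10", DEFAULT_JIT_HOURS, now)
    later = now + timedelta(hours=2)
    out["requester_in_window"] = effective_access(rules, 3389, "203.0.113.10", later)
    out["other_ip_in_window"] = effective_access(rules, 3389, "198.51.100.7", later)
    out["requester_after_expiry"] = effective_access(rules, 3389, "203.0.113.10", expires + timedelta(minutes=1))
    try:
        approve_request(rules, 3389, "203.0.113.10", 25, now)
        out["oversized_request_rejected"] = False
    except ValueError:
        out["oversized_request_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The walk-through makes the exam point concrete: the port is closed by default, open only to the requester's address for the requested hours, and closed again automatically when the window ends, without anyone having to remember to remove the rule.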
Deployment Options
Azure VMs: Enable via Defender for Cloud's Environment Settings > Defender plans. The Defender for Endpoint extension is auto-provisioned if it is not already present.
On-premises servers: Install the Azure Connected Machine agent and onboard the server to Azure Arc. Once it exists as an Arc-enabled server resource, the subscription's Defender for Servers plan applies to it and the Defender for Endpoint extension is auto-provisioned.
AWS EC2 instances: Use the AWS connector in Defender for Cloud. The connector auto-provisions the Azure Arc agent on the EC2 instances (via AWS Systems Manager), after which the Defender for Endpoint extension is deployed through Arc.
GCP VMs: Same pattern as AWS, via the GCP connector: Arc is auto-provisioned on the VM instances and the sensor follows.
Integration with Other Services
Microsoft Sentinel: All Defender for Cloud alerts can be streamed to Sentinel through the Defender for Cloud data connector for SIEM and SOAR capabilities.
Microsoft Defender for Endpoint: The EDR in both plans is powered by MDE. Alerts from MDE appear in Defender for Cloud, and the machine appears in the Defender portal's device inventory.
Azure Policy: Defender for Cloud uses Azure Policy to enforce security configurations, such as requiring the Defender for Endpoint extension on VMs and Arc-enabled servers.
Automation: JIT requests and adaptive control changes are exposed through the Azure REST API and CLI, so they can be automated with Azure Automation runbooks or with Defender for Cloud workflow automation (Logic Apps).
Exam Tips
Remember that Plan 2 includes FIM, JIT, AAC, ANH, agentless scanning, and regulatory compliance. Plan 1 does not. EDR (via Defender for Endpoint) is in both plans.
The vulnerability scanner in Plan 1 is the same as in Plan 2 (MDVM). Plan 2 adds agentless scanning and the MDVM premium capabilities; the difference is in coverage and posture features, not in the quality of the sensor-based scan.
For on-premises servers, Azure Arc is mandatory. Without Arc, you cannot enable Defender for Servers.
JIT VM access is a Plan 2 feature that reduces the brute-force attack surface on management ports such as RDP (3389) and SSH (22).
FIM is often tested in the context of compliance (e.g., PCI DSS requirement 11.5, numbered 11.5.2 in PCI DSS v4.0).
Adaptive Application Controls require a learning period (at least 7 days) before they become effective.
Command Examples
Enable Defender for Servers Plan 2 on a subscription using Azure CLI:
az security pricing create --name VirtualMachines --tier Standard --subplan P2
Check the current pricing tier and sub-plan:
az security pricing show --name VirtualMachines --query "{tier:pricingTier, subPlan:subPlan}"
For PowerShell (Az.Security module):
Set-AzSecurityPricing -Name VirtualMachines -PricingTier Standard -SubPlan P2
Note: the pricing tier is 'Standard' for both plans (the default 'Free' means Defender for Servers is off); the plan itself is selected with the sub-plan value 'P1' or 'P2'. There is no separate 'Standard2' tier.
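As an added example (not code from this page or from Microsoft), the Python below reads the JSON that az security pricing list or show prints, reports whether Defender for Servers is off, on Plan 1, or on Plan 2, and checks that against the features a scenario requires, printing the exact enable command when the plan falls short. The sample JSON is constructed to mirror the name, pricingTier, and subPlan fields the CLI returns, and the feature-to-plan table encodes this page's own mapping.

```python
"""Audit the Defender for Servers plan from 'az security pricing' output and
check it against the features a scenario requires.

Added example, not code from this page or from Microsoft. SAMPLE_PRICING is
constructed to mirror the 'name', 'pricingTier', and 'subPlan' fields the
CLI returns; the feature-to-plan table encodes this page's own mapping.
"""
import json

# Minimum plan that provides each feature. EDR (Defender for Endpoint) is in both plans.
FEATURE_MIN_PLAN = {
    "edr": "P1",
    "vulnerability_assessment": "P1",
    "alerts": "P1",
    "fim": "P2",
    "jit": "P2",
    "adaptive_application_controls": "P2",
    "adaptive_network_hardening": "P2",
    "agentless_scanning": "P2",
    "regulatory_compliance": "P2",
}
PLAN_RANK = {None: 0, "P1": 1, "P2": 2}

# Constructed sample of `az security pricing list -o json` for one subscription.
SAMPLE_PRICING = """
{
  "value": [
    {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1",
     "freeTrialRemainingTime": "PT0S"},
    {"name": "StorageAccounts", "pricingTier": "Free", "subPlan": null,
     "freeTrialRemainingTime": "P30D"}
  ]
}
"""


def server_plan(pricing_json: str):
    """Return 'P1', 'P2', or None when Defender for Servers is off.

    Accepts the list shape ({"value": [...]} or a bare list) and the single
    object that `az security pricing show` prints.
    """
    data = json.loads(pricing_json)
    if isinstance(data, dict) and "value" in data:
        data = data["value"]
    items = data if isinstance(data, list) else [data]
    for item in items:
        if item.get("name") == "VirtualMachines":
            if item.get("pricingTier") != "Standard":
                return None              # 'Free' means the plan is off
            return item.get("subPlan")   # 'P1' or 'P2'
    return None


def minimum_plan(required_features):
    """Smallest plan covering every required feature (None if nothing is required)."""
    unknown = set(required_features) - set(FEATURE_MIN_PLAN)
    if unknown:
        raise KeyError(f"unknown feature(s): {sorted(unknown)}")
    return max((FEATURE_MIN_PLAN[f] for f in required_features),
               key=lambda p: PLAN_RANK[p], default=None)


def gap_report(pricing_json: str, required_features) -> dict:
    """Compare the current plan with what the requirements need and suggest the fix."""
    current = server_plan(pricing_json)
    needed = minimum_plan(required_features)
    ok = PLAN_RANK[current] >= PLAN_RANK[needed]
    fix = None
    if not ok:
        # The tier is always Standard; the plan is selected by the sub-plan value.
        fix = f"az security pricing create --name VirtualMachines --tier Standard --subplan {needed}"
    return {"current": current, "required": needed, "ok": ok, "fix": fix}


if __name__ == "__main__":
    print(gap_report(SAMPLE_PRICING, ["edr", "vulnerability_assessment"]))
    print(gap_report(SAMPLE_PRICING, ["fim", "jit"]))
```

Feed it real output with something like az security pricing list -o json piped into a file; the mapping table is also a compact way to memorize the exam's feature-to-plan questions.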
Troubleshooting
If the Defender for Endpoint extension (MDE.Windows or MDE.Linux) fails to provision, confirm that the 'Endpoint protection' auto-provisioning setting is enabled in Environment Settings, that the operating system is supported (Windows Server 2012 R2 or later, or a supported Linux distribution on kernel 3.10 or later), and that the machine can reach the Defender for Endpoint cloud service endpoints through any proxy or firewall. Use the Microsoft Defender for Endpoint client analyzer tool on the machine to diagnose sensor health and connectivity.
Summary of Plan Differences
Plan 1: Defender for Endpoint integration (EDR, automated investigation and remediation), sensor-based vulnerability assessment (MDVM), threat detection and alerts.
Plan 2: All of Plan 1 plus agentless scanning, regulatory compliance, 500 MB/day free data ingestion, MDVM premium capabilities, FIM, JIT, AAC, ANH.
Cost: Plan 2 is approximately 3x the list price of Plan 1 per server (billed hourly; prices vary by region).
The exam will present scenarios where you must choose the appropriate plan based on requirements. For example, if a compliance mandate requires FIM, you need Plan 2. If the requirement is EDR plus vulnerability scanning, Plan 1 suffices.
Onboard server to Defender for Cloud
First, ensure the server is visible in Defender for Cloud. Azure VMs appear automatically because they are already Azure resources. For on-premises servers, install the Azure Connected Machine agent and connect the machine to Azure Arc. For AWS/GCP, configure the multicloud connector; it creates an Arc-enabled server resource in Azure that represents the external VM. Once onboarded, the server appears in the Inventory blade.
Enable Defender for Servers plan
In Defender for Cloud, navigate to Environment Settings > Select subscription > Defender plans. Toggle 'Servers' to On and choose Plan 1 or Plan 2. Both plans turn on Microsoft Defender for Endpoint integration. The pricing tier becomes Standard with sub-plan P1 or P2. Billing is per server per hour.
Deploy the Defender for Endpoint sensor (both plans)
With either plan, Defender for Cloud auto-provisions the MDE.Windows or MDE.Linux extension on Azure VMs and Azure Arc-enabled servers when the 'Endpoint protection' auto-provisioning setting is enabled. The extension onboards the machine to the Defender for Endpoint tenant and the sensor begins sending telemetry. If auto-provisioning is disabled or the extension cannot be used, onboard manually with the MDE onboarding package for the operating system. The Log Analytics agent is no longer part of this step; it was retired in August 2024. Without the sensor there is no EDR, no sensor-based vulnerability assessment, and no FIM. Sensor health can be monitored in the Defender portal's device inventory or in Defender for Cloud's inventory.
Configure additional features (Plan 2 only)
For JIT VM access, enable it in Defender for Cloud's 'Just-in-time VM access' blade (or from the VM's own Configuration page) and choose the ports, allowed source addresses, and maximum request time. For FIM, enable it in the Plan 2 settings, select the Log Analytics workspace it writes to, and choose which files and registry keys to monitor (Microsoft supplies recommended Windows and Linux sets). For Adaptive Application Controls, enable it and allow a learning period (7+ days). These features require Plan 2 and may need additional permissions (e.g., write access to the NSG for JIT).
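Once the steps above are done, the check a practitioner wants is whether the sensor actually landed on every machine the plan is supposed to cover. The following Python is an added example (not code from this page or from Microsoft): it walks a constructed inventory whose extension records mirror the name, publisher, and provisioningState fields of az vm extension list and az connectedmachine extension list, classifies each machine, and states the next action. The kind and os labels and the SAMPLE_MACHINES data are this example's own.

```python
"""Coverage check for the Defender for Endpoint extension after enabling a plan.

Added example, not code from this page or from Microsoft. SAMPLE_MACHINES is
constructed; the extension records mirror the 'name', 'publisher', and
'provisioningState' fields of `az vm extension list` and
`az connectedmachine extension list`; kind/os labels are this example's own.
"""

MDE_PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
EXPECTED_EXTENSION = {"Windows": "MDE.Windows", "Linux": "MDE.Linux"}
STATUSES = ("healthy", "failed", "missing", "not-onboarded", "unsupported-os")

SAMPLE_MACHINES = [
    {"name": "web01", "kind": "azure-vm", "os": "Windows",
     "extensions": [{"name": "MDE.Windows", "publisher": MDE_PUBLISHER,
                     "provisioningState": "Succeeded"}]},
    {"name": "db01", "kind": "azure-vm", "os": "Linux",
     "extensions": [{"name": "MDE.Linux", "publisher": MDE_PUBLISHER,
                     "provisioningState": "Failed"}]},
    {"name": "dc01", "kind": "arc-enabled", "os": "Windows", "extensions": []},
    {"name": "legacy01", "kind": "not-onboarded", "os": "Windows", "extensions": []},
    {"name": "nas01", "kind": "arc-enabled", "os": "FreeBSD", "extensions": []},
]


def sensor_status(machine: dict) -> str:
    """Classify one machine by the state of its Defender for Endpoint extension."""
    if machine["kind"] == "not-onboarded":
        return "not-onboarded"          # no Arc resource: the subscription plan cannot reach it
    expected = EXPECTED_EXTENSION.get(machine["os"])
    if expected is None:
        return "unsupported-os"
    for ext in machine.get("extensions", []):
        if ext.get("name") == expected and ext.get("publisher") == MDE_PUBLISHER:
            return "healthy" if ext.get("provisioningState") == "Succeeded" else "failed"
    return "missing"


def coverage_report(machines) -> dict[str, list[str]]:
    """Group machine names by sensor status; every status key is always present."""
    report: dict[str, list[str]] = {status: [] for status in STATUSES}
    for machine in machines:
        report[sensor_status(machine)].append(f'{machine["name"]} ({machine["kind"]})')
    return report


def next_action(machine: dict):
    """What to do about a machine that is not covered (None when it is)."""
    return {
        "healthy": None,
        "failed": "run the Defender for Endpoint client analyzer on the machine and check "
                  "outbound access to the MDE service endpoints",
        "missing": "check that the Endpoint protection auto-provisioning setting is on, "
                   "or onboard with the MDE onboarding package",
        "not-onboarded": "onboard the machine to Azure Arc first; nothing else can be deployed until then",
        "unsupported-os": "the sensor cannot run here; rely on agentless scanning (Plan 2, cloud VMs only) "
                          "or a compensating control",
    }[sensor_status(machine)]


if __name__ == "__main__":
    for status, names in coverage_report(SAMPLE_MACHINES).items():
        print(f"{status:15s} {names}")
    for machine in SAMPLE_MACHINES:
        action = next_action(machine)
        if action:
            print(f'{machine["name"]}: {action}')
```

Run against real data by exporting each machine's extension list to JSON and building the same records; the "not-onboarded" bucket is the one the exam cares about, because those are the on-premises servers that never got Azure Arc.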
In a typical enterprise deployment, a global financial services company runs thousands of servers across Azure, on-premises, and AWS. They require compliance with PCI DSS and SOC 2, which mandate vulnerability scanning, file integrity monitoring, and access control. They choose Defender for Servers Plan 2 for all production servers. The security team enables JIT VM access for all Azure VMs, so management ports are closed to the internet except during approved, time-limited access windows. FIM monitors critical system files and registry keys, alerting on unauthorized changes, and the regulatory compliance dashboard tracks the PCI DSS controls. When the Defender for Endpoint sensor detects a fileless attack using PowerShell, it automatically isolates the affected server and the alert flows into Microsoft Sentinel for investigation. The team uses MDE's automated investigation to contain the threat within minutes, preventing lateral movement.
A second scenario involves a mid-sized healthcare provider running only Azure VMs. They have budget constraints and need EDR, vulnerability scanning, and basic threat detection, so they opt for Plan 1. The vulnerability scanner identifies a critical CVE in a web server and the team patches it within hours, and the Defender for Endpoint sensor later detects a ransomware precursor that uses living-off-the-land binaries and isolates the machine. However, without JIT their RDP ports stay open to the internet between maintenance windows, without FIM they have no change-tracking evidence for system files to show HIPAA auditors, and without agentless scanning any machine where the sensor cannot run has no findings at all. This highlights the trade-off of choosing Plan 1 when hardening and compliance evidence are requirements.
Common misconfigurations include: not onboarding on-premises servers to Azure Arc, leaving them unprotected; mixing plans across subscriptions without understanding that Plan 2 features are not available in Plan 1 subscriptions; leaving the 'Endpoint protection' auto-provisioning setting off so the sensor never reaches new machines; and forgetting to configure the Log Analytics workspace retention period, causing loss of historical FIM and security event data needed for compliance. Performance considerations: the MDE sensor's CPU and memory footprint is small on a typical server, but on machines with very limited resources (e.g., 1 GB RAM) the overhead can be noticeable; agentless scanning in Plan 2 adds no load to the guest at all. Scaling: Defender for Cloud can handle tens of thousands of servers per tenant, but alert volume can overwhelm a SOC if not tuned. Use suppression rules and workflow automation to manage noise.
The SC-200 exam tests Defender for Servers Plans under objective 3.1 'Configure and manage Microsoft Defender for Cloud'. Specific sub-objectives include: differentiate between Plan 1 and Plan 2 features, enable plans on subscriptions, deploy agents, and configure advanced features like JIT and FIM.
Common wrong answers candidates choose: 1. 'Plan 1 does not include EDR' – Wrong. Defender for Endpoint integration, and with it EDR, is in both plans; what Plan 1 lacks is the hardening and posture features (FIM, JIT, AAC, ANH, agentless scanning, regulatory compliance). Remember: Plan 1 = MDE + basic MDVM; Plan 2 = Plan 1 + hardening and posture. 2. 'Vulnerability scanning is only in Plan 2' – Wrong. Both plans use the same MDVM scanner; Plan 2 adds agentless scanning and the MDVM premium capabilities. 3. 'JIT VM access is available in Plan 1' – Wrong. JIT is a Plan 2 feature. Candidates may think JIT is a basic network security feature. 4. 'On-premises servers can be protected without Azure Arc' – Wrong. Azure Arc is mandatory. The exam may present a scenario where a server is on-premises and the candidate selects 'Enable Defender for Servers directly' – that is incorrect.
Specific numbers/terms that appear verbatim: 'Standard' (pricing tier for both plans; 'Free' means off), 'P1' and 'P2' (sub-plan values), '3 hours' (default JIT duration), '24 hours' (maximum JIT duration), '7 days' (AAC learning period).
Edge cases: The exam tests that FIM writes its results to a Log Analytics workspace but collects changes through the Defender for Endpoint sensor, so a Plan 2 machine without a working sensor has no FIM. Also, if you enable Plan 2 on a subscription but the sensor cannot be deployed (e.g., unsupported OS), agentless scanning still provides vulnerability and malware findings while EDR and FIM are unavailable. Another edge: JIT works only on Azure VMs with NSGs (or Azure Firewall); it does not work for Arc-enabled on-premises servers.
How to eliminate wrong answers: Always map the feature to the plan. If the scenario mentions 'FIM', 'JIT', 'AAC', 'ANH', 'agentless scanning', or 'regulatory compliance', the answer must be Plan 2. If it mentions only EDR, vulnerability scanning, or alerts, Plan 1 may suffice. Also, remember that on-premises requires Azure Arc; multicloud requires connectors.
Defender for Servers Plan 1 includes Defender for Endpoint integration (EDR), vulnerability scanning, and threat detection; Plan 2 adds FIM, JIT, AAC, ANH, agentless scanning, and regulatory compliance.
On-premises servers require Azure Arc before enabling Defender for Servers.
JIT VM Access default duration is 3 hours (configurable up to 24 hours).
FIM (Plan 2) collects file and registry changes through the Defender for Endpoint sensor and stores them in a Log Analytics workspace.
Adaptive Application Controls require a learning period of at least 7 days.
The vulnerability scanner (MDVM) is the same in both plans.
In Azure CLI both plans use pricing tier 'Standard'; Plan 1 is sub-plan 'P1' and Plan 2 is sub-plan 'P2'.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Servers Plan 1
Includes Microsoft Defender for Endpoint integration: EDR and automated investigation and remediation.
Vulnerability scanning via MDVM through the sensor.
Threat detection with behavioral analytics and alerts in Defender for Cloud.
No FIM, JIT, adaptive controls, agentless scanning, or regulatory compliance.
Lower cost per server per hour.
Defender for Servers Plan 2
Includes all Plan 1 features.
Adds agentless scanning and network-layer threat detection.
Regulatory compliance assessment and 500 MB/day free data ingestion.
File Integrity Monitoring, JIT VM Access, Adaptive Application Controls, Adaptive Network Hardening.
Higher cost but provides hardening and posture management on top of detection.
Mistake
Defender for Servers Plan 1 has no EDR; you need Plan 2 to get Microsoft Defender for Endpoint.
Correct
Both plans include Microsoft Defender for Endpoint integration, so EDR and automated investigation and remediation are available in Plan 1. Plan 2 adds hardening and posture features (FIM, JIT, AAC, ANH, agentless scanning, regulatory compliance), not EDR.
Mistake
Vulnerability scanning is only available in Plan 2.
Correct
Both Plan 1 and Plan 2 include the same vulnerability scanner (Microsoft Defender Vulnerability Management). The difference lies in Plan 2's additional features such as agentless scanning, FIM, and JIT.
Mistake
You can protect on-premises servers by simply enabling Defender for Servers on the subscription.
Correct
On-premises servers must first be onboarded via Azure Arc. Without Arc, Defender for Servers cannot deploy the sensor or collect telemetry. The subscription-level toggle applies only to resources in that subscription: Azure VMs and Arc-enabled servers.
Mistake
Just-in-Time VM Access is a Plan 1 feature.
Correct
JIT VM Access is exclusive to Plan 2. It reduces the attack surface by locking down management ports and opening them only when needed.
Mistake
File Integrity Monitoring (FIM) runs entirely in the cloud and needs nothing on the machine.
Correct
FIM needs the Defender for Endpoint sensor on the machine to observe file and registry changes, and a Log Analytics workspace to store them. The retired Log Analytics agent is not used. A Plan 2 machine without a working sensor has no FIM.
Plan 1 provides Microsoft Defender for Endpoint integration (EDR with automated investigation and remediation), vulnerability scanning (via MDVM), and threat detection with alerts. Plan 2 includes all of Plan 1 plus agentless scanning, regulatory compliance, 500 MB/day free data ingestion, MDVM premium capabilities, File Integrity Monitoring (FIM), Just-in-Time (JIT) VM access, Adaptive Application Controls, and Adaptive Network Hardening. Plan 2 is more expensive but adds hardening and posture management.
Yes, but only if the servers are onboarded via Azure Arc. Azure Arc extends Azure management to on-premises and multicloud environments. Once Arc is installed, you can enable Defender for Servers on the Arc-enabled server resource. Without Arc, Defender for Servers cannot deploy agents or collect telemetry.
Yes. Microsoft Defender for Endpoint (MDE) integration is included in both Plan 1 and Plan 2, and it is the source of EDR in both. Plan 2 does not add a different detection engine; it adds agentless scanning, FIM, JIT, adaptive controls, and regulatory compliance on top of the same MDE-based detection.
Use the command: az security pricing create --name VirtualMachines --tier Standard --subplan P2 for Plan 2, or --subplan P1 for Plan 1. Verify with: az security pricing show --name VirtualMachines --query "{tier:pricingTier, subPlan:subPlan}".
The default duration is 3 hours. You can configure it up to 24 hours. JIT requests can be made via the Azure portal, CLI, or API. The duration is set per request.
No. FIM is a Plan 2 feature. It monitors critical files, registry keys, and directories for changes using SHA-256 hashing. FIM is often required for compliance standards like PCI-DSS.
Yes. Defender for Cloud supports multicloud protection. You configure the AWS connector in Defender for Cloud, which auto-provisions the Azure Arc agent on the EC2 instances and then deploys the Defender for Endpoint extension through Arc (with either plan). The instances appear in Defender for Cloud's inventory as Arc-enabled servers.