Microsoft Defender for Servers offers two powerful protection tiers—Plan 1 and Plan 2—but knowing which one to choose (and how to configure it properly) can make a major difference in cost and security outcomes. In this post, we’ll break down the key capability differences between Defender for Servers P1 and P2, explore granular configuration options for P1 subplans, and walk through direct onboarding scenarios outside of Azure Arc. You’ll also get practical recommendations on when to deploy each plan based on your organization’s size, compliance needs, and existing tooling. Whether you’re optimizing hybrid workloads or securing standalone virtual machines, this guide will help you make the most of Defender for Cloud’s server protection capabilities.
Defender for Servers Feature Capabilities
Microsoft Defender for Servers is available in two distinct plans—P1 and P2—each designed to meet different levels of server protection needs. While both plans extend Defender for Cloud’s capabilities beyond Azure to hybrid and multi-cloud environments, they differ significantly in scope and depth. This comparison gives you a clear view of how to choose the right Defender for Servers plan for your environment.
| Category | Defender for Servers P1 | Defender for Servers P2 |
|---|---|---|
| Core Focus | Endpoint protection and vulnerability management | Comprehensive server protection with advanced cloud-native capabilities |
| Defender for Endpoint Features | – Endpoint protection & response (EDR) – OS-level security alerts – Malware detection – Vulnerability management & software inventory | Includes all P1 features plus: – OS security baselines (Guest Configuration) – File Integrity Monitoring (FIM) – Microsoft Defender Vulnerability Management (MDVM) Add-On |
| Defender for Cloud Features | — | – Agentless machine scanning – System update recommendations – Network-layer threat detection – Control plane detections – Endpoint protection recommendations – Just-in-time (JIT) VM access – Regulatory compliance assessments – Secret scanning |
| Deployment Options | Azure, AWS, Google Cloud, On-premises | Azure, AWS, Google Cloud, On-premises (limited protection features available) |
| Best For | Organizations already using Microsoft Defender for Endpoint who want unified licensing via Defender for Cloud | Enterprises needing deeper visibility, compliance monitoring, and advanced cloud-native protections |
| Typical Scenarios | – Hybrid/multi-cloud protection – Basic security monitoring – Core vulnerability assessment – Integration with existing SOC tools | – Hybrid/multi-cloud protection – Regulatory compliance – Premium vulnerability assessment – Enhanced detection and response in Azure and AWS (foundational protection in GCP) – Integration with existing SOC tools |
Onboarding Methods in Defender for Servers

Azure Native Onboarding:
Defender for Servers automatically provisions the required agents and integrations without manual steps.
Cloud Connectors (AWS & GCP):
Defender for Cloud connectors automatically discover virtual machines, assign security policies, and deploy Defender for Servers protection.
Azure Arc–Enabled Servers (Hybrid and On-Premises):
Azure Arc connects non-Azure servers to Azure Resource Manager; once connected, Defender for Servers provisions the required agents and integrations without manual steps.
Direct (Manual) Onboarding via Defender for Endpoint:
Servers can be onboarded directly into Microsoft Defender for Endpoint using local scripts, Group Policy, or Endpoint Manager, without the requirement for Azure Arc.
Antimalware component installation mode (Microsoft Defender Antivirus, MDAV):
On Linux, MDAV is always enabled in passive mode.
On Windows, MDAV is always enabled in active mode, independent of any third-party AV solution already running (unlike on Windows desktop OS).
Tip: Defender for Endpoint Security Settings Management gives you an easy way to deploy security policies and to switch the MDAV running mode from passive to active (or vice versa).
Defender for Servers Deployment Scopes
You may be aware that you can enable Defender for Servers P1 and P2 at the subscription level directly in the Defender for Cloud portal. However, the Defender for Cloud UI does not let you configure the P1 subplan at the resource level. Outside the UI, that resource-level configuration is possible, which means you can either choose a more granular rollout instead of the entire subscription, or mix the P1 plan with the more advanced P2 plan within the same subscription and resource group:
• Enable Defender for Servers Plan 1 on individual machines while keeping Defender for Servers disabled on the subscription
• Downgrade individual machines to Defender for Servers Plan 1 while having Plan 2 enabled on the subscription
• Disable Defender for Servers on individual machines while having Defender for Servers Plan 1 or Plan 2 enabled on the subscription
This can be done either with Azure Policy or, even more granularly, with the REST API. For Azure Policy, filter the Category of your Azure Policy definitions and choose Security Center – Granular Pricing. This gives you four built-in policies that let you configure the P1 subplan at a more granular level.

For the REST API configuration, please have a look at the Microsoft Learn documentation: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan#configure-on-individual-machines
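As an added example (not from the post or from Microsoft's documentation), the following bash helper wraps the resource-level pricings REST call that the linked tutorial describes, covering the three per-machine scopes listed above (enable P1, downgrade to P1, or disable). The resource ID is a placeholder, and the API version 2024-01-01 is assumed.

```shell
#!/usr/bin/env bash
# Added example: set or inspect the Defender for Servers plan on a single machine
# through the resource-level pricings API (assumed api-version 2024-01-01).
# Resource IDs are placeholders; DRY_RUN=1 (the default) only prints the call.
set -eu

API_VERSION="2024-01-01"
DRY_RUN="${DRY_RUN:-1}"

# Resource-level pricing lives under the machine's own resource ID
# (VM, VM scale set or Azure Arc-enabled machine), not under the subscription.
build_pricing_url() {
  printf 'https://management.azure.com%s/providers/Microsoft.Security/pricings/VirtualMachines?api-version=%s' \
    "$1" "$API_VERSION"
}

# Request body for the three scopes from the post:
#   P1  -> Standard tier, subPlan P1 (enable, or downgrade from a P2 subscription)
#   P2  -> Standard tier, subPlan P2
#   Off -> Free tier (disable on this machine while the subscription stays enabled)
build_pricing_body() {
  case "$1" in
    P1|P2) printf '{"properties":{"pricingTier":"Standard","subPlan":"%s"}}' "$1" ;;
    Off)   printf '{"properties":{"pricingTier":"Free"}}' ;;
    *)     echo "unknown plan: $1 (use P1, P2 or Off)" >&2; return 1 ;;
  esac
}

# PUT the chosen plan on one machine, then GET it back so the effective
# tier/subPlan is visible (useful for spotting drift from the intended scope).
set_machine_plan() {
  local resource_id="$1" plan="$2" url body
  url="$(build_pricing_url "$resource_id")"
  body="$(build_pricing_body "$plan")"
  if [ "$DRY_RUN" = "1" ]; then
    echo "az rest --method put --url '$url' --body '$body'"
    return 0
  fi
  az rest --method put --url "$url" --body "$body" >/dev/null
  az rest --method get --url "$url" \
    --query "[properties.pricingTier, properties.subPlan]" -o tsv
}

# Placeholder resource ID (constructed); replace with a real VM or Arc machine.
VM_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo"
set_machine_plan "$VM_ID" "P1"
```

Run with `DRY_RUN=0` after `az login` to apply the change; the read-back line should show `Standard` and the requested subPlan.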
Recommendation Matrix Server Protection
| Scenario | Recommended Onboarding Method | Notes |
|---|---|---|
| Only Azure VMs, no on-prem or multicloud servers | Native onboarding | Easiest and most automated option for Azure-only environments |
| Mixed environment: Azure, AWS, GCP, and on-prem (Arc acceptable) | Multicloud connector + Azure Arc | Provides full Defender for Servers coverage and central visibility |
| Mixed environment: Azure, AWS, GCP, on-prem (Arc not possible for on-prem) | MDE Direct Onboarding | Use Defender for Endpoint scripts or tools for manual onboarding |
| No Azure workloads, MDE protection only | MDE Direct Onboarding | Ideal for isolated or disconnected systems |
| Azure VMs and other servers, interested only in MDE | MDE Direct Onboarding | Simple deployment when full Defender for Cloud integration isn’t required |
| On-premises servers to be covered by Defender for Servers (Plan 1 by default, some Plan 2) | Azure Arc | Enables full Defender for Cloud and MDVM Premium integration |
Summary
Microsoft Defender for Servers extends the capabilities of Defender for Cloud across Azure, on-premises, and multicloud environments. Plan 1 provides essential endpoint protection and basic vulnerability management, while Plan 2 adds advanced capabilities including Defender Vulnerability Management Premium, File Integrity Monitoring, and Guest Configuration. Onboarding can be done natively for Azure VMs, through Azure Arc for hybrid and on-premises servers, via cloud connectors for AWS and GCP, or directly through Defender for Endpoint for isolated systems. Choosing the right plan and onboarding method helps organizations align protection depth and cost with their security and operational needs.

