Forum Discussion

mitewarrior
Copper Contributor
Aug 20, 2025

Differentiate actual DfC/DfE license usage on Windows systems

Trying to understand how the Windows endpoint (server/laptop) licenses are being used in my environment, and for that I'm trying to figure out how to check the number of on-prem/Azure cloud systems deployed with a Microsoft Defender for Endpoint or Defender for Servers P2 license. Where and how can I see which assets are being configured with a DfS license and which systems have been configured with MS DfE?

1 Reply

  • Ankit365
    Iron Contributor

    Microsoft does not expose a single unified view that clearly differentiates Defender for Endpoint (DfE) and Defender for Servers (DfS) license assignments across all Windows endpoints, but you can get an accurate picture by combining data from Microsoft Defender for Endpoint, Defender for Cloud, and Entra ID. The difference between the two is mainly the provisioning source:

    Defender for Endpoint (DfE) licenses are tied to user or device onboarding through Microsoft 365 Defender (E5 or standalone DfE P2).

    Defender for Servers (DfS) licenses are tied to Defender for Cloud onboarding of servers through Azure Arc or native Azure VM coverage, usually as Plan 2.

    Here is how to separate and confirm them:

    1. Check Defender for Endpoint devices (DfE)
    Go to the Microsoft 365 Defender portal → Assets → Devices and add the columns Onboarding Status and Operating System Platform.

    Devices that appear here are licensed under your Microsoft 365 Defender or DfE plan.

    For large-scale reporting, run this KQL in Advanced Hunting:
    DeviceInfo
    | summarize LastSeen = max(Timestamp) by DeviceName, OSPlatform, OnboardingStatus, MachineGroup

    This list represents all endpoints actively reporting through Defender for Endpoint (E5 or DfE P2 license).

    2. Check Defender for Servers devices (DfS)
    Go to Defender for Cloud → Inventory → Environment filters.
    Select “Azure,” “Azure Arc,” and “Hybrid” assets, then add the columns Defender plan, Subscription, and Defender for Servers Plan.

    Any resource with Defender for Servers Plan 1 or 2 enabled is covered under DfS licensing, even if it also appears in Microsoft 365 Defender.

    You can export this list or query it through the Azure Resource Graph Explorer using:

    securityresources
    | where type == "microsoft.security/pricings"
    | where properties.pricingTier == "Standard"
    | project subscriptionId, name, properties.pricingTier

    This tells you which subscriptions have DfS enabled and which resources are billed under that plan.

    3. Correlate results for overlap or hybrid devices
    Export both lists (from Microsoft 365 Defender and Defender for Cloud) and cross-reference by DeviceId or Hostname. Devices appearing only in the Microsoft 365 Defender dataset are counted under DfE. Devices appearing under Defender for Cloud are billed as DfS, even if they report telemetry to the same MDE tenant.

    4. Optional: API approach
    You can use the Microsoft Graph Security API (/security/endpointSecurity/partners) or the Defender for Cloud API (/subscriptions/{id}/providers/Microsoft.Security/pricings) to automate license reporting.

    In short, use Microsoft 365 Defender or Advanced Hunting to see DfE endpoints and Defender for Cloud inventory to see DfS-covered servers. The overlap between the two is where both telemetry and billing intersect, but licensing is determined by the onboarding method and plan type, not by the device name.

    Please hit like if you like the solution.
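Added example, not part of the reply above and not Microsoft tooling: one way to do the cross-reference from step 3 on the two exported lists, matching by hostname. The Defender for Cloud column names (ResourceName, Environment, ServersPlan), the sample rows, and the choice to count only devices with OnboardingStatus "Onboarded" are assumptions; adjust them to your actual exports.

```python
import csv
import io

# Constructed sample exports. DeviceName/OSPlatform/OnboardingStatus match the
# DeviceInfo query in the reply; the Defender for Cloud column names are assumed.
MDE_EXPORT = """DeviceName,OSPlatform,OnboardingStatus
srv-app01.corp.example,WindowsServer2022,Onboarded
SRV-DB02.corp.example,WindowsServer2019,Onboarded
lt-jdoe.corp.example,Windows11,Onboarded
lt-old.corp.example,Windows10,Can be onboarded
"""
DFC_EXPORT = """ResourceName,Environment,ServersPlan
SRV-APP01,Azure,P2
srv-db02,Azure Arc,P2
srv-web03,Azure,P1
srv-test04,Azure,Off
"""

def short_host(name):
    """Lowercase short hostname, so 'SRV-DB02.corp.example' matches 'srv-db02'.
    Caveat: identical short names in different domains will collide."""
    return name.strip().lower().split(".")[0]

def load(text, name_col):
    """Index a CSV export by normalized hostname."""
    return {short_host(r[name_col]): r for r in csv.DictReader(io.StringIO(text))}

def classify(mde_text, dfc_text):
    """Apply the reply's rule: in Defender for Cloud => DfS, MDE-only => DfE."""
    mde = {h for h, r in load(mde_text, "DeviceName").items()
           if r["OnboardingStatus"] == "Onboarded"}
    dfs = {h for h, r in load(dfc_text, "ResourceName").items()
           if r["ServersPlan"] in ("P1", "P2")}
    result = {}
    for host in sorted(mde | dfs):
        if host in dfs:
            # Split DfS further to surface servers with a plan but no sensor data.
            result[host] = "DfS" if host in mde else "DfS (not reporting to MDE)"
        else:
            result[host] = "DfE"
    return result

if __name__ == "__main__":
    for host, bucket in classify(MDE_EXPORT, DFC_EXPORT).items():
        print(f"{host:12} {bucket}")
```

Matching on DeviceId instead of hostname avoids the short-name collision, but only if both exports carry the same identifier.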
