Forum Discussion

Diddler431
Occasional Reader
Jan 12, 2026

Defender for servers (P1)

Hey guys,

I enabled my Defender for Cloud trial license (P1) for my Windows servers.

They are onboarded and I can see them visually in the (security.microsoft.com) EDR portal.

My enforcement scope is set to Intune - so all my AV policies etc are created there.

I want to create an AV policy for my Windows servers but I can't see the objects in Entra.

What is best practice? To register them in Entra manually, or should it automatically create an object in Entra during the onboarding process?

Can't create & assign an AV policy etc. until I create a group and put all my servers into that group.

Any ideas?

Also might be worth mentioning: I see that they are managed by "unknown" and not Microsoft Sense? Should I point the scope back to the Defender portal, whilst my endpoints are managed by Intune?


1 Reply

  • AladinH
    Iron Contributor

    Hi Diddler431,

    Defender for Servers (P1) is meant to be enabled at the subscription level and managed through Defender for Cloud and Azure Policy, not Intune. When servers are onboarded to Defender for Endpoint, they appear in security.microsoft.com, but they do not automatically create Entra ID device objects - that’s expected behavior. Intune AV policies only work for client OS (Windows 10/11), so Windows Servers won’t show up in Entra or be targetable by Intune groups unless you manually register them, which Microsoft does not recommend.

    Best practice is to onboard the servers to Azure Arc, which gives them an Azure resource identity and allows Defender for Cloud to enforce AV and security settings using Azure Policy. Once Arc is in place, Defender becomes the management authority (instead of “unknown”), and policies apply at the subscription or resource-group level. In short: keep Intune for endpoints, and use Defender for Cloud + Azure Arc for servers - that’s the supported and scalable model.
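
An added check, not part of the thread: a PowerShell snippet, run locally on a Windows server, that reports the signals the reply relies on (the Sense service and onboarding flag for Defender for Endpoint, the Azure Connected Machine agent for Arc, and the local Defender AV state). The service names, registry path and agent path are Microsoft's documented defaults; the function name and the summary logic are this example's own.

```powershell
# Added example (not from the thread): run on a Windows server to see whether
# it is onboarded to Defender for Endpoint and connected to Azure Arc.
# Service names, registry path and agent path are Microsoft's documented
# defaults; the function name and decision logic are this example's own.

function Get-ServerManagementPosture {
    $status = [ordered]@{}

    # Defender for Endpoint: the Sense service and the documented onboarding flag
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $status.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    $atpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $atpKey -ErrorAction SilentlyContinue).OnboardingState
    $status.MdeOnboarded = ($onboarding -eq 1)   # 1 = onboarded

    # Azure Arc: the Connected Machine agent service (himds) and its CLI
    $himds = Get-Service -Name 'himds' -ErrorAction SilentlyContinue
    $status.ArcAgentService = if ($himds) { $himds.Status.ToString() } else { 'NotInstalled' }

    $azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
    if (Test-Path $azcmagent) {
        # 'azcmagent show' prints the machine's Arc connection state
        $status.ArcShow = (& $azcmagent show 2>&1 | Out-String).Trim()
    } else {
        $status.ArcShow = 'azcmagent not found'
    }

    # Local Defender Antivirus state (what an AV policy ultimately governs)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $status.AntivirusEnabled   = $mp.AntivirusEnabled
        $status.RealTimeProtection = $mp.RealTimeProtectionEnabled
    }

    # Summary relative to the model described in the reply above
    $status.Summary = if ($status.MdeOnboarded -and $status.ArcAgentService -eq 'Running') {
        'Onboarded to MDE and Arc-connected: manage via Defender for Cloud / Azure Policy'
    } elseif ($status.MdeOnboarded) {
        'Onboarded to MDE but no running Arc agent: expect "managed by unknown" until Arc is set up'
    } else {
        'Not onboarded to Defender for Endpoint'
    }

    [pscustomobject]$status
}

Get-ServerManagementPosture | Format-List
```

Run it in an elevated session; reading the registry status key and the Arc CLI output works without elevation on most builds, but `Get-MpComputerStatus` may return less detail otherwise.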
