MDE vs Azure Defender for Servers

Brass Contributor



Got a few questions today, hopefully someone can shed some light on these question regarding MS Defender for Endpoint (to be deployed on a server) and Azure Defender for Servers :)


Question 1:

Been trying to wrap my head around "MS Defender for Endpoint (MDE) vs Azure Defender for Servers" - and what I have come up with is this:

"Azure Defender for Servers includes MDE plus Cloud Protection Posture Management and Cloud Workload Protection Platform....hence the $15/server/month"

Is that correct?


Question 2:

My Azure Security Center is showing me 8 Azure Defender for Servers (under Price & Settings).

How can I add more? Lets say I want all my servers listed do I do this?


Question 3:

So my ASC console shows 8 Azure Defender for Servers.

However, if I filter for 'Servers' in my Microsoft Defender for Endpoint Portal, I see MDE deployed on 41 servers.

Why is only 1 server from the Azure Defender for Server list on my MDE server list?

Shouldn't I see all of them on both lists?


Question 4:

Does Azure Defender for Server also need the Log Analytics Agent deployed, while if I am only installing MDE on a server, I dont need the Log Analytics Agent installed?


Looking forward to some clarifications around my questions - and thank you all in advance.





3 Replies

Hi @ShimKwan 


I can try to answer some for you!


Question 1:
I had the same question a while ago! $3 vs $15 right!? It provides quite a few things around what you mentioned, Find info at


Question 2: 

You need to onboard them first then they will show. (Sorry if I'm teaching you to suck eggs here!) 

How to onboard them depends on O/S and where the servers are located. (On prem vs Azure)


You could also set your subscription to enable defender for all resources (Hosted in Azure) which should automatically enrol them. Go to ASC (Now called Defender for cloud) Click on "Environment settings" under management :


and then you can select your subscription, select the subscription and you would see something like this: 


You can then use the radio buttons to turn defender on or off for each resource 

Note: The costs before you switch on!

Question 3:
To view all your servers in DFE Security centre You need to enable integration between Defender for cloud and Defender for Endpoint. Here's how: 


Question 4:

I have the same question! However note that if you onboard a server to MDE by installing  the Microsoft management agent, this is the same agent used for onboarding to log analytics! 


However its different for newer Server O/S where the telemetry/DFE etc is already built into the O/S and you onboard using the install script (Which simply enables all the built in signals) I will try and find out if you still need log analytics agent as well!





@Christo De Lange 


For Question 4: 

The Log Analytics Agent will use the provide the Windows Event logs, or Local Syslog from Linux. This is not part of defender for Endpoint. Defender for endpoint does provide a fair amount with the tables it creates. 



Defender for Cloud will also push the Azure Monitor Agent (AMA). This is the new default moving forward and the OMS agent ( log analytics) will be deprecated 2024. 


Either of the agents allow the ingest of Windows Security Events and Custom EventIDs. In defender for cloud you can have those be sent to a separate Log Analytics workspace. I.e., one that has Sentinel deployed on it. This can then be used for the UEBA in Sentinel. This adds anomalous detection as well plus a multitude of out of the box detections in Sentinel. 


Overall - It is not required to install the log analytics agent with either defender for cloud or defender for endpoint. It is useful though for custom logs or windows event ingestion. Same goes for the new AMA. The AMA however is automatically deployed with Defender for Cloud for all Azure VMs, and then via the Arc agent for non-Azure VMs and on-prem.

Personally I always recommend that you go with Defender for Cloud's Defender for Servers of MDE when it comes to servers because of the additional features, integration with MDE, and license. 


Hope this helps. 



Is it a no-brainer to always pick the Defender for Endpoint P2 license?

p1 vs p2 


and then the vuln assessment feature is extra? So you can't run a vuln scan from w/o P2 + scanning?



Thank you.