Microsoft Tech Community

Defender for Endpoint Server standalone license


As of September 1, Microsoft has removed the Defender for Endpoint on Servers P1 and P2 licenses, forcing on-premises customers to use Azure ARC / Defender for Cloud!


Onboarding to Azure ARC is not always possible; another agent is required, and it requires a huge effort for the management of the subscription, security and assets.


Microsoft will lose EDR customers... This will also show up in the client licenses of Defender for Endpoint. If Microsoft does not want on-premises server customers in their EDR solutions, the customers will not go with two EDR solutions but leave Microsoft and choose another EDR / XDR solution for servers AND clients. How does Microsoft imagine it if different MSPs provide services for the customer and on-premises and Azure are strictly separated? Should the Azure partner then have access to the on-premises systems? That won't happen.


Another bad decision for customers, partners and lastly for Microsoft.


Please revert your decision and make the Defender for Endpoint Server P2 License available again through CSP, EA and Direct. 

14 Replies

@seth, I work with the major \ strategic customers and we are still selling MDE P2 for servers on Enterprise Agreements. The Azure offering is an elevated offering providing the core MDE capability + advanced capabilities such as vulnerability management and file integrity monitoring.

The product name is Defender Endpoint Server and the part # is 1NZ-00004
That's nice that you speak for your EA bubble. But it is no longer available in Direct and CSP for new customers / subscription renewals. Not everyone wants to or can sign an EA. Even more stupid was the idea to make it different in the contracts.

@seth Have you learned anything new since your previous posts on how to obtain Endpoint for Server licensing? I'm trying to get MDE P1 for servers but Defender for Cloud is forcing me to P2.

Hi Seth,

Is this for your personal use or for a small to medium business? What are your reasons that you feel having an Enterprise Agreement is prohibitive? If you are a Microsoft partner you can obtain solutions via the partner program. Otherwise, an EA can be economical even for the smallest customers. I recommend speaking to your reseller.

Here is the link to the descriptions of the available server plans:

Overview of Microsoft Defender for Servers | Microsoft Learn

Note that Plan 1 for Servers actually includes MDE P2 and it is about $4.91 for 730 hours per month (i.e. 100% usage). Plan 2 for Servers offers a treasure trove of additional capabilities that you can read about in the link above - its retail price is $14.60 for 730 hours per month.

“Onboarding to Azure ARC is not always possible, another agent is required and it requires a huge effort for the management of the subscription, security and assets.”

There are customers where on-premises infrastructure is strictly separated from Azure. Azure is also often operated by other administrators or partners than the on-prem systems. So it expands access to the on-prem systems just because you want to use an EDR. This is a compliance and security issue. Maybe not every on-prem customer wants to mess around with the complexity in Azure and possibly implement an insecure solution! This applies to customers of all sizes…

My understanding is you ONLY need Azure Arc for the capabilities outside of MDE P2 that are described in the Servers Plan 2. AFAIK, you can use all the same deployment methods for MDE P2 as if you bought it standalone (e.g. Endpoint Manager etc.). I'll verify that with my Technical Specialist, but I am 99% sure.

That said, I have been told that Azure Arc is much simpler to deploy and manage than you have described. I have colleagues with many, many large customers who are successfully leveraging ARC for on-premise devices. I would expect there are some hw \ sw requirements to achieve the scalable deployment. For me so far, a popular case for on-premise use of the Server P2 license is file integrity monitoring on servers that have a regulatory requirement for FIM such as PCI.

@JonRuiz 
I think you don't want to understand or hear that ARC / Azure Integration for on-prem is not an option for many customers and partners for a variety of reasons.

How am I supposed to pay for the licenses without ARC or Defender for Cloud onboarding? With the standalone license I run an onboarding script and have nothing to do with Azure!

Maybe a few voices outside of your bubble:
https://twitter.com/NathanMcNulty/status/1575303162306908161?s=20&t=81wWY1zOG7XvlP9M8ODk5Q
https://twitter.com/NathanMcNulty/status/1578586601869168640?s=20&t=81wWY1zOG7XvlP9M8ODk5Q
https://twitter.com/SamErde/status/1584915246069809152?s=20&t=81wWY1zOG7XvlP9M8ODk5Q

@seth 

Can I ask what your solution was? I have a client that has legacy Defender for Endpoint Server licenses and I am not clear on what to transition them to in the CSP. Microsoft support has not been able to provide an answer for me yet.

@DL_4504 


Unfortunately, there is only the option of licensing Defender for Cloud, for example via Azure Arc onboarding. Microsoft has ignored customer and partner feedback that there is continued high demand for the Defender for Endpoint Server P2 stand-alone license for on-premises environments. According to my information, it was also removed from newly signed Enterprise Agreements.


Our / customer solution was to switch EDR for servers to a different product away from Microsoft.

Small update: I worked with MS Azure support recently and can confirm doing the onboarding with Azure Arc is what makes this possible nowadays. It does mean an extra agent installed for Arc/log management, but things did go smoothly once I did that onboarding and then configured Defender for Cloud to leverage P1 server licensing. It adds additional complexity if all you want is Defender EDR on your servers, but I can see the benefits to leveraging more Azure features now that they are available via Arc.

@LS957458 - You can only have 1 type of MDS (Microsoft Defender for Servers, which is part of the Microsoft Defender for Cloud solutions) plan per Azure Subscription. So, if you have already deployed MDS Plan 2 within your subscription, you won't be able to 'downgrade' other servers to Plan 1. The reverse holds true as well.


So, if you want to have a mixture of Plan 1 and Plan 2 for your on-premises and/or in the Cloud (Azure, AWS, and/or GCP), then you need 2 Azure Subscriptions for that same single tenant. Your licensing specialist, MSFT Account Team, and/or your reseller can help you with that process.

Your information may not be complete. There is no "Defender for Endpoint Server P2" per se -- you should ask your Microsoft account team about the 'Defender Endpoint Servers' license (SKU #1NZ-00004) to see about making your purchase.

Also, FYI, Microsoft Defender for Servers Plan 1 is fundamentally the same thing as "Defender Endpoint Servers". There are 2 core differences: (1) 'Defender Endpoint Servers' DOES NOT have the flexibility to use Microsoft Defender for Cloud or the Microsoft 365 Defender portal; and (2) MDE for Servers is paid for 100% each month -- whether you use it or not. MDS P1 or P2 are paid for during EACH hour that they are used -- if your server is 'down' then there is no cost paid for MDS. So, you should be able to achieve the functionality that you want, at a similar (or lesser) price point, depending on your actual usage. Something to consider, anyway.

@Keith Powell

Hi Keith, do you have any information about whether Arc is required for the Defender for Servers plans? From what I've gathered from Microsoft pages it is recommended but not required (for additional Defender for Cloud based recommendations). We have some customers running Defender on servers with the "old" license, Defender for Endpoint Server. We now get the information that we cannot renew this license.

We are trying to figure out if we need to onboard all servers to Azure Arc now, or if there still is a standalone license and onboarding via PowerShell is still a valid choice.

Thanks in advance, cheers Felix