Microsoft Defender for Endpoint Confusion

New Contributor

I have some questions that I am currently not able to find a clear answer to that I hoped someone could help. 


Here's where I am.  I have Windows Servers (2008R2/2012/2016) and Linux VMs in Azure.  I am looking to replace the current McAfee ePo solution.

I have Azure Security Center, and expect to pay for Azure Defender licences @ £10.88/$14.60 per VM per month.


I can see my VMs in Azure Security Center and I can see a recommendation here to enable endpoint protection (Install endpoint protection solution on virtual machines). 


When I look at the minimum requirements for Microsoft Defender for Endpoint here (Minimum requirements for Microsoft Defender for Endpoint - Windows security | Microsoft Docs) it notes the use of Microsoft Defender for EndPoint Trial, which links back to a page offering details on pricing for enterprise and starting a free trial.  But what is this for? 365? I'm only looking to protect VMs in Azure. 

Do I need to use the Microsoft Defender Portal ( to provide protection to my Azure VMs to replace ePo?  Following this guide seems to suggest that I need to complete my dedicated cloud instance of Microsoft Defender for Endpoint (McAfee to Microsoft Defender for Endpoint - Prepare - Windows security | Microsoft Docs). 


I also find links suggesting that Windows Server 2008R2/2012/2019 and Linus are supported for endpoint

Minimum requirements for Microsoft Defender for Endpoint - Windows security | Microsoft Docs


And also other links that state Windows Server 2019 and Linux are not supported for Endpoint. 

Using the Microsoft Defender for Endpoint license included with Azure Security Center | Microsoft Do...


I can't seem to track the right level of information on this and am looking for some assistance.  End game is, i'd like to move away from McAfee ePo, and have my new solution support Windows Server (2008R2/2012/2016/2019) and Linux OS Server VMs only. 


So what do I need? :)


Appreciate any help.

4 Replies
IT's a bit confusing, I agree.

When you protect machines with Azure Security Center, you receive a license for Microsoft Defender for Endpoint. Defender for Endpoint is the EDR solution from Microsoft which can protect Windows, Windows Server, Linux, MacOS, Android and iOS.

Azure Security Center isn't an EDR solution and for EDR detections, you need to use the Security Center portal. This will contain all the machines that are protection with Microsoft Defender for Endpoint.

To onboard servers (install EDR) you can use Azure Security Center. When you enable Security Center for Virtual Machines, Windows Server 2008R2,2012,2016 is automatically onboarded.
Windows Server 2019 & Linux need to be manually onboarded. This is done through a script, which is described here:

Now that Defender for Endpoint is an EDR, not an AV. For AV, there are also some differences between the different OS'es:

Do let me know if you have any questions

@Thijs Lecomte 

Hey there,


Thank you for the detailed response. This does seem clearer now.


So I guess I can say that my VMs in the subscription which are already protected by the "Azure Defender enabled" Security Center would therefore already have a licence for the EDR which will be automatically onboarded (except Linux/2019) in the new portal?


In terms of AV (in the classic sense) I can also seek to install the Anti-malware extension in the Azure Portal Security Center by installing "endpoint protection solution on virtual machines".  Which in turn installs the Microsoft Antimalware extension to supported Windows OS?


Finally, my Linux nodes in the new ATP (Microsoft Defender) portal, I presume that's about as protected as I can get in terms of 'anti-virus' protection once I on-board them?


Much appreciated.

best response confirmed by AzureJP (New Contributor)

You are correct, if you have Azure Defender Enabled, they will automatically all be licensed for MDE. Alll but 2019/Linux will be onboarded automatically

You are correct that you can use the anti-malware extensions. It does pratically the same. From within the security center, in Threat & Vulnerability Management you can see if they have AV enabled

If your Linux is in security center, that's all good. Just make sure EDR is enabled for them as well:
Hello guys,
how to assign defender licenses for windows server 2016/2019 ?