Common questions about Defender for Servers

Get answers to common questions about Microsoft Defender for Servers.

Pricing

What servers do I pay for in a subscription?

When you enable Defender for Servers on a subscription, you're charged for all machines based on their power states.

State | Details | Billing
--- | --- | ---
Azure VMs | |
Starting | VM starting up. | Not billed
Running | Normal working state. | Billed
Stopping | Transitional. Moves to Stopped state when finished. | Billed
Stopped | VM shut down from within guest OS or by using PowerOff APIs. Hardware is still allocated, and the machine remains on the host. | Billed
Deallocating | Transitional. Moves to Deallocated state when finished. | Not billed
Deallocated | VM stopped and removed from the host. | Not billed
Azure Arc machines | |
Connecting | Servers connected, but heartbeat not yet received. | Not billed
Connected | Receiving regular heartbeat from Connected Machine agent. | Billed
Offline/Disconnected | No heartbeat received in 15-30 minutes. | Not billed
Expired | If disconnected for 45 days, status might change to Expired. | Not billed

What's the free data ingestion allowance?

When Defender for Servers Plan is enabled, you get a free data ingestion allowance for specific data types.

Deployment

Can I enable Defender for Servers on a subset of machines in a subscription?

Yes, you can enable Defender for Servers on specific resources in a subscription.

Where does Defender for Servers store my data?

Machine support and scanning

What types of virtual machines does Defender for Servers support?

Review Windows and Linux machines that are supported for Defender for Endpoint integration.

How often does Defender for Cloud scan for operating system vulnerabilities, system updates, and endpoint protection issues?

  • Operating system: data is updated within 48 hours
  • System updates: data is updated within 24 hours
  • Endpoint protection: data is updated within 8 hours

Defender for Cloud typically scans for new data every hour, and refreshes security recommendations accordingly.

How are VM snapshots collected by agentless scanning secured?

Agentless scanning protects disk snapshots according to Microsoft's highest security standards. Security measures include:

  • Data is encrypted at rest and in transit.
  • Snapshots are immediately deleted when the analysis process is complete.
  • Snapshots remain within their original Azure region. EC2 snapshots aren't copied to Azure.
  • Isolation of environments per customer account/subscription.
  • Only metadata containing scan results is sent outside the isolated scanning environment.
  • All operations are audited.

What is the auto-provisioning feature for vulnerability scanning with a "bring your own license" (BYOL) solution? Can it be applied on multiple solutions?

Defender for Servers can scan machines to see if they have an EDR solution enabled. If they don't, you can use Microsoft Defender Vulnerability Management that's integrated by default into Defender for Cloud. As an alternative, Defender for Cloud can deploy a supported non-Microsoft BYOL vulnerability scanner. You can only use a single BYOL scanner. Multiple non-Microsoft scanners aren't supported.

Does the integrated Defender for Vulnerability Management scanner find network vulnerabilities?

No, it only finds vulnerabilities on the machine itself.

Why do I get the message "Missing scan data" for my VM?

This message appears when there's no scan data for a VM. It takes around an hour or less to scan data after a data collection method is enabled. After the initial scan, you might receive this message because there's no scan data available. For example, scans don't populate for a VM that's stopped. This message might also appear if scan data hasn't populated recently.

Why is a machine shown as not applicable?

The list of resources in the Not applicable tab includes a Reason column.

Reason | Details
--- | ---
No scan data available on the machine | There aren't any compliance results for this machine in Azure Resource Graph. All compliance results are written to Azure Resource Graph by the Azure machine configuration extension.
Azure machine configuration extension isn't installed on the machine | The machine is missing the extension, which is a prerequisite for assessing compliance against the Microsoft Cloud Security Baseline.
System managed identity isn't configured on the machine | A system-assigned, managed identity must be deployed on the machine.
The recommendation is disabled in policy | The policy definition that assesses the OS baseline is disabled on the scope that includes the