Determine Server Workload Protection Requirements
Implementation Effort: Medium
Security and IT teams must assess server environments across Azure, AWS, GCP, and on-premises, select the appropriate Defender for Servers plan, and configure integrations like Microsoft Defender for Endpoint or agentless scanning.
User Impact: Low
Server protection setup is handled by administrators and security teams; end users are not directly involved.
Overview
Determining server workload protection requirements in Microsoft Defender for Cloud involves selecting the right Defender for Servers plan and configuring the necessary components to secure virtual machines (VMs) across cloud and hybrid environments. Defender for Servers supports Azure VMs, AWS EC2, GCP Compute Engine, and on-premises machines via Azure Arc 1.
There are two main plans:
- Plan 1: Includes Microsoft Defender for Endpoint (MDE) integration for basic threat detection and vulnerability management.
- Plan 2: Adds advanced capabilities like file integrity monitoring, adaptive application controls, and just-in-time VM access 2.
Protection can be delivered through:
- Agentless scanning (recommended for simplicity and coverage)
- Microsoft Defender for Endpoint integration
- Azure Arc agent for hybrid/on-premises workloads
The Workload Protections Dashboard helps visualize coverage and identify unprotected resources. If server workloads are not properly protected, organizations risk exposure to malware, lateral movement, and data exfiltration. This capability supports the "Assume Breach" principle of Zero Trust by ensuring all server workloads are continuously monitored and hardened against threats.