Microsoft Defender for Business Servers

AT LAST! Server licensing for the business line is here, and it is called "Defender for Business Servers". Onboarding and configuration work the same way as with Defender for Server.
I have summarized the options you have and how you can create a policy in the sections below.

Licensing

Licensing is currently in preview. While the preview is running, the feature is free of charge; after that, the license will cost 3 $/server/month.

To activate it, you only have to enable the preview features in the Microsoft 365 Defender Portal
(Settings > Endpoints > Advanced features > Preview features).

Defender, Preview features

Microsoft Docs article: Get Microsoft Defender for Business servers | Microsoft Docs

Server onboarding

For Windows Server versions 1803, 2019 and 2022, onboarding is very simple. All you have to do is download the corresponding onboarding package under "Settings > Endpoints > Onboarding".

Defender for Business for Server, onboarding

Older server versions are not always fully supported, or they require an additional installation. You can find the relevant details here: Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs.

Server Defender Policy

In order to also manage the configuration of the server centrally, settings must be made in the Defender Portal and Microsoft Endpoint Manager.

Configuration in Defender Portal

In the Defender Portal under "Settings > Endpoints > Enforcement scope" we activate enforcement of "Security setting management" for servers. This then gives us the option of distributing certain policies to the server via Endpoint Manager.

Defender MDE, Security setting management

As soon as the setting is active and the server has been onboarded, it can take up to 8 hours before you can see the server in both the Defender Portal and the Endpoint Manager.

Devices MDE
Devices MEM

Configuration in Endpoint Manager

The following policies can be created for MDE managed devices in Endpoint Manager:

  • Antivirus Policy
  • Firewall Policies
  • Firewall Rule Policies

Group for assignment

First we create a dynamic group, which the MDE managed devices will then join automatically.
You can find this under "Groups". I used the following dynamic rule for this:

(device.systemLabels -contains "MDEmanaged")

You can now assign this group in the policies and thus ensure that all MDE managed devices receive the settings.
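
The same dynamic group can also be created from a script instead of the portal. The following is an added example, not part of the original post: it uses Microsoft Graph PowerShell with the rule shown above and warns if a group of that name already exists with a different rule, since servers would then not receive the assigned policies. The display name and mail nickname are hypothetical placeholders, and the Microsoft.Graph.Groups module is assumed to be installed.

```powershell
#Requires -Modules Microsoft.Graph.Groups
# Added example (not from the original post).
# Assumptions: group name and mail nickname below are placeholders.

$GroupName = 'MDE-Managed-Servers'                            # hypothetical name
$Nickname  = 'mde-managed-servers'                            # hypothetical nickname
$Rule      = '(device.systemLabels -contains "MDEmanaged")'   # rule from the post

Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null

# Look for an existing group first so the script can be run repeatedly.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
            -Property id, displayName, membershipRule, membershipRuleProcessingState |
         Select-Object -First 1

if (-not $group) {
    # Security group with dynamic membership; rule processing switched on.
    $group = New-MgGroup -DisplayName $GroupName `
                -Description 'Devices managed via MDE security settings management' `
                -MailEnabled:$false -MailNickname $Nickname `
                -SecurityEnabled `
                -GroupTypes 'DynamicMembership' `
                -MembershipRule $Rule `
                -MembershipRuleProcessingState 'On'
    Write-Host "Created group $($group.Id)"
}
elseif ($group.MembershipRule -ne $Rule) {
    # A drifted rule means policies assigned to this group may miss servers.
    Write-Warning "Existing rule differs: $($group.MembershipRule)"
}
elseif ($group.MembershipRuleProcessingState -ne 'On') {
    Write-Warning 'Rule processing is paused; membership will not update.'
}

# List current members to confirm that onboarded servers have been picked up.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

An empty member list right after onboarding is expected until the server appears in the Defender Portal and Endpoint Manager.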

Policy - Sample Antivirus

In Endpoint Manager you can create the policy in the same way as for Windows 10/11 devices.
However, I recommend that you at least use a dedicated one for the servers, since the configuration can differ from that of the clients.
You create the policy under "Endpoint security > Antivirus" with "+ Create Policy":

Create Defender Antivirus Policy

We give the policy a meaningful name and then set the options as desired. The following screenshot shows an example configuration that I often use:

Profile Name and Description
Defender AV settings (1/2)
Defender AV settings (2/2)

Once the policy has been applied to the server, this is also displayed clearly. Errors are broken down and shown for the individual settings.

Policy report

Just like this policy, you can also create firewall policies and firewall rules and apply them to servers.

TIP: You can also easily duplicate existing policies and modify them for a new subset.

Duplicate policy

Summary

With the new solution, there is finally a simple way for "business" customers to use Defender in server environments. There is no longer any need to make a detour via "Defender for Cloud", and the setup has been simplified a lot.
The policies that are supported work well and do what they are supposed to do. Of course, I hope that further policies will soon be possible here, for example to be able to manage the ASR (Attack Surface Reduction) policies.
