Finally! Server licensing for the business line is here and is called "Defender for Business Servers". Onboarding and configuration work the same way as with Defender for Server.
The sections below summarize the available options and show how to create a policy.
Licensing
Licensing is currently in preview. While the preview runs, the feature is free of charge; afterwards the license will cost $3 per server per month.
To activate it, you just have to turn on preview features in the Microsoft 365 Defender portal (Settings > Endpoints > Advanced features > Preview features).
Microsoft Docs post: Get Microsoft Defender for Business servers | Microsoft Docs
Server Onboarding
For Windows Server version 1803, 2019 and 2022, onboarding is very simple. All you have to do is download the corresponding onboarding package under "Settings > Endpoints > Onboarding" and run it on the server.
Older server versions are not always fully supported or require an additional installation. You can find the relevant details here: Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs.
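As an added example (not code from the original post), the following PowerShell script runs the downloaded onboarding package on a Windows Server 2019/2022 host and then verifies that the sensor actually came up, using the two indicators the Defender for Endpoint troubleshooting docs point to: the Sense service and the OnboardingState registry value (1 = onboarded). The package path and script file name are assumptions; adjust them to wherever you extracted the "Local Script" package from "Settings > Endpoints > Onboarding".

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the server.
# Assumed: the "Local Script" onboarding package was extracted to C:\Temp\MDE and the
# script is named WindowsDefenderATPLocalOnboardingScript.cmd (placeholder; check your package).
#Requires -RunAsAdministrator

$OnboardingScript = 'C:\Temp\MDE\WindowsDefenderATPLocalOnboardingScript.cmd'   # assumed path
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingState {
    # Summarizes the local sensor state: the Sense service, the OnboardingState value
    # (1 = onboarded) and the tenant OrgId that the sensor reports to.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $props = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    $amMode = (Get-MpComputerStatus -ErrorAction SilentlyContinue).AMRunningMode

    [pscustomobject]@{
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState    = $props.OnboardingState
        OrgId              = $props.OrgId
        AMRunningMode      = $amMode          # 'Normal' = Defender AV is the active engine
        IsOnboarded        = [bool]($props.OnboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

if (-not (Get-MdeOnboardingState).IsOnboarded) {
    if (-not (Test-Path -Path $OnboardingScript)) {
        throw "Onboarding package not found at $OnboardingScript"
    }

    # The local-script package asks for confirmation, so run it in the current console
    # where the prompt is visible, and wait for it to finish.
    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$OnboardingScript`"" -Wait -NoNewWindow

    # The Sense service starts and OnboardingState flips to 1 shortly afterwards;
    # poll for up to five minutes instead of assuming success.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 15
        $state = Get-MdeOnboardingState
    } until ($state.IsOnboarded -or (Get-Date) -gt $deadline)

    if (-not $state.IsOnboarded) {
        Write-Warning 'Onboarding did not complete within 5 minutes; check the Sense event log (Microsoft-Windows-SENSE/Operational).'
    }
}

# Final report for the admin (or for a deployment log).
Get-MdeOnboardingState | Format-List
```

If `AMRunningMode` comes back as a passive mode rather than `Normal`, a third-party antivirus is still registered on the server and the antivirus policy you push later from Endpoint Manager will not take effect until that product is removed.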
Server Defender Policy
To manage the server configuration centrally as well, settings must be made both in the Defender portal and in Microsoft Endpoint Manager.
A prerequisite for MDE management to work is that Hybrid Azure AD Join is enabled in Azure AD Connect and the server sits in an OU that is synchronized to Azure AD.
Configuration in Defender Portal
In the Defender portal under "Settings > Endpoints > Enforcement scope" we enable "Security settings management" for servers. After that, we can distribute certain policies to the servers via Endpoint Manager.
Once the setting is active and the server has been onboarded, it can take up to 8 hours before the server shows up in both the Defender portal and Endpoint Manager.
Configuration in Endpoint Manager
The following policies can be created for MDE-managed devices in Endpoint Manager:
- Antivirus policies
- Firewall policies
- Firewall rule policies
Group for assignment
First we create a dynamic group into which the MDE-managed devices are then added automatically.
You can find this under "Groups". I used the following dynamic membership rule:
(device.systemLabels -contains "MDEmanaged")
You can now assign this group in the policies, which ensures that all MDE-managed devices receive the settings.
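The same dynamic group can be created from the command line, which is handy when you want the setup to be repeatable across tenants. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph.Groups module is installed, that the signed-in account can be granted Group.ReadWrite.All, and it uses a placeholder group name.

```powershell
# Added example, not from the original post.
# Assumed: Install-Module Microsoft.Graph.Groups has been run, and the account used with
# Connect-MgGraph can consent to Group.ReadWrite.All. The group name is a placeholder.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$GroupName = 'SG-MDE-Managed-Servers'   # assumed name, pick your own naming convention

# Membership rule from the post: devices that MDE security settings management has labelled.
$MembershipRule = '(device.systemLabels -contains "MDEmanaged")'

function New-MdeManagedDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Rule
    )
    # Idempotent: reuse an existing group with the same display name instead of creating
    # a duplicate that would silently split policy assignments.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'" -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.MembershipRule -ne $Rule) {
            Write-Warning "Group '$DisplayName' exists but has a different rule: $($existing.MembershipRule)"
        }
        return $existing
    }

    # A security-enabled, mail-disabled group with dynamic membership processing switched on.
    New-MgGroup -DisplayName $DisplayName `
                -MailEnabled:$false `
                -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
                -SecurityEnabled:$true `
                -GroupTypes @('DynamicMembership') `
                -MembershipRule $Rule `
                -MembershipRuleProcessingState 'On'
}

$group = New-MdeManagedDeviceGroup -DisplayName $GroupName -Rule $MembershipRule
"Group '$($group.DisplayName)' ($($group.Id)) uses rule: $($group.MembershipRule)"

# Dynamic membership is evaluated asynchronously; list whatever has landed so far.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Because the systemLabels value is only stamped on a device once security settings management has picked it up, a freshly onboarded server will not appear in this group until the synchronization delay mentioned above has passed.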
Policy - Sample Antivirus
In Endpoint Manager you can create the policy in the same way as for Windows 10/11 devices.
However, I recommend using at least one dedicated policy for the servers, since their configuration can differ from that of the clients.
You create the policy under "Endpoint security > Antivirus > Create Policy":
We give the policy a meaningful name and then set the options as desired. The following screenshot shows an example configuration that I often use:
When the policy has been applied on the server, this is shown clearly in the portal. Errors are also broken down and displayed per individual setting.
In the same way you can create firewall policies and firewall rules and apply them to servers.
TIP: You can also duplicate existing policies and modify them for a new subset of devices.
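The portal reports whether a policy was applied, but on a server it is worth confirming locally that the antivirus and firewall settings are really in effect, for example before handing the machine over or while troubleshooting an "Error" status. The script below is an added example, not code from the original post. The expected baseline it checks against is an illustrative assumption (the post's screenshot is not reproduced here); replace the values with the ones from your own antivirus and firewall policies.

```powershell
# Added example, not from the original post. Run on an onboarded, MDE-managed server.
# The baseline values below are an assumption for illustration, not the post's configuration.
$ExpectedAv = @{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    PUAProtection             = 1      # 1 = block potentially unwanted applications
    MAPSReporting             = 2      # 2 = advanced cloud-delivered protection
    SubmitSamplesConsent      = 1      # 1 = send safe samples automatically
    CloudBlockLevel           = 2      # 2 = high
    EnableNetworkProtection   = 1      # 1 = block
}
$ExpectedFirewall = @{
    Domain  = @{ Enabled = 'True'; DefaultInboundAction = 'Block' }
    Private = @{ Enabled = 'True'; DefaultInboundAction = 'Block' }
    Public  = @{ Enabled = 'True'; DefaultInboundAction = 'Block' }
}

function Test-MdeServerPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Av,
        [Parameter(Mandatory)] [hashtable] $Firewall
    )
    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $findings = [System.Collections.Generic.List[object]]::new()

    # Defender AV must be the active engine; in a passive mode (third-party AV present)
    # the pushed antivirus settings are stored but not enforced.
    if ($status.AMRunningMode -ne 'Normal') {
        $findings.Add([pscustomobject]@{ Area = 'AV'; Setting = 'AMRunningMode'; Expected = 'Normal'; Actual = $status.AMRunningMode })
    }

    # Compare each expected Get-MpPreference property with the live value.
    foreach ($name in $Av.Keys) {
        $actual = $pref.$name
        if ("$actual" -ne "$($Av[$name])") {
            $findings.Add([pscustomobject]@{ Area = 'AV'; Setting = $name; Expected = $Av[$name]; Actual = $actual })
        }
    }

    # Compare each firewall profile (Domain/Private/Public) with the expected state.
    foreach ($profileName in $Firewall.Keys) {
        $fw = Get-NetFirewallProfile -Name $profileName
        foreach ($name in $Firewall[$profileName].Keys) {
            $actual = "$($fw.$name)"
            if ($actual -ne $Firewall[$profileName][$name]) {
                $findings.Add([pscustomobject]@{ Area = "Firewall/$profileName"; Setting = $name; Expected = $Firewall[$profileName][$name]; Actual = $actual })
            }
        }
    }
    return $findings
}

$drift = Test-MdeServerPolicy -Av $ExpectedAv -Firewall $ExpectedFirewall
if ($drift.Count -eq 0) {
    'All checked settings match the expected baseline.'
} else {
    $drift | Format-Table -AutoSize
}
```

A non-empty result is not automatically a policy failure: a setting may still be on its way (the sync delay above applies to policy delivery too), or a local Group Policy may be overriding it, which is exactly the kind of conflict the per-setting error view in the portal helps to pin down.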
Summary
With the new solution there is finally a simple way for "business" customers to use Defender in server environments. There is no longer any need to take the detour via "Defender for Cloud", and the setup has been simplified a lot.
The supported policies work well and do what they are supposed to. Of course, I hope that further policy types will soon be possible here, for example to manage ASR (Attack Surface Reduction) rules.
Great blog. There are 2 steps missing in this post. Did you configure Hybrid Azure AD Join? And did you configure so that servers are in the AD Connect sync scope?
You're totally right, thanks. Added that important part to the "Policy" section.
Hybrid domain join is good but not supported for a domain controller