Beginner ⏱ 60 min 📋 10 Steps

Enable Defender for Servers Plan 2

Activate Defender for Servers on Azure VMs, configure auto-provisioning for agents, review Secure Score, run vulnerability assessments, investigate security alerts, and remediate recommendations to protect your server workloads.

📋 Overview

About This Lab

Microsoft Defender for Servers is a workload protection plan within Microsoft Defender for Cloud that provides threat detection, vulnerability management, and security posture hardening for Azure VMs and hybrid servers. Plan 2 includes all Plan 1 capabilities (Defender for Endpoint integration with the core Defender Vulnerability Management findings) and adds agentless vulnerability scanning, the Defender Vulnerability Management premium capabilities, file integrity monitoring, adaptive application controls, and just-in-time VM access. In this lab you will activate Defender for Servers Plan 2, configure auto-provisioning of agents, review your initial Secure Score, and resolve security recommendations. By the end of this lab, your Azure VMs will have full workload protection with continuous vulnerability scanning and threat detection enabled.

๐Ÿข Enterprise Use Case

Scenario: NorthWind Retail operates 200 Azure VMs running e-commerce services across two Azure regions (East US and West Europe). The VMs host web front-ends, API services, and backend processing for online orders, customer accounts, and payment processing.

The security team needs vulnerability management and real-time threat detection for all server workloads to comply with PCI DSS requirements. Recent industry reports show that unpatched web servers are the top initial access vector for retail breaches.

Success criteria: all VMs protected, Secure Score above 70%, vulnerability scanning active, alert notifications configured.

🎯 What You Will Learn

  1. Understand Defender for Cloud pricing tiers and the differences between Plan 1 and Plan 2
  2. Enable Defender for Servers Plan 2 on an Azure subscription using the portal, Azure CLI, and PowerShell
  3. Configure auto-provisioning to deploy monitoring extensions automatically (historically the Log Analytics agent; on current tenants the Defender for Endpoint extension and agentless scanning)
  4. Review and interpret your Secure Score and understand how recommendations affect it
  5. Run vulnerability assessment scans on Azure VMs and review discovered vulnerabilities
  6. Remediate top security recommendations to improve your security posture
  7. Configure email notifications so your team is alerted to high-severity threats
  8. Investigate a sample security alert to understand the alert lifecycle
  9. Review the regulatory compliance dashboard for standards like PCI DSS and CIS Benchmarks
  10. Understand file integrity monitoring basics and when to enable it

🔑 Why This Matters

Server workloads are primary targets for attackers: they run critical applications, store sensitive data, and often hold elevated privileges. Internet-exposed management ports (RDP, SSH) typically see scanning and brute-force traffic within minutes of a VM coming online, so an unprotected VM with an open management port is a compromise waiting to happen. Without workload protection you have no vulnerability visibility, no threat detection, and no posture assessment for those machines. Defender for Servers provides a unified security layer that covers detection, prevention, and compliance in a single plan, and Plan 2 provides the deepest protection: integrated vulnerability management, agentless scanning, file integrity monitoring, and adaptive controls close the gaps that foundational CSPM leaves open.

โš™๏ธ Prerequisites

  • Azure Subscription: An active Azure subscription with at least one resource group
  • Role: Contributor or Security Admin role on the subscription (Owner for full plan management)
  • Azure VMs: At least one Azure VM running (Windows Server 2019/2022/2025 or Ubuntu 20.04/22.04/24.04 recommended)
  • Azure CLI: Version 2.50 or later installed locally or use Azure Cloud Shell
  • PowerShell: Az.Security module installed for PowerShell-based management
  • Portal Access: Access to the Azure portal with permissions to modify Defender for Cloud settings
  • Network: VMs must have outbound HTTPS (443) connectivity to Azure management endpoints
Note: Defender for Servers Plan 2 is a paid service billed per server per hour. Review the pricing page before enabling on production subscriptions. You can use a free trial subscription for this lab.

Step 1 · Understand Defender for Cloud Plans and Pricing

Before enabling any workload protection plan, you should understand how Defender for Cloud pricing tiers work and what each plan includes.

Foundational CSPM (Free)

  • Enabled by default on all Azure subscriptions at no cost
  • Provides Secure Score, basic security recommendations, and the Microsoft Cloud Security Benchmark
  • Does not include workload-specific threat detection or vulnerability assessment

Defender for Servers Plan 1

  • Provides integration with Microsoft Defender for Endpoint (MDE) for server threat detection
  • Includes endpoint detection and response (EDR) capabilities via the MDE agent
  • Includes the core Defender Vulnerability Management findings that MDE reports (agent-based only)
  • Does not include agentless scanning, file integrity monitoring, adaptive application controls, just-in-time VM access, or the daily data ingestion benefit

Defender for Servers Plan 2 (This Lab)

  • Everything in Plan 1 plus the Microsoft Defender Vulnerability Management premium capabilities
  • Agentless scanning for vulnerabilities and secrets detection, with no dependency on an agent being installed or healthy
  • File integrity monitoring (FIM) to detect changes to critical OS and application files
  • Adaptive application controls to allowlist approved applications
  • Just-in-time (JIT) VM access to reduce attack surface on management ports
  • 500 MB per day of free security data ingestion per protected server to the connected Log Analytics workspace

Check Current Plan Status with Azure CLI

# List every Defender plan and whether it is Free or Standard (paid).
# Output: table of plan names (VirtualMachines, SqlServers, etc.) with their tier.
az security pricing list --query "[].{Name:name, Tier:pricingTier}" -o table

# Drill into the VirtualMachines plan (portal label: "Defender for Servers").
# Shows the tier (Free|Standard) and sub-plan (P1 or P2).
az security pricing show --name VirtualMachines --query "{Plan:name, Tier:pricingTier, SubPlan:subPlan}" -o json

Check Current Plan Status with PowerShell

# Install the Az.Security PowerShell module (required once per machine).
# -AllowClobber overwrites any conflicting cmdlets from older modules.
Install-Module -Name Az.Security -Force -AllowClobber

# Display every Defender plan with its pricing tier and sub-plan.
# Look for PricingTier = "Standard" to confirm a plan is enabled.
Get-AzSecurityPricing | Select-Object Name, PricingTier, SubPlan | Format-Table

# Show details for the Servers plan specifically.
# Expect SubPlan = P2 for full vulnerability assessment and JIT access.
Get-AzSecurityPricing -Name "VirtualMachines"
Tip: The plan name in the API is "VirtualMachines" even though the portal displays it as "Defender for Servers." Keep this mapping in mind when scripting.

Step 2 · Enable Defender for Servers Plan 2 on a Subscription

Now you will enable Defender for Servers Plan 2 on your target subscription. You can do this through the Azure portal, Azure CLI, or PowerShell.

Enable via the Azure Portal

  1. Navigate to the Azure portal and sign in with your Security Admin account
  2. Search for Microsoft Defender for Cloud in the search bar and select it
  3. In the left menu, click Environment settings
  4. Expand your management group hierarchy and select your target subscription
  5. On the Defender plans page, locate the Servers row
  6. Toggle the plan status to On
  7. Under the Plan column, click the dropdown and select Plan 2
  8. Click Save at the top of the page to apply the changes
  9. Wait 1 to 2 minutes for the plan to activate; the status will change to a green checkmark

Enable via Azure CLI

# Switch context to the subscription where you want to enable Defender.
# Replace YOUR_SUBSCRIPTION_ID with the actual GUID or friendly name.
az account set --subscription "YOUR_SUBSCRIPTION_ID"

# Enable Defender for Servers Plan 2 on the current subscription.
# --tier Standard turns on paid protection (Free = foundational CSPM only, no workload protection).
# --subplan P2 enables the full feature set (vulnerability scanning,
# JIT access, adaptive application controls, file integrity monitoring).
az security pricing create \
  --name VirtualMachines \
  --tier Standard \
  --subplan P2

# Confirm the plan is active. Tier should read "Standard" and SubPlan "P2".
az security pricing show \
  --name VirtualMachines \
  --query "{Plan:name, Tier:pricingTier, SubPlan:subPlan}" \
  -o json

Enable via PowerShell

# Authenticate to Azure (opens a browser login if not already authenticated).
Connect-AzAccount

# Switch to the subscription you want to protect.
# Replace with your actual subscription GUID.
Set-AzContext -SubscriptionId "YOUR_SUBSCRIPTION_ID"

# Enable Defender for Servers with the Plan 2 feature set.
# Plan 2 adds: vulnerability assessment, JIT VM access,
# adaptive application controls, and file integrity monitoring.
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" -SubPlan "P2"

# Verify activation. PricingTier should be "Standard", SubPlan "P2".
Get-AzSecurityPricing -Name "VirtualMachines" | Format-List Name, PricingTier, SubPlan
Important: Enabling Defender for Servers starts billing immediately. For production subscriptions, coordinate with your finance team and understand the per-server-per-hour pricing model before activation.
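Verifying a single plan by eye is fine for one subscription; with many subscriptions you want a repeatable check. The following Python audit is an added example, not part of the original lab: it consumes the JSON printed by `az security pricing list -o json` (the shape is assumed from the CLI's output fields `name`, `pricingTier`, `subPlan`; it accepts both a bare list and an object wrapping the list in `value`) and reports every plan that is not at the tier or sub-plan you require. The sample input is constructed, not captured from a real subscription.

```python
import json

# Plans this lab expects, with the sub-plan that must be active (None = any sub-plan).
REQUIRED_PLANS = {
    "VirtualMachines": "P2",   # portal label: Defender for Servers, Plan 2
}


def audit_defender_plans(pricing_json, required=REQUIRED_PLANS):
    """Return a sorted list of findings for Defender plans that fall short.

    pricing_json: raw output of `az security pricing list -o json`, either a bare
    JSON list or an object with a "value" array (both shapes are handled so the
    check does not depend on the CLI version).
    """
    data = json.loads(pricing_json)
    plans = data["value"] if isinstance(data, dict) else data
    by_name = {p["name"]: p for p in plans}

    findings = []
    for name, want_subplan in required.items():
        plan = by_name.get(name)
        if plan is None:
            findings.append(f"{name}: plan not present in subscription output")
            continue
        tier = plan.get("pricingTier")
        if tier != "Standard":
            # Free means foundational CSPM only: no workload protection at all.
            findings.append(f"{name}: tier is {tier!r}, expected 'Standard'")
            continue
        sub = plan.get("subPlan")
        if want_subplan and sub != want_subplan:
            findings.append(f"{name}: sub-plan is {sub!r}, expected {want_subplan!r}")
    return sorted(findings)


# Constructed sample mirroring the shape of `az security pricing list` output.
# It is not captured from a real tenant.
SAMPLE_PRICING = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1"},
    {"name": "SqlServers", "pricingTier": "Free", "subPlan": None},
    {"name": "KeyVaults", "pricingTier": "Standard", "subPlan": None},
]})

if __name__ == "__main__":
    # In practice: az security pricing list -o json | python audit_plans.py
    for line in audit_defender_plans(SAMPLE_PRICING, {"VirtualMachines": "P2", "SqlServers": None}):
        print("FINDING:", line)
```

Run it against each subscription in a loop (`az account list`, then `az account set`) and treat any non-empty result as a gate failure in your pipeline; a server plan that is Standard but still on P1 is easy to miss in the portal because the toggle shows green either way.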

Step 3 · Configure Auto-Provisioning for the Log Analytics Agent

Auto-provisioning automatically installs the required monitoring agents on your Azure VMs, so new VMs are protected without manual intervention. Note that Microsoft retired the Log Analytics agent (MMA) on 31 August 2024; on current tenants the Log Analytics agent toggle may no longer appear in the portal, and Defender for Servers Plan 2 relies on the Defender for Endpoint extension plus agentless scanning instead. The steps below describe the classic workflow; where a toggle is missing, confirm coverage with the extension check at the end of this step.

Configure via the Azure Portal

  1. In Defender for Cloud, navigate to Environment settings and select your subscription
  2. Click Settings and monitoring (next to the Defender plans page)
  3. Locate the Log Analytics agent row and toggle it to On
  4. Choose the workspace configuration: Default workspace (Defender for Cloud creates one) or Custom workspace (select your own Log Analytics workspace)
  5. For this lab, select Default workspace unless you already have a workspace you want to use
  6. Review additional extensions: Vulnerability assessment should be set to On
  7. Ensure Guest Configuration agent is set to On for security baseline assessments
  8. Click Continue and then Save to apply the auto-provisioning settings

Verify Auto-Provisioning via Azure CLI

# Show all auto-provisioning toggles (Log Analytics agent, VA, Guest Config).
az security auto-provisioning-setting list -o table

# Check whether the default Log Analytics agent auto-provisioning is On or Off.
# "On" means new VMs automatically receive the monitoring agent.
az security auto-provisioning-setting show \
  --name "default" \
  --query "{Name:name, AutoProvision:autoProvision}" \
  -o json

# Turn on auto-provisioning so every new VM is instrumented automatically.
# Existing VMs will also receive the agent within 15-30 minutes.
az security auto-provisioning-setting create \
  --name "default" \
  --auto-provision "On"

Verify Agent Deployment on a VM

# List all installed VM extensions and their provisioning status.
# Replace "myResourceGroup" and "myVM" with your actual values.
az vm extension list \
  --resource-group "myResourceGroup" \
  --vm-name "myVM" \
  --query "[].{Name:name, Status:provisioningState}" \
  -o table

# Expected extensions after auto-provisioning:
#   MicrosoftMonitoringAgent (Windows) / OmsAgentForLinux (Linux)
#     - sends security data to Log Analytics workspace.
#   MDE.Windows / MDE.Linux
#     - Defender for Endpoint sensor for real-time threat detection.
# Status should read "Succeeded" for both.
Tip: Auto-provisioning may take 15 to 30 minutes to deploy agents to existing VMs. New VMs created after enabling auto-provisioning receive the agents during initial provisioning.
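Checking one VM's extension list by hand does not scale to 200 VMs, and a VM whose MDE extension exists but sits in a Failed state is still unprotected. The following Python check is an added example, not part of the original lab: it takes each VM's OS type and the JSON from `az vm extension list -o json` (field names `name` and `provisioningState` are assumed from the CLI output shown above) and reports, per VM, whether the monitoring and EDR roles are covered. The accepted extension names extend the lab's list with the Azure Monitor Agent names (`AzureMonitorWindowsAgent`, `AzureMonitorLinuxAgent`), which is an assumption about newer deployments; the inventory is constructed sample data.

```python
import json

# Extension names that satisfy each role, per OS. The Azure Monitor Agent
# names are assumed (successor to the Log Analytics agent), not from the lab text.
EXPECTED_EXTENSIONS = {
    "Windows": {
        "monitoring": {"MicrosoftMonitoringAgent", "AzureMonitorWindowsAgent"},
        "edr": {"MDE.Windows"},
    },
    "Linux": {
        "monitoring": {"OmsAgentForLinux", "AzureMonitorLinuxAgent"},
        "edr": {"MDE.Linux"},
    },
}


def check_agent_coverage(os_type, extensions_json):
    """Return {role: status} for one VM.

    extensions_json: output of `az vm extension list -o json` for that VM.
    status is "ok", "missing", or "failed:<provisioningState>" when the extension
    is present but never reached the Succeeded state.
    """
    installed = {e["name"]: e.get("provisioningState") for e in json.loads(extensions_json)}
    report = {}
    for role, names in EXPECTED_EXTENSIONS[os_type].items():
        present = [n for n in names if n in installed]
        if not present:
            report[role] = "missing"
        elif any(installed[n] == "Succeeded" for n in present):
            report[role] = "ok"
        else:
            report[role] = f"failed:{installed[present[0]]}"
    return report


def vms_needing_attention(inventory):
    """inventory: iterable of (vm_name, os_type, extensions_json).
    Returns the sorted names of VMs where any role is not "ok"."""
    return sorted(
        vm for vm, os_type, ext in inventory
        if any(status != "ok" for status in check_agent_coverage(os_type, ext).values())
    )


# Constructed inventory (three fictional VMs); not captured from a real tenant.
SAMPLE_INVENTORY = [
    ("web01", "Windows", json.dumps([
        {"name": "MicrosoftMonitoringAgent", "provisioningState": "Succeeded"},
        {"name": "MDE.Windows", "provisioningState": "Succeeded"},
    ])),
    ("api02", "Linux", json.dumps([
        {"name": "MDE.Linux", "provisioningState": "Failed"},   # extension present, install failed
    ])),
    ("batch03", "Linux", json.dumps([
        {"name": "AzureMonitorLinuxAgent", "provisioningState": "Succeeded"},
        {"name": "MDE.Linux", "provisioningState": "Succeeded"},
    ])),
]

if __name__ == "__main__":
    for vm, os_type, ext in SAMPLE_INVENTORY:
        print(vm, check_agent_coverage(os_type, ext))
    print("needs attention:", vms_needing_attention(SAMPLE_INVENTORY))
```

Feed it from a loop over `az vm list --query "[].{name:name, os:storageProfile.osDisk.osType}"` followed by `az vm extension list` per VM; a "failed:" status is the case auto-provisioning will not fix on its own and usually means the VM has no outbound 443 path to the Azure endpoints listed in the prerequisites.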

Step 4 · Review Your Initial Secure Score

Secure Score is a measurement of your organization's security posture. It ranges from 0% to 100%, with higher scores indicating a stronger security configuration. Reviewing your baseline score before making changes lets you track improvement over time.

View Secure Score in the Portal

  1. In Defender for Cloud, click Secure Score in the left menu (under Cloud Security)
  2. Note your current overall score and write it down as your baseline
  3. Click on the score to drill into the Recommendations view
  4. Review the security controls: each control groups related recommendations and shows the maximum score increase if all are resolved
  5. Identify the controls with the highest potential score increase; these are your top priorities

Understanding Score Components

  • Healthy resources: Resources that meet the recommendation requirements
  • Unhealthy resources: Resources that violate the recommendation and reduce your score
  • Not applicable: Resources excluded from the recommendation (for example, a recommendation for Windows VMs does not apply to Linux VMs)
  • Max score: The highest score achievable if all recommendations in a control are resolved

Query Secure Score via KQL

// Retrieve the latest Secure Score snapshot per subscription.
// Requires continuous export to Log Analytics (covered in later labs).
// Output columns:
//   CurrentScore - points earned from healthy resources.
//   MaxScore     - maximum achievable points.
//   Percentage   - overall security posture (target > 70%).
SecureScores
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by SubscriptionId
| project TimeGenerated, SubscriptionId, 
    CurrentScore = Properties.score.current,
    MaxScore = Properties.score.max,
    Percentage = Properties.score.percentage
| order by TimeGenerated desc
Tip: Take a screenshot of your baseline Secure Score. After completing this lab, compare the before and after scores to measure the impact of your remediation efforts.

Step 5 · Explore Security Recommendations for VMs

Security recommendations are actionable findings that tell you exactly what to fix and why. After enabling Defender for Servers, new VM-specific recommendations will appear within minutes.

Navigate to Recommendations

  1. In Defender for Cloud, click Recommendations in the left menu
  2. Use the Resource type filter and select Virtual machines to focus on VM recommendations
  3. Sort by Severity (High first) to prioritize the most critical findings
  4. Click on any recommendation to see the full details: description, remediation steps, and affected resources

Common VM Recommendations

  • System updates should be installed on your machines: Missing OS patches detected
  • Vulnerabilities in security configuration should be remediated: OS baseline hardening gaps
  • Endpoint protection should be installed on your machines: Antimalware agent missing or inactive
  • Management ports should be closed on your virtual machines: RDP or SSH ports open to the internet
  • Disk encryption should be applied on virtual machines: OS or data disks not encrypted
  • Just-in-time network access control should be applied: JIT VM access not configured

Query Recommendations via KQL

// Count how many VM-related security issues exist, grouped by recommendation title.
// Filters to "Unhealthy" state only (unresolved findings).
// RecommendationSeverity is a string, so a plain sort yields High, Low, Medium;
// the case() expression ranks it so High really comes first, then Medium, then Low.
SecurityRecommendation
| where TimeGenerated > ago(7d)
| where RecommendationState == "Unhealthy"
| where tolower(ResourceGroup) contains "vm"
    or tolower(RecommendationDisplayName) contains "virtual machine"
    or tolower(RecommendationDisplayName) contains "server"
| summarize Count = count() by RecommendationDisplayName, RecommendationSeverity
| extend SeverityRank = case(RecommendationSeverity == "High", 1,
                             RecommendationSeverity == "Medium", 2, 3)
| order by SeverityRank asc, Count desc
| project-away SeverityRank

// List each unhealthy VM alongside the specific recommendation it violates.
// Useful for assigning remediation tasks to VM owners.
// Continuous export writes a row on every state change, so arg_max() keeps only
// the latest row per VM and recommendation and avoids duplicate lines.
// split(ResourceId, "/")[-1] extracts the VM name from the full resource path.
SecurityRecommendation
| where TimeGenerated > ago(1d)
| where ResourceType == "microsoft.compute/virtualmachines"
| summarize arg_max(TimeGenerated, *) by ResourceId, RecommendationDisplayName
| where RecommendationState == "Unhealthy"
| project TimeGenerated, ResourceName = tostring(split(ResourceId, "/")[-1]),
    Recommendation = RecommendationDisplayName,
    Severity = RecommendationSeverity,
    SeverityRank = case(RecommendationSeverity == "High", 1,
                        RecommendationSeverity == "Medium", 2, 3)
| order by SeverityRank asc, ResourceName asc
| project-away SeverityRank
Tip: Focus on high-severity recommendations first. Each resolved recommendation increases your Secure Score and reduces your actual attack surface.

Step 6 · Run a Vulnerability Assessment Scan

Defender for Servers Plan 2 includes integrated vulnerability assessment powered by Microsoft Defender Vulnerability Management. Scans run automatically on the scanner's own schedule once the agent (or agentless scanning) is in place; there is no manual scan button, so your job is to confirm the scanner is deployed and then review the findings it surfaces as recommendations.

Verify Vulnerability Assessment Is Enabled

  1. In Defender for Cloud, go to Recommendations
  2. Search for A vulnerability assessment solution should be enabled on your virtual machines
  3. Click the recommendation to see which VMs have a vulnerability scanner deployed and which do not
  4. For VMs without a scanner, click Fix and select Microsoft Defender Vulnerability Management as the scanner
  5. The scanner deploys as a VM extension and begins scanning automatically

Review Scan Results

  1. After the initial scan completes (typically within 30 to 60 minutes), navigate to Recommendations
  2. Search for Machines should have vulnerability findings resolved
  3. Click the recommendation to see all discovered vulnerabilities across your VMs
  4. Click on a specific vulnerability to see: CVE details, affected VMs, severity, available patches, and remediation guidance
  5. Use the Severity filter to focus on Critical and High findings

Check Vulnerability Assessment Status via CLI

# Retrieve vulnerability scan findings for a specific VM.
# --assessed-resource-id: full ARM path to the target VM (replace placeholders).
# --assessment-name: the GUID "1195afff-..." identifies the built-in
#   "Machines should have vulnerability findings resolved" assessment.
# Output: CVE identifier, severity (Critical/High/Medium/Low), and description.
az security sub-assessment list \
  --assessed-resource-id "/subscriptions/YOUR_SUB_ID/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM" \
  --assessment-name "1195afff-c881-495e-9bc5-1486211ae03f" \
  --query "[].{CVE:id.azureResourceId, Severity:status.severity, Description:displayName}" \
  -o table
Important: The first vulnerability scan may take up to 24 hours to return comprehensive results. Subsequent scans run every 12 hours. Do not assume your VMs are vulnerability-free if results are empty immediately after deployment.

Step 7 · Remediate Top Security Recommendations

Now that you have visibility into your security posture, remediate the highest-impact recommendations. Focus on findings that close management ports, apply patches, and enable encryption.

Remediation 1: Close Open Management Ports

  1. In Recommendations, find Management ports should be closed on your virtual machines
  2. Click the recommendation and review the list of affected VMs
  3. For each affected VM, navigate to Networking in the VM blade
  4. Remove or restrict NSG rules that allow inbound RDP (3389) or SSH (22) from Any source
  5. Replace broad rules with specific source IP ranges or enable JIT VM access instead
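The recommendation tells you which VMs are affected, but when you review the NSG yourself it is easy to misjudge exposure: NSG rules are evaluated first-match by ascending priority, a Deny at 110 shadows an Allow at 120, and a port can be exposed through a range like "3000-4000" or "*" rather than an explicit 3389. The following Python check is an added example, not part of the original lab: it evaluates the JSON from `az network nsg rule list --include-default -o json` (field names `priority`, `direction`, `access`, `protocol`, `destinationPortRange(s)` and `sourceAddressPrefix(es)` are assumed from that CLI's output) and returns, for each management port, the rule that lets the internet reach it, or None when a Deny wins first. The rule set is constructed sample data.

```python
import json

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that mean "anyone on the internet" (incl. the Internet service tag).
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}


def _values(rule, single_key, list_key):
    """NSG rules carry either a single value or a list; normalise to a list."""
    values = list(rule.get(list_key) or [])
    if rule.get(single_key):
        values.append(rule[single_key])
    return values


def _port_covered(rule, port):
    for r in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if r == "*":
            return True
        lo, _, hi = r.partition("-")          # "3389" or "3000-4000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _internet_source(rule):
    return any(s in INTERNET_SOURCES
               for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))


def exposed_management_ports(rules_json, ports=MANAGEMENT_PORTS):
    """Return {port: rule_name or None}.

    For each management port, walk the inbound rules in priority order (first
    match wins, exactly as the NSG engine does) and report the Allow rule that
    opens the port to the internet, or None if a Deny matches first or nothing
    matches at all.
    """
    rules = sorted(json.loads(rules_json), key=lambda r: r["priority"])
    result = {}
    for port in ports:
        result[port] = None
        for rule in rules:
            if rule.get("direction") != "Inbound":
                continue
            if rule.get("protocol") not in ("*", "Tcp", "TCP"):
                continue
            if not _port_covered(rule, port) or not _internet_source(rule):
                continue
            result[port] = rule["name"] if rule["access"] == "Allow" else None
            break                                   # first match decides
    return result


# Constructed NSG rule set (not captured from a real NSG). Mirrors the fields of
# `az network nsg rule list --include-default -o json`.
SAMPLE_NSG_RULES = json.dumps([
    {"name": "AllowSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22", "destinationPortRanges": [],
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "DenyRDPInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "3389", "destinationPortRanges": [],
     "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": []},
    {"name": "AllowRDPShadowed", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389", "destinationPortRanges": [],
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "AllowWeb", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": None, "destinationPortRanges": ["80", "443"],
     "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": []},
    {"name": "AllowOpsRange", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRange": "5000-6000", "destinationPortRanges": [],
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": [],
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
])

if __name__ == "__main__":
    for port, rule in exposed_management_ports(SAMPLE_NSG_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}):", "CLOSED" if rule is None else f"OPEN via {rule}")
```

On the sample set SSH is open to the world through AllowSSH while RDP is closed even though AllowRDPShadowed exists, because DenyRDPInternet has the lower priority number. Passing `ports={5985: "WinRM"}` shows the range case: WinRM is exposed through the "5000-6000" rule even though no rule names the port. The check deliberately ignores rules whose source is a specific CIDR; a broad CIDR such as 0.0.0.0/1 would still be an exposure and needs a human review.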

Remediation 2: Install System Updates

  1. Find the System updates should be installed on your machines recommendation
  2. Click the recommendation to see which updates are missing on each VM
  3. For Azure VMs, use Azure Update Manager to schedule and deploy missing patches
  4. Navigate to Azure Update Manager in the Azure portal and create an update deployment

Remediation 3: Enable Just-in-Time VM Access

# Enable Just-in-Time (JIT) VM access to lock down management ports.
# JIT keeps RDP (3389) and SSH (22) blocked at the NSG level and only
# opens them for a limited window when an authorised user requests access.
# The Azure CLI "az security jit-policy" group only lists and shows policies,
# so the policy is created here with the Az.Security PowerShell module.
#   maxRequestAccessDuration = "PT3H" - ports open for at most 3 hours per request.
#   allowedSourceAddressPrefix = "*"  - any source IP may request access; replace
#     with your corporate CIDR (for example "203.0.113.0/24") for tighter control.
$JitPolicy = @{
    id    = "/subscriptions/YOUR_SUB_ID/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM"
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "eastus" -Name "default" `
    -ResourceGroupName "myResourceGroup" -VirtualMachine @($JitPolicy)

# Confirm the policy exists and lists both ports for the VM.
Get-AzJitNetworkAccessPolicy -ResourceGroupName "myResourceGroup" -Location "eastus" -Name "default"

Verify Remediation Impact on Secure Score

# View your current Secure Score after remediation.
# Percentage = CurrentScore / MaxScore (target > 70% for a healthy baseline).
Get-AzSecuritySecureScore | Select-Object DisplayName, CurrentScore, MaxScore, Percentage

# Show the top 10 remaining unhealthy recommendations to plan next actions.
# Resolving these will continue to raise your Secure Score.
Get-AzSecurityTask | Where-Object { $_.State -eq "Unhealthy" } | 
    Select-Object RecommendationType, ResourceId -First 10
Tip: Secure Score updates can take up to 8 hours after remediation. Do not panic if your score has not changed immediately. Check back the next day for an accurate reflection of your improvements.

Step 8 · Configure Email Notifications for Alerts

Configure email notifications to ensure your security team is alerted immediately when Defender for Cloud detects threats against your server workloads.

Configure via the Azure Portal

  1. In Defender for Cloud, navigate to Environment settings and select your subscription
  2. Click Email notifications in the left menu
  3. Under Email recipients, add the email addresses of your security operations team
  4. You can add individual addresses or a distribution list (recommended for team coverage)
  5. Under Notification types, ensure the following are checked:
    • High severity alerts
    • Medium severity alerts (optional but recommended)
  6. Check Also notify subscription owners if your subscription owners should receive alerts
  7. Click Save to apply the notification settings

Verify Notification Settings via Azure CLI

# Display existing security contact configuration (email addresses, toggles).
az security contact list -o json

# Set (or update) the security contact for alert notifications.
# --emails: distribution list or address that receives High/Medium alerts.
# --alert-notifications On: send email when Defender for Cloud raises an alert.
# --alerts-admins On: also notify subscription Owner and Contributor roles.
az security contact create \
  --name "default" \
  --emails "soc-team@northwindretail.com" \
  --alert-notifications "On" \
  --alerts-admins "On"
Tip: Use a shared mailbox or distribution list rather than individual email addresses. This ensures alert coverage even when team members are on leave and simplifies recipient management.

Step 9 · Investigate a Sample Security Alert

Defender for Servers generates alerts when it detects suspicious activity on your VMs. In this step, you will trigger a sample alert and walk through the investigation workflow.

Generate a Sample Alert

  1. In Defender for Cloud, navigate to Security alerts in the left menu
  2. Click the Sample alerts button at the top of the alerts page
  3. Select your subscription and choose Defender for Servers as the plan
  4. Click Create sample alerts
  5. Wait 2 to 5 minutes for the sample alerts to appear in the alerts queue

Investigate the Alert

  1. Click on one of the sample alerts to open the alert details pane
  2. Review the Description to understand what was detected
  3. Check the Affected resource to identify which VM triggered the alert
  4. Review the MITRE ATT&CK tactics mapping to understand the attack stage
  5. Examine the Evidence section for process details, file hashes, IP addresses, and command lines
  6. Click Take action to see remediation recommendations specific to this alert
  7. Set the alert status to Resolved after completing your investigation

Query Security Alerts via KQL

// Retrieve the 25 most recent High/Medium security alerts from Defender for Servers.
// ProductName "Azure Security Center" covers all Defender for Cloud workload alerts.
// Key output columns:
//   AlertName        - short title describing the detected threat.
//   Tactics          - MITRE ATT&CK stage (InitialAccess, Execution, etc.).
//   RemediationSteps - suggested actions to contain and resolve the threat.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
| where AlertSeverity in ("High", "Medium")
| project TimeGenerated, AlertName, AlertSeverity, 
    Description, RemediationSteps,
    ResourceId, Tactics, Techniques
| order by TimeGenerated desc
| take 25

// Count alerts by MITRE ATT&CK tactic and severity over the last 30 days.
// Tactics is stored as a string that may hold several comma-separated values
// (for example "Execution,Persistence"); split() turns it into an array and
// mv-expand gives each tactic its own row. trim() removes stray spaces.
// Use this for trend dashboards - a spike in "LateralMovement" or
// "CredentialAccess" may indicate an active intrusion.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProductName == "Azure Security Center"
| mv-expand Tactic = split(Tactics, ",")
| extend Tactic = trim(" ", tostring(Tactic))
| summarize AlertCount = count() by Tactic, AlertSeverity
| order by AlertCount desc
Important: Sample alerts are labeled with "[Sample]" in the title. Do not confuse them with real threats. In production, every high-severity alert should be investigated within your SLA (typically under 1 hour for critical alerts).

Step 10 · Review Regulatory Compliance Dashboard

The regulatory compliance dashboard maps your security posture to industry standards and regulatory frameworks. Enabling Defender for Servers improves your compliance score by covering server-specific controls.

Explore the Compliance Dashboard

  1. In Defender for Cloud, click Regulatory compliance in the left menu
  2. Review your compliance percentage against the Microsoft Cloud Security Benchmark (applied by default)
  3. Click on individual controls to see which server-related recommendations are mapped
  4. Expand a control like Endpoint Security to see recommendations such as "Endpoint protection should be installed"
  5. Note the Passed, Failed, and Skipped counts for each control

Add Additional Compliance Standards

  1. Click Manage compliance policies at the top of the dashboard
  2. Select your subscription and click Add more standards
  3. Add standards relevant to your organization: PCI DSS 4.0, NIST SP 800-53, CIS Azure Benchmarks, or SOC 2
  4. Click Add and wait a few minutes for the compliance assessment to run
  5. Return to the compliance dashboard to see your score against the new standards

Export Compliance Report

  1. On the compliance dashboard, click Download report
  2. Select the standard you want to export (for example, PCI DSS)
  3. Choose the format: PDF for executive reporting or CSV for detailed analysis
  4. Share the report with your compliance team or auditors as evidence of your security posture

Query Failing Server Controls via KQL

// Count how many distinct resources fail each server-related compliance control.
// Filters to the five most impactful server hardening recommendations.
// dcount(ResourceId) gives the unique number of non-compliant resources,
// so you can prioritise the control that affects the most machines.
SecurityRecommendation
| where TimeGenerated > ago(1d)
| where RecommendationState == "Unhealthy"
| where RecommendationDisplayName has_any ("endpoint protection", "system updates", 
    "disk encryption", "management ports", "vulnerability")
| summarize FailedResources = dcount(ResourceId) by RecommendationDisplayName
| order by FailedResources desc
Tip: Adding a compliance standard does not create new recommendations. It maps your existing Defender for Cloud recommendations to the framework's controls, giving you a compliance-oriented view of the same security data.

Summary

What You Accomplished

  • Reviewed Defender for Cloud pricing tiers and understood the differences between Plan 1 and Plan 2
  • Enabled Defender for Servers Plan 2 on your Azure subscription using the portal, CLI, and PowerShell
  • Configured auto-provisioning to deploy monitoring agents to all Azure VMs automatically
  • Reviewed your baseline Secure Score and identified the highest-impact security controls
  • Explored VM-specific security recommendations and understood severity prioritization
  • Verified vulnerability assessment scanning and reviewed discovered CVEs on your VMs
  • Remediated top recommendations: closed management ports, applied patches, and enabled JIT access
  • Configured email notifications so your security team receives alerts for high-severity threats
  • Investigated a sample security alert and walked through the full investigation workflow
  • Reviewed the regulatory compliance dashboard and added relevant compliance standards

Cost Considerations

  • Defender for Servers Plan 2 is billed per server per hour; review current pricing on the Azure pricing page
  • Each protected server includes 500 MB per day of free data ingestion to the connected Log Analytics workspace
  • If you are using this in a lab environment, disable the plan after completing the lab to avoid ongoing charges
  • For production, consider enabling the plan at the management group level for consistent coverage across all subscriptions

Cleanup (Lab Environment Only)

  • To disable Defender for Servers, navigate to Environment settings, select your subscription, and toggle the Servers plan to Off
  • Alternatively, disable via CLI: az security pricing create --name VirtualMachines --tier Free
  • Remove any test NSG rules or JIT policies you created during the lab
  • Resolve or dismiss sample alerts generated during Step 9

Next Steps

  • Next Lab: Implement Cloud Security Posture Management
  • Enable Defender CSPM for attack path analysis and cloud security graph capabilities
  • Configure continuous export to send recommendations and alerts to a Log Analytics workspace or Event Hub
  • Integrate Defender for Cloud alerts with Microsoft Sentinel for unified SIEM/SOAR workflows
  • Explore file integrity monitoring to detect unauthorized changes to critical system files

📚 Documentation Resources

  • Defender for Servers overview and plan comparison: Compare Plan 1 and Plan 2 features for server protection
  • Tutorial: Configure security policies in Defender for Cloud: Step-by-step guide to setting up and managing security policies
  • Secure Score and security controls in Defender for Cloud: Understand how Secure Score measures your overall security posture
  • Deploy vulnerability assessment for Azure VMs: Enable and run vulnerability scans on your virtual machines
  • Configure just-in-time VM access: Set up time-limited management port access for Azure VMs
  • Configure email notifications for security alerts: Route high-severity security alerts to your team via email
  • Security alerts in Microsoft Defender for Cloud: Understand alert types, severity levels, and investigation workflows
  • Regulatory compliance dashboard: Track compliance against PCI DSS, CIS, and other frameworks
  • File integrity monitoring overview: Detect unauthorized changes to critical OS and application files
  • Microsoft Defender for Cloud pricing: Review per-server hourly billing and plan cost estimates