Microsoft Defender for Servers is off on this subscription, which means your Azure VMs and hybrid machines have no behavioral threat detection, vulnerability scanning, or alerting. Turn it on per subscription with az security pricing create --name VirtualMachines --tier standard and enforce it with Azure Policy.
Defender for Servers is the workload protection plan in Microsoft Defender for Cloud that watches your virtual machines for active threats. When it's disabled, your servers run without endpoint detection and response (EDR), without agentless vulnerability scanning, and without the alerting pipeline that tells you when something has gone wrong. This check flags any Azure subscription where that plan is set to the free tier.
It's an easy gap to create. Defender for Servers is a paid plan, so it ships off by default on new subscriptions. Teams spin up workloads, forget to enable it, and end up with production VMs that have zero runtime security telemetry.
What this check detects
The defender_servers check inspects the Defender for Cloud pricing configuration for each subscription and verifies that the VirtualMachines plan is set to the Standard tier. If it's on the Free tier, the plan is effectively disabled and the check fails.
Defender for Cloud has two relevant tiers per resource type:
- Free — basic Cloud Security Posture Management (CSPM) recommendations only. No threat detection, no EDR integration, no vulnerability scanning.
- Standard — the full Defender for Servers plan with Microsoft Defender for Endpoint integration, agentless scanning, file integrity monitoring, and security alerts.
Note: Defender for Servers comes in two plans. Plan 1 gives you Defender for Endpoint integration and license. Plan 2 adds agentless vulnerability scanning, file integrity monitoring, just-in-time VM access, and free data ingestion to Log Analytics. The check passes as long as the tier is Standard, but Plan 2 is what most security teams actually want.
Why it matters
A VM without Defender for Servers is a VM you cannot see into. The posture recommendations in the free tier tell you that a port is open or a disk is unencrypted, but they say nothing about what's happening inside the machine right now.
Here is what you lose when the plan is off:
- No EDR. Defender for Endpoint integration brings behavioral detection for malware, suspicious process trees, credential theft, and lateral movement. Without it, an attacker who lands on a VM operates in the dark.
- No vulnerability scanning. Plan 2 runs agentless scans that surface unpatched CVEs on your machines. Disabled means you're guessing about your patch posture.
- No security alerts. Detections like "suspicious SSH login" or "crypto-mining process detected" simply never fire.
- No file integrity monitoring. Changes to sensitive system files go unnoticed, which is a problem for both attack detection and compliance frameworks like PCI DSS.
A realistic scenario: an internet-facing VM has a weak SSH password. An attacker brute-forces it, drops a crypto-miner, and pivots to a database server using credentials cached on disk. With Defender for Servers enabled, the brute-force attempt, the anomalous outbound traffic from the miner, and the lateral movement each generate alerts. With it disabled, the first sign of trouble is your cloud bill or a customer complaint.
Warning: Defender for Servers is billed per server per hour. Plan 2 runs roughly $15 per server per month at list price, with Plan 1 cheaper. Enable it broadly with intent, and use Azure Reservations if you have a stable fleet to cut the cost.
How to fix it
The plan is enabled at the subscription level, not per VM. Once it's on, every eligible machine in the subscription is covered.
Azure Portal
- Open Microsoft Defender for Cloud in the Azure Portal.
- Go to Environment settings and select your subscription.
- Find the Servers plan in the list and toggle the status to On.
- Click Select plan to choose Plan 1 or Plan 2. Plan 2 is recommended for most environments.
- Click Save.
Azure CLI
Set the VirtualMachines pricing tier to Standard for the subscription:
az security pricing create \
    --name VirtualMachines \
    --tier standard
To select Plan 2 specifically, pass the subplan:
az security pricing create \
    --name VirtualMachines \
    --tier standard \
    --subplan P2
Confirm the change:
az security pricing show --name VirtualMachines \
    --query "{name:name, tier:pricingTier, subPlan:subPlan}" -o table
Tip: If you run dozens of subscriptions, script this across all of them. Loop over az account list --query "[].id" -o tsv, set the subscription with az account set --subscription, then run the pricing command inside the loop. Pair that with a management-group-level Azure Policy so new subscriptions inherit the setting automatically.
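The loop in the tip above, as an added example that is not the check's or the page's own code: a Python script that applies the defender_servers pass/fail logic to the JSON returned by az security pricing show, walks every subscription from az account list, and (only when asked) runs the same az security pricing create command to move failing subscriptions to Standard tier with Plan 2. It passes the subscription via the global --subscription flag rather than az account set, so the caller's default subscription is untouched. The Azure CLI must be installed and logged in for live mode; the function names, the --live/--remediate switches and the sample subscription IDs and pricing dicts are constructed for this example.

```python
"""Audit (and optionally remediate) the Defender for Servers plan across
subscriptions by wrapping the az commands shown on this page.

Added example, not the check's own code. Live mode assumes an installed,
logged-in Azure CLI; the evaluation logic runs offline against the JSON
shape that `az security pricing show` returns."""
import json
import shutil
import subprocess
import sys

PLAN_NAME = "VirtualMachines"


def find_plan(pricing, name=PLAN_NAME):
    """Locate one plan in either a single `pricing show` dict or the
    `{"value": [...]}` / bare-list shape that `pricing list` returns."""
    if isinstance(pricing, dict) and "value" in pricing:
        pricing = pricing["value"]
    if isinstance(pricing, dict):
        return pricing if pricing.get("name") == name else None
    return next((p for p in pricing if p.get("name") == name), None)


def evaluate_pricing(pricing, name=PLAN_NAME):
    """The check logic: PASS only when the plan exists and its tier is
    Standard. Plan 1 still passes but is flagged, because it lacks agentless
    vulnerability scanning and file integrity monitoring."""
    plan = find_plan(pricing, name)
    if plan is None:
        return {"status": "FAIL", "reason": f"{name} plan not present in pricing configuration"}
    tier = plan.get("pricingTier") or "Free"
    if tier.lower() != "standard":
        return {"status": "FAIL", "reason": f"{name} plan is on the {tier} tier (effectively disabled)"}
    sub_plan = plan.get("subPlan")
    if sub_plan == "P1":
        return {"status": "PASS", "reason": "Standard tier, Plan 1: no agentless vulnerability scanning or FIM"}
    return {"status": "PASS", "reason": f"Standard tier, sub-plan {sub_plan or 'not set'}"}


def az_json(*args):
    """Run an az command and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_subscriptions(subscription_ids, remediate=False, sub_plan="P2"):
    """Evaluate every subscription; with remediate=True, switch failing ones to
    Standard tier using the same `az security pricing create` call as the page."""
    results = {}
    for sub_id in subscription_ids:
        show = ("security", "pricing", "show", "--name", PLAN_NAME, "--subscription", sub_id)
        verdict = evaluate_pricing(az_json(*show))
        if verdict["status"] == "FAIL" and remediate:
            az_json("security", "pricing", "create", "--name", PLAN_NAME,
                    "--tier", "standard", "--subplan", sub_plan, "--subscription", sub_id)
            verdict = evaluate_pricing(az_json(*show))  # re-read to confirm the change took
            verdict["remediated"] = True
        results[sub_id] = verdict
    return results


def summarize(results):
    """Count PASS/FAIL verdicts so a scheduled run can alert on any FAIL."""
    counts = {"PASS": 0, "FAIL": 0}
    for verdict in results.values():
        counts[verdict["status"]] += 1
    return counts


# Constructed sample: what `pricing show` might return for two subscriptions.
SAMPLE_PRICING = {
    "00000000-0000-0000-0000-000000000001": {"name": "VirtualMachines", "pricingTier": "Free", "subPlan": None},
    "00000000-0000-0000-0000-000000000002": {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P2"},
}

if __name__ == "__main__":
    if "--live" in sys.argv and shutil.which("az"):
        subs = [s["id"] for s in az_json("account", "list")]
        results = audit_subscriptions(subs, remediate="--remediate" in sys.argv)
    else:  # offline demonstration on the constructed sample
        results = {sub: evaluate_pricing(p) for sub, p in SAMPLE_PRICING.items()}
    for sub, verdict in results.items():
        print(f"{sub}: {verdict['status']} - {verdict['reason']}")
    print(summarize(results))
    sys.exit(1 if summarize(results)["FAIL"] else 0)
```

Run it without arguments to see the verdicts on the constructed sample, with --live to audit every subscription the logged-in identity can see, and with --live --remediate to enable the plan where it is missing. The non-zero exit on any FAIL makes it usable as the scheduled verification job described later on this page.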
Terraform
resource "azurerm_security_center_subscription_pricing" "vm" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
  subplan       = "P2"
}
Bicep / ARM
resource vmPricing 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}
Note: The pricing resource is scoped to the subscription you're deploying into. To cover an entire tenant, deploy it through a policy assignment at the management group level rather than running it subscription by subscription.
How to prevent it from happening again
Manual enablement drifts. New subscriptions get created for new teams or projects, and the plan starts off in the free tier every time. Enforce it instead of remembering it.
Use the built-in Azure Policy
Microsoft ships a policy named "Microsoft Defender for Servers should be enabled". Assign it at the management group level with a DeployIfNotExists effect so the plan is enabled automatically on any subscription that doesn't have it.
az policy assignment create \
    --name "enable-defender-servers" \
    --display-name "Enable Defender for Servers" \
    --scope "/providers/Microsoft.Management/managementGroups/<mg-id>" \
    --policy "/providers/Microsoft.Authorization/policyDefinitions/" \
    --location eastus \
    --mi-system-assigned \
    --role Owner \
    --identity-scope "/providers/Microsoft.Management/managementGroups/<mg-id>"
Warning: A DeployIfNotExists policy needs a managed identity with permissions to change the pricing tier. Grant it the minimum role required and review the assignment scope before applying. Assigning at a broad management group will enable a paid plan across every child subscription, which has real cost.
Gate it in CI/CD
If you manage subscriptions through Terraform or Bicep, make the pricing resource part of your landing zone template so every new subscription gets it at provisioning time. Add a check to your pipeline that fails the build if the resource is missing or set to Free.
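One way to implement that pipeline gate for the Terraform case, as an added example that is not part of the page or of any project: a script that reads the JSON produced by terraform show -json tfplan, finds every azurerm_security_center_subscription_pricing resource for VirtualMachines (including those inside child modules), and exits non-zero when the resource is missing or its tier is not Standard. An unset or Plan 1 subplan is reported as a warning only, matching the page's recommendation rather than its requirement. The function names and the sample plan documents are constructed for this example; the plan JSON layout (planned_values, root_module, child_modules, values) is the documented terraform show output shape.

```python
"""CI gate: fail the pipeline when a landing-zone Terraform plan does not
enable Defender for Servers. Added example, not part of the original page;
it reads the JSON from `terraform show -json tfplan` and checks the
azurerm_security_center_subscription_pricing resource shown on this page."""
import json
import sys

RESOURCE_TYPE = "azurerm_security_center_subscription_pricing"


def planned_resources(plan):
    """Collect planned resources from the root module and every child module."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return list(walk(plan.get("planned_values", {}).get("root_module", {})))


def gate_defender_servers(plan):
    """Return {"errors": [...], "warnings": [...]}; any error fails the build.
    A missing resource or a non-Standard tier is an error; a subplan other
    than P2 is only a warning."""
    errors, warnings = [], []
    vm_plans = [
        r for r in planned_resources(plan)
        if r.get("type") == RESOURCE_TYPE
        and r.get("values", {}).get("resource_type") == "VirtualMachines"
    ]
    if not vm_plans:
        errors.append(f"no {RESOURCE_TYPE} resource for VirtualMachines in plan")
    for r in vm_plans:
        values = r.get("values", {})
        addr = r.get("address", "<unknown>")
        if values.get("tier") != "Standard":
            errors.append(f"{addr}: tier is {values.get('tier')!r}, expected 'Standard'")
        elif values.get("subplan") != "P2":
            warnings.append(f"{addr}: subplan is {values.get('subplan')!r}; Plan 2 is recommended")
    return {"errors": errors, "warnings": warnings}


def _plan_with(tier, subplan=None, resource_type="VirtualMachines"):
    """Build a minimal constructed plan document (not real terraform output)."""
    values = {"resource_type": resource_type, "tier": tier}
    if subplan is not None:
        values["subplan"] = subplan
    resource = {"address": f"{RESOURCE_TYPE}.vm", "mode": "managed",
                "type": RESOURCE_TYPE, "name": "vm", "values": values}
    return {"format_version": "1.2",
            "planned_values": {"root_module": {"resources": [resource]}}}


# Constructed sample plans used when no plan file is given on the command line.
SAMPLE_GOOD = _plan_with("Standard", "P2")
SAMPLE_FREE = _plan_with("Free")
SAMPLE_MISSING = {"format_version": "1.2", "planned_values": {"root_module": {"resources": []}}}

if __name__ == "__main__":
    # Usage in a pipeline: terraform show -json tfplan > plan.json && python gate.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_FREE
    result = gate_defender_servers(plan)
    for w in result["warnings"]:
        print(f"WARNING: {w}")
    for e in result["errors"]:
        print(f"ERROR: {e}")
    print("Defender for Servers gate:", "FAILED" if result["errors"] else "passed")
    sys.exit(1 if result["errors"] else 0)
```

Because the gate inspects planned values rather than applied state, it catches a subscription template that omits the resource before anything is provisioned; the scheduled check described under "Continuously verify" still covers changes made outside the pipeline.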
Continuously verify
Policy and IaC cover provisioning, but settings can still be changed by someone with access. Run the defender_servers check on a schedule so any regression surfaces quickly rather than sitting undetected until an incident.
Best practices
- Default to Plan 2. The agentless vulnerability scanning and file integrity monitoring in Plan 2 are worth the price difference for any production workload. Reserve Plan 1 for low-risk, isolated subscriptions.
- Enable at the management group level. Set the plan once at the top of your hierarchy and let it cascade. This is far more reliable than enabling each subscription by hand.
- Connect to Defender for Endpoint. Make sure the auto-provisioning of the Defender for Endpoint integration is turned on so coverage extends to the OS level, not just the Azure control plane.
- Cover hybrid machines too. Defender for Servers protects on-prem and other-cloud machines connected through Azure Arc. If you run hybrid, onboard those servers so the same protections apply.
- Route alerts somewhere humans see them. Connect Defender for Cloud to your SIEM (Microsoft Sentinel or a third party) and configure alert notifications. A detection that nobody reads is no better than no detection.
- Use Azure Reservations for stable fleets. If your server count is predictable, reservations meaningfully reduce the per-server cost of the plan.
Enabling Defender for Servers is one of the highest-leverage security changes you can make on an Azure subscription. It's a single setting that turns a fleet of blind VMs into machines you can actually monitor, scan, and defend.