Onboard Windows servers to the Microsoft Defender for Endpoint service

Applies to:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server Semi-Annual Enterprise Channel
  • Windows Server 2019 and later
  • Windows Server 2019 core edition
  • Windows Server 2022

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft 365 Defender console. Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.

This topic describes how to onboard specific Windows servers to Microsoft Defender for Endpoint.

For practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows Servers with Defender for Endpoint.

For guidance on how to download and use Windows Security Baselines for Windows servers, see Windows Security Baselines.

Windows Server onboarding overview

You'll need to complete the following general steps to successfully onboard servers.

Illustration of onboarding flow for Windows Servers and Windows 10 devices

Windows Server 2012 R2 and Windows Server 2016 (Preview)

  • Download installation and onboarding packages
  • Install application
  • Follow the onboarding steps for the corresponding tool

Windows Server Semi-Annual Enterprise Channel and Windows Server 2019

  • Download the onboarding package
  • Follow the onboarding steps for the corresponding tool

New functionality in the modern unified solution for Windows Server 2012 R2 and 2016 Preview

The previous implementation for onboarding Windows Server 2012 R2 and Windows Server 2016 required the Microsoft Monitoring Agent (MMA).

The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with the following major improvements:

If you have previously onboarded your servers using MMA, follow the guidance provided in Server migration to migrate to the new solution.

Note

While this method of onboarding Windows Server 2012 R2 and Windows Server 2016 is in preview, you can choose to continue to use the previous onboarding method using Microsoft Monitoring Agent (MMA). For more information, see Install and configure endpoints using MMA.

Known issues and limitations

The following specifics apply to the new unified solution package for Windows Server 2012 R2 and 2016:

  • Ensure that the connectivity requirements specified in Enable access to Microsoft Defender for Endpoint service URLs in the proxy server are met. They are equivalent to those for Windows Server 2019.

  • Previously, the use of the Microsoft Monitoring Agent (MMA) on Windows Server 2016 and below allowed for the OMS / Log Analytics gateway to provide connectivity to Defender cloud services. The new solution, like Microsoft Defender for Endpoint on Windows Server 2019, Windows Server 2022, and Windows 10, does not support this gateway.

  • On Windows Server 2016, verify that Microsoft Defender Antivirus is installed, is active and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from MMPC.

  • On Windows Server 2012 R2, there is no user interface for Microsoft Defender Antivirus. In addition, the user interface on Windows Server 2016 only allows for basic operations. To perform operations on a device locally, refer to Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe. As a result, features that specifically rely on user interaction, such as where the user is prompted to make a decision or perform a specific task, may not work as expected. It is recommended that you disable (or do not enable) the user interface and do not require user interaction on any managed server, as doing so may impact protection capability.

  • Not all Attack Surface Reduction rules are available on all operating systems. See Attack Surface Reduction (ASR) rules.

  • To enable Network Protection, additional configuration is required:

    • Set-MpPreference -EnableNetworkProtection Enabled
    • Set-MpPreference -AllowNetworkProtectionOnWinServer 1
    • Set-MpPreference -AllowNetworkProtectionDownLevel 1
    • Set-MpPreference -AllowDatagramProcessingOnWinServer 1

    In addition, on machines with a high volume of network traffic, performance testing in your environment is highly recommended before enabling this capability broadly. You may need to account for additional resource consumption.
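As an added example (not code from the original page), the following PowerShell applies the four Network Protection settings above and then reads them back with Get-MpPreference so each one can be confirmed; it lets you start in AuditMode for the performance testing recommended above. It assumes an elevated session on the server and that Microsoft Defender Antivirus is installed.

```powershell
# Added example: enable Network Protection on Windows Server 2012 R2 / 2016
# and confirm the effective settings. Run from an elevated PowerShell session.

function Enable-ServerNetworkProtection {
    param(
        # Start with AuditMode on high-traffic servers; switch to Enabled after
        # performance testing in your environment.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$Mode = 'Enabled'
    )

    Set-MpPreference -EnableNetworkProtection $Mode
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    Set-MpPreference -AllowNetworkProtectionDownLevel $true
    Set-MpPreference -AllowDatagramProcessingOnWinServer $true

    # Read the configuration back rather than trusting the Set- calls.
    $pref = Get-MpPreference
    # EnableNetworkProtection is reported numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    $expectedMode = if ($Mode -eq 'Enabled') { 1 } else { 2 }
    $checks = [ordered]@{
        EnableNetworkProtection            = ($pref.EnableNetworkProtection -eq $expectedMode)
        AllowNetworkProtectionOnWinServer  = [bool]$pref.AllowNetworkProtectionOnWinServer
        AllowNetworkProtectionDownLevel    = [bool]$pref.AllowNetworkProtectionDownLevel
        AllowDatagramProcessingOnWinServer = [bool]$pref.AllowDatagramProcessingOnWinServer
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK' } else { 'NOT APPLIED' }
        Write-Output ("{0,-36} {1}" -f $name, $state)
    }
    # $true only when every setting was applied as requested.
    return ($checks.Values -notcontains $false)
}

Enable-ServerNetworkProtection -Mode AuditMode
```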

  • On Windows Server 2012 R2, Network Events may not populate in the timeline. This issue requires a Windows Update released as part of the October 12, 2021 monthly rollup (KB5006714).

  • Operating system upgrades are not supported. Offboard then uninstall before upgrading.

  • Automatic exclusions for server roles are not supported on Windows Server 2012 R2; however, built-in exclusions for operating system files are. For more information about adding exclusions, see Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows.

Integration with Microsoft Defender for Cloud

Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Cloud. You can onboard servers automatically, have servers monitored by Azure Defender appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer.

For more information, see Integration with Microsoft Defender for Cloud.

Note

For Windows Server 2012 R2 and 2016 running the modern unified solution preview, integration with Microsoft Defender for Cloud / Microsoft Defender for servers for alerting and automated deployment is not yet available. Whilst you can install the new solution on these machines, no alerts will be displayed in Microsoft Defender for Cloud.

Windows Server 2012 R2 and Windows Server 2016

Note

While this method of onboarding Windows Server 2012 R2 and Windows Server 2016 is in preview, you can choose to continue to use the previous onboarding method using Microsoft Monitoring Agent (MMA). For more information, see Install and configure endpoints using MMA.

Prerequisites

Prerequisites for Windows Server 2012 R2

If you have fully updated your machines with the latest monthly rollup package, there are no additional prerequisites.

The installer package will check if the following components have already been installed via an update:

Prerequisites for Windows Server 2016

Aside from fully updating the machine with the Latest Cumulative Update (LCU), verify that Microsoft Defender Antivirus is installed, is active and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from MMPC.

Note

In order to successfully update the built-in version of Windows Defender, which has a version number starting with 4.10, to the latest available platform, a servicing stack update must have been applied as well as the Latest Cumulative Update (LCU) equal to or later than September 20, 2018 (KB4457127, OS Build 14393.2515).

New update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016

To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, see Manage Microsoft Defender Antivirus updates and apply baselines.

Download installation and onboarding packages

  1. In Microsoft Defender Security Center, go to Settings > Device Management > Onboarding.

  2. Select Windows Server 2012 R2 and 2016.

  3. Select Download installation package and save the .msi file. You can run the msi package through the installation wizard, or follow the command-line steps in Install Microsoft Defender for Endpoint using the command line.

    Note

    Microsoft Defender Antivirus will get installed and will be active unless you set it to passive mode.

  4. Select Download onboarding package and save the .zip file.

  5. Install the installation package using any of the options to install Microsoft Defender Antivirus.

  6. Follow the steps provided in the onboarding steps section.

Options to install Microsoft Defender for Endpoint

In the previous section, you downloaded an installation package. The installation package contains the installer for all Microsoft Defender for Endpoint components.

Install Microsoft Defender for Endpoint using command line

Use the installation package from the previous step to install Microsoft Defender for Endpoint.

Run the following command to install Microsoft Defender for Endpoint:

Msiexec /i md4ws.msi /quiet

To uninstall, ensure the machine is offboarded first using the appropriate offboarding script. Then, use Control Panel > Programs > Programs and Features to perform the uninstall.

Alternatively, run the following uninstall command to uninstall Microsoft Defender for Endpoint:

Msiexec /x md4ws.msi /quiet

You must use the same package you used for installation for the above command to succeed.

The /quiet switch suppresses all notifications.

Note

Microsoft Defender Antivirus doesn't automatically go into passive mode. You can choose to set Microsoft Defender Antivirus to run in passive mode if you are running a non-Microsoft antivirus/antimalware solution. For command line installations, the optional FORCEPASSIVEMODE=1 immediately sets the Microsoft Defender Antivirus component to Passive mode to avoid interference. Then, to ensure Defender Antivirus remains in passive mode after onboarding to support capabilities like EDR Block, set the "ForceDefenderPassiveMode" registry key.
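As an added example (not the page's or Microsoft's own script), this PowerShell wrapper runs the unattended msiexec install above, adds FORCEPASSIVEMODE=1 only when asked to, writes a verbose install log and interprets the standard MSI exit codes. It assumes md4ws.msi is in the current directory and the session is elevated; the /norestart and /l*v switches and the log path are standard msiexec options not mentioned on the page.

```powershell
# Added example: unattended install of the unified package with msiexec,
# with a verbose log and exit-code handling. Assumes an elevated session.

function Install-MdeUnifiedPackage {
    param(
        [string]$MsiPath = (Join-Path $PWD 'md4ws.msi'),
        # Use when a non-Microsoft antivirus is the primary solution (see the note above).
        [switch]$ForcePassiveMode,
        [string]$LogPath = (Join-Path $env:TEMP 'md4ws-install.log')
    )
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }

    # /quiet suppresses all notifications; /norestart defers any reboot;
    # /l*v writes a verbose log that is the first thing to read on failure.
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', "/l*v `"$LogPath`"")
    if ($ForcePassiveMode) { $msiArgs += 'FORCEPASSIVEMODE=1' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output "Installed successfully (log: $LogPath)" }
        3010    { Write-Output "Installed; a restart is required to finish (log: $LogPath)" }
        1603    { throw "Installation failed with fatal error 1603; see $LogPath" }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Install with Defender Antivirus forced into passive mode (third-party AV present).
Install-MdeUnifiedPackage -ForcePassiveMode
```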

  • A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, or Microsoft Endpoint Configuration Manager.

Install Microsoft Defender for Endpoint using a script

You can also use the installer script to help automate installation, uninstallation, and onboarding.

Windows Server Semi-Annual Enterprise Channel and Windows Server 2019 and Windows Server 2022

The onboarding package for Windows Server 2019 and Windows Server 2022 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see Packages and programs in Configuration Manager.

Download package

  1. In Microsoft Defender Security Center, go to Settings > Device Management > Onboarding.

  2. Select Windows Server 1803 and 2019.

  3. Select Download package. Save it as WindowsDefenderATPOnboardingPackage.zip.

  4. Follow the steps provided in the onboarding steps section.

Onboarding steps

  1. Now that you have downloaded the required onboarding packages, use the guidance listed in onboarding tools and methods for your server.

  2. (Only applicable if you're using a third-party anti-malware solution.) Apply the following Microsoft Defender Antivirus passive mode settings, then verify that they were configured correctly:

    1. Set the following registry entry:

      • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
      • Name: ForceDefenderPassiveMode
      • Type: REG_DWORD
      • Value: 1
    2. Run the following PowerShell command to verify that the passive mode was configured:

      Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
      

      Note

      • The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, Windows Server 2019, and Windows Virtual Desktop (WVD).
      • Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
    3. Confirm that a recent event containing the passive mode event is found:

      Image of passive mode verification result

Important

  • When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users). Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.
  • If you use Defender for Endpoint before using Microsoft Defender for Cloud, your data will be stored in the location you specified when you created your tenant even if you integrate with Microsoft Defender for Cloud at a later time.
  • Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.

Verify the onboarding and installation

Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.

Run a detection test to verify onboarding

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.

Note

Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that the Microsoft Defender for Endpoint sensor (SENSE) is running.

  1. Run the following command to verify that Microsoft Defender Antivirus is installed:

    Note

    This verification step is only required if you're using Microsoft Defender Antivirus as your active antimalware solution.

    sc.exe query Windefend

    If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus.

    For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see Use Group Policy settings to configure and manage Microsoft Defender Antivirus.

  2. Run the following command to verify that Microsoft Defender for Endpoint is running:

    sc.exe query sense

    The result should show it is running. If you encounter issues with onboarding, see Troubleshoot onboarding.
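The passive mode registry setting from the onboarding steps and the service checks above, combined into one PowerShell check (an added example, not code from the page): it writes ForceDefenderPassiveMode only when called to, then confirms the Windefend and Sense services and looks for Sense event ID 84 only once SENSE is running, as the note above requires. It assumes an elevated session on the onboarded server; Get-Service and Get-MpComputerStatus are used as PowerShell equivalents of the page's sc.exe commands.

```powershell
# Added example: configure passive mode (only when a third-party AV is the
# primary solution) and verify the Defender for Endpoint onboarding state.

$SensePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Set-DefenderPassiveMode {
    # Creates the policy key if missing and writes ForceDefenderPassiveMode = 1 (REG_DWORD).
    if (-not (Test-Path $SensePolicyPath)) { New-Item -Path $SensePolicyPath -Force | Out-Null }
    New-ItemProperty -Path $SensePolicyPath -Name 'ForceDefenderPassiveMode' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-MdeOnboarding {
    param([switch]$ExpectPassiveMode)

    # Same services the sc.exe query commands above report on.
    $av    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $sense = Get-Service -Name Sense     -ErrorAction SilentlyContinue

    # AMRunningMode reports Normal, Passive Mode, EDR Block Mode, etc.
    $amMode = 'Unavailable'
    try { $amMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode } catch {}

    $result = [ordered]@{
        DefenderAntivirusRunning = ($null -ne $av    -and $av.Status    -eq 'Running')
        SenseRunning             = ($null -ne $sense -and $sense.Status -eq 'Running')
        AMRunningMode            = $amMode
        PassiveModeEventFound    = $false
    }

    # Passive mode can only be confirmed once SENSE is running: event ID 84
    # from Microsoft-Windows-Sense records the mode change.
    if ($result.SenseRunning -and $ExpectPassiveMode) {
        $evt = Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Sense'; Id = 84 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
        $result.PassiveModeEventFound = ($null -ne $evt)
    }
    return [pscustomobject]$result
}

# On a server where a third-party antivirus is primary, call Set-DefenderPassiveMode first.
Test-MdeOnboarding -ExpectPassiveMode | Format-List
```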

Run a detection test

Follow the steps in Run a detection test on a newly onboarded device to verify that the server is reporting to the Defender for Endpoint service.

Next steps

After successfully onboarding devices to the service, you'll need to configure the individual components of Microsoft Defender for Endpoint. Follow the Adoption order to be guided on enabling the various components.

Offboard Windows servers

You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition using the same method available for Windows 10 client devices.

For other Windows server versions, you have two options to offboard Windows servers from the service:

  • Uninstall the MMA agent
  • Remove the Defender for Endpoint workspace configuration

Note

These offboarding instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at Server migration scenarios in Microsoft Defender for Endpoint.