Onboard Windows servers to the Microsoft Defender ATP service

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.

For a practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows Servers with Microsoft Defender ATP.

For guidance on how to download and use Windows Security Baselines for Windows servers, see Windows Security Baselines.

Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016

You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:

After completing the onboarding steps using any of the provided options, you'll need to Configure and update System Center Endpoint Protection clients.

Note

Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see Supported features available in Azure Security Center.

Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)

You'll need to install and configure MMA for Windows servers to report sensor data to Microsoft Defender ATP. For more information, see Collect log data with Azure Log Analytics agent.

If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.

In general, you'll need to take the following steps:

  1. Fulfill the onboarding requirements outlined in Before you begin section.
  2. Turn on server monitoring from Microsoft Defender Security center.
  3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP.
  4. Configure and update System Center Endpoint Protection clients.

Tip

After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.

Before you begin

Perform the following steps to fulfill the onboarding requirements:

Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP

  1. Download the agent setup file: Windows 64-bit agent.

  2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:

Configure Windows server proxy and Internet connectivity settings if needed

If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server:

If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see enable access to Microsoft Defender ATP service URLs. Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.

Once completed, you should see onboarded Windows servers in the portal within an hour.

Option 2: Onboard Windows servers through Azure Security Center

  1. In the Microsoft Defender Security Center navigation pane, select Settings > Device management > Onboarding.

  2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.

  3. Click Onboard Servers in Azure Security Center.

  4. Follow the onboarding instructions in Microsoft Defender Advanced Threat Protection with Azure Security Center.

After completing the onboarding steps, you'll need to Configure and update System Center Endpoint Protection clients.

Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later

You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch.

After completing the onboarding steps, you'll need to Configure and update System Center Endpoint Protection clients.

Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition

You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:

Note

  • The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see Packages and programs in Configuration Manager.
  • A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.

Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.

  1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see Onboard Windows 10 devices.

  2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:

    1. Set the following registry entry:

      • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
      • Name: ForceDefenderPassiveMode
      • Type: REG_DWORD
      • Value: 1
    2. Run the following PowerShell command to verify that the passive mode was configured:

      Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
      
    3. Confirm that a recent event containing the passive mode event is found:

      Image of passive mode verification result

  3. Run the following command to check if Microsoft Defender AV is installed:

    sc.exe query Windefend

    If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see Microsoft Defender Antivirus in Windows 10.

    For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see Use Group Policy settings to configure and manage Microsoft Defender Antivirus.

Integration with Azure Security Center

Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.

The following capabilities are included in this integration:

  • Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see Onboarding to Azure Security Center Standard for enhanced security.

    Note

    Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.

  • Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.

  • Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.

Important

  • When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
    Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning.
  • If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
  • Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
    Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.

Configure and update System Center Endpoint Protection clients

Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.

The following steps are required to enable this integration:

Offboard Windows servers

You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.

For other Windows server versions, you have two options to offboard Windows servers from the service:

  • Uninstall the MMA agent
  • Remove the Microsoft Defender ATP workspace configuration

Note

Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.

Uninstall Windows servers by uninstalling the MMA agent

To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP. For more information, see To disable an agent.

Remove the Microsoft Defender ATP workspace configuration

To offboard the Windows server, you can use either of the following methods:

  • Remove the Microsoft Defender ATP workspace configuration from the MMA agent
  • Run a PowerShell command to remove the configuration

Remove the Microsoft Defender ATP workspace configuration from the MMA agent

  1. In the Microsoft Monitoring Agent Properties, select the Azure Log Analytics (OMS) tab.

  2. Select the Microsoft Defender ATP workspace, and click Remove.

    Image of Microsoft Monitoring Agen Properties

Run a PowerShell command to remove the configuration

  1. Get your Workspace ID:

    1. In the navigation pane, select Settings > Onboarding.

    2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system and get your Workspace ID:

      Image of Windows server onboarding

  2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing WorkspaceID:

    # Load agent scripting object
    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    # Remove OMS Workspace
    $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
    # Reload the configuration and apply changes
    $AgentCfg.ReloadConfiguration()