Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender for Endpoint

Applies to:

  • Microsoft Defender for Endpoint for servers
  • Microsoft Defender for Servers Plan 1 or Plan 2

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender portal. Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.

Note

To onboard servers to Defender for Endpoint, server licenses are required. You can choose from these options:

This article describes how to onboard Windows Server 2012 R2 and Windows Server 2016 to Defender for Endpoint.

For Windows Server 2012 R2 and Windows Server 2016, you can either manually install or upgrade the modern, unified solution on these servers, or use the Defender for Endpoint and Defender for Cloud integration to automatically deploy or upgrade servers covered by your respective Defender for Servers plans. For more information, see Protect your endpoints with Defender for Endpoint integration with Defender for Cloud.

Tip

As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.

Prerequisites for Windows Server 2016 and Windows Server 2012 R2

Onboarding Windows Server 2016 and Windows Server 2012 R2

The following diagram shows the general steps required to successfully onboard servers.

An illustration of onboarding flow for Windows Servers and Windows 10 devices.

  1. Download the installation package and onboarding package by following these steps:

    1. In the Microsoft Defender portal, go to Settings > Endpoints > Onboarding.
    2. Select Windows Server 2016 and Windows Server 2012 R2.
    3. Select Download installation package and save it on the device. The installation package contains an MSI file that installs the Defender for Endpoint agent.
    4. Select Download onboarding package and save the zipped folder on the device. The onboarding package contains WindowsDefenderATPOnboardingScript.cmd, which contains the onboarding script.

    Note

    The installation package is updated monthly. Be sure to download the latest package before usage. To update after installation, you don't have to run the installer package again. If you do, the installer asks you to offboard first as that is a requirement for uninstallation. See Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.

  2. Follow the guidance for your preferred tool to install Defender for Endpoint:

For Windows Server, version 1803 or Windows Server 2019 and later, see Onboard Windows Server, version 1803, Windows Server 2019, and Windows Server 2025 to the Microsoft Defender for Endpoint service.

Note

Windows Hyper-V Server editions aren't supported.

Functionality in the modern unified solution

The previous implementation (before April of 2022) of onboarding Windows Server 2016 and Windows Server 2012 R2 required the use of Microsoft Monitoring Agent (MMA). The modern, unified solution package makes it easier to onboard servers by removing dependencies and installation steps. It also provides a much expanded feature set. For more information, see the following resources:

Depending on the server that you're onboarding, the unified solution installs Defender for Endpoint and/or the EDR sensor on the server. The following table indicates what component is installed and what is built in by default.

Server version                 Microsoft Defender Antivirus   EDR sensor
Windows Server 2012 R2         Yes                            Yes
Windows Server 2016            Built-in                       Yes
Windows Server 2019 and later  Built-in                       Built-in

Known issues and limitations in the modern unified solution

The following points apply to Windows Server 2016 and Windows Server 2012 R2:

  • Always download the latest installer package from the Microsoft Defender portal (https://security.microsoft.com) before performing a new installation, and ensure the prerequisites are met. After installation, make sure you update regularly using the component updates described in the section Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.

  • An operating system update can introduce an installation issue on machines with slower disks due to a time out with service installation. Installation fails with the message "Couldn't find c:\program files\windows defender\mpasdesc.dll, - 310 WinDefend". Use the latest installation package, and the latest install.ps1 script to help clear the failed installation if necessary.

  • The user interface on Windows Server 2016 and Windows Server 2012 R2 only allows basic operations. To perform operations on a device locally, refer to Manage Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe. As a result, features that specifically rely on user interaction, such as prompting the user to make a decision or perform a specific task, may not work as expected. It's recommended that you leave the user interface disabled and don't require user interaction on any managed server, as doing so may impact protection capability.

  • Not all attack surface reduction rules are applicable to all operating systems. See Attack surface reduction rules.

  • Operating system upgrades aren't supported. Offboard then uninstall before upgrading. The installer package can only be used to upgrade installations that haven't yet been updated with new antimalware platform or EDR sensor update packages.

  • To automatically deploy and onboard the new solution using Microsoft Endpoint Configuration Manager (MECM), you need to be on version 2207 or later. You can still configure and deploy using version 2107 with the hotfix rollup, but this requires extra deployment steps. See Microsoft Endpoint Configuration Manager migration scenarios for more information.

Important information about running Defender for Endpoint with non-Microsoft security solutions

If you intend to use a non-Microsoft anti-malware solution, you need to run Microsoft Defender Antivirus in passive mode. Remember to set passive mode during the installation and onboarding process.

Note

If you're installing Defender for Endpoint on servers with McAfee Endpoint Security (ENS) or VirusScan Enterprise (VSE), the version of the McAfee platform might need to be updated to ensure Microsoft Defender Antivirus isn't removed or disabled. For more information including the specific version numbers required, see McAfee Knowledge Center article.

Update packages for Windows Server 2016 or Windows Server 2012 R2

To receive regular product improvements and fixes for the Defender for Endpoint component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, see Manage Microsoft Defender Antivirus updates and apply baselines.

If you're using Windows Server Update Services (WSUS) and/or Microsoft Configuration Manager, this new "Microsoft Defender for Endpoint update for EDR Sensor" is available under the category "Microsoft Defender for Endpoint."

Run a detection test to verify onboarding

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Defender for Endpoint device.

Note

Running Microsoft Defender Antivirus isn't required, but it's recommended. If another antivirus vendor's product is the primary endpoint protection solution, you can run Microsoft Defender Antivirus in passive mode. You can only confirm that passive mode is on after verifying that the Defender for Endpoint sensor (SENSE) is running.

  1. Run the following command to verify that Microsoft Defender Antivirus is installed:

    Note

    This verification step is only required if you're using Microsoft Defender Antivirus as your active antimalware solution.

    sc.exe query Windefend

    If the result is "The specified service doesn't exist as an installed service," you need to install Microsoft Defender Antivirus.

  2. Run the following command to verify that Defender for Endpoint is running:

    sc.exe query sense

    The result should show it's running. If you encounter issues with onboarding, see Troubleshoot onboarding.
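The following PowerShell script is an added example, not part of this article or Microsoft's own tooling. It performs the two service checks above in one pass, then reports the antivirus running mode (so you can confirm passive mode once SENSE is running) and the onboarding state; the Status registry key and its OnboardingState value are assumed from Microsoft's documented onboarding-state location and should be treated as an assumption.

```powershell
# Added verification script (not from the article). Checks the two services the
# article queries with sc.exe, then reports the antivirus running mode and the
# onboarding state. Run in an elevated PowerShell session on the server.

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

$results = [ordered]@{}

# Equivalent of: sc.exe query Windefend
$results['WinDefend (Microsoft Defender Antivirus)'] = Get-ServiceState -Name 'WinDefend'

# Equivalent of: sc.exe query sense
$results['Sense (Defender for Endpoint sensor)'] = Get-ServiceState -Name 'Sense'

# AMRunningMode reports values such as 'Normal', 'Passive Mode' or 'EDR Block Mode'.
# As the article notes, passive mode is only confirmed once Sense is running.
try {
    $results['AV running mode'] = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
} catch {
    $results['AV running mode'] = 'Unavailable (Defender cmdlets not present)'
}

# Assumption: onboarding state is stored under the ATP Status key; 1 = onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$results['OnboardingState'] = if ($null -eq $state) { 'Not set' } else { $state }

# Print a two-column report of every check.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

if ($results['Sense (Defender for Endpoint sensor)'] -ne 'Running') {
    Write-Warning 'Sense service is not running; see Troubleshoot onboarding.'
}
```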

Next steps

After successfully onboarding devices to the service, you'll need to configure the individual components of Defender for Endpoint. Follow Configure capabilities to be guided on enabling the various components.

Offboard Windows servers

You can offboard Windows servers by using the same methods that are available for Windows client devices:

After offboarding, you can proceed to uninstall the unified solution package on Windows Server 2016 and Windows Server 2012 R2. For other Windows server versions, you have two options to offboard Windows servers from the service:

  • Uninstall the MMA agent
  • Remove the Defender for Endpoint workspace configuration

Note

These offboarding instructions for other Windows Server versions also apply if you're running the previous Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at Server migration scenarios in Defender for Endpoint.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.