Applies to:
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Servers Plan 1 or Plan 2
Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender portal. Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions.
Note
To onboard servers to Defender for Endpoint, server licenses are required. You can choose from these options:
- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud offering)
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Business servers (for small and medium-sized businesses only)
This article describes how to onboard Windows Server 2012 R2 and Windows Server 2016 to Defender for Endpoint.
For Windows Server 2012 R2 and Windows Server 2016, you can either manually install or upgrade the modern, unified solution on these servers, or use the Defender for Endpoint and Defender for Cloud integration to automatically deploy or upgrade servers covered by your respective Defender for Servers plans. For more information, see Protect your endpoints with Defender for Endpoint integration with Defender for Cloud.
- For Windows Server, version 1803, Windows Server 2019, and later, see Onboard Windows Server 2019 and later to Defender for Endpoint.
- For guidance on how to download and use Windows Security Baselines for Windows servers, see Windows Security Baselines.
Tip
As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.
Prerequisites for Windows Server 2016 and Windows Server 2012 R2
- It's recommended to install the latest available Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) on the server.
- The SSU from September 14, 2021 or later must be installed.
- The LCU from September 20, 2018 or later must be installed.
- Enable the Microsoft Defender Antivirus feature and ensure it's up to date. For more information on enabling Defender Antivirus on Windows Server, see Re-enable Defender Antivirus on Windows Server if it was disabled and Re-enable Defender Antivirus on Windows Server if it was uninstalled.
- Download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from MMPC.
- On Windows Server 2016, Microsoft Defender Antivirus must be installed as a feature and fully updated before installation. See information for Windows Server 2012 R2 and Windows Server 2016.
Onboarding Windows Server 2016 and Windows Server 2012 R2
The following diagram shows the general steps required to successfully onboard servers.
Download the installation package and onboarding package by following these steps:
- In the Microsoft Defender portal, go to Settings > Endpoints > Onboarding.
- Select Windows Server 2016 and Windows Server 2012 R2.
- Select Download installation package and save it on the device. The installation package contains an MSI file that installs the Defender for Endpoint agent.
- Select Download onboarding package and save the zipped folder on the device. The onboarding package contains WindowsDefenderATPOnboardingScript.cmd, which contains the onboarding script.
Note
The installation package is updated monthly. Be sure to download the latest package before usage. To update after installation, you don't have to run the installer package again. If you do, the installer asks you to offboard first as that is a requirement for uninstallation. See Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.
Follow the guidance for your preferred tool to install Defender for Endpoint:
- Migrate from MMA to the modern unified solution: Migrating servers from Microsoft Monitoring Agent to the modern unified solution
- Local script: Onboard Windows devices using a local script
- Group Policy: Onboard Windows devices using Group Policy
- Microsoft Configuration Manager: Onboard Windows devices using Configuration Manager
- VDI scripts: Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
- Direct onboarding with Defender for Cloud: Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint
For Windows Server, version 1803 or Windows Server 2019 and later, see Onboard Windows Server, version 1803, Windows Server 2019, and Windows Server 2025 to the Microsoft Defender for Endpoint service.
Note
Windows Hyper-V Server editions aren't supported.
Functionality in the modern unified solution
The previous implementation (before April of 2022) of onboarding Windows Server 2016 and Windows Server 2012 R2 required the use of Microsoft Monitoring Agent (MMA). The modern, unified solution package makes it easier to onboard servers by removing dependencies and installation steps. It also provides a much expanded feature set. For more information, see the following resources:
- Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution
- Tech Community Blog: Defending Windows Server 2012 R2 and 2016
Depending on the server that you're onboarding, the unified solution installs Defender for Endpoint and/or the EDR sensor on the server. The following table indicates what component is installed and what is built in by default.
Server version | Microsoft Defender Antivirus | EDR sensor |
---|---|---|
Windows Server 2012 R2 | | |
Windows Server 2016 | Built-in | |
Windows Server 2019 and later | Built-in | Built-in |
Known issues and limitations in the modern unified solution
The following points apply to Windows Server 2016 and Windows Server 2012 R2:
Always download the latest installer package from the Microsoft Defender portal (https://security.microsoft.com) before performing a new installation, and ensure prerequisites are met. After installation, update regularly using the component updates described in the section Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.
An operating system update can introduce an installation issue on machines with slower disks due to a time out with service installation. Installation fails with the message "Couldn't find c:\program files\windows defender\mpasdesc.dll, - 310 WinDefend". Use the latest installation package, and the latest install.ps1 script to help clear the failed installation if necessary.
The user interface on Windows Server 2016 and Windows Server 2012 R2 only allows for basic operations. To perform operations on a device locally, refer to Manage Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe. As a result, features that specifically rely on user interaction, such as where the user is prompted to make a decision or perform a specific task, may not work as expected. On any managed server, it's recommended to keep the user interface disabled and not to require user interaction, because either may impact protection capability.
Not all attack surface reduction rules are applicable to all operating systems. See Attack surface reduction rules.
Operating system upgrades aren't supported. Offboard then uninstall before upgrading. The installer package can only be used to upgrade installations that haven't yet been updated with new antimalware platform or EDR sensor update packages.
To automatically deploy and onboard the new solution using Microsoft Endpoint Configuration Manager (MECM), you need to be on version 2207 or later. You can still configure and deploy using version 2107 with the hotfix rollup, but this requires extra deployment steps. See Microsoft Endpoint Configuration Manager migration scenarios for more information.
Important information about running Defender for Endpoint with non-Microsoft security solutions
If you intend to use a non-Microsoft anti-malware solution, you need to run Microsoft Defender Antivirus in passive mode. You must set passive mode during the installation and onboarding process.
Note
If you're installing Defender for Endpoint on servers with McAfee Endpoint Security (ENS) or VirusScan Enterprise (VSE), the version of the McAfee platform might need to be updated to ensure Microsoft Defender Antivirus isn't removed or disabled. For more information including the specific version numbers required, see McAfee Knowledge Center article.
Update packages for Windows Server 2016 or Windows Server 2012 R2
To receive regular product improvements and fixes for the Defender for Endpoint component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, see Manage Microsoft Defender Antivirus updates and apply baselines.
If you're using Windows Server Update Services (WSUS) and/or Microsoft Configuration Manager, this new "Microsoft Defender for Endpoint update for EDR Sensor" is available under the category "Microsoft Defender for Endpoint."
Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Defender for Endpoint device.
Note
Running Microsoft Defender Antivirus isn't required but it's recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Defender for Endpoint sensor (SENSE) is running.
Note
This verification step is only required if you're using Microsoft Defender Antivirus as your active antimalware solution.
Run the following command to verify that Microsoft Defender Antivirus is installed:
sc.exe query Windefend
If the result is, "The specified service doesn't exist as an installed service," then you need to install Microsoft Defender Antivirus.
Run the following command to verify that Defender for Endpoint is running:
sc.exe query sense
The result should show it's running. If you encounter issues with onboarding, see Troubleshoot onboarding.
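The verification steps above, combined into one PowerShell check (an added example, not part of the original article or of Microsoft's tooling). The function name, the -ExpectPassiveMode switch and the output property names are assumptions; the service names are the ones queried with sc.exe above, and AMRunningMode is the running-mode field reported by Get-MpComputerStatus.

```powershell
# Added example. Service names WinDefend and Sense are the ones queried with
# sc.exe in this article; the function and property names are hypothetical.
function Test-MdeServerOnboarding {
    [CmdletBinding()]
    param(
        # Set when a non-Microsoft product is the primary antimalware solution.
        [switch]$ExpectPassiveMode
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # SilentlyContinue yields $null when the service is not installed, the case
    # sc.exe reports as "doesn't exist as an installed service".
    $av    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $sense = Get-Service -Name Sense     -ErrorAction SilentlyContinue
    $avState    = if ($av)    { [string]$av.Status }    else { 'NotInstalled' }
    $senseState = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }

    if ($senseState -ne 'Running') {
        $findings.Add("Sense is $senseState; see Troubleshoot onboarding.")
    }
    # The antivirus check is only required when Defender Antivirus is the
    # active antimalware solution.
    if (-not $ExpectPassiveMode -and $avState -ne 'Running') {
        $findings.Add("WinDefend is $avState; install or re-enable Defender Antivirus.")
    }

    # Passive mode can only be confirmed after Sense is verified as running.
    $mode = $null
    if ($av -and $senseState -eq 'Running') {
        try   { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }
        if ($mp) { $mode = [string]$mp.AMRunningMode }
        if ($ExpectPassiveMode -and $mode -notlike '*Passive*') {
            $findings.Add("Expected passive mode, but AMRunningMode is '$mode'.")
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DefenderAv    = $avState
        Sense         = $senseState
        AmRunningMode = $mode
        Passed        = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

Test-MdeServerOnboarding | Format-List
```

Run it in an elevated PowerShell session on the server; pass -ExpectPassiveMode when another antivirus product is the primary solution.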
Next steps
After successfully onboarding devices to the service, you'll need to configure the individual components of Defender for Endpoint. Follow Configure capabilities to be guided on enabling the various components.
Offboard Windows servers
You can offboard Windows servers by using the same methods that are available for Windows client devices:
- Offboard devices using Group Policy
- Offboard devices using Configuration Manager
- Offboard devices using Mobile Device Management tools
- Offboard devices using a local script
After offboarding, you can proceed to uninstall the unified solution package on Windows Server 2016 and Windows Server 2012 R2. For other Windows server versions, you have two options to offboard Windows servers from the service:
- Uninstall the MMA agent
- Remove the Defender for Endpoint workspace configuration
Note
These offboarding instructions for other Windows Server versions also apply if you're running the previous Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at Server migration scenarios in Defender for Endpoint.
Related articles
- Onboard servers through Microsoft Defender for Endpoint's onboarding experience
- Onboard Windows and Mac client devices to Microsoft Defender for Endpoint
- Configure proxy and Internet connectivity settings
- Run a detection test on a newly onboarded Defender for Endpoint device
- Troubleshooting Defender for Endpoint onboarding issues
- Troubleshoot onboarding issues related to Security Management for Defender for Endpoint