Paul_Huijbregts thank you for leaving no doubt in my mind.
This will simplify the deployment and configuration considerably for those that haven't yet deployed MDE, especially for those without any Server 2008 R2 (which still requires .NET 4.x, SCEP, MMA and its own GPOs).
I had just completed a pilot rollout to Server 2008 R2 / 2012 R2 / 2016 / 1803 / 2019 / 2022. I will have to revisit the Server 2012 R2 endpoints in the pilot group and replace SCEP with MD4WS (Microsoft Defender for Windows Server 2012 R2), remove the MMA workspace config (cannot uninstall MMA as it is used by SCOM), and migrate all the Endpoint Protection GPO settings into Microsoft Defender Antivirus GPO settings before proceeding with the full rollout.
I believe these are the pros and cons of using MD4WS with MDE vs SCEP with MDE:
- Pro: Simplified deployment
- Pro: Uses same GPO settings as Microsoft Defender Antivirus (Server 2016/2019/2022)
- Pro: More security capabilities than SCEP with MDE, such as ASR and PUA blocking
- Pro: Anticipate it will be supported longer than SCEP
- Con: Currently in preview
- Con: "On Windows Server 2012 R2, there is no user interface for Microsoft Defender Antivirus". Unlike SCEP, or WD on Server 2016, this makes it harder to verify GPOs have successfully applied, and provides no interaction for end users. Get-MpComputerStatus is your new friend.
I will miss the user interface, but I cannot pass up the enhanced security capabilities.
I have another question for clarification that I haven't seen answered. Does MD4WS support Auto Exclusions? Documentation states at least Server 2016, but that could now be outdated. https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
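Since the post above notes that MD4WS on Server 2012 R2 has no user interface and that Get-MpComputerStatus is the way to confirm the migrated GPO settings took effect, here is an added verification script (not from the original poster, not Microsoft's own tooling). It reads the Defender cmdlets that ship with the product (Get-MpComputerStatus and Get-MpPreference), checks the engine state, signature age, PUA protection and whether any ASR rules are configured, and returns a pass/fail object per check. The threshold of 3 days for signature age and the expectation that at least one ASR rule is configured are assumptions for illustration; adjust them to your baseline.

```powershell
# Added example: post-migration sanity check for Microsoft Defender Antivirus
# on a headless Server 2012 R2 (MD4WS) endpoint. Run in an elevated PowerShell
# session on the server after a gpupdate /force.
# Assumption: the Defender PowerShell module is present (it installs with MD4WS).

function Test-DefenderBaseline {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed freshness threshold, adjust to taste
        [int]$MinAsrRules        = 1     # assumed: at least one ASR rule expected from GPO
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Each check is a name, the observed value, and whether it meets expectation.
    $checks = @(
        [pscustomobject]@{ Check = 'AM service running';        Value = $status.AMServiceEnabled;          Pass = [bool]$status.AMServiceEnabled }
        [pscustomobject]@{ Check = 'Antivirus enabled';         Value = $status.AntivirusEnabled;          Pass = [bool]$status.AntivirusEnabled }
        [pscustomobject]@{ Check = 'Real-time protection';      Value = $status.RealTimeProtectionEnabled; Pass = [bool]$status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'On-access protection';      Value = $status.OnAccessProtectionEnabled; Pass = [bool]$status.OnAccessProtectionEnabled }
        [pscustomobject]@{ Check = 'Behavior monitoring';       Value = $status.BehaviorMonitorEnabled;    Pass = [bool]$status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Check = 'AV signature age (days)';   Value = $status.AntivirusSignatureAge;     Pass = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
        # PUAProtection: 0 = disabled, 1 = block, 2 = audit. GPO should push 1 (block).
        [pscustomobject]@{ Check = 'PUA protection = block';    Value = $pref.PUAProtection;               Pass = ($pref.PUAProtection -eq 1) }
        # Real-time monitoring must not be disabled by a leftover SCEP-era setting.
        [pscustomobject]@{ Check = 'RT monitoring not disabled'; Value = $pref.DisableRealtimeMonitoring;  Pass = (-not $pref.DisableRealtimeMonitoring) }
        # ASR rules arrive as parallel arrays of GUIDs and actions (0 disable, 1 block, 2 audit, 6 warn).
        [pscustomobject]@{ Check = 'ASR rules configured';      Value = @($pref.AttackSurfaceReductionRules_Ids).Count; Pass = (@($pref.AttackSurfaceReductionRules_Ids).Count -ge $MinAsrRules) }
    )

    # AMRunningMode is only exposed by newer platform builds; report it when present
    # so you can spot an endpoint that silently dropped into passive mode.
    if ($status.PSObject.Properties.Name -contains 'AMRunningMode') {
        $checks += [pscustomobject]@{ Check = 'Running mode = Normal'; Value = $status.AMRunningMode; Pass = ($status.AMRunningMode -eq 'Normal') }
    }

    return $checks
}

# Show the table, then list every ASR rule with its effective action so the GPO
# mapping from the old Endpoint Protection policy can be eyeballed without a UI.
$result = Test-DefenderBaseline
$result | Format-Table -AutoSize

$pref = Get-MpPreference
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    '{0} -> action {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Non-zero exit code lets a scheduled task or SCOM script monitor flag the host.
if ($result | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

For fleet-wide verification, wrap the call in Invoke-Command against the pilot group and collect the returned objects centrally; the exit code at the end is there so the same script can double as a monitor check on a server that has no console to look at.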