Forum Discussion
Windows Defender AV for Server 2012 R2 and 2008 R2 | Microsoft Defender ATP Onboarding
I am planning to onboard Windows Server 2012 R2 and 2008 R2 on MDATP. Currently the servers have Trend Micro as the existing AV solution and we need to uninstall it.
I would appreciate it if someone could let me know how to install Defender Antivirus on these servers so that MS services can be leveraged at their best.
P.S. - The servers are not being managed by SCCM.
- Thijs Lecomte (Bronze Contributor)
2008/2012 don't support Windows Defender, only SCEP.
You can manage SCEP with GPO or SCCM.
Check out this article from Joe Stocker on this:
https://www.thecloudtechnologist.com/defender-for-endpoint-mdatp-for-windows-servers/
- AnuragSrivastava (Iron Contributor)
@Thijs Lecomte Thanks, this is helpful.
Found one more article which says installing Desktop Experience on these servers would enable Defender - https://yellowduckguy.wordpress.com/2012/12/21/windows-server-2012-how-to-add-desktop-experience-feature/
- Thijs Lecomte (Bronze Contributor)
This is not the Defender you hope to have then.
I hadn't seen this. But 2012 R2 doesn't support Defender, only SCEP.
- KCGrae (Copper Contributor)
Onboard Windows servers to the Microsoft Defender for Endpoint service
- 03/23/2021
Applies to:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
- Windows Server 2019 core edition
from:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints...
Not that I have it working yet either...
- Balaji_R (Copper Contributor)
Hello,
Antivirus and EDR are different products. Windows Defender for Endpoint is an EDR solution, whereas Trend Micro is an antivirus solution.
If you are planning to use an EDR solution (Windows Defender for Endpoint), there is no need to uninstall Trend Micro.
If you are planning to switch antivirus in your environment, you can use System Center Endpoint Protection. It comes with the SCCM client installation bundle.
- 03/23/2021
- Gregory Neumarke (Brass Contributor)
I've run into the same issue where I've got a few older servers that I onboarded into Defender and then realized that was just alerting and telemetry, not a real antivirus. We aren't currently using SCCM.
This is not an approved method, but it seems to be working for me.
First make sure you have purchased additional server licenses for antivirus. The normal licenses that cover Windows 10 and other client endpoints don't apply to servers.
Download the trial package for SCCM
https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2016
so that you can extract the antivirus installer from it:
scepinstall.exe
found in the folder
\SMSSETUP\CLIENT of the downloaded bundle.
Remove any other antivirus programs.
Run the installer; it shows up as "System Center 2012 Endpoint Protection".
I could only find the 4.7 client install.
In Windows Update, check the box for "allow checking for other Microsoft products" and run Windows Update. You should get an update to the latest 4.10 version.
This was ok at first, but the antivirus signatures were not updating. I think the software assumes you will be pushing the updates via SCCM.
To fix that, I went to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates
and changed the value
FallbackOrder to only:
MicrosoftUpdateServer
Note: in order to change that key, I had to temporarily change ownership of the "Signature Updates" node to something like the local administrators account I was logged in as, allow "full control" for that account, and make the change. (You might have to move away from the key and come back, or close and reopen regedit so you can change the key with your new permissions.)
Then remove the local admin from having full control, then put the owner back to "SYSTEM."
I then made sure the antivirus was set to do real time scanning, a quick scan every night, and "check for signatures" before each scan.
Obviously this is a sketchy install, but so far it seems to be working and hopefully will hold up until we get everything to Server 2016+
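
An added read-only check for the registry state described in the post above (not part of the thread, and not Microsoft's tooling): it reports whether FallbackOrder holds only MicrosoftUpdateServer and whether the temporary ownership and "full control" change on the "Signature Updates" key was reverted. The function name Test-ScepSignatureKey is hypothetical, and the script assumes an elevated PowerShell session on the server.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Key path and FallbackOrder value name are the ones quoted in the post above.
$ScepSigKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'

function Test-ScepSignatureKey {   # hypothetical helper name
    param([string]$Path = $ScepSigKey)

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key not found: $Path"
    }

    # The post sets FallbackOrder to the single source MicrosoftUpdateServer.
    $fallback = (Get-ItemProperty -Path $Path -Name FallbackOrder -ErrorAction Stop).FallbackOrder

    $acl = Get-Acl -Path $Path
    # Compare the owner by SID (S-1-5-18 = Local System) so the check
    # does not depend on the display language of the OS.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    # Collect every Allow entry that grants FullControl on the key, for review.
    # After the cleanup step in the post, the account used for the edit
    # should no longer appear in this list.
    $full = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $fullControl = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $full) -eq $full
    } | ForEach-Object { $_.IdentityReference.Value })

    New-Object PSObject -Property @{
        FallbackOrder                 = $fallback
        FallbackIsMicrosoftUpdateOnly = ("$fallback".Trim() -eq 'MicrosoftUpdateServer')
        Owner                         = $acl.Owner
        OwnerIsSystem                 = ($ownerSid -eq 'S-1-5-18')
        FullControlIdentities         = ($fullControl -join '; ')
    }
}

Test-ScepSignatureKey | Format-List
```

The script changes nothing; which identities normally hold full control on this key is not stated in the thread, so that list is reported for review rather than judged.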