Forum Discussion
Windows Defender AV for Server 2012 R2 and 2008 R2 | Microsoft Defender ATP Onboarding
I've run into the same issue where I've got a few older servers that I onboarded into Defender and then realized that was just alerting and telemetry, not a real antivirus. We aren't currently using SCCM.
This is not an approved method, but it seems to be working for me.
First make sure you have purchased additional server licenses for antivirus. The normal licenses that cover Windows 10 and other client endpoints don't apply to servers.
Download the trial package for SCCM
https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2016
so that you can extract the antivirus installer from it: scepinstall.exe, found in the folder \SMSSETUP\CLIENT of the downloaded bundle.
Remove any other antivirus programs.
Run the installer; it shows up as "System Center 2012 Endpoint Protection".
I could only find the 4.7 client install.
In Windows Update, check the box for "allow checking for other Microsoft products" and run Windows Update. You should get an update to the latest 4.10 version.
This was ok at first, but the antivirus signatures were not updating. I think the software assumes you will be pushing the updates via SCCM.
To fix that, I went to the registry and changed the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates
FallbackOrder
to only:
MicrosoftUpdateServer
Note: in order to change that key, I had to temporarily change ownership of the "Signature Updates" node to something like the local administrators account I was logged in as, allow "full control" for that account, and make the change. (You might have to move away from the key and come back, or close and reopen regedit, so you can change the key with your new permissions.)
Then remove the local admin from having full control, then put the owner back to "SYSTEM."
I then made sure the antivirus was set to do real time scanning, a quick scan every night, and "check for signatures" before each scan.
Obviously this is a sketchy install, but so far it seems to be working and hopefully will hold up until we get everything to Server 2016+.
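
Added example, not part of the original post: a read-only PowerShell check that the registry change described above took effect and that ownership of the "Signature Updates" key was handed back to SYSTEM afterwards. The function name is hypothetical; the key path, value name and expected data are the ones given in the post, and the syntax is kept compatible with the PowerShell 2.0 shipped on Server 2008 R2.

```powershell
# Added example: audits the key only, changes nothing. Run from an elevated prompt.
function Test-SignatureUpdateKey {   # hypothetical helper name
    param(
        [string]$Path,
        [string]$ExpectedOrder,
        [string]$SystemSid
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    # 1. FallbackOrder should hold only the Microsoft Update source.
    $order = $null
    $prop  = Get-ItemProperty -Path $Path -Name FallbackOrder -ErrorAction SilentlyContinue
    if ($prop) { $order = $prop.FallbackOrder }

    # 2. Owner should be SYSTEM again; compare by SID so localized account names do not matter.
    $sidType      = [System.Security.Principal.SecurityIdentifier]
    $acl          = Get-Acl -Path $Path
    $currentOwner = $acl.GetOwner($sidType).Value

    # 3. List every non-SYSTEM Allow entry that carries FullControl, for manual review.
    #    A leftover grant to the admin account used for the edit would show up as "explicit".
    $fc     = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $others = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights -band $fc) -eq $fc) -and
        $_.IdentityReference.Value -ne $SystemSid
    } | ForEach-Object {
        $name = $_.IdentityReference.Value
        try { $name = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        if ($_.IsInherited) { "$name (inherited)" } else { "$name (explicit)" }
    })

    New-Object PSObject -Property @{
        FallbackOrder    = $order
        FallbackOrderOk  = ($order -eq $ExpectedOrder)
        OwnerSid         = $currentOwner
        OwnerIsSystem    = ($currentOwner -eq $SystemSid)
        OtherFullControl = ($others -join '; ')
    }
}

# S-1-5-18 is the well-known SID of the local SYSTEM account.
Test-SignatureUpdateKey -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates' `
    -ExpectedOrder 'MicrosoftUpdateServer' -SystemSid 'S-1-5-18' | Format-List
```

Entries listed under OtherFullControl are not necessarily wrong, since the key's default ACL may already include them; compare against an untouched server before removing anything.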