Defender Antivirus and Microsoft Defender for Endpoint (ATP) for Servers

Copper Contributor


Hi All,


Our company is looking into migrating our antivirus solution for our server estate from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP). Was hoping to get some advice on the best way to approach this. I have listed some points below which I was hoping to get some clarity on.

- Servers that are considered as “down-level devices” that do not have MS Defender preinstalled by default i.e. 2008R2, 2012 and 2012R2 what would the best Microsoft solution to provide security. Have been looking at Microsoft’s System Center Endpoint Protection (SCEP) as a solution. Is there any services that can be used from Azure to protect on-prem servers?


- We have a Hybrid Azure AD setup. None of our on-premise servers are HAADJ. Do we need to have server as a Azure resource for us to manage Defender AV and ATP (Server 2016 +). We currently manage our W10 workstation using the MEM - Microsoft Defender for Endpoint Baseline.

- Majority of our servers do not have any internet access. To tighten the firewall rule, is there a list of IPs and URLs that are associated with Defender ATP so the servers can only communicate to these IPs etc.


- Is there any pre-req work needed for servers such as 2008R2, 2012 and 2012R2 before on-boarding to ATP. Install updates, telemetry services updates etc


- Anyone that is using defender ATP for servers that are on-prem. What type of setup do you have and any recommendations.


Thank you


2 Replies
In regards to your first question, you can use Azure Arc to register your old servers, then use Azure Security Center to evaluate their security posture, When you do this, those machines get Defender for Endpoint automatically, see to get started
Migrating your antivirus solution from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP) is a good choice, as it provides comprehensive security features for your server estate. Let's address your questions and concerns:

Servers without MS Defender preinstalled: For servers running operating systems like Windows Server 2008 R2, 2012, and 2012 R2, Microsoft System Center Endpoint Protection (SCEP) is indeed a suitable solution. SCEP provides antivirus and antimalware protection for down-level devices. Additionally, you can explore Azure Security Center's capabilities to protect on-premises servers. Azure Security Center offers threat protection and security monitoring for both cloud and on-premises environments.

Hybrid Azure AD setup and managing Defender AV and ATP: To manage Defender Antivirus and ATP for your servers, having the servers as Azure resources is not a strict requirement. While Azure integration provides additional capabilities, you can still manage Defender AV and ATP for your on-premises servers using other methods. For example, you can leverage Group Policy to configure Defender settings centrally. You can also utilize Microsoft Endpoint Manager (MEM) to manage Defender Antivirus and ATP for your servers, similar to how you manage your Windows 10 workstations.

Servers without internet access: If your servers do not have internet access, you can still utilize Defender ATP by configuring a hybrid setup. In this configuration, you can deploy an ATP sensor on a server with internet access, and it will act as a relay for collecting security data from the servers without direct internet connectivity. You can find detailed instructions in the Microsoft documentation for Defender ATP.

Prerequisites for onboarding servers: Before onboarding servers to ATP, it's recommended to ensure that they have the latest updates and patches installed. This includes both operating system updates and relevant telemetry services updates. It's important to keep the servers up to date to benefit from the latest security features and improvements in ATP.

Recommendations for on-premises server setup with Defender ATP: When setting up Defender ATP for on-premises servers, it's crucial to follow security best practices. Here are a few recommendations:
Implement a strong patch management strategy to keep servers up to date.
Configure appropriate network segmentation to isolate critical server workloads.
Regularly review and fine-tune ATP policies based on security analytics and alerts.
Integrate ATP with other security solutions, such as SIEM (Security Information and Event Management), for centralized monitoring and response.

It's also advisable to refer to the official Microsoft documentation for detailed guidance on deploying and configuring Defender Antivirus and ATP for your specific server environment.