Defending Windows Server 2012 R2 and 2016
Published Oct 07 2021 04:03 PM 145K Views
Microsoft

Update: The modern, unified Microsoft Defender for Endpoint solution for Windows Server 2012 R2 and Windows Server 2016 is now generally available as of April 11th, 2022.

 

Ensure you apply the latest updates, including (after installing the MSI package) the new KB5005292 (update category: Microsoft Defender for Endpoint), so your machines receive the latest fixes and features.

 

In addition, automated deployment and integration of the new solution with Microsoft Defender for Cloud is now available; it is the default solution with the new Microsoft Defender for Server P1 offering.

For automated deployment using Microsoft Endpoint Configuration Manager, this requires version 2207 or later. 

 

Customers with machines on the existing Microsoft Defender for Server (now labeled P2) offering can either enable the new solution with a toggle, or target the MDE.Windows extension for deployment using the Microsoft Defender for Cloud initiative "Deploy Microsoft Defender for Endpoint agent on applicable images".

 

Introduction

In today's threat landscape protecting all your servers is critical, particularly with human-operated and sophisticated ransomware attacks becoming more prevalent. Our mission for endpoint protection is to cover all endpoints regardless of platform, clients, and servers, and inclusive of mobile, IoT and network devices.

 

Today, we are adding a broad set of prevention, detection and response capabilities, previously only available on Windows Server 2019 and later, to Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016 using a modernized, completely revamped solution stack.

 

Introducing our modernized, unified solution for Windows Server 2012 R2 and 2016!

We are proud to introduce the public preview of a completely revamped Microsoft Defender for Endpoint solution stack for Windows Server 2012 R2 and Windows Server 2016. Whilst keeping up to date and upholding security hygiene is arguably still the best go-to when it comes to increasing resilience and reducing attack surface, we believe this modern, unified solution brings the best of the Microsoft Defender for Endpoint capabilities for prevention, detection, and response - in a single package.

 


 

Server onboarding steps. 

 

This new unified solution package reduces complexity by removing dependencies and installation steps. It also standardizes capabilities and functionality as it brings a very high level of parity with Microsoft Defender for Endpoint on Windows Server 2019:

 


Overview of Microsoft Defender for Endpoint capabilities per operating system

Aside from having no specific client prerequisites or dependencies, the solution is functionally equivalent to Microsoft Defender for Endpoint on Windows Server 2019; meaning, all environment requirements around connectivity are the same and you can use the same Group Policy, PowerShell commands and Microsoft Endpoint Configuration Manager* to manage configuration. The solution does not use or require the installation of the Microsoft Monitoring Agent (MMA).

 

Depending on the server that you're onboarding, the unified solution installs Microsoft Defender Antivirus and/or the EDR sensor. The following table (provided as an image in the original post) indicates which component is installed and which is built in by default (Windows Server 2019 added for comparison only).

 

Improving resiliency against human-operated ransomware attacks

We have often seen attackers use machines with older operating systems inside our clients' environments to evade security controls. As such, the endpoint visibility required to detect and prevent modern-day ransomware attacks was at the center of many of our design decisions for this release.

 

Specifically, we modeled our coverage against the MITRE tactics that we felt provide the best chance of early alerting, and emphasized capturing actionable telemetry across them. Some areas include:

 

  • Initial Access: Servers are often the first point of entry for motivated attackers. The ability to monitor signs of entry via publicly facing, vulnerable services is critical.
  • Credential Access: Servers often contain sensitive credentials in memory from Administrator maintenance or other activities. Enhanced memory protections help identify potential credential theft activities.
  • Lateral Movement: Improved user logon activity telemetry allows better mapping of attempted movement across the network to or from servers.
  • Defense Evasion: Improved hardening via tamper protection gives security controls the best chance of preventing ransomware's most harmful effects on high-value assets, such as servers.

 

Next steps

You can start testing today by simply visiting the Microsoft 365 Defender portal. If you have enabled preview features, you can download the installation and onboarding packages from the new onboarding page:

 


 

A screenshot of the new onboarding page option


 

A screenshot of the new installer

  • Before installation, please ensure your machines are fully updated and continue to apply the latest component updates (including those for Defender Antivirus) containing important security improvements and bug fixes.
  • For the EDR sensor on Windows Server 2012 R2 & 2016, we now have a new update package available: KB5005292. This update is only applicable after initial installation. Note that the latest update may already be included in the installer package you obtain from the onboarding page, as this package gets updated continuously.
  • On Windows Server 2016, verify that Microsoft Defender Antivirus is installed, is active and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from the Antimalware and cyber security portal.
  • Ensure you meet all connectivity requirements; they match those for Windows Server 2019.
  • You can now use the Group Policy templates for Windows Server 2019 to manage Defender on Windows Server 2012 R2 & 2016.
  • Please take a look at New Windows Server 2012 R2 and 2016 functionality in the modern unified solution for known issues and limitations.
  • Microsoft Endpoint Configuration Manager 2107 with the hotfix rollup or later is required to support configuration of the preview solution, including through Microsoft Endpoint Configuration Manager tenant attach. Fully automated deployment and onboarding will come in a later version*.

*If you have previously onboarded your servers using the Microsoft Monitoring Agent (MMA), either manually or through Microsoft Endpoint Configuration Manager, follow the guidance provided in Server migration for helpful steps to migrate to the new solution.
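The readiness list above can be turned into a repeatable check. The following PowerShell is an added example and is not code from the post or from the mdefordownlevelserver project: it reports the items a server must satisfy before the unified package is installed (OS build, pending reboot, KB5005292 presence, Defender Antivirus state on 2016, an existing SCEP engine service on 2012 R2) and, once the onboarding script has run, whether the Sense service is up. The pending-reboot registry markers, the Sense and MsMpSvc service names and the Windows Advanced Threat Protection\Status key are assumptions drawn from general Windows administration, not from the post.

```powershell
# Added example, not from the post or the mdefordownlevelserver project: a readiness
# check to run before installing the unified package on Windows Server 2012 R2 / 2016,
# plus a verification to run after onboarding. Labelled assumptions: the pending-reboot
# registry locations, the Sense / MsMpSvc service names and the
# 'Windows Advanced Threat Protection\Status' key are taken from general Windows
# administration knowledge, not from the post.

function Test-PendingReboot {
    # Servicing and Windows Update leave markers behind when a reboot is still owed;
    # installing while one is pending is a common reason for a rolled-back setup.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) { if (Test-Path $m) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm.PendingFileRenameOperations)
}

function Get-MdeReadiness {
    $os = Get-CimInstance Win32_OperatingSystem
    $r = [ordered]@{
        OSVersion        = $os.Version          # 6.3.* = 2012 R2, 10.0.14393 = 2016
        PendingReboot    = Test-PendingReboot
        KB5005292Present = [bool](Get-HotFix -Id KB5005292 -ErrorAction SilentlyContinue)
    }
    if ($os.Version -like '10.0.*') {
        # 2016: Defender AV is built in and must be present, active and on a current platform
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        $r.DefenderAVActive = [bool]($status -and $status.AMServiceEnabled)
        $r.DefenderPlatform = if ($status) { $status.AMProductVersion } else { $null }
        $r.SignatureAgeDays = if ($status) { $status.AntivirusSignatureAge } else { $null }
    } elseif ($os.Version -like '6.3.*') {
        # 2012 R2: the package brings Defender AV itself; an existing SCEP engine service
        # (MsMpSvc, assumed name) is reported so it can be dealt with before install
        $r.ExistingAVService = [bool](Get-Service MsMpSvc -ErrorAction SilentlyContinue)
    } else {
        $r.Note = 'Not a Windows Server 2012 R2 or 2016 build; the unified package does not apply'
    }
    [pscustomobject]$r
}

function Test-MdeOnboarded {
    # After the onboarding script has run, the Sense service should be running and
    # OnboardingState should read 1 (assumed from Microsoft's onboarding troubleshooting guidance)
    $sense = Get-Service Sense -ErrorAction SilentlyContinue
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty $statusKey -ErrorAction SilentlyContinue).OnboardingState
    [pscustomobject]@{
        SenseRunning    = [bool]($sense -and $sense.Status -eq 'Running')
        OnboardingState = $state
    }
}

Get-MdeReadiness | Format-List
Test-MdeOnboarded | Format-List
```

Run it in an elevated session; a PendingReboot of True or a missing KB5005292 are the two findings worth fixing before starting the installer, and Test-MdeOnboarded gives a quick way to confirm that a one-time onboarding task has done its job.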

177 Comments
Copper Contributor

Edit: I am pleased to report this was resolved by installing KB5005292 version 10.8048.22439.1065

 

I'm sharing this in case anyone else has experienced the same problem with MD4WS (Public Preview) on Windows Server 2012 R2.

 

After Windows Updates (deployed from WSUS) have applied and the server reboots, it hangs on "Shutting down service: Windows Module Installer".  I left one server for days.  After force rebooting, the server will uninstall updates and then try again, and again.  Eventually all updates will install and the server will successfully reboot.  I will have to wait until next month to see if it happens again.

 

I am mid way through deploying MDE to around 500 Windows Servers as follows:

2008 = SCEP only (MDE is not supported)

2008 R2 = SCEP + MMA

2012 = SCEP only (MDE is not supported)

2012 R2 = MD4WS + WDATP (replacing SCEP + MMA)

2016 = WD (Built in) + WDATP

2019 = WDAV+ATP (Built in)

2022 = MDAV+ATP (Built in)

 

I have 70 2012 R2 servers that have MD4WS installed and they all hang on patching.  I have another 80 almost identical 2012 R2 servers that have 3rd party AV or SCEP installed and none of them hang on patching, neither do any of the other Windows Server versions.

 

I have the following exclusions applied by GPO to the 2012 R2 servers:


The exclusion documentation at https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-exclusions-micr... contains some mistakes.  Better documentation can be found at https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are... 

Microsoft

@Duncan_Clay Thanks for the report about this.  If you are willing to share more information with me would you please reach out to me on LinkedIn so we can chat about this?  You should be able to just search my name and find me.  Thanks!

Iron Contributor

When attempting to uninstall Windows Defender for Endpoint on a Windows 2012 R2 machine, it rolls back and fails to uninstall. Any suggestions on what is needed to remove it successfully? I ran the offboarding script.

Microsoft

@Anthonymelwhrhs a good option is to use the installer script hosted at microsoft/mdefordownlevelserver (github.com) with the uninstall switch - place the md4ws.msi in the same location as the script. To capture some additional logging, run: .\Install.ps1 -Uninstall -Etl in an elevated (Administrator) PowerShell session. The installer will place the uninstall log (and a trace for support) in the directory you ran the script from, this log should have an entry on why the installer rolled back/why the uninstall was unsuccessful on that machine. If you can reliably reproduce the issue, please log a support case!

 

P.S. make sure the offboarding script you use is recent (not expired) and observe if the Sense service has stopped before uninstall. 

Iron Contributor

@Paul_Huijbregts That script did it for me! Thank you!

Microsoft

We have just released Microsoft Defender for Endpoint update for EDR Sensor KB5005292 with fixes for the EDR sensor and manageability stack.

Microsoft

@Anthonymelwhrhs a friend in the SCCM team wanted me to remind you that the SCCM client should also be updated, not just the hotfix rollup applied to SCCM, can you verify?

Iron Contributor

@Paul_Huijbregts Yes the server's client software has been updated for a few days now.

Copper Contributor

Hello Paul,

 

I am trying to install this new solution via group policy,  I was able to deploy to a test server using GPO computer config=>software settings=> software installation, but I couldn't onboard the VM to the portal with the .cmd file

I have now come across the GitHub Upgrade script PowerShell file, and i am trying to deploy as start-up script, but this doesn't seem to be working.


 

 

Can you please advise.

 

Thanks in advance.

Microsoft

@David1972001 a one-time task should suffice, make sure it runs with administrative permissions. Please ensure for onboarding you are using the onboarding script for use with group policy, downloaded from the onboarding page (same page you download the installer). The installer script from GitHub helps you by executing the onboarding script right after installation with the -OnboardingScript parameter (again, make sure to use the group policy variant as the local script requires user interaction). In your case, as it seems installation was completed, only the onboarding script still needs to run. 

 

Onboard Windows devices to Microsoft Defender for Endpoint via Group Policy | Microsoft Docs: these instructions apply; they are the same for 2012 R2/2016 with the package installed as for 2019 with the components already built into the operating system.

Microsoft

There's a single page in the docs referring to something called "Microsoft Defender for Endpoint for Server"

 


 

Other than this page, I can find no mention of it. Is this an actual product?

Copper Contributor

We've detected some issues with the installation on Server 2012 R2.

The setup starts and does some portion of the setup without checking for a pending reboot.

The setup already registers a service, WinDefend.

Right in the middle of the setup, the setup checks for a pending reboot and rolls back most of the changes, but not the service registration.

The next setup fails with a kind of "service already registered" message.

After manually deleting the service "WinDefend" from HKLM\CurrentControlSet\Services and a reboot, we were able to successfully install Defender.

Microsoft

@melvynadam it's not a separate product but a reference to the difference in licensing in the screenshot you shared. It's also a way to talk about Microsoft Defender for Endpoint in the context of the integration with Microsoft Defender for Cloud: Microsoft Defender for servers - the benefits and features | Microsoft Docs.

Microsoft

@Simon Scharschinger thanks for reporting this, we will look into it - it would help if you can reproduce and provide us with logs. You can do this by using the installer script with the -log -etl options (microsoft/mdefordownlevelserver (github.com)).

Copper Contributor

Hi,

I'm trying to find the answer in all the previously asked questions, but can't seem to do so.  I apologize if this was already covered.  I am trying to understand how we keep Defender updated on Windows Server 2012r2?  I see I can run a command manually to update the virus definitions.  We have quite a few Windows Server 2012r2 machines, and I'm trying to learn the best way to accomplish updating not only the virus definitions daily but any engine components that need updating as well for that OS.  

 

Thanks in advance for any help.

Gina

 

Microsoft

@Gina Komoroske it's covered in our updated public documentation - long story short you would update in the same way you update 2016 and later using the same KB's, and there's a new KB for the EDR sensor component.

 

The solution has 3 updateable components:

 

- Defender platform: KB4052623

- Defender security intelligence: KB2267602

- EDR Sensor: KB5005292

 

From Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs:

New update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016

To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, see Manage Microsoft Defender Antivirus updates and apply baselines.

 

Hope this helps!

Copper Contributor

Hi @Paul_Huijbregts 

Thanks for the quick response.  I'm a bit confused.  Our 2016 servers are updating automatically, but our 2012r2 are not.  I have used the onboarding package from the security portal.  I am not sure what we are missing.  Our Security team told me that the servers reach out to MSFT to get their updates.  It appears it's working for our 2016 and 2019 server OS's, but not the 2012r2.  If I run that manual command it will update.  I just am trying to avoid running that manual command on every 2012r2 server we have every day.  So I was hoping to understand how we can update the definitions and any engine updates on an automated, daily basis.  

Gina

 

Microsoft

@Gina Komoroske you may want to check if automatic updates have been enabled on those machines, that there's no group policy in place that influences the update cadence and that the machine is actively installing other updates.

 

I can confirm that the expectation is that if set up correctly, updates for Defender should arrive just like they would on 2016+.:


If Update-MpSignature does work for you, this tells me that Microsoft Update indeed works as an update source, so the next thing to verify would be whether automatic updates are enabled using Microsoft Update, and how the machine is configured to update if you are using e.g. WSUS (it may not be configured to use Microsoft Update, or automatic updates may be disabled). A consideration here is that there may be a group policy with update settings applied to 2016+ in your environment that is not currently applied to your 2012 R2 machines, or that different settings apply.

Manage how and where Microsoft Defender Antivirus receives updates | Microsoft Docs for reference. 

 

Copper Contributor

We have preview features enabled, and in device onboarding, choosing the 2008R2/2012R2/2016 from the dropdown there are no downloads for the new MSI files. Am I missing something?

Microsoft

Hi @chipmaffeus, if you are not seeing the below dropdown then somehow preview features may not be successfully enabled:


Please doublecheck, perhaps refresh/log out or use a different browser - else hit the help & support button!

Copper Contributor

Thanks, I had preview features enabled under Settings>Microsoft 365 Defender>Preview Features, instead of Settings>Endpoints>Advanced Features>Preview Features. All good now.

Copper Contributor

@Paul_Huijbregts Thanks for all the assistance, I am at a point now where I have deployed and successfully onboarded Windows 2012 servers via GPO. I am currently facing an issue with 2016 server because of the required upgrade of Windows Defender using KB4052623. We use a WSUS for all our updates and this particular update refuses to download (all other updates are not affected). It keeps timing out; I have been trying to download this for 2 days now and it keeps getting stuck at 68%.

 

Any assistance you can offer will be greatly appreciated.

 

Thanks

Microsoft

@david1972980 that KB is the platform update that applies to all Defender Antivirus supported OS (including 10, 2016, 2019 and 2012 R2 now) - you will want to have this working regardless. You can use the link I provided to apply the update manually but you will want this to flow on a monthly basis. Suggest you troubleshoot your WSUS setup and reach out to support if you keep having issues.

Copper Contributor

@Paul_Huijbregts

 - Thanks for the response. We don't have automatic updates turned on for any of our servers. We use a tool called "BigFix" to deploy OS security and rollup packages. This allows us to do it in a controlled fashion as we have quite a few servers to update each month and our reboot times need to be controlled. Anyway, the point really is that we don't have automatic updates on any of our OS's. Yet, the 2016 and 2019 servers are able to update their defs and engines without intervention. When we started deploying Defender (preview) on 2012r2, however, we are trying to understand what we need to do to get the updates in an automated fashion. I did set up a file share and created the task to update the files in that share location and then updated group policy to include that file share location to see if it works. I did a gpupdate /force but nothing happened as far as getting updates, but I do see it configured in the GPO when I do an RSoP. When I ran a manual pull the server did look to the file share first and updated. I just need to understand how that'll happen automatically.

 

 

Copper Contributor

Hello all,

 

Is anyone using WSUS to deploy KB4052623 to other machines? 

 

I have this problem where the update never gets past 72% and then it fails. I have tried resetting WSUS, restarting the download, but none of this has worked. Any suggestions will be highly appreciated.

 

Thank you

Copper Contributor

@Paul_Huijbregts - I was hoping over the weekend the Win2012r2 servers would get their updates but they did not.  Again, if I do a manual pull using MpCmdRun.exe -SignatureUpdate, it does work to pull the definitions from the file share I created.  

 

Our servers are managed at the Azure tenant level, does something have to be configured there to get the 2012r2 servers to automatically update?  

Thanks in advance for any help.

Gina

 

Copper Contributor

@Gina Komoroske - I believe you have conflicting GPO settings - one that tells it to get its updates from online, and another that says to get them locally. I use WSUS for controlled update releases to rings, together with a file share (on the WSUS server) to supply definition updates hourly to endpoints, and ran into a similar issue a month ago with 2012 R2. Server 2016 onwards does not have this problem for some reason.

 

Computer Configuration - Policies - Administrative Templates - Windows Components - Microsoft Defender Antivirus - Security Intelligence Updates

Allow security intelligence updates from Microsoft Update = Disabled

If you disable this setting, security updates will be downloaded from the configured download source

 

Define the file shares for downloading security intelligence updates = \\windowsupdate.mycompany.com\DefinitionUpdates$

(ensure either 'Domain Computers' or 'Authenticated Users' has read access to the files and to the share)

 

Define the order of sources for downloading security intelligence updates = FileShares|MicrosoftUpdateServer|MMPC

 

Copper Contributor

@Paul_Huijbregts I am trying to deploy the Github script, https://github.com/microsoft/mdefordownlevelserver, through MECM and ran into an error on our 2016 servers, build 14393.4704.  It looks like the install/uninstall path for SCEP is not the same as the script is using and is installed at "$env:ProgramFiles\Managed Defender\", oddly enough our 2012r2 servers do have SCEP installed along the expected path in the script.  Not sure why that is, but parsing out the install/uninstall string might be a better way to be sure if SCEP is installed along any path that it can be uninstalled using the Git script.  Replacing line 257 with this should do the trick without having to make any other edits.

 

# Read the registered uninstall string and take the quoted executable path from it,
# rather than relying on a hard-coded SCEP install location
$Uninst = (Get-ItemProperty -Path:$path -Name:'uninstallstring').uninstallstring
$Pattern = '(?<=\").+?(?=\")'
$command.FilePath = [regex]::matches($Uninst, $Pattern).value
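The snippet in the comment above only handles an UninstallString whose executable is wrapped in quotes. The following PowerShell is an added example, not code from the commenter, the post or the mdefordownlevelserver script, that generalizes the idea: it walks the standard Uninstall registry keys, finds a product by display name, and splits its UninstallString into a path and arguments whether the path is quoted, unquoted with spaces, or an MsiExec command. The display-name pattern '*Endpoint Protection*' for SCEP is an assumption; the sample strings at the end are constructed, not taken from a real machine.

```powershell
# Added example (not from the post, the commenter or the mdefordownlevelserver script):
# locate an installed product by display name under the Uninstall registry keys and
# split its UninstallString into an executable path and arguments. The SCEP display
# name pattern is an assumption; the sample strings below are constructed.

function ConvertFrom-UninstallString {
    param([Parameter(Mandatory)][string]$UninstallString)
    $s = $UninstallString.Trim()
    if ($s.StartsWith('"')) {
        # "C:\Program Files\Managed Defender\Setup.exe" /u  -> quoted path plus arguments
        $end     = $s.IndexOf('"', 1)
        $file    = $s.Substring(1, $end - 1)
        $argList = $s.Substring($end + 1).Trim()
    } elseif ($s -match '^(?<file>.+?\.exe)\s*(?<args>.*)$') {
        # C:\Program Files\Managed Defender\Setup.exe /u  -> unquoted, cut at the first .exe
        # (also covers MsiExec.exe /X{GUID})
        $file    = $Matches.file
        $argList = $Matches.args
    } else {
        # No .exe in the string: treat the first token as the program, the rest as arguments
        $parts   = $s -split '\s+', 2
        $file    = $parts[0]
        $argList = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    [pscustomobject]@{ FilePath = $file; ArgumentList = $argList }
}

function Find-UninstallEntry {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    # Both the native and the WOW6432Node hives are checked, since 32-bit products
    # register under the latter on 64-bit Windows
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.UninstallString } |
            ForEach-Object {
                $parsed = ConvertFrom-UninstallString $_.UninstallString
                [pscustomobject]@{
                    DisplayName  = $_.DisplayName
                    FilePath     = $parsed.FilePath
                    ArgumentList = $parsed.ArgumentList
                    PathExists   = Test-Path -LiteralPath $parsed.FilePath   # catches the wrong-path case
                }
            }
    }
}

# Constructed samples showing the three string shapes the parser handles
'"C:\Program Files\Managed Defender\Setup.exe" /u',
'C:\Program Files\Microsoft Security Client\Setup.exe /x',
'MsiExec.exe /X{00000000-0000-0000-0000-000000000000}' |
    ForEach-Object { ConvertFrom-UninstallString $_ }

# On a real server (assumed display name): Find-UninstallEntry -DisplayNamePattern '*Endpoint Protection*'
```

PathExists is the property to look at before scripting an uninstall: a registered product whose executable is missing from the parsed path is exactly the situation that made the hard-coded path fail in the comment above.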

Microsoft

@BSmith8010 on Windows Server 2016, SCEP is only a management component (on top of Defender Antivirus) installed by SCCM; it should not get/be in the way (unlike on 2012 R2 where it would be an active AV as well, which is the difference you are experiencing). 

 

What error are you getting exactly? 

Copper Contributor

@Paul_Huijbregts  Understood.  However the script fails because it detects the SCEP install though the registry key being present then tries to uninstall.  That uninstall then fails, and fails the script, because the hard coded path in the script is not where it is installed.

 


 

Microsoft

Thanks for that @BSmith8010 - we will modify the script to allow it to handle this in a better way!

 

Update: we have updated the script, please test with the latest version from microsoft/mdefordownlevelserver (github.com).

Copper Contributor

@Duncan_Clay - thank you SO much for that information about the group policy (Allow security intelligence updates from Microsoft Update = Disabled).  I was REALLY hopeful that was it, because, yes, I did not have that first setting configured (set to Disabled).  So I changed it, did a gpupdate /force, waited, and rebooted, waited some more, waited over night, and still no updates.  If I run the command to update it, then it does look to the file share and does the update.  I just really don't want to run the command to update it.  I am very perplexed at what I'm missing.  Our devices are managed in our Azure tenant, which is in turn managed by our Security Technical team, so I don't have good visibility into any settings there.  Do you think there is a setting there that is overriding this?  I know a member of that team made a mention that you can't temporarily disable real - time protection on our devices based on a setting at the Azure tenant level, so I wonder if there's something set there overriding group policy?    I just want this to be easy like our other OS's!  

 

Thanks in advance for all the suggestions and help so far.  Hoping something sticks soon, unfortunately, Windows 2012r2 is our largest server deployment and I really don't want to manage updating the signatures and engines manually.  

 

Copper Contributor

@chipmaffeus  

 

"I had preview features enabled under Settings>Microsoft 365 Defender>Preview Features, instead of Settings>Endpoints>Advanced Features>Preview Features. All good now."

Thank you so much for that - was driving me nuts:smile:

Microsoft

@Gina Komoroske @Duncan_Clay 

 

Hi,

 

Circling back on this. We have found a difference in behavior on Windows Server 2012 R2 vs 2016: Defender does not perform an automated daily security intelligence update when Windows Update is configured other than the default “Install updates automatically (recommended)” - it respects the WU configuration (and there is no patch management solution scheduling/applying updates to modify this behavior). On Windows Server 2016 and later, Defender will check for and apply security intelligence updates daily.

 

The expectation is for the fix to roll out broadly with the next platform update (KB4052623), November release 4.18.2111.X with an ETA of mid December.

 

If you would like to test earlier, you can consider setting one or more machines to participate in the Beta (current phase) or Preview channels for gradual rollout of the platform update:

 

Set-MpPreference -PlatformUpdatesChannel Beta

 

(revert the change to default with Remove-MpPreference -PlatformUpdatesChannel)

 

More information on configuring your own gradual rollout at Create a custom gradual rollout process for Microsoft Defender updates | Microsoft Docs.

 

Update: this fix has been live since mid-December, please update! @Gina Komoroske.
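The thread above turns on two things: which sources Defender is configured to pull security intelligence from (the file share, fallback order and Microsoft Update policy that @Duncan_Clay lists) and, on 2012 R2 before the 4.18.2111 platform update, whether Windows Update is left on its automatic default. The following PowerShell is an added example, not code from the post or any commenter, that reads the effective configuration from Get-MpPreference, Get-MpComputerStatus and the policy registry keys, and reports whether a daily update should be expected. The Signature Updates policy path and the WindowsUpdate\AU values are standard policy locations; the PlatformUpdatesChannel property is assumed to be present on the platform versions that support gradual rollout.

```powershell
# Added example (not from the post or any commenter): report the effective Defender
# update configuration on a server and whether daily security intelligence updates
# should be expected. Assumptions: the Signature Updates policy key and the
# WindowsUpdate\AU values are standard policy locations; PlatformUpdatesChannel on
# Get-MpPreference is assumed available on platform versions with gradual rollout.

function Get-DefenderUpdateConfig {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $sigPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates' -ErrorAction SilentlyContinue
    $au        = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

    # Dump every policy value under Signature Updates (the GPO settings from the thread land here)
    $policyValues = @()
    if ($sigPolicy) {
        $policyValues = $sigPolicy.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    }

    [pscustomobject]@{
        PlatformVersion        = $status.AMProductVersion        # KB4052623 stream, e.g. 4.18.2111.x
        EngineVersion          = $status.AMEngineVersion
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureAgeDays       = $status.AntivirusSignatureAge
        FileShareSources       = $pref.SignatureDefinitionUpdateFileSharesSources
        FallbackOrder          = $pref.SignatureFallbackOrder   # e.g. FileShares|MicrosoftUpdateServer|MMPC
        PlatformUpdatesChannel = $pref.PlatformUpdatesChannel
        SignatureUpdatePolicy  = ($policyValues -join '; ')
        WU_NoAutoUpdate        = $au.NoAutoUpdate
        WU_AUOptions           = $au.AUOptions                  # 4 = install updates automatically
    }
}

function Test-DailyUpdateExpected {
    param([Parameter(Mandatory)][pscustomobject]$Config, [int]$MaxAgeDays = 1)
    # Before platform 4.18.2111, Defender on Windows Server 2012 R2 skipped its daily
    # signature check unless Windows Update stayed on "Install updates automatically";
    # no NoAutoUpdate=1 and an AUOptions of 4 (or unset, i.e. the default) means automatic.
    $wuAutomatic = ($Config.WU_NoAutoUpdate -ne 1) -and ($Config.WU_AUOptions -in @($null, 4))
    [pscustomobject]@{
        WindowsUpdateAutomatic = $wuAutomatic
        SignaturesFresh        = ($Config.SignatureAgeDays -le $MaxAgeDays)
        HasFileShareSource     = [bool]$Config.FileShareSources
        FallbackOrder          = $Config.FallbackOrder
    }
}

$cfg = Get-DefenderUpdateConfig
$cfg | Format-List
Test-DailyUpdateExpected -Config $cfg | Format-List
```

A SignaturesFresh of False together with a WindowsUpdateAutomatic of False on a 2012 R2 server still on a pre-4.18.2111 platform is the pattern described in the thread; on a fixed platform, the remaining checks are the configured sources and fallback order, and Update-MpSignature against the configured file share confirms the share itself is reachable.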

Brass Contributor

@Paul_Huijbregts _ I went through all the comments and a lot of my doubts got cleared. Thank you for taking the time to answer every question.

I would like to clarify one confusion with your help. We have procured Azure defender for servers licenses (Now it is Microsoft defender for servers). Below are my questions.

1. MD for servers license only provides EDR functionalities to the server OS. If we need AV then we have to use a unified solution. Is that right?

2. Is it mandatory to use a dedicated log analytics workspace if I want to use MD for servers? If not, then can I simply use the MDE workspace id to onboard the servers?

3. MD for servers provides threat and vulnerability management module but if it is covered in MDE then what am I losing here?

4. It looks like technically possible to onboard servers without having MD for server license so what exactly the license requirements are?

Microsoft

Hi @mohan_infosec

 

1 & 3: Microsoft Defender for Endpoint (for servers) is not just EDR, see Microsoft Defender for Endpoint | Microsoft Security for an overview. The unified solution replaces the previous one, no longer uses a log analytics workspace or the agent for it (regardless of how you onboard), and adds Windows Defender Antivirus as well as EDR to Windows Server 2012 R2. On Windows Server 2016 Defender AV is already built in and it only installs the EDR sensor; on Windows Server 2019 and later both are built in.

 

2 & 4: There are two ways to get Microsoft Defender for Endpoint functionality for your servers and to make it super clear they each have a pay and onboard step that are tied together. One is through an Azure subscription (pay) and Microsoft Defender for Cloud (onboard); the other is through purchasing (pay) a specific subscription license in your license agreement and by onboarding (onboard) directly to security.microsoft.com. 

 

1. Using the Microsoft Defender for Endpoint license included with Microsoft Defender for Cloud | Mi... - Microsoft Defender for Cloud includes a Microsoft Defender for Endpoint license for your servers (and much more functionality on top of this!!!). Billing is performed pay-as-you-go through your Azure subscription (pay), onboarding is performed using Microsoft Defender for Cloud (onboard) and it does use a log analytics workspace even if this is not used by the agent (note that the topic of this blog, the preview, is not yet integrated into Microsoft Defender for Cloud). 

 

2. There is also a Microsoft Defender for Endpoint - server standalone license (1 license per server). This is what is required to onboard servers directly to your Microsoft Defender for Endpoint environment (security.microsoft.com, onboard) without going through Microsoft Defender for Cloud. These licenses should be purchased (pay) through a licensing agreement, please reach out to your Microsoft rep. 

 

Hi @Paul_Huijbregts @Prasidh_Arora the docs describe the onboarding very well but not using Windows Admin Center Azure Arc  > Azure Security. Has it been tested to onboard with WAC and will the security extension follow these new rules not being tied to MMA / Log Analytics?

Just asking as we noticed that for (off-topic) Azure Monitoring there is a new monitoring agent and an old one, and WAC rolls out the old agent.


 

 

Thank you for a brief confirmation that using WAC Azure Security onboarding to Defender for Endpoint does follow the improved procedure.

 

Microsoft

@kwester-ebbinghaus-business we will be working to finalize integration with Microsoft Defender for Cloud in the coming months and will share details as soon as we can. There is indeed no dependency on the MMA.

Copper Contributor

two questions:

 

1) Has anyone had any luck getting 2012R2 enabled for Tamper Protection using the new MDE agent + SCCM tenant attach + Intune Windows Security Experience config policy? I upgraded a few 2012R2 servers to the new MDE agent that we manage with SCCM 2107 hotfix version and have them tenant attached so we could apply the tamper protection enable settings policy from Intune to them. All our 2016 servers with the new MDE agent show as Tamper Protected from the same policy but 2012R2 servers don't apply the tamper policy.

 

Running get-mpcomputerstatus locally on all 2012R2 shows:

 

Istamperprotected=false 

TamperProtectionSource = E5 Transition

 

2) About ASR rules, with the new MDE agent on 2016\2012R2 servers we manage with SCCM 2107, do we have the ability to set ASR configurations using SCCM Exploit Guard Policies? I tested creating an ASR rule set using SCCM and deployed it to new 2016\2012R2 MDE agents and it doesn't work. I just want to know if this is supported or if we will have to keep manually setting ASR rules for 2016\2012R2 using GPO or PowerShell. Thanks

Silver Contributor

@Paul_Huijbregts thank you very much for your dedication to answering all of these questions. This is one of the more thorough sets of responses that I have ever seen from anyone. Don't know who your manager is, but I'd like to let them know what a great job you have been doing.

Copper Contributor

Hi @Paul_Huijbregts 

 

I am using the updated script and I see that SCEP is no longer being uninstalled and Defender installed on Server 2016.  In the Microsoft doc under the "Known issues and limitations" it sounds like we now need to install Defender Antivirus separately.  Is there a reason why this is not being done in the script?

Dear @Paul_Huijbregts thanks for keeping this valuable thread updated and alive. 
in the docs, not very prominently though, I have noted this disclaimer

 

  • Operating system upgrades are not supported. Offboard then uninstall before upgrading.

Can you please check with the Windows Server / Client Team how this could be improved? 

For Windows clients and Windows Server, in-place upgrades, especially of the Windows Server Core installation option, are solid upgrade paths to newer versions, and the Windows Server team encourages using this path.

Microsoft

@GeoffMauch 

 

#1: we are looking into this, thanks for flagging

 

#2: you would use the same method as on 2019+, and we aim to support ASR rule configuration using MEM (all channels) in the short term

Microsoft

@Dean Gross appreciate it! 

Microsoft

@BSmith8010 the script does not add the Windows Defender Antivirus feature to Windows Server 2016 (it never has) - it checks to see if it is in an updateable state and if so, can download and apply the latest platform update.

Microsoft

@kwester-ebbinghaus-business thanks for the input, appreciate it. From a security perspective, getting to the newest OS yields the biggest benefits and anything that supports this deserves our attention.

Microsoft Defender for Endpoint being built into newer operating systems presents a large part of the security value (and adds to the complexity of a smooth upgrade as the components are not built-in on Windows Server 2012 R2 and 2016). 

The installation helper script provides an option to automate the offboarding and uninstall steps to make it easier to get the OS in an upgradeable state. As security monitoring will be interrupted during the upgrade period and a new machine object created, please ensure your security operations are aware of this!

Hello @Paul_Huijbregts, thanks for your reply! I understand the reasons for IPU from 2012R2/2016 and the necessity of offboarding. I did not expect, though, that this would be a blocker for upgrades from 2019 to 2022, which contain the security components. From what I understood from the docs, this limitation exists regardless of the OS version, or it is not stated otherwise. Can you confirm that offboarding for upgrades from 2019 to 2022 is needed?

Copper Contributor

Hello @Paul_Huijbregts,

 

When following the instructions for onboarding devices using GPO, it is required that a scheduled task is created to run the WindowsDefenderATPOnboardingScript.cmd file to successfully onboard the machines to the Defender portal.

I have the following questions:

1. Does the scheduled task need to remain on the client devices once the machine has been onboarded?

2. If not, is there a means to delete the scheduled task by GPO from the machines?

 

Thanks

 

 

Microsoft

@kwester-ebbinghaus-business 2019 -> later in-place upgrade: can you point to docs stating this does not work? The statement I'm familiar with and included in the docs is particular to the unified solution on Windows Server 2012 R2 & 2016 and contained in the OS-specific section (if it's not clear, I'm happy to expand the sentence there, let me know).

Hi @Paul_Huijbregts I have double checked the docs and found it here

Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs in the Known issues and limitations section of the first chapter. 

While the article does apply to all OS versions, I would suggest using the existing chapter per OS (additionally) or eventually adding a note

 

>[!NOTE]
>- Operating system upgrades are not supported on Windows Server xxxxxx. Offboard then uninstall before upgrading.
>The installation helper script (link) provides an option to automate the offboarding and uninstall steps to make it easier to get the OS in an upgradeable state. As security monitoring will be interrupted during the upgrade period and a new machine object created, please ensure your security operations are aware of this!

 

I would create a PR on GitHub, but I cannot contribute which OS would be supported in that case and which not, so I refrain from doing so.

Last update: Oct 07 2022 07:04 PM