Blog Post

Microsoft Defender for Endpoint Blog

5 MIN READ

Protecting Windows Server with Windows Defender ATP

Microsoft

Oct 04, 2018

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified security platform that covers endpoint protection platform (EPP) and endpoint detection and response (EDR). Initially we released the product for Windows 10 only, but customers have asked for support on other platforms, Windows Server in particular. This year, we've made Windows Defender ATP available to Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server. As we continue engineering a unified security platform, you will see a more seamless approach across platforms.

This blog is for enterprise customers who want to use the Windows Defender ATP platform on Windows Server and need practical guidance on what needs to be in place for licensing and infrastructure.

Image: Windows Server 2016 onboarded to Windows Defender ATP

The Microsoft-recommended configuration for the best security is staying current with Windows. While we provide support for previous versions of Windows, the latest releases provide superior security capabilities. If you are running previous versions of Windows, one of the most important things you can be doing is getting a plan to update your Windows environment.

Endpoint protection platform

The endpoint protection platform (EPP) of Windows Defender ATP includes two capabilities: (1) Attack surface reduction (ASR), which helps seal the available attack surface that can be leveraged by threat actors as much as possible, and (2) Next generation protection (NGP), which is a cloud-powered antivirus solution.

Attack surface reduction is a set of capabilities that helps organizations reduce the available attack surface. The technologies that power ASR are network protection, exploit protection, controlled folder access, and ASR rules. ASR is available on Windows 10 Fall Creators Update or later and on Windows Server 1803 and later.

Operating System	License	Deployment	Configuration	Reporting
Windows 10	Windows E5 or Microsoft 365 Enterprise E5	ASR relies on Windows Defender Antivirus, which is built-in and requires no agent installation	If licensed, through Microsoft Intune or System Center Configuration Manager. Alternatively, PowerShell or Group Policies.	Windows Defender Security Center, or if licensed System Center Configuration Manager or Microsoft Intune
Windows Server 1803, Windows Server 2019	Azure Security Center Pay-As-You-Go	ASR relies on Windows Defender Antivirus, which is built-in and requires no agent installation	If licensed, through System Center Configuration Manager. Alternatively, PowerShell or Group Policies.	Windows Defender Security Center, or if licensed System Center Configuration Manager

Windows Defender Antivirus is available to enterprise customers starting with Windows 10 Anniversary Update and Windows Server 2016. Previous versions of Windows and Windows Server continue to leverage System Center Endpoint Protection. The following table has information about Windows Defender Antivirus on different Windows versions and Windows Server versions on-premises, on Azure, or on third-party cloud service.

Operating System	License	Deployment	Configuration	Reporting
Windows 10	No additional license required to use Windows Defender Antivirus	Windows Defender Antivirus is built-in and requires no agent installation	If licensed, through Microsoft Intune or System Center Configuration Manager. Alternatively, Group Policies or PowerShell.	If licensed, through Windows Defender Security Center, System Center Configuration Manager or Microsoft Intune
Windows 8.1 and Windows 7	System Center Configuration Manager with System Center Endpoint Protection	System Center Endpoint Protection agent can be deployed through System Center Configuration Manager	System Center Configuration Manager	If licensed, through Windows Defender Security Center or System Center Configuration Manager
Windows Server 1803, Windows Server 2019	No additional license required to use Windows Defender Antivirus	Windows Defender Antivirus is built-in and requires no agent installation	If licensed, through System Center Configuration Manager. Alternatively, Group Policies or PowerShell.	If licensed, through Windows Defender Security Center or System Center Configuration Manager
Windows Server 2016	No additional license required to use Windows Defender Antivirus	Windows Defender Antivirus is built-in and requires no agent installation	If licensed, through System Center Configuration Manager. Alternatively, Group Policies or PowerShell.	If licensed, Windows Defender Security Center, System Center Configuration Manager or Azure Security Center
Windows Server 2012 R2	System Center Configuration Manager with System Center Endpoint Protection	System Center Endpoint Protection agent can be deployed with System Center Configuration Manager	System Center Configuration Manager	System Center Configuration Manager or if licensed, through Windows Defender Security Center or Azure Security Center
Windows Server 2012, Windows Server 2008 R2, Windows Server 2008	System Center Configuration Manager with System Center Endpoint Protection	System Center Endpoint Protection agent can be deployed with System Center Configuration Manager	System Center Configuration Manager	System Center Configuration Manager or if licensed, through Azure Security Center

(Windows Defender Security Center is the web portal available for Windows Defender ATP customers (requires Windows E5 or Microsoft 365 Enterprise E5)

In addition to Windows Defender Antivirus and System Center Endpoint Protection, enterprise customers can use Microsoft Antimalware for Azure for virtual machines that are hosted on Microsoft Azure. Note that If you are a Windows Defender ATP customer you should assess which Antivirus solution best fits your needs.

Supporting Documentation:

Endpoint detection and response

Endpoint detection and response (EDR) capabilities in Windows Defender ATP were first available to enterprise customers as a built-in solution starting with Windows 10 Anniversary Update and Windows Server 1803, but these capabilities have since expanded to support previous versions of Windows and Windows Server. The following table has information about Windows Defender ATP on different Windows versions and Windows Server versions on-premises, on Azure, or on third-party cloud service.

Operating System	License	Deployment	Configuration	Reporting
Windows 10	Windows E5 or Microsoft 365 Enterprise E5	Windows Defender ATP is built-in to the operating system	Local script, Group Policies, System Center Configuration Manager, or Microsoft Intune	Windows Defender Security Center
Windows 8.1 and Windows 7	Windows E5 or Microsoft 365 Enterprise E5	Windows Defender ATP on legacy operating system requires installation of an agent	Agent deployment can be through any preferred deployment method such as System Center Configuration Manager	Windows Defender Security Center
Windows Server 1803, Windows Server 2019	Azure Security Center Pay-As-You-Go	Windows Defender ATP is built-in to the operating system	Local script, group policies and, if licensed, through System Center Configuration Manager	Windows Defender Security Center
Windows Server 2016, Windows Server 2012 R2	Azure Security Center Pay-As-You-Go	Windows Defender ATP on legacy operating system requires installation of an agent	Agent deployment can be through any preferred deployment method such as System Center Configuration Manager	Windows Defender Security Center and Azure Security Center

Support for Windows Server 2019 and Windows Server 1803 is currently in public preview for Windows Defender ATP.

Supporting Documentation:

Windows Defender ATP unified endpoint security platform

Windows Defender ATP is a unified platform that helps keep your business data and users safe from advanced attacks. And with expanded support for Windows Server, previous versions of Windows, and additional client hardware, you can protect a wider array of devices, servers, and endpoints. Your feedback is important to us as we continue to make improvements to Windows Defender ATP.

Updated Jun 09, 2021

Version 6.0

Backward support

Milad Aslaner

Microsoft

Joined July 28, 2017

View Profile

Microsoft Defender for Endpoint Blog

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Microsoft Privacy Statement

Steve Newby
Microsoft
Jan 06, 2020
Yes that's correct, the workspace is separate and won't appear within your resources. If you are using the MMA (only required for older platforms) then you should point it to the workspace specified in the MDATP portal.
Steve Newby
Microsoft
Apr 01, 2020
Ok so either way you need a license.

Prior to today the only licensing mechanism for MDATP on servers was via ASC. In terms of onboarding if you onboarded a server into ASC then it would automatically onboard it through into MDATP.

The other onboarding mechanism allows you to onboard a server directly into MDATP, but you would still need an ASC license, meaning you would then need to onboard into ASC.

However we now have the option for a standalone MDATP license for servers meaning that you can purchase this and onboard the server directly into MDATP without involving ASC.

Hope this helps.
Terry Hugill
Brass Contributor
Sep 21, 2021
The instructions for setting up onboarding for a server are poor in Microsoft Docs. To setup the Log Analytics for MDE you are given a link to the generic Log Analytics workspace instructions. At no point does it point you to the Defender portal to pick up the Workspace ID and key.
crodriguez1
Brass Contributor
Oct 09, 2018
A couple of questions:

About the Secure Socore in Windows Defender ATP (securitycenter.windows.com). The Security Controls (EDR, Antivirus, OS Security Updates, Exploint Guard, etc) currently applied to Windows 10 machines. Will those controles also apply for Windows Server Machines? (I've attached a screenshot of the controls to clarify.)

Now Azure Security Center has it's own Secure Score, with recommanations for Virtual Machines (ex: Apply disk encryption, Install endpoint protection, etc). If I have a Windows Server Machine with WDATP for Server and also onboarded on Azure Security Center, will I have to check out both securitycenter.windows.com and Azure Security Center for Score / Security Controles / Recommanations?
- Milad Aslaner
  Microsoft
  Oct 16, 2018
  Certainly something we started to discuss between the Azure Security Center and Windows Defender ATP team. For now you want to make sure you look for WDATP when it comes to endpoint and ASC for server security recommendation.
Joe Sanders
Copper Contributor
Jun 28, 2019
Chris Jones- The ASC pay-as-you-go pricing for servers put MDATP out of reach for us (literally 6x vs. two other EDR products we had quoted), but I just went looking for the reservations you mentioned and can't find any info in Azure portal or the pricing calculator. Do you have a link to the ASC reservations?

Thanks,
Joe
Chris Jones
Microsoft
Jun 28, 2019
Hi Joe Sanders - I understand your concern regarding the pricing. I'd recommend reaching out to your Microsoft account team or reseller regarding this. There are benefits if you have MDATP client licensing that should be able to help on the server side of things from a cost perspective.

Regarding the reservations, it's really just another term for an Azure Monetary Commitment that is done through an Enterprise Agreement. If you don't have one, you can speak with someone about setting one up here.
Richard Harrison
Copper Contributor
Jun 28, 2019
Hi Chris_Jones,
Now you are making things even more confusing :-)

What on earth are ASC reservations? There are various things you can reserve in Azure but ASC is not one of them?

I think the statement needs to be to use windows defender ATP portal for 'servers' in Azure they have to attached to an Azure Security Centre standard subscription - as simple as that?

Cheers,
Rich
Paul Youngberg
Steel Contributor
Aug 31, 2019
What is the pricing model for On-Prem Windows servers we're monitoring through the Azure Security Center? The pricing wasn't explained here: https://azure.microsoft.com/en-us/blog/azure-security-center-extends-advanced-threat-protection-to-hybrid-cloud-workloads/
David Caddick
Iron Contributor
Sep 17, 2019
Hi @Chris_Jones, & Milad Aslaner,

Has there been any clarification on the Licensing costs for running MDATP on Servers either onPrem or in AWS or Azure?
My simple take on this discussion is that they need to be attached/registered/monitored by ASC to be valid?
And if a Customer is already using MDATO either via M365 E5 or has Windows 10 E5 licenses then they need to check with their account rep to get a "deal"?

Is this the case? Just trying to simplify it for a customer at this end...

Regards,
Dave C
Steve Newby
Microsoft
Sep 20, 2019
Having E5 is not a requirement to onboard servers into MDATP. Servers that are licensed for ASC can be onboarded into MDATP. The data is retained in MDATP for both servers or workstations up to a maximum of 6 months.