Windows Defender AV for Server 2012 R2 and 2008 R2 | Microsoft Defender ATP Onboarding

%3CLINGO-SUB%20id%3D%22lingo-sub-1971121%22%20slang%3D%22en-US%22%3EWindows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1971121%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20planning%20to%20onboard%20windows%20server%202012%20R2%20and%202008%20R2%20on%20MDATP.%20Currently%20the%20servers%20have%20Trend%20Micro%20as%20existing%20AV%20solution%20and%20we%20need%20to%20uninstall%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERequest%20if%20someone%20can%20let%20me%20know%20what%20is%20the%20way%20to%20install%20Defender%20Antivirus%20on%20these%20servers%20so%20that%20MS%20services%20can%20be%20leveraged%20at%20its%20best.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EP.S.%20-%20The%20servers%20are%20not%20being%20managed%20by%20SCCM.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1974826%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1974826%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F879527%22%20target%3D%22_blank%22%3E%40AnuragSrivastava%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2008%2F2012%20don't%20support%20Windows%20Defender%2C%20only%20SCEP.%3C%2FP%3E%3CP%3EYou%20can%20manage%20SCEP%20with%20GPO%20or%20SCCM.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheck%20out%20this%20article%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5941%22%20target%3D%22_blank%22%3E%40Joe%20Stocker%3C%2FA%3E%26nbsp%3Bon%20this%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.thecloudtechnologist.com%2Fdefender-for-endpoint-mdatp-for-windows-servers%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.thecloudtechnologist.com%2Fdefender-for-endpoint-mdatp-for-windows-servers%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1978546%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1978546%22%20slang%3D%22en-US%22%3EThis%20is%20not%20the%20Defender%20you%20hope%20to%20have%20then.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20hadn't%20seen%20this.%20But%202012%20R2%20doesn't%20support%20Defender%2C%20only%20SCEP%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2235748%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2235748%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EOnboard%20Windows%20servers%20to%20the%20Microsoft%20Defender%20for%20Endpoint%20service%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CUL%20class%3D%22metadata%20page-metadata%22%3E%3CLI%3E03%2F23%2F2021%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EApplies%20to%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EWindows%20Server%202008%20R2%20SP1%3C%2FLI%3E%3CLI%3EWindows%20Server%202012%20R2%3C%2FLI%3E%3CLI%3EWindows%20Server%202016%3C%2FLI%3E%3CLI%3EWindows%20Server%20(SAC)%20version%201803%20and%20later%3C%2FLI%3E%3CLI%3EWindows%20Server%202019%20and%20later%3C%2FLI%3E%3CLI%3EWindows%20Server%202019%20core%20edition%3C%2FLI%3E%3C%2FUL%3E%3CP%3Efrom%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fconfigure-server-endpoints%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fconfigure-server-endpoints%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E...%20not%20that%20I%20have%20it%20working%20yet%20either...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2237623%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2237623%22%20slang%3D%22en-US%22%3EHello%2C%3CBR%20%2F%3EAntivirus%20%26amp%3B%20EDR%20are%20different%20products.%20Windows%20Defender%20for%20Endpoint%20is%20an%20EDR%20solution.%20Where%20Trendmicro%20is%20an%20Antivirus%20solution.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20are%20planning%20to%20use%20EDR%20solution%20(Windows%20Defender%20for%20Endpoint)%2C%20no%20need%20to%20uninstall%20Trend%20Micro..%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20are%20planning%20to%20switch%20Antivirus%20in%20your%20environment%2C%20you%20can%20use%20System%20Center%20Endpoint%20Protection.%20It%20will%20come%20with%20SCCM%20client%20installation%20bundle.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2473305%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2473305%22%20slang%3D%22en-US%22%3EHi%20Balaji%2C%20if%20we%20don't%20have%20sccm%20in%20environment%2C%20can%20defender%20av%20configured%20for%20win2008r2%2Fwin2012%20environment%20by%20installing%20scep%3F%20In%20other%20words%2C%20can%20we%20install%20scep%20agent%20without%20sccm%20endpoint%20protection%20subscription%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1975724%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1975724%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3BThanks%20this%20is%20helpful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFound%20one%20more%20article%20which%20says%20installing%20Desktop%20Experience%20on%20these%20servers%20would%20enable%20Defender%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fyellowduckguy.wordpress.com%2F2012%2F12%2F21%2Fwindows-server-2012-how-to-add-desktop-experience-feature%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fyellowduckguy.wordpress.com%2F2012%2F12%2F21%2Fwindows-server-2012-how-to-add-desktop-experience-feature%2F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2741437%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20for%20Server%202012%20R2%20and%202008%20R2%20%7C%20Microsoft%20Defender%20ATP%20Onboarding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2741437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F879527%22%20target%3D%22_blank%22%3E%40AnuragSrivastava%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20run%20into%20the%20same%20issue%20where%20I've%20got%20a%20few%20older%20servers%20that%20I%20onboarded%20into%20Defender%20and%20then%20realized%20that%20was%20just%20alerting%20and%20telemetry%2C%20not%20a%20real%20antivirus.%20We%20aren't%20currently%20using%20SCCM.%3C%2FP%3E%3CP%3EThis%20is%20not%20an%20approved%20method%2C%20but%20it%20seems%20to%20be%20working%20for%20me.%3C%2FP%3E%3CP%3EFirst%20make%20sure%20you%20have%20purchased%20additional%20server%20licenses%20for%20antivirus.%20The%20normal%20licenses%20that%20cover%20Windows%2010%20and%20other%20client%20endpoints%20don't%20apply%20to%20servers.%3C%2FP%3E%3CP%3EDownload%20the%20trial%20package%20for%20SCCM%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fevalcenter%2Fevaluate-system-center-2016%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fevalcenter%2Fevaluate-system-center-2016%3C%2FA%3E%3C%2FP%3E%3CP%3Eso%20that%20you%20can%20extract%20the%20antivirus%20installer%20from%20it%3A%3C%2FP%3E%3CP%3E%3CSPAN%3Escepinstall.exe%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Efound%20in%20the%20folder%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%5CSMSSETUP%5CCLIENT%20of%20the%20downloaded%20bundle%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Eremove%20any%20other%20antivirus%20programs.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Erun%20the%20installer%2C%20it%20shows%20up%20as%20%22System%20Center%202012%20Endpoint%20Protection%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20could%20only%20find%20the%204.7%20client%20install.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20windows%20update%2C%20check%20the%20box%20for%20%22allow%20checking%20for%20other%20Microsoft%20products%22%20and%20run%20windows%20update.%20You%20should%20get%20an%20update%20to%20the%20latest%204.10%20version.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThis%20was%20ok%20at%20first%2C%20but%20the%20antivirus%20signatures%20were%20not%20updating.%20I%20think%20the%20software%20assumes%20you%20will%20be%20pushing%20the%20updates%20via%20SCCM.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ETo%20fix%20that%2C%20I%20went%20to%20the%20registry%20and%20changed%20the%20key%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CMicrosoft%20Antimalware%5CSignature%20Updates%3CBR%20%2F%3EFallbackOrder%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Eto%20only%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMicrosoftUpdateServer%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ENote%3A%20in%20order%20to%20change%20that%20key%2C%20I%20had%20to%20temporarily%20change%20ownership%20of%20the%20%22Signature%20Updates%22%20node%20to%20something%20like%20the%20local%20administrators%20account%20I%20was%20logged%20in%20as%2C%20allow%20%22full%20control%22%20for%20that%20account%2C%20make%20the%20change%2C%20(You%20might%20have%20to%20move%20away%20from%20the%20key%20and%20come%20back%2C%20or%20close%20and%20reopen%20regedit%20so%20you%20can%20change%20the%20key%20with%20your%20new%20permissions.)%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20remove%20the%20the%20local%20admin%20from%20having%20full%20control%2C%20then%20put%20the%20owner%20back%20to%20%22SYSTEM.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20then%20made%20sure%20the%20antivirus%20was%20set%20to%20do%20real%20time%20scanning%2C%26nbsp%3B%20a%20quick%20scan%20every%20night%2C%20and%20%22check%20for%20signatures%22%20before%20each%20scan.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EObviously%20this%20is%20a%20sketchy%20install%2C%20but%20so%20far%20it%20seems%20to%20be%20working%20and%20hopefully%20will%20hold%20up%20until%20we%20get%20everything%20to%20Server%202016%2B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

I am planning to onboard windows server 2012 R2 and 2008 R2 on MDATP. Currently the servers have Trend Micro as existing AV solution and we need to uninstall it.

 

Request if someone can let me know what is the way to install Defender Antivirus on these servers so that MS services can be leveraged at its best.

 

P.S. - The servers are not being managed by SCCM.

7 Replies

@AnuragSrivastava 

 

2008/2012 don't support Windows Defender, only SCEP.

You can manage SCEP with GPO or SCCM.

 

Check out this article from @Joe Stocker on this:

https://www.thecloudtechnologist.com/defender-for-endpoint-mdatp-for-windows-servers/

@Thijs Lecomte Thanks this is helpful.

 

Found one more article which says installing Desktop Experience on these servers would enable Defender - https://yellowduckguy.wordpress.com/2012/12/21/windows-server-2012-how-to-add-desktop-experience-fea... 

This is not the Defender you hope to have then.

I hadn't seen this. But 2012 R2 doesn't support Defender, only SCEP

 

 

@Thijs Lecomte 

Onboard Windows servers to the Microsoft Defender for Endpoint service

Applies to:

  • Windows Server 2008 R2 SP1
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server (SAC) version 1803 and later
  • Windows Server 2019 and later
  • Windows Server 2019 core edition

from:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints

... not that I have it working yet either...

Hello,
Antivirus & EDR are different products. Windows Defender for Endpoint is an EDR solution. Where Trendmicro is an Antivirus solution.

If you are planning to use EDR solution (Windows Defender for Endpoint), no need to uninstall Trend Micro..

If you are planning to switch Antivirus in your environment, you can use System Center Endpoint Protection. It will come with SCCM client installation bundle.
Hi Balaji, if we don't have sccm in environment, can defender av configured for win2008r2/win2012 environment by installing scep? In other words, can we install scep agent without sccm endpoint protection subscription?

@AnuragSrivastava 

I've run into the same issue where I've got a few older servers that I onboarded into Defender and then realized that was just alerting and telemetry, not a real antivirus. We aren't currently using SCCM.

This is not an approved method, but it seems to be working for me.

First make sure you have purchased additional server licenses for antivirus. The normal licenses that cover Windows 10 and other client endpoints don't apply to servers.

Download the trial package for SCCM

https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2016

so that you can extract the antivirus installer from it:

scepinstall.exe

found in the folder

\SMSSETUP\CLIENT of the downloaded bundle

remove any other antivirus programs.

run the installer, it shows up as "System Center 2012 Endpoint Protection"

I could only find the 4.7 client install.

In windows update, check the box for "allow checking for other Microsoft products" and run windows update. You should get an update to the latest 4.10 version.

This was ok at first, but the antivirus signatures were not updating. I think the software assumes you will be pushing the updates via SCCM.

To fix that, I went to the registry and changed the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates
FallbackOrder

to only:

MicrosoftUpdateServer

Note: in order to change that key, I had to temporarily change ownership of the "Signature Updates" node to something like the local administrators account I was logged in as, allow "full control" for that account, make the change, (You might have to move away from the key and come back, or close and reopen regedit so you can change the key with your new permissions.) 

The remove the the local admin from having full control, then put the owner back to "SYSTEM."

 

I then made sure the antivirus was set to do real time scanning,  a quick scan every night, and "check for signatures" before each scan.

Obviously this is a sketchy install, but so far it seems to be working and hopefully will hold up until we get everything to Server 2016+