Protecting Windows Server with Windows Defender ATP
Published Oct 04 2018 01:16 PM
Microsoft

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified security platform that covers both the endpoint protection platform (EPP) and endpoint detection and response (EDR). Initially we released the product for Windows 10 only, but customers have asked for support on other platforms, Windows Server in particular. This year we've made Windows Defender ATP available to Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server. As we continue engineering a unified security platform, you will see a more seamless approach across platforms.

 

This blog is for enterprise customers who want to use the Windows Defender ATP platform on Windows Server and need practical guidance on what needs to be in place for licensing and infrastructure.

 


 Image: Windows Server 2016 onboarded to Windows Defender ATP 

 

The Microsoft-recommended configuration for the best security is staying current with Windows. While we provide support for previous versions of Windows, the latest releases provide superior security capabilities. If you are running previous versions of Windows, one of the most important things you can do is put a plan in place to update your Windows environment.

 

Endpoint protection platform

The endpoint protection platform (EPP) side of Windows Defender ATP includes two capabilities: (1) attack surface reduction (ASR), which closes off as much as possible of the attack surface a threat actor could use, and (2) next generation protection (NGP), a cloud-powered antivirus engine.

 

Attack surface reduction is a set of capabilities that helps organizations reduce the available attack surface. The technologies that power ASR are network protection, exploit protection, controlled folder access, and ASR rules. ASR is available on Windows 10 Fall Creators Update or later and on Windows Server, version 1803 and later. Note that, with the exception of exploit protection, these features depend on Windows Defender Antivirus being the active real-time antivirus on the machine: if a third-party antivirus puts Windows Defender Antivirus into passive mode, ASR rules, network protection and controlled folder access do not enforce.

 

Operating System: Windows 10
  License: Windows E5 or Microsoft 365 Enterprise E5
  Deployment: ASR relies on Windows Defender Antivirus, which is built in and requires no agent installation
  Configuration: If licensed, through Microsoft Intune or System Center Configuration Manager. Alternatively, PowerShell or Group Policy.
  Reporting: Windows Defender Security Center, or, if licensed, System Center Configuration Manager or Microsoft Intune

Operating System: Windows Server 1803, Windows Server 2019
  License: Azure Security Center Pay-As-You-Go
  Deployment: ASR relies on Windows Defender Antivirus, which is built in and requires no agent installation
  Configuration: If licensed, through System Center Configuration Manager. Alternatively, PowerShell or Group Policy.
  Reporting: Windows Defender Security Center, or, if licensed, System Center Configuration Manager
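The "PowerShell" configuration path in the table above, worked through as an added example (this is not code from the original post or a Microsoft-supplied script). It rolls a set of server-relevant ASR rules out in Audit mode, reads the audit hits back out of the Defender operational log, and promotes a single rule to Block once its hits have been reviewed. Assumptions: Windows Defender Antivirus is the active engine and the Defender PowerShell module is present (Server 2016 or later); the rule GUIDs are the public ASR rule IDs as the author knows them and should be checked against current documentation; the event-data field names are as the author has seen them in the log.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Rolls server-relevant ASR rules out in
# Audit mode, reads back what they would have blocked, and promotes individual rules to
# Block. Assumptions: Windows Defender Antivirus is the active (not passive) engine, the
# Defender PowerShell module is present (Server 2016+), and the rule GUIDs are the public
# ASR rule IDs as the author knows them; check them against the current documentation.

# Server-relevant rules. Office and Adobe Reader rules are left out deliberately.
$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Test-AsrPrerequisites {
    # ASR rules, network protection and CFA only enforce when Defender AV is the primary
    # real-time engine. AMRunningMode exists only on newer builds, so probe for it.
    $s    = Get-MpComputerStatus
    $mode = $s.PSObject.Properties['AMRunningMode']
    [pscustomobject]@{
        AMServiceEnabled          = $s.AMServiceEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        RunningMode               = if ($mode) { $mode.Value } else { 'unknown (older platform)' }
        AsrWillEnforce            = $s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and
                                    (-not $mode -or $mode.Value -eq 'Normal')
    }
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]] $RuleIds,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Audit', 'Block')][string] $Mode
    )
    # Action codes used by the Defender cmdlets: 0 = Disabled, 1 = Block, 2 = Audit.
    $action = @{ Disabled = 0; Block = 1; Audit = 2 }[$Mode]
    # Add-MpPreference merges into the existing rule list; Set-MpPreference would replace
    # it and silently drop rules configured elsewhere (Group Policy, another script).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions (@($action) * $RuleIds.Count)
}

function Set-AsrCompanionMode {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'AuditMode', 'Enabled')][string] $Mode)
    Set-MpPreference -EnableNetworkProtection $Mode
    Set-MpPreference -EnableControlledFolderAccess $Mode
}

function Get-AsrEvents {
    # 1121 = rule enforced (Block), 1122 = rule matched in Audit. Field names are as the
    # author has seen them in the Defender operational log; adjust if your build differs.
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id = "$($data['ID'])".Trim('{}')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $id
            Rule    = $AsrRules[$id]
            Process = $data['Process Name']
            Path    = $data['Path']
            User    = $data['User']
        }
    }
}

# Rollout pattern: confirm ASR can enforce, audit everything, review, then block rule by rule.
Test-AsrPrerequisites
Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode Audit
Set-AsrCompanionMode -Mode AuditMode
Get-AsrEvents -Days 7 | Group-Object Rule | Sort-Object Count -Descending | Format-Table Count, Name
# After reviewing the audit hits for one rule, promote just that rule:
Set-AsrRuleMode -RuleIds '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' -Mode Block
```

The audit-first pattern matters on servers because a rule such as "block process creations originating from PSExec and WMI commands" will also catch legitimate management tooling; the 1122 events tell you exactly which process and path would have been blocked before you switch the rule to enforce.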

 

Windows Defender Antivirus is available to enterprise customers starting with Windows 10 Anniversary Update and Windows Server 2016. Earlier versions of Windows and Windows Server continue to use System Center Endpoint Protection. The following table covers Windows Defender Antivirus on the different Windows and Windows Server versions, whether on-premises, in Azure, or on a third-party cloud service.

 

Operating System: Windows 10
  License: No additional license required to use Windows Defender Antivirus
  Deployment: Windows Defender Antivirus is built in and requires no agent installation
  Configuration: If licensed, through Microsoft Intune or System Center Configuration Manager. Alternatively, Group Policy or PowerShell.
  Reporting: If licensed, through Windows Defender Security Center, System Center Configuration Manager or Microsoft Intune

Operating System: Windows 8.1 and Windows 7
  License: System Center Configuration Manager with System Center Endpoint Protection
  Deployment: System Center Endpoint Protection agent can be deployed through System Center Configuration Manager
  Configuration: System Center Configuration Manager
  Reporting: If licensed, through Windows Defender Security Center or System Center Configuration Manager

Operating System: Windows Server 1803, Windows Server 2019
  License: No additional license required to use Windows Defender Antivirus
  Deployment: Windows Defender Antivirus is built in and requires no agent installation
  Configuration: If licensed, through System Center Configuration Manager. Alternatively, Group Policy or PowerShell.
  Reporting: If licensed, through Windows Defender Security Center or System Center Configuration Manager

Operating System: Windows Server 2016
  License: No additional license required to use Windows Defender Antivirus
  Deployment: Windows Defender Antivirus is built in and requires no agent installation
  Configuration: If licensed, through System Center Configuration Manager. Alternatively, Group Policy or PowerShell.
  Reporting: If licensed, Windows Defender Security Center, System Center Configuration Manager or Azure Security Center

Operating System: Windows Server 2012 R2
  License: System Center Configuration Manager with System Center Endpoint Protection
  Deployment: System Center Endpoint Protection agent can be deployed with System Center Configuration Manager
  Configuration: System Center Configuration Manager
  Reporting: System Center Configuration Manager or, if licensed, through Windows Defender Security Center or Azure Security Center

Operating System: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
  License: System Center Configuration Manager with System Center Endpoint Protection
  Deployment: System Center Endpoint Protection agent can be deployed with System Center Configuration Manager
  Configuration: System Center Configuration Manager
  Reporting: System Center Configuration Manager or, if licensed, through Azure Security Center
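The table's "which engine runs where" distinction, made concrete as an added example (not code from the original post or from Microsoft). The first function reports whether a server is running the built-in Windows Defender Antivirus, System Center Endpoint Protection, or Defender in passive mode behind a third-party product, and lists the conditions that would hollow out next generation protection; the second turns on the cloud-delivered protection settings NGP relies on. The SCEP service name, the signature-age threshold and the chosen settings values are the author's assumptions, not something the post specifies.

```powershell
# Added example, not code from the original post. Reports which Microsoft AV engine a
# server is actually running and what would undermine next generation protection, then
# tightens the cloud-delivered protection settings NGP depends on. Assumptions: the
# Defender PowerShell module is present on Server 2016+; on older servers with SCEP the
# module is absent and the 'MsMpSvc' service (SCEP's antimalware service, as the author
# recalls it) is used as the indicator instead. The 3-day signature threshold is arbitrary.

function Get-ServerAvPosture {
    param([int] $MaxSignatureAgeDays = 3)
    $findings = [System.Collections.Generic.List[string]]::new()
    $engine   = 'none found'

    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        # Pre-2016 server: either SCEP or nothing. Windows Defender AV is not built in here.
        if (Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue) {
            $engine = 'System Center Endpoint Protection'
        } else {
            $findings.Add('No Defender module and no SCEP service: no Microsoft antimalware engine installed')
        }
        return [pscustomobject]@{ Engine = $engine; Findings = $findings }
    }

    $engine = 'Windows Defender Antivirus'
    $s = Get-MpComputerStatus
    $p = Get-MpPreference

    # AMRunningMode only exists on newer platform builds; when present and not 'Normal',
    # another AV owns real-time scanning and Defender is passive (NGP and ASR do not enforce).
    $mode = $s.PSObject.Properties['AMRunningMode']
    if ($mode -and $mode.Value -ne 'Normal') {
        $findings.Add("Defender AV is in '$($mode.Value)'; another product is the primary engine")
    }
    if (-not $s.AMServiceEnabled)          { $findings.Add('Antimalware service disabled') }
    if (-not $s.RealTimeProtectionEnabled) { $findings.Add('Real-time protection off') }
    if (-not $s.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring off') }

    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures last updated $([int]$age.TotalDays) days ago (version $($s.AntivirusSignatureVersion))")
    }

    # MAPSReporting 0 = Disabled: the 'cloud-powered' part of NGP is switched off.
    if ($p.MAPSReporting -eq 0)        { $findings.Add('Cloud-delivered protection (MAPS) off; detection is signature-only') }
    if ($p.DisableBlockAtFirstSeen)    { $findings.Add('Block at first sight disabled') }
    if ($p.SubmitSamplesConsent -eq 2) { $findings.Add('Sample submission is NeverSend; cloud verdicts on unknown files will be slower') }

    [pscustomobject]@{ Engine = $engine; Findings = $findings }
}

function Set-ServerCloudProtection {
    # Advanced MAPS plus safe-sample submission lets the cloud engine return a verdict on a
    # never-before-seen file before it is allowed to run; the extended timeout is the extra
    # time (seconds, maximum 50) the client waits for that verdict.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -DisableBlockAtFirstSeen $false `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50
}

$posture = Get-ServerAvPosture
$posture | Format-List
if ($posture.Engine -eq 'Windows Defender Antivirus') { Set-ServerCloudProtection }
```

Run the posture check across a fleet before trusting the reporting column of the table: a server that shows up in the portal but is sitting in passive mode behind a legacy AV product is reporting, not protecting.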

(Windows Defender Security Center is the web portal available to Windows Defender ATP customers; it requires Windows E5 or Microsoft 365 Enterprise E5 for clients, while servers are licensed through Azure Security Center as shown in the tables.)

 

In addition to Windows Defender Antivirus and System Center Endpoint Protection, enterprise customers can use Microsoft Antimalware for Azure on virtual machines hosted in Microsoft Azure. Note that if you are a Windows Defender ATP customer you should assess which antivirus solution best fits your needs.

 

Supporting Documentation:

 

Endpoint detection and response

Endpoint detection and response (EDR) capabilities in Windows Defender ATP were first available to enterprise customers as a built-in solution starting with Windows 10 Anniversary Update and Windows Server, version 1803, but these capabilities have since been extended to earlier versions of Windows and Windows Server. The following table covers Windows Defender ATP on the different Windows and Windows Server versions, whether on-premises, in Azure, or on a third-party cloud service.

 

Operating System: Windows 10
  License: Windows E5 or Microsoft 365 Enterprise E5
  Deployment: Windows Defender ATP is built in to the operating system
  Configuration: Local script, Group Policy, System Center Configuration Manager, or Microsoft Intune
  Reporting: Windows Defender Security Center

Operating System: Windows 8.1 and Windows 7
  License: Windows E5 or Microsoft 365 Enterprise E5
  Deployment: Windows Defender ATP on a legacy operating system requires installation of an agent
  Configuration: Agent deployment can be through any preferred deployment method, such as System Center Configuration Manager
  Reporting: Windows Defender Security Center

Operating System: Windows Server 1803, Windows Server 2019
  License: Azure Security Center Pay-As-You-Go
  Deployment: Windows Defender ATP is built in to the operating system
  Configuration: Local script, Group Policy and, if licensed, System Center Configuration Manager
  Reporting: Windows Defender Security Center

Operating System: Windows Server 2016, Windows Server 2012 R2
  License: Azure Security Center Pay-As-You-Go
  Deployment: Windows Defender ATP on a legacy operating system requires installation of an agent
  Configuration: Agent deployment can be through any preferred deployment method, such as System Center Configuration Manager
  Reporting: Windows Defender Security Center and Azure Security Center

 

At the time of writing, Windows Defender ATP support for Windows Server 2019 and Windows Server, version 1803 is in public preview.
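The two deployment rows in the table above (built-in sensor versus agent) come with two different "is this server actually onboarded?" checks. The following is an added example, not code from the original post or from Microsoft: it reads the state of the built-in sensor, reads which workspaces a Microsoft Monitoring Agent (MMA) is attached to on a legacy server, attaches the MMA to the workspace shown under Settings > Onboarding in the Windows Defender ATP portal, and runs a benign detection test. The registry path, service names and COM object members are as the author knows them; the workspace ID and key in the usage lines are placeholders; the detection test is reproduced from the onboarding documentation from memory.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Verifies Windows Defender ATP onboarding
# for both sensor types and, for legacy servers, attaches the MMA to the ATP workspace.
# Assumptions: registry path, service names and the AgentConfigManager COM members are as
# the author knows them; workspace ID/key below are placeholders you take from the portal.

function Get-AtpOnboardingState {
    # Built-in sensor (Windows 10, Server 1803+, Server 2019): the 'Sense' service and the
    # Status key written by the onboarding script. OnboardingState 1 means onboarded.
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                               -ErrorAction SilentlyContinue

    # Agent path (Server 2016 / 2012 R2 in this post): the MMA 'HealthService' and the cloud
    # workspaces it is attached to. The agent multi-homes, so an existing Log Analytics
    # workspace and the ATP workspace can both be present.
    $mma = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $workspaces = @()
    if ($mma) {
        try {
            $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
            $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
        } catch { $workspaces = @("error reading MMA config: $($_.Exception.Message)") }
    }

    [pscustomobject]@{
        SenseService    = if ($sense)  { "$($sense.Status)" } else { 'not installed' }
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }
        OrgId           = if ($status) { $status.OrgId } else { $null }
        MmaService      = if ($mma)    { "$($mma.Status)" } else { 'not installed' }
        MmaWorkspaces   = $workspaces
    }
}

function Register-AtpWorkspace {
    param(
        [Parameter(Mandatory)][string] $WorkspaceId,   # from the ATP portal: Settings > Onboarding
        [Parameter(Mandatory)][string] $WorkspaceKey
    )
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $existing = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
    if (-not $existing) {
        # Adds the ATP workspace alongside any workspace already configured; it does not
        # replace the one you use for your own Log Analytics data.
        $cfg.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
        $cfg.ReloadConfiguration()
    }
    $cfg.GetCloudWorkspace($WorkspaceId).ConnectionStatusText
}

function Invoke-AtpDetectionTest {
    # Benign detection test as described in the onboarding documentation (from memory): the
    # download from 127.0.0.1 fails, and the attempt itself raises a test alert in the portal.
    $dir = 'C:\test-WDATP-test'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
        `$ErrorActionPreference = 'SilentlyContinue';
        (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', '$dir\invoice.exe');
        Start-Process '$dir\invoice.exe'"
}

# Usage. Check first; on a 2012 R2 / 2016 server attach the agent, then fire the test alert.
Get-AtpOnboardingState | Format-List
Register-AtpWorkspace -WorkspaceId '00000000-0000-0000-0000-000000000000' -WorkspaceKey '<key from portal>'
Invoke-AtpDetectionTest   # expect a test alert for this machine in Windows Defender Security Center
```

The point of reading the MMA's workspace list back is that the ATP workspace is not visible in your Azure subscription's resources, so the agent is the only place you can confirm a legacy server is pointed at the right one.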

 

Supporting Documentation:

 

Windows Defender ATP unified endpoint security platform

Windows Defender ATP is a unified platform that helps keep your business data and users safe from advanced attacks. And with expanded support for Windows Server, previous versions of Windows, and additional client hardware, you can protect a wider array of devices, servers, and endpoints. Your feedback is important to us as we continue to make improvements to Windows Defender ATP.

 


54 Comments

So is the Server 2019 ATP in a different console than the workstations console?  https://securitycenter.windows.com/dashboard

Microsoft

Hi! It is the same console, securitycenter.windows.com. Once Azure Security Center supports this Server build, it will be the same reporting story as for other versions.

Pardon for the additional question, is the threat console information available outside of the security center, or is there a way to get alerted when a new post goes up?  Also can one share this data with other team members/people?

Microsoft

Hi! Happy to help. Both Windows Defender ATP and Azure Security Center can send email notifications when new stuff happens. Check out: (WDATP) https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-e... and (ASC) https://blogs.msdn.microsoft.com/azuresecurity/2016/11/22/tip-of-the-day-azure-security-center-email...

Alerts I get, I want to get notified when there are new threat analytics posted to the console. 

A couple of questions:

 

  • About the Secure Score in Windows Defender ATP (securitycenter.windows.com). The Security Controls (EDR, Antivirus, OS Security Updates, Exploit Guard, etc.) are currently applied to Windows 10 machines. Will those controls also apply to Windows Server machines? (I've attached a screenshot of the controls to clarify.)

 

  • Now Azure Security Center has its own Secure Score, with recommendations for virtual machines (e.g. apply disk encryption, install endpoint protection, etc.). If I have a Windows Server machine with WDATP for Server that is also onboarded to Azure Security Center, will I have to check both securitycenter.windows.com and Azure Security Center for the score, security controls and recommendations?

 

 

Microsoft

Good suggestion Susan. I will definitely pass it on to my colleague who is responsible for threat analytics.

Microsoft
Certainly something we have started to discuss between the Azure Security Center and Windows Defender ATP teams. For now, you want to make sure you look at WDATP when it comes to endpoints and at ASC for server security recommendations.
Copper Contributor

Knowing how to deal with diversity is not accepting differences; it is being capable and sure of yourself and knowing how to leave people free within technology, because that is where there is a lot of diversity of kinds, in many ways.

Copper Contributor

Don't let diversity turn into adversity, because technology is already the difference.

Copper Contributor
EDR for Server 2012/2016 and EPP for Server 2019 state that an "Azure Security Center Pay-As-You-Go" license is required. The onboarding instructions for WDATP say to install the MMA and configure it with the Defender workspace ID. If you attempt to onboard to Azure Security Center you receive a separate workspace ID. We want all of our devices to be managed from the "Windows Defender Security Center" as the WDATP technical instructions specify. In this case, what license is required, as the device does not appear in Azure Security Center?
Microsoft

Hi D8234842, the licensing model for Windows Defender ATP EDR on Server is through Azure Security Center. For successful onboarding you will want to ensure that the servers are first added to Azure Security Center and have the integration between Azure Security Center and Windows Defender ATP enabled. If that's the case, all your servers in Azure Security Center will automatically show up in Windows Defender Security Center.

Iron Contributor

@Milad Aslaner thank you.  I am still a little unclear about which workspace ID to install MMA to.  I already have servers with the OMS agent (now MMA) installed using my log analytics workspace ID.  How do I onboard these same servers to ATP now?

Copper Contributor

Hi @Milad Aslaner ,

I'm confused over licencing here - there is no such product as security centre 'Pay as you go' - how is the licence actually working here?

 

For example if I just connect all my Azure servers to the Defender ATP workspace directly and don't use security centre at all - what licence is required for that?

 

Thanks,

Rich

Microsoft

@Richard Harrison the pay as you go subscription information can be found here: https://azure.microsoft.com/en-us/offers/ms-azr-0003p/

 

Regarding the second part of your question... to be compliant with MDATP licensing for servers, each server needs to have an Azure Security Center Standard (per node) license. There are two ways to license ASC: Pay-as-you-go or ASC reservations. 

Copper Contributor

@Chris Jones- The ASC pay-as-you-go pricing for servers put MDATP out of reach for us (literally 6x vs. two other EDR products we had quoted), but I just went looking for the reservations you mentioned and can't find any info in Azure portal or the pricing calculator.  Do you have a link to the ASC reservations?

 

Thanks,

Joe

Microsoft

Hi @Joe Sanders - I understand your concern regarding the pricing. I'd recommend reaching out to your Microsoft account team or reseller regarding this. There are benefits if you have MDATP client licensing that should be able to help on the server side of things from a cost perspective.

 

Regarding the reservations, it's really just another term for an Azure Monetary Commitment that is done through an Enterprise Agreement. If you don't have one, you can speak with someone about setting one up here.

Copper Contributor

Hi @Chris_Jones,

Now you are making things even more confusing :)

 

What on earth are ASC reservations? There are various things you can reserve in Azure but ASC is not one of them?

 

I think the statement needs to be: to use the Windows Defender ATP portal for 'servers' in Azure, they have to be attached to an Azure Security Centre Standard subscription - as simple as that?

 

Cheers,

Rich

Copper Contributor

Hi, I don't quite understand the server licencing for on-premises servers. Are they still required to have Azure PAYG? They would be versions 2008 R2 to 2019. Also, I presume I can deploy the agent manually or via GPO?

Steel Contributor

What is the pricing model for On-Prem Windows servers we're monitoring through the Azure Security Center? The pricing wasn't explained here: https://azure.microsoft.com/en-us/blog/azure-security-center-extends-advanced-threat-protection-to-h...

Iron Contributor

Hi @Chris_Jones, @Milad Aslaner,

 

Has there been any clarification on the licensing costs for running MDATP on servers, either on-prem or in AWS or Azure?

My simple take on this discussion is that they need to be attached/registered/monitored by ASC to be valid?

And if a customer is already using MDATP, either via M365 E5 or Windows 10 E5 licenses, then they need to check with their account rep to get a "deal"?

 

Is this the case? Just trying to simplify it for a customer at this end...

 

Regards,

Dave C 

 

Iron Contributor

First you need the M365 E5 or the Windows E5, then you need to pay ~$15 USD per machine for data storage in your Log Analytics workspace attached to Security Centre; alternatively you can pay a per-GB cost for data storage. Either way you need to pay for storage based on how long you wish to retain it.

Microsoft

Having E5 is not a requirement to onboard servers into MDATP.  Servers that are licensed for ASC can be onboarded into MDATP.  The data is retained in MDATP for both servers or workstations up to a maximum of 6 months.

Copper Contributor

Within my tenant I have a Pay-as-you-Go subscription and a CSP subscription. I have a Log Analytics workspace in each. When I go to the Defender portal > Settings > Onboarding, it has a Workspace ID and Workspace key for a Log Analytics workspace that I can't identify as being in my tenant's resources (I go to All Resources and look for it, and can't find it; wondering if it is a 'special' MDATP workspace that isn't in my normal resources). I am confused: am I supposed to point MMA at the Log Analytics workspace of my choice, or the one defaulted by Defender portal > Settings > Onboarding? Of course, I would rather only be billed for one workspace per machine per month. But since I don't even see that one workspace, I don't even know if it's charged or not.

Iron Contributor

Hi Ron, my understanding is that the Log Analytics piece in the MD ATP is effectively hidden and you don't access it directly.

The storage consumed by this solution is not charged to your billing ;)

Microsoft

Yes that's correct, the workspace is separate and won't appear within your resources.  If you are using the MMA (only required for older platforms) then you should point it to the workspace specified in the MDATP portal.

Copper Contributor

On-prem licensing question. If you go to defender security center and select server 2019 on-boarding, it just gives you a script to run on the server. This doesn't appear to actually bring the server into Azure security center so that I can pay my $15/month for it. So in this case do I need to manually add this server to Azure Security center, create a new workspace, set the price tier of the workspace to standard, install the monitoring agent on the server then it should automatically be added to defender security center? Just not sure why build the EDR engine into server 2019 then require the monitoring agent to be installed.

 

Thanks.

Copper Contributor

MDATP is ~$15 per server/month regardless of whether it is on-prem or in Azure. I highlighted the important stuff below.

 

see this link: https://azure.microsoft.com/en-us/pricing/details/security-center/

 


Copper Contributor

Hi All,

 

I have a small doubt and need help from you: here we are deploying Windows Defender on Windows Server 2008 R2, 2012 and 2016 servers. Do we need a license to use Windows Defender on server operating systems?

My second question is: will Windows Server 2019 support Windows Defender?

 

 

I am sure Windows Server 2003 and 2000 will not support Windows Defender, but I need your help.

 

Thanks & Regards,

Devendra Singh 

 

Microsoft

On Server 2008 and above you do need a separate license for MDATP (older versions are not supported). Currently this licensing model is via a subscription to Azure Security Center; however a dedicated MDATP server license is coming.

If you are just talking about Windows Defender (the AV-only component) then this is built into Server 2016 and above (including 2019). On older versions you would need to use System Center Endpoint Protection (https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/endpoint-protection).

Hope this helps.

 

Copper Contributor

Is there any other way to manage licenses or onboard machines except Azure Security Center?

You mean on Windows 2008 R2 and 2012 R2 we need to install System Center Endpoint Protection because it is not built into the operating system?

 

If I install the MDM agent on servers manually, do I still require a license for WDATP?

 

Thanks in advance.

 

Regards,

 

Microsoft

As I said we are going to be releasing a standalone server license for MDATP.  This is coming soon.

Yes on 2008 or 2012 there is no built in Defender AV.

 

What do you mean "MDM agent"?

Copper Contributor

Hi Steve,

 

As you know there are two options for onboarding machines.

 

One through Azure Security Center and another one from the WDATP portal.

So if I select WDATP portal onboarding for servers, how will the licensing part work?

 

Please clear up my doubt about the licensing part.

Microsoft

Ok so either way you need a license.

Prior to today the only licensing mechanism for MDATP on servers was via ASC.  In terms of onboarding if you onboarded a server into ASC then it would automatically onboard it through into MDATP.

The other onboarding mechanism allows you to onboard a server directly into MDATP, but you would still need an ASC license, meaning you would then need to onboard into ASC.

However we now have the option for a standalone MDATP license for servers meaning that you can purchase this and onboard the server directly into MDATP without involving ASC.

Hope this helps.

Copper Contributor

I'm really confused, and even the Microsoft engineers replying to my helpdesk ticket don't seem to fully understand it either.  When accessing https://securitycenter.windows.com/dashboard I get the message, "no subscriptions found".  Microsoft are telling me I need to have an E5 licence, but all I want to manage are on-prem servers on 2019.  The chart indicates that I need an azure pay as you go, as does my reseller.  What do I need to do please?  Ideally I'd also like it on the desktops, but it's a user licence only (no device) and we have 11,000 users but only 1,500 desktops (we're a college running mostly zero thin client terminals).

Microsoft

You either need an Azure pay as you go subscription for the servers (it doesn't matter if they are on-prem or in the cloud) or a dedicated MDATP for Servers license which was only announced at the beginning of this month.

For your desktops there are some exceptions we can make for education to make this a per-device license.  You should talk to your MS account manager about this.

Copper Contributor

@Steve Newby can you please provide the dedicated MDATP for Servers license Sku?

I was searching everywhere, but I can't find it.

Thanks in advance.

Pedro

Copper Contributor

@Steve Newby Yes, please clarify the requirements for MD ATP on servers with the new SKU. I found this article which states "However, the MDATP Server license is only available if you purchase a combined minimum of 50 seats for any of the following: Windows 10 E5 / Microsoft 365 E5 / Microsoft 365 E5 Security." Is this correct?

Microsoft

Version compatibility -  DS runs some older Windows servers, and it looks like Defender platform updates are only available for Windows Server 2016 & 2019.  Are there any features or functionality unavailable if an older version of Defender is used on older server operating systems (like Windows 2012)?

Copper Contributor

@Milad Aslaner - A document (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...) doesn't say that it applies to Windows Server 2012. Is there any reason this is missing here?

Iron Contributor

@joinimran @Milad Aslaner Server 2012 is *NOT* covered, bummer - but that's the numbers game for you - we also ran into this.

I'm afraid it is what it is...

Copper Contributor

Hi, 

We have the MDATP for Server license purchased and servers are onboarded to both Defender ATP and ASC.

I assigned "MDATP for Servers" licenses to an AD group which contains the on-prem servers as members.

But still the number of assigned licenses shows 0. How can we make sure that servers are licensed and compliant? Do we need to sync the server objects to assign the license? Please clarify this.

Copper Contributor

So I have a couple questions here on Security Center and how Azure Defender is incorporated for non-Azure resources.  We have added the on-premise resources per instructions with the agent installation and can see all of those resources in the Inventory within Security Center.  What I am looking to understand here, how can I view those same on-premise resources under Azure Defender?  The only resources that show up there are items within Azure?  Just making sure that the vulnerability assessments for the on-premise servers are using the same process as VMs in Azure?  If that is the case, where can that information be reviewed from an on-premise server?

 

On the licensing/pricing piece, I see the server count listed there includes both on-premise and Azure resources and has been turned on.  Just to make sure I have this right, if licenses were purchased separately prior to using Azure Security Center, those would not need to be renewed and just move forward with the monthly cost using Azure Defender within Azure Security Center?

 

I understand that things are being updated/changed within Azure Security Center (https://www.microsoft.com/security/blog/?p=91813) from September 22, 2020 to now by Microsoft 365 Defender.  The challenges we are seeing is around the non-Azure resources right now and looking to get a better handle on how to view that information in Security Center today?

 

Thank you,

-Bob

Copper Contributor

We are managing the on-premise servers in Windows Defender Security Center with E5. Currently having connectivity issues with servers hosted in AWS during defender rollout (different server OSs). Are there any limitations when managing these servers in WDSC or does it require a different configuration to have them report to the portal? Or is Azure Security center is the only solution? Thank you.

@Milad Aslaner I hope you are fine and can still help on this old thread. Since 2018 many things have apparently changed for the better.

Many questions still arise for newcomers to this topic.

2020 Ignite

- announced Azure Security Center - is this merging the capability to manage Windows Server and client in a single dashboard?

- Why is there still a need for the Microsoft 365 Defender dashboard in the M365 admin center?

- Now, as I understood it, servers could be licensed with M365 prerequisites to a standalone ATP license; it is not described in the docs how to do this.

- Your tables from 2018 already stated that on-premises Windows Server LTSC 2016 / 2019 do not need any agent to work with Azure Security Center:

"Windows Defender Antivirus is built-in and requires no agent installation"

yet the docs still say you need to install an MMA monitoring agent even in Option 2, so we apparently still need to install something.
Onboard Windows servers to the Microsoft Defender ATP service - Windows security | Microsoft Docs

Thank you very much for your time!

As editing capabilities have been removed for posts / replies, a correction: Microsoft 365 Defender dashboard > Microsoft 365 Security dashboard

@Milad Aslaner there is also another thing that is not easy to understand

Using the Microsoft Defender for Endpoint license included with Azure Security Center | Microsoft Do...

It says that EDR is only supported for 2016 and older and excludes Server 2019 and Windows 10 from support (the article is dated 20.10.2020).

 

Iron Contributor

Is EDR supported on Windows Server 2012? The documentation states the MMA agent is deployed, but isn't the MMA agent just a read-only Log Analytics agent? All it can do is report the server status in Security Center; it can't take any actions on the server.

Brass Contributor

The instructions for setting up onboarding for a server are poor in Microsoft Docs. To setup the Log Analytics for MDE you are given a link to the generic Log Analytics workspace instructions. At no point does it point you to the Defender portal to pick up the Workspace ID and key.   

@Milad Aslaner @Terry Hugill onboarding has become easier using Windows Admin Center. It is still quite confusing, and I hope that the $15 per server will be something that can be reduced by Azure Reservations; especially for non-profits there are no rebates and the costs are too high (even if they are legitimate in terms of security level). Budgets are budgets.

Any news on the new license that have been discussed here? 

Version history
Last update: Jun 09 2021 02:45 PM