Applies to:
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Servers Plan 1 or Plan 2
Overview
Defender for Endpoint can help protect your organization's servers with capabilities that include posture management, threat protection, and endpoint detection and response. Defender for Endpoint provides your security team with deeper insight into server activities, coverage for kernel and memory attack detection, and the ability to take response actions when necessary. Defender for Endpoint also integrates with Microsoft Defender for Cloud, providing your organization with a comprehensive server protection solution.
Depending on your particular environment, you can choose from several options to onboard servers to Defender for Endpoint. This article describes available options for Windows Server and Linux, important points to consider, how to run a detection test after onboarding, and how to offboard servers.
Tip
As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.
Server plans
To onboard servers to Defender for Endpoint, server licenses are required. You can choose from these options:
- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud offering)
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Business servers (for small and medium-sized businesses only)
Integration with Microsoft Defender for Servers
Defender for Endpoint integrates seamlessly with Defender for Servers (in Defender for Cloud). If your subscription includes Defender for Servers Plan 1 or Plan 2, you can:
- Onboard servers automatically
- Have servers that are monitored by Defender for Cloud appear in the Microsoft Defender portal, in the device inventory
- Conduct detailed investigations as a Defender for Cloud customer
Here are a few things to keep in mind:
- When you use Defender for Cloud to monitor servers, a Defender for Endpoint tenant is created automatically. Data collected by Defender for Endpoint is stored in the geographical location of the tenant, identified during provisioning. (For example, in the US for customers in the USA; in EU for European customers; and in the UK for customers in the United Kingdom.)
- If you use Defender for Endpoint before using Defender for Cloud, your data is stored in the location you specified when you created your tenant, even if you integrate with Defender for Cloud at a later time.
- Once configured, you can't change the location where your data is stored. To move your data to another location, contact support to reset your tenant.
- Server endpoint monitoring utilizing this integration isn't currently available for Office 365 GCC customers.
- Linux servers onboarded through Defender for Cloud have their initial configuration set to run Microsoft Defender Antivirus in passive mode. For information on how to deploy Defender for Endpoint on Linux servers, start with the Prerequisites for Microsoft Defender for Endpoint on Linux.
For more information, see Protect your endpoints with Defender for Endpoint integration with Defender for Cloud.
Important information for non-Microsoft antivirus/anti-malware solutions
If you intend to use a non-Microsoft anti-malware solution, you need to run Microsoft Defender Antivirus in passive mode. Make sure to set passive mode during the installation and onboarding process. For more information, see Windows Server and passive mode.
Important
If you're installing Defender for Endpoint on servers running McAfee Endpoint Security or VirusScan Enterprise, the McAfee platform version might need to be updated to ensure that Microsoft Defender Antivirus isn't removed or disabled. For more information on specific version numbers required, see the McAfee Knowledge Center article.
Server onboarding options
You can choose from several deployment methods and tools to onboard servers, as summarized in the following table:
Operating system | Deployment method |
---|---|
Windows Server 2025; Windows Server 2022; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2 | Local script (uses an onboarding package); Defender for Servers; Microsoft Configuration Manager; Group Policy; VDI scripts; Onboarding with Defender for Cloud; Modern, unified solution for Windows Server 2016 and 2012 R2 |
Linux | Installer script based deployment; Ansible script based deployment; Chef script based deployment; Puppet script based deployment; Saltstack script based deployment; Manual deployment (uses a local script); Direct onboarding with Defender for Cloud; Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint; Deployment guidance for Defender for Endpoint on Linux for SAP |
Onboard Windows Server, version 1803, Windows Server 2019, and Windows Server 2025
1. Make sure to review the Minimum requirements for Defender for Endpoint.
2. In the Microsoft Defender portal, go to Settings > Endpoints, and then, under Device management, select Onboarding.
3. In the Select operating system to start onboarding process list, select Windows Server 2019, 2022, and 2025.
4. Under Connectivity type, select either Streamlined or Standard. (See prerequisites for streamlined connectivity.)
5. Under Deployment method, select an option, and then download the onboarding package.
6. Follow the instructions in one of the following articles for your deployment method:
Onboard Windows Server 2016 and Windows Server 2012 R2
1. Make sure to review the Minimum requirements for Defender for Endpoint and Prerequisites for Windows Server 2016 and 2012 R2.
2. In the Microsoft Defender portal, go to Settings > Endpoints, and then, under Device management, select Onboarding.
3. In the Select operating system to start onboarding process list, select Windows Server 2016 and Windows Server 2012 R2.
4. Under Connectivity type, select either Streamlined or Standard. (See prerequisites for streamlined connectivity.)
5. Under Deployment method, select an option, and then download the installation package and onboarding package.

   Note
   The installation package is updated monthly. Be sure to download the latest package before usage. To update after installation, you don't have to run the installer package again. If you do, the installer asks you to offboard first as that is a requirement for uninstallation. See Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.

6. Follow the instructions in one of the following articles for your deployment method:
Prerequisites for Windows Server 2016 and 2012 R2
- It's recommended to install the latest available Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) on the server.
  - The SSU from September 14, 2021 or later must be installed.
  - The LCU from September 20, 2018 or later must be installed.
- Enable the Microsoft Defender Antivirus feature and ensure it's up to date. For more information on enabling Defender Antivirus on Windows Server, see Re-enable Defender Antivirus on Windows Server if it was disabled and Re-enable Defender Antivirus on Windows Server if it was uninstalled.
- Download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from MMPC.
- On Windows Server 2016, Microsoft Defender Antivirus must be installed as a feature and fully updated before installation.
Update packages for Windows Server 2016 or Windows Server 2012 R2
To receive regular product improvements and fixes for the Defender for Endpoint component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, see Manage Microsoft Defender Antivirus updates and apply baselines.
If you're using Windows Server Update Services (WSUS) and/or Microsoft Configuration Manager, this new "Microsoft Defender for Endpoint update for EDR Sensor" is available under the category "Microsoft Defender for Endpoint."
Functionality in the modern unified solution for Windows Server 2016 and Windows Server 2012 R2
The previous implementation (before April 2022) of onboarding Windows Server 2016 and Windows Server 2012 R2 required the use of Microsoft Monitoring Agent (MMA). The modern, unified solution package makes it easier to onboard servers by removing dependencies and installation steps. It also provides a much expanded feature set. For more information, see the following resources:
- Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution
- Tech Community Blog: Defending Windows Server 2012 R2 and 2016
Depending on the server that you're onboarding, the unified solution installs Defender for Endpoint and/or the EDR sensor on the server. The following table indicates what component is installed and what is built in by default.
Server version | Microsoft Defender Antivirus | EDR sensor |
---|---|---|
Windows Server 2012 R2 | | |
Windows Server 2016 | Built-in | |
Windows Server 2019 and later | Built-in | Built-in |
Known issues and limitations in the modern unified solution
The following points apply to Windows Server 2016 and Windows Server 2012 R2:
- Always download the latest installer package from the Microsoft Defender portal (https://security.microsoft.com) before performing a new installation, and ensure prerequisites are met. After installation, make sure to update regularly using the component updates described in the section Update packages for Defender for Endpoint on Windows Server 2012 R2 and 2016.
- An operating system update can introduce an installation issue on machines with slower disks due to a timeout with service installation. Installation fails with the message "Couldn't find c:\program files\windows defender\mpasdesc.dll, - 310 WinDefend". Use the latest installation package, and the latest install.ps1 script to help clear the failed installation if necessary.
- The user interface on Windows Server 2016 and Windows Server 2012 R2 only allows for basic operations. To perform operations on a device locally, refer to Manage Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe. As a result, features that specifically rely on user interaction, such as where the user is prompted to make a decision or perform a specific task, might not work as expected. It's recommended to disable (or not enable) the user interface and not to require user interaction on any managed server, as it may impact protection capability.
- Not all attack surface reduction rules are applicable to all operating systems. See Attack surface reduction rules.
- Operating system upgrades aren't supported. Offboard, then uninstall, before upgrading. The installer package can only be used to upgrade installations that haven't yet been updated with new anti-malware platform or EDR sensor update packages.
- To automatically deploy and onboard the new solution using Microsoft Endpoint Configuration Manager (MECM), you need to be on version 2207 or later. You can still configure and deploy using version 2107 with the hotfix rollup, but this requires extra deployment steps. See Microsoft Endpoint Configuration Manager migration scenarios for more information.
Onboard Linux servers
To onboard servers running Linux, follow these steps:
1. Make sure to review the Prerequisites for Microsoft Defender for Endpoint on Linux.
2. Choose a deployment method. Depending on your particular environment, you can choose from several options:
   - Installer script based deployment
   - Ansible based deployment
   - Chef based deployment
   - Puppet based deployment
   - Saltstack based deployment
   - Manual deployment (uses a local script)
   - Direct onboarding with Defender for Cloud
   - Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint
   - Deployment guidance for Defender for Endpoint on Linux for SAP
3. Configure your capabilities. See Configure security settings in Microsoft Defender for Endpoint on Linux.
Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Defender for Endpoint device.
Note
Running Microsoft Defender Antivirus isn't required but it's recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Defender for Endpoint sensor (SENSE) is running.
On Windows Server devices that should have Microsoft Defender Antivirus installed in active mode, run the following command:
sc.exe query Windefend
If the result is, "The specified service doesn't exist as an installed service," then you need to install Microsoft Defender Antivirus.
Run the following command to verify that Defender for Endpoint is running:
sc.exe query sense
The result should show it's running. If you encounter issues with onboarding, see Troubleshoot onboarding.
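The two service checks above can be combined into a single post-onboarding health check that also reads the antivirus running mode only after SENSE is confirmed running. This is an added example, not part of the original article or of Microsoft's tooling; the function name `Test-MdeOnboardingState`, its `-ExpectPassiveMode` switch, and the output fields are hypothetical, and it assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present on the server.

```powershell
# Added example: post-onboarding health check for a Windows Server.
# The service names WinDefend and Sense come from the sc.exe commands above;
# the function name, switch, and output fields are hypothetical.
function Test-MdeOnboardingState {
    [CmdletBinding()]
    param(
        # Set when a non-Microsoft antivirus is primary and Defender Antivirus should be passive.
        [switch]$ExpectPassiveMode
    )

    $result = [ordered]@{
        AntivirusInstalled = $false
        AntivirusStatus    = 'NotInstalled'
        SenseStatus        = 'NotInstalled'
        RunningMode        = 'Unknown'
        Healthy            = $false
    }

    # Equivalent of "sc.exe query Windefend": a missing service means the feature must be installed.
    $av = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($av) {
        $result.AntivirusInstalled = $true
        $result.AntivirusStatus    = [string]$av.Status
    }

    # Equivalent of "sc.exe query sense": the EDR sensor must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) { $result.SenseStatus = [string]$sense.Status }
    $senseRunning = $result.SenseStatus -eq 'Running'

    # Read the antivirus running mode only after SENSE is confirmed running,
    # because passive mode can't be confirmed before that.
    if ($senseRunning -and $av) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($mp) { $result.RunningMode = [string]$mp.AMRunningMode }
    }

    if ($ExpectPassiveMode) {
        $result.Healthy = $senseRunning -and ($result.RunningMode -like '*Passive*')
    } else {
        $result.Healthy = $senseRunning -and ($result.AntivirusStatus -eq 'Running') -and
                          ($result.RunningMode -eq 'Normal')
    }
    [pscustomobject]$result
}

Test-MdeOnboardingState
```

Run it with `-ExpectPassiveMode` on servers where another antivirus product is the primary endpoint protection solution.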
Offboard Windows servers
You can offboard Windows servers by using the same methods that are available for Windows client devices:
- Offboard devices using Configuration Manager
- Offboard devices using Mobile Device Management tools
- Offboard devices using Group Policy
- Offboard devices using a local script
After offboarding, you can proceed to uninstall the unified solution package on Windows Server 2016 and Windows Server 2012 R2. For previous versions of Windows Server, you have two options to offboard Windows servers from the service:
- Uninstall the MMA agent
- Remove the Defender for Endpoint workspace configuration
Note
These offboarding instructions for other Windows Server versions also apply if you're running the previous Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at Server migration scenarios in Defender for Endpoint.
See also
- Onboard Windows and Mac client devices to Microsoft Defender for Endpoint
- Configure proxy and Internet connectivity settings
- Run a detection test on a newly onboarded Defender for Endpoint device
- Troubleshooting Defender for Endpoint onboarding issues
- Troubleshoot onboarding issues related to Security Management for Defender for Endpoint
- Microsoft Defender for Endpoint - Mobile Threat Defense (for iOS and Android devices)