Applies to:
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Servers Plan 1 or Plan 2
Note
On Windows Server 2016, always ensure the operating system and Microsoft Defender Antivirus are fully updated before proceeding with installation or upgrade. To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update KB5005292 gets applied or approved after installation. In addition, to keep protection components updated, please reference Manage Microsoft Defender Antivirus updates and apply baselines.
These instructions apply to the new unified solution and installer (MSI) package of Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
If you are using Microsoft Defender for Cloud to perform deployment, you can automate installation and upgrade. See Defender for Servers Plan 2 now integrates with MDE unified solution.
Note
Operating system upgrades with Defender for Endpoint installed aren't supported. Offboard, uninstall, upgrade the operating system, and then proceed with installation.
Installer script
Note
Make sure the machines you run the script on aren't blocking the execution of the script. The recommended execution policy setting for PowerShell is AllSigned. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script is running as SYSTEM on the endpoint.
To facilitate upgrades when Microsoft Endpoint Configuration Manager isn't yet available or updated to perform the automated upgrade, you can use this upgrade script. Download it by selecting the "Code" button and downloading the .zip file, then extracting install.ps1. It can help automate the following required steps:
1. Remove the OMS workspace for Defender for Endpoint (OPTIONAL).
2. Remove the System Center Endpoint Protection (SCEP) client if installed.
3. Review the Prerequisites for Windows Server 2016 and 2012 R2.
4. Enable and update the Microsoft Defender Antivirus feature on Windows Server 2016.
5. Install Defender for Endpoint.
6. Apply the onboarding script for use with Group Policy downloaded from the Microsoft Defender portal.
To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see Onboard servers).
Example:
.\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"
For more information on how to use the script, use the PowerShell command get-help .\install.ps1.
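The note above recommends running install.ps1 under the AllSigned execution policy, which only works once the script's signing certificate is trusted on the machine. The following PowerShell is an added example, not part of the Microsoft page or the installer script: it verifies the Authenticode signature on install.ps1, checks the signer against a subject string you supply (the expected signer is an operator-provided assumption, not a value from the page), imports the signer into the Local Computer Trusted Publishers store, and then sets AllSigned.

```powershell
# Added example (not from the Microsoft docs page or the installer script).
# Verify install.ps1's Authenticode signature before trusting its publisher,
# so the script can run under the AllSigned policy (including as SYSTEM).
# Assumptions: run elevated; install.ps1 is in the current directory; the
# expected signer subject is supplied by the operator (no default is assumed).
param(
    [string]$ScriptPath = ".\install.ps1",
    [Parameter(Mandatory)][string]$ExpectedSubjectMatch
)

# Refuse anything that is not a fully valid signature (NotSigned, HashMismatch,
# UnknownError for an untrusted chain, and so on all fail this check).
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to trust '$ScriptPath': signature status is $($sig.Status) ($($sig.StatusMessage))"
}

# Pin the signer identity rather than trusting any validly signed file.
$cert = $sig.SignerCertificate
if ($cert.Subject -notlike "*$ExpectedSubjectMatch*") {
    throw "Signer subject '$($cert.Subject)' does not match expected '$ExpectedSubjectMatch'"
}
Write-Host "Signed by $($cert.Subject); thumbprint $($cert.Thumbprint)"

# Import the signer into LocalMachine\TrustedPublisher (skip if already present).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
$present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $present) {
    $store.Add($cert)
    Write-Host "Added signer to LocalMachine\TrustedPublisher"
}
$store.Close()

# Enforce the recommended execution policy for the machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Confirm the script is still accepted under the new policy.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
"Policy: $(Get-ExecutionPolicy -Scope LocalMachine); signature: $($check.Status)"
```

Under AllSigned the certificate chain must also be trusted by the machine; if the signature status is not Valid, fix the chain rather than lowering the policy.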
Microsoft Endpoint Configuration Manager migration scenarios
Note
You'll need Configuration Manager, version 2107 or later, to perform Endpoint Protection policy configuration. From version 2207 or later, deployment and upgrades can be fully automated.
For instructions on how to migrate using Configuration Manager older than version 2207, see Migrating servers from Microsoft Monitoring Agent to the unified solution.
If you are running a non-Microsoft antivirus solution
1. Fully update the machine, including Microsoft Defender Antivirus (Windows Server 2016), ensuring the Prerequisites for Windows Server 2016 and 2012 R2 are met.
2. Ensure your non-Microsoft antivirus management solution no longer pushes antivirus agents to these machines.
3. Author your policies for the protection capabilities in Defender for Endpoint and target those to the machine in the tool of your choice.
4. Install the Defender for Endpoint package for Windows Server 2012 R2 and Windows Server 2016, and set it to passive mode.
5. Apply the onboarding script for use with Group Policy downloaded from the Microsoft Defender portal.
6. Apply updates.
7. Remove your non-Microsoft antivirus software by either using the non-Microsoft antivirus console or by using Configuration Manager as appropriate. Make sure to remove the passive mode configuration.
To move a machine out of passive mode, set the following key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 0
Tip
You can use the [installer script](server-migration.md#installer-script) as part of your application to automate the above steps. To enable passive mode, apply the -Passive flag. For example: .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive
In the preceding procedure, steps 2 and 7 apply only if you intend to replace your non-Microsoft antivirus solution. See Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
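Step 7 above ends with removing the passive mode configuration. The following PowerShell is an added example, not part of the Microsoft page or the installer script: it reads the ForceDefenderPassiveMode value from the registry path given above, writes 0 when the machine is still forced passive, reads the value back, and then reports Defender Antivirus's running mode through Get-MpComputerStatus so you can confirm the engine is actually active. It assumes an elevated session on a server where the unified Defender for Endpoint package is installed and the non-Microsoft antivirus has already been removed.

```powershell
# Added example (not from the Microsoft docs page or the installer script).
# Take a server out of passive mode after the non-Microsoft antivirus is gone,
# then confirm Microsoft Defender Antivirus is the active engine.
# Assumption: run elevated on Windows Server 2012 R2/2016 with the unified
# Defender for Endpoint package installed and onboarded.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

function Get-PassiveModeSetting {
    # Returns $null when the value is absent (Defender is not forced passive).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-DefenderActive {
    # Create the policy key if needed, then write ForceDefenderPassiveMode = 0.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-PassiveModeSetting
$shown  = if ($null -eq $before) { '<not set>' } else { $before }
Write-Host "ForceDefenderPassiveMode before: $shown"

if ($before -eq 1) {
    Set-DefenderActive
}

# Read back and fail loudly if the write did not land.
$after = Get-PassiveModeSetting
if ($null -ne $after -and $after -ne 0) {
    throw "Registry write failed: ForceDefenderPassiveMode is still $after"
}

# AMRunningMode reports 'Normal' once Defender AV is active; a service restart
# may be needed before the change is reflected. Guard for hosts without the module.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ForceDefenderPassiveMode = $after
        AMRunningMode            = $status.AMRunningMode
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
    }
} else {
    Write-Warning 'Get-MpComputerStatus not available; verify the running mode another way.'
}
```

If AMRunningMode still reports passive after the value is 0, the non-Microsoft antivirus is likely still registered on the host; finish step 7 before rechecking.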
If you are running System Center Endpoint Protection but aren't managing the machine using Configuration Manager (MECM/ConfigMgr)
1. Fully update the device, including Microsoft Defender Antivirus (on Windows Server 2016), ensuring the Prerequisites for Windows Server 2016 and 2012 R2 are met.
2. Create and apply policies using Group Policy, PowerShell, or a non-Microsoft management solution.
3. Uninstall System Center Endpoint Protection (Windows Server 2012 R2).
4. Install Microsoft Defender for Endpoint (see Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender for Endpoint).
5. Apply the onboarding script for use with Group Policy downloaded from the Microsoft Defender portal.
6. Apply updates.
Tip
You can use the installer script to automate the steps in the preceding procedure.
Microsoft Defender for Cloud scenarios
You're using Microsoft Defender for Cloud. The Microsoft Monitoring Agent (MMA) and/or Microsoft Antimalware for Azure (SCEP) are installed and you want to upgrade.
If you're using Microsoft Defender for Cloud, you can use the automated upgrade process. See Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint.
Group Policy configuration
For configuration using Group Policy, ensure you're using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. For reference, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows and download the latest files for use with Windows 10.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.