Microsoft announced last week the public preview of the new unified Defender for Endpoint solution for Windows Server 2012R2 and Server 2016. The new unified solution brings the latest security features directly to Windows Server 2012R2 and 2016.
Important: This feature is currently in public preview. Article updated 13 October 2021.
Previous method
Previously there was a large gap between the latest Server 2019 build and the down-level OS systems. Compared with Server 2019, the onboarding process was quite complex because it relied on the Microsoft Monitoring Agent (MMA). The MMA agent was required because the EDR sensor was not built in for Server 2016 and Server 2012R2.
Server 2016 is installed with Microsoft Defender Antivirus by default. Server 2012R2 had no AV installed by default, so you had to install System Center Endpoint Protection (SCEP).
With the Microsoft Monitoring Agent and Defender AV/SCEP, some protection features were still missing, such as Attack Surface Reduction, Automated Investigation, Network Protection, and many more.
Now the good news. The new unified solution for Server 2012R2 and Server 2016 is currently in public preview. It reduces complexity by removing dependencies and installation steps. More important: no more SCEP, no more MMA, and all the latest security features are available.
The new unified package brings the following major improvements directly in the new Defender for Endpoint solution:
- Attack Surface Reduction rules
- Network protection
- Controlled Folder Access
- Potentially Unwanted Application blocking
- Improved detection capabilities
- Response capabilities
- EDR in block mode
- Automated Investigation and Response (AIR)
- Tamper Protection
- Live Response
Download new Defender for Endpoint agent
The new unified solution is available in one single package for all the down-level systems. A small summary for all the Server OS systems:
Built-in Defender AV and EDR sensor. Only the onboarding package is needed for onboarding:
- Windows Server 1803
- Windows Server 2019
- Windows Server 2022
The new unified MDE installation package and the onboarding package are both needed for onboarding:
- Windows Server 2012R2
- Windows Server 2016
For downloading the new source files:
- Go to the security.microsoft.com portal
- Click on Settings -> Endpoints -> Onboarding
- Select Windows Server 2012R2 and 2016 (preview)
- Change the deployment method
- Download the installation package and onboarding package
When the Windows Server 2012R2 and 2016 (preview) item is not visible, make sure the preview features are enabled in the portal. To enable the preview features:
- Go to the security.microsoft.com portal
- Click on Settings -> Endpoints -> Advanced features
- Enable the preview features setting
Prerequisites
The new unified solution has fewer requirements than the legacy method. The following requirements must be met to correctly onboard Server 2012R2 and Server 2016 and enable the Defender AV agent.
Network
Ensure the connectivity requirements are configured. The network requirements are the same as for Windows Server 2019. Important: there is no OMS Gateway support for the new agent. Follow the instructions for configuring network connectivity.
Defender AV
On Windows Server 2016, Microsoft Defender Antivirus must be installed and up to date before running the new installer. Make sure the Windows-Defender-Feature server role is enabled.
Updates
Make sure the machines are fully updated with the latest available updates. If the systems are not fully patched with the latest monthly rollups, check for the following updates:
2012R2:
- KB2999226
- KB3080149
- KB4645768 (available after October 12 2021): improves the MDE network events view
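The prerequisite checks above (OS version, the 2012R2 updates, the Defender feature on 2016, and the AV platform version) as a single pre-flight script. This is an added example written for this post, not Microsoft's or the post's own script; it assumes an elevated PowerShell session on the target server and that Windows-Defender is the feature name to check on Server 2016.

```powershell
# Added pre-flight check for this post (not Microsoft's or the post's own script).
# Assumptions: run in an elevated PowerShell session on the target server;
# 'Windows-Defender' is the feature name checked on Server 2016.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$is2012R2 = $os.Version -like '6.3.*'
$is2016   = $os.Version -like '10.0.14393*'
if (-not ($is2012R2 -or $is2016)) {
    throw "Expected Server 2012R2 or 2016, found: $($os.Caption) ($($os.Version))"
}
$problems = @()

if ($is2012R2) {
    # Updates named in the post; KB4645768 only improves the network events view.
    # Get-HotFix lists installed KBs; a rollup that supersedes them may not show the
    # original KB number, so a missing item means "verify", not "definitely absent".
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in 'KB2999226', 'KB3080149') {
        if ($installed -notcontains $kb) { $problems += "Missing required update $kb" }
    }
    if ($installed -notcontains 'KB4645768') {
        Write-Warning 'KB4645768 not found (optional: MDE network events view)'
    }
}

if ($is2016) {
    # Defender AV must be installed and current before md4ws.msi runs.
    $feature = Get-WindowsFeature -Name Windows-Defender
    if (-not $feature.Installed) { $problems += 'Windows-Defender feature is not installed' }
}

# The platform version is what the "Please update Windows Defender" error is about.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    "Defender platform (AMProductVersion): $($status.AMProductVersion)"
    "Engine: $($status.AMEngineVersion), signatures: $($status.AntivirusSignatureVersion)"
} elseif ($is2016) {
    $problems += 'Get-MpComputerStatus is not available; the Defender module is missing'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; fix the items above before installing md4ws.msi.'
}
'Prerequisite check passed.'
```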
Installation – Manual
Installing the new Defender for Endpoint agent is quite easy. The md4ws.msi supports silent installation parameters.
Installation: Msiexec /i md4ws.msi /quiet
Passive mode
If a non-Microsoft antivirus/antimalware solution is already the default, passive mode can be enabled directly for the Microsoft Defender Antivirus components. To enable passive mode, use the following MSI parameter:
FORCEPASSIVEMODE=1
Alternatively, set the following registry key to enable passive mode after the installation, or deploy it with any management system. The registry key must be in place when the MDE onboarding runs in order to force the passive mode state.
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
- Value: 1
After the md4ws.msi installation, run the Defender for Endpoint onboarding package to complete the Defender for Endpoint onboarding.
Installation – GitHub Script
Microsoft published a helper script on GitHub. Using the script, most of the installation tasks can be automated. The script does the following:
- Remove the MMA workspace when the RemoveMMA workspace GUID is provided
- Uninstall SCEP if present on the system
- Install the needed hotfixes (may not be needed on fully updated servers)
  - KB2999226
  - KB3080149
- Install the Defender for Endpoint MSI
- Run the onboarding script
Install with passive mode enabled (add -RemoveMMA <workspace GUID> to also remove the MMA workspace):
.\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive
Install in active mode, without MMA workspace removal:
.\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"
Installation
During installation with the MSI or with the script, one of the most common errors is: Please update Windows Defender. Make sure the latest platform update is installed before running the installer.
To check the current platform version, use the PowerShell command Get-MpComputerStatus and check the value of AMProductVersion.
Result after installing and onboarding with the GitHub script:
For Server 2012R2 and Server 2016 the Sense service is enabled after completing the MDE onboarding script.
Checking AV Running mode/ passive state
The new unified solution supports passive mode and EDR in block mode. The following modes are available:
- Active
- Passive
- EDR in Block
When the passive parameter or registry key from the previous steps is used, the Defender for Endpoint installation will run in passive mode. To check the passive mode, use the PowerShell command: Get-MpComputerStatus
(Screenshot: Get-MpComputerStatus output in active state)
(Screenshot: Get-MpComputerStatus output in EDR in block / passive mode)
The AV mode is not directly visible in the portal. The AVMode is now available through Advanced Hunting.
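A post-onboarding check that combines the items above (Sense service, Get-MpComputerStatus running mode, and the ForceDefenderPassiveMode registry value) into one report. This is an added example for this post, not Microsoft's or the post's own code; the AMRunningMode values and the Status\OnboardingState registry value are assumptions from my own knowledge of Defender, not taken from the post.

```powershell
# Added post-onboarding check for this post (not Microsoft's or the post's own code).
# Assumptions: run elevated after md4ws.msi and the onboarding package completed;
# AMRunningMode values and the Status\OnboardingState value are assumed from my own
# knowledge of Defender, not from the post.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$forced    = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
$onboarded = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$av    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$mp    = Get-MpComputerStatus

# AMRunningMode reports 'Normal', 'Passive Mode', 'EDR Block Mode' or 'SxS Passive Mode'.
$report = [pscustomobject]@{
    SenseService             = if ($sense) { $sense.Status } else { 'not installed' }
    DefenderAVService        = if ($av)    { $av.Status }    else { 'not installed' }
    AMRunningMode            = $mp.AMRunningMode
    AMProductVersion         = $mp.AMProductVersion
    ForceDefenderPassiveMode = if ($null -eq $forced)    { 'not set' } else { $forced }
    OnboardingState          = if ($null -eq $onboarded) { 'not set' } else { $onboarded }
}
$report

# Consistency checks. The post states the registry value must be present when the
# MDE onboarding runs, so a mismatch here usually means it was set too late.
if ($sense -and $sense.Status -ne 'Running') {
    Write-Warning 'Sense service is not running; onboarding did not complete.'
}
if ($forced -eq 1 -and $mp.AMRunningMode -eq 'Normal') {
    Write-Warning 'ForceDefenderPassiveMode=1 is set but AV still reports Normal mode; the key must be in place when onboarding runs.'
}
if ($mp.AMRunningMode -eq 'Passive Mode' -and -not $sense) {
    Write-Warning 'AV is passive but the Sense (EDR) service is missing: no protection is active.'
}
```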
Differences in portal
After onboarding, the new features are visible on the device page. Compared with the legacy MMA situation, the following actions are now available:
- Isolate devices
- Run Antivirus Scan
- Collect Investigation Package
- Initiate Live Response Session (now supported)
- Initiate Automated Investigation (now supported)
(Screenshot: device page for Server 2016 with the legacy MMA agent)
(Screenshot: device page for Server 2016 with the new MDE unified solution agent)
Configuration
With the new unified solution, all the Group Policy settings, PowerShell commands and other management options available for Server 2019 are also available for Server 2012R2 and Server 2016. You can use the Server 2019 Group Policy templates to manage Defender on Windows Server 2012R2 and 2016.
The Defender PowerShell cmdlets are supported on Server 2016 and 2012R2.
Configuration – Attack Surface Reduction
Attack Surface Reduction is available with the new unified solution. Depending on the Server OS there are some differences in ASR rule support:
| ASR Rule | ID | Server 2016 | Server 2012R2 |
|---|---|---|---|
| Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 | Yes | Yes |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Yes | Yes |
| Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a | Yes | Yes |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Yes | Yes |
| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | Yes | Yes |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Yes | Yes |
| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc | Yes | Yes |
| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d | Yes | No |
| Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 | Yes | Yes |
| Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 | Yes | Yes |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Yes | Yes |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Yes | Yes |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Yes | Yes |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Yes | Yes |
| Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | No | No |
| Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | No | No |
ASR can be configured with PowerShell using the same methods as on Server 2019, for example:
Enabled:
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
AuditMode:
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
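Building on the two commands above, an added example (for this post, not Microsoft's or the post's own code) that rolls out a subset of the rules from the table in audit mode, skips the one rule the table marks as unsupported on Server 2012R2, and then reports the resulting configuration. The rule subset is my own choice for illustration, not a recommendation from the post; it assumes an elevated session on an onboarded server.

```powershell
# Added ASR example for this post (not Microsoft's or the post's own code).
# Assumptions: run elevated on an onboarded Server 2012R2/2016; the rule set below
# is a chosen subset of the table above, not a recommendation from the post.
$rules = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript launching downloaded executables'
}
# Per the table, this rule is supported on Server 2016 but not on Server 2012R2.
$notOn2012R2 = @('d3e037e1-3eb8-44c8-a917-57927947596d')
$is2012R2 = (Get-CimInstance -ClassName Win32_OperatingSystem).Version -like '6.3.*'

foreach ($id in $rules.Keys) {
    if ($is2012R2 -and ($notOn2012R2 -contains $id)) {
        Write-Warning "Skipping '$($rules[$id])': not supported on Server 2012R2"
        continue
    }
    # Add-MpPreference appends (or updates) one rule; Set-MpPreference with
    # -AttackSurfaceReductionRules_Ids replaces the whole configured list.
    # Start in AuditMode so rule hits show up in the portal before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Report the resulting state. Action codes: 0 = Disabled, 1 = Block, 2 = Audit.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    [pscustomobject]@{
        RuleId = $id
        Name   = if ($rules.Contains($id)) { $rules[$id] } else { '(other rule)' }
        Action = if ($actionName.ContainsKey($action)) { $actionName[$action] } else { $action }
    }
}
```

Once the audit events look clean, re-run Add-MpPreference for the same IDs with -AttackSurfaceReductionRules_Actions Enabled to switch those rules to block mode.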
Configuration – Network Protection
Network Protection requires additional configuration on Server 2012R2 and Server 2016. Use the following PowerShell commands to enable the NetworkProtection feature:
- Set-MpPreference -EnableNetworkProtection Enabled
- Set-MpPreference -AllowNetworkProtectionOnWinServer 1
- Set-MpPreference -AllowNetworkProtectionDownLevel 1
- Set-MpPreference -AllowDatagramProcessingOnWinServer 1
Result: Automated Investigation & Response (AIR)
(Screenshots: AIR result on Server 2016 and on Server 2012R2)
Result: Live Response
(Screenshots: Live Response session on Server 2016 and on Server 2012R2)
Good to know
Other platforms
Azure Defender: Azure Defender integration is coming to public preview in Q1 2022. While you can install the new solution on these machines, no alerts will be displayed in Azure Security Center.
Known issues and limitations
View the issues and limitations.
Update package for EDR sensor
The current installation package contains the most up-to-date version of the EDR sensor. KB5005292 is the update package for the new EDR sensor; make sure the update is approved and deployed in the environment.
MMA workspace
When installing the new solution, the MMA is no longer used by Microsoft Defender for Endpoint. If you have multiple workspaces, for Azure Sentinel or other data collectors, they will continue to work.
In-place upgrade of the OS
If you do an in-place upgrade of the OS (from 2012 R2 to 2016, or 2016 to 2019), you need to offboard Defender for Endpoint first and then onboard again.
Conclusion
The new Defender for Endpoint preview for Server 2012R2 and 2016 is much easier than the legacy MMA onboarding method. The new unified solution package reduces complexity by removing dependencies and installation steps. It also standardizes capabilities and functionality across the complete Defender for Endpoint stack.
Oh, and it is always a good idea to upgrade Server 2012R2 and 2016 to one of the latest Server versions. Don't stay behind if you can easily upgrade to Server 2019 or higher.
Sources
- Microsoft: Defending Windows Server 2012 R2 and 2016
- Microsoft: New functionality in the modern unified solution for Windows Server 2012 R2 and 2016 Preview
- Microsoft: Onboard Windows servers to the Microsoft Defender for Endpoint service
- Microsoft: Attack Surface Reduction (ASR) rules
- GitHub: MDE helper script