Microsoft announced last week the public preview of the new unified Defender for Endpoint solution for Windows Server 2012R2 and Server 2016. The unified solution brings the latest security features directly to Windows Server 2012R2 and 2016.

Important: Feature currently in public preview. Article updated 13 October 2021 

Previous method

Previously there was a large gap between the latest Server 2019 build and the down-level OS versions. Compared with Server 2019, the onboarding process was quite complex and relied on the Microsoft Monitoring Agent (MMA). The MMA was required because the EDR sensor was not built in on Server 2016 and Server 2012R2.

Server 2016 is installed with Microsoft Defender Antivirus by default. Server 2012R2 has no AV installed by default, so System Center Endpoint Protection (SCEP) had to be installed.

With the Microsoft Monitoring Agent and Defender AV/SCEP, there were still some missing protection features – like Attack Surface Reduction, Automated Investigation, Network Protection, and many more protection features. 

Now the good news. The new unified solution for Server 2012R2 and Server 2016 is currently in public preview. It reduces complexity by removing dependencies and installation steps and, more importantly, it no longer needs SCEP or the MMA, while making all the latest security features available.

The new unified package brings the following major improvements directly in the new Defender for Endpoint solution:

  • Attack Surface Reduction rules
  • Network protection
  • Controlled Folder Access
  • Potentially Unwanted Application blocking
  • Improved detection capabilities
  • Response capabilities
  • EDR in block mode
  • Automated Investigation and Response (AIR)
  • Tamper Protection
  • Live Response

Overview of all features


Download new Defender for Endpoint agent

The new unified solution is available in one single package for all the down-level systems. A small summary for all the Server OS systems:

Built-in Defender AV and EDR sensor; only the onboarding package is needed to onboard:

  • Windows Server 1803
  • Windows Server 2019
  • Windows Server 2022

The new unified MDE installation package and the onboarding package are both needed to onboard:

  • Windows Server 2012R2
  • Windows Server 2016

For downloading the new source files:

  1. Go to the security.microsoft.com portal
  2. Click on Settings -> Endpoints -> Onboarding
  3. Select Windows Server 2012R2 and 2016 (preview)
    1. Change the deployment method
  4. Download the installation package and onboarding package

If the Windows Server 2012R2 and Server 2016 (preview) item is not visible, make sure preview features are enabled in the portal. To enable preview features:

  1. Go to the security.microsoft.com portal
  2. Click on Settings -> Endpoints -> Advanced features
  3. Enable the preview features setting


Prerequisites

The new unified solution has fewer requirements than the legacy method. The following requirements must be met to correctly onboard Server 2012R2 and Server 2016 and enable the Defender AV agent.

Network

Ensure connectivity requirements are configured. Network requirements are the same as Windows Server 2019. Important: There is no OMS Gateway support for the new agent. Follow the instructions for configuring the network connectivity. 

Defender AV

On Windows Server 2016, Microsoft Defender Antivirus must be installed and up to date before running the new installer. Make sure the Windows-Defender-Feature server role is enabled.

Updates

Make sure the machines are fully updated with the latest available updates. Check for the following updates if systems are not fully patched with the latest monthly rollup patches: 

2012R2:

  • KB2999226
  • KB3080149
  • KB4645768 (available after October 12 2021) – improves the MDE network events view

Installation – Manual

Installation of the new Defender for Endpoint agent is quite easy. The md4ws.msi supports silent parameters. 

Installation: msiexec /i md4ws.msi /quiet

Passive mode

If a non-Microsoft antivirus/antimalware solution is already in place, passive mode for the Microsoft Defender Antivirus components can be enabled directly during installation. Use the following parameter:

FORCEPASSIVEMODE=1

Or use the following registry key for enabling passive mode after the installation or deploy with the use of any management systems.

  • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • Name: ForceDefenderPassiveMode
  • Type: REG_DWORD
  • Value: 1
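As an added example (not part of the original post), the script below sets the ForceDefenderPassiveMode value described above and reads back the resulting AV running mode from Get-MpComputerStatus. It assumes md4ws.msi is already installed and the Defender AV service is running.

```powershell
# Added example, not from the original post: set the ForceDefenderPassiveMode
# value from the article and read back the AV running mode reported by
# Get-MpComputerStatus (AMRunningMode). Assumes md4ws.msi is already installed.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'ForceDefenderPassiveMode'

function Set-DefenderPassiveMode {
    param([bool]$Enable = $true)
    if (-not (Test-Path $PolicyPath)) {
        # The policy key does not exist on a server that has never been onboarded.
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $value = if ($Enable) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-DefenderRunningMode {
    $policy = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        PolicyValue     = if ($policy) { $policy.$ValueName } else { 'not set' }
        AMRunningMode   = $status.AMRunningMode      # Normal, Passive Mode or EDR Block Mode
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        PlatformVersion = $status.AMProductVersion
    }
}

Set-DefenderPassiveMode -Enable $true
# The running mode only changes once the Defender service re-reads the policy,
# so a freshly set value can still show AMRunningMode = Normal for a moment.
Get-DefenderRunningMode | Format-List
```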

After the md4ws.msi installation – run the Defender for Endpoint onboarding package for completing the Defender for Endpoint onboarding. 


Installation – GitHub Script

Microsoft published a GitHub helper script. Using the script, most of the installation tasks can be automated. The script will do the following:

  1. Remove the MMA workspace when the RemoveMMA workspace GUID is supplied
  2. Uninstall SCEP if present on the system
  3. Install the needed hotfixes (may not be needed on fully updated servers)
    1. KB2999226
    2. KB3080149
  4. Install Defender for Endpoint MSI
  5. Run onboarding script

Install and remove MMA agent

.\Install.ps1 -RemoveMMA FILLINMMA-ID -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"
 
Install and configure passive mode

.\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive

Install without MMA agent removal

.\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd"


Installation

When installing with the MSI or with the script, one of the most common errors is: Please update Windows Defender. Make sure the latest platform update is installed before running the installer.

To check the current platform version, use the PowerShell command Get-MpComputerStatus and check the value of AMProductVersion.
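The following pre-flight script is an added example (not from the original post or Microsoft's helper script) that checks the prerequisites listed earlier and the platform version behind the "Please update Windows Defender" error. The minimum platform version is a placeholder I chose, and the Windows feature names are my assumption; take the documented values from Microsoft.

```powershell
# Added example, not from the original post: pre-flight check for the md4ws.msi
# installer covering the prerequisites and the "Please update Windows Defender"
# error from the article. $MinPlatformVersion is a placeholder I chose; take the
# real minimum from Microsoft's documentation. Feature names are my assumption.
$MinPlatformVersion = [version]'4.18.2000.0'        # placeholder value
$RequiredHotfixes   = @('KB2999226', 'KB3080149')   # Server 2012R2, from the article

function Test-MdeUnifiedPrereqs {
    $os       = Get-CimInstance Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $is2012R2 = ($build -eq 9600)
    $is2016   = ($build -eq 14393)
    $results  = New-Object System.Collections.ArrayList

    function Add-Check($name, $ok, $detail) {
        [void]$results.Add([pscustomobject]@{ Check = $name; Passed = [bool]$ok; Detail = "$detail" })
    }

    Add-Check 'Supported OS (2012R2 or 2016)' ($is2012R2 -or $is2016) "$($os.Caption) build $build"

    if ($is2016) {
        # The article requires the Windows Defender feature to be enabled on 2016.
        $feat = Get-WindowsFeature -Name 'Windows-Defender-Features', 'Windows-Defender' -ErrorAction SilentlyContinue
        Add-Check 'Windows Defender feature installed' ($feat | Where-Object Installed) (($feat | ForEach-Object { "$($_.Name)=$($_.InstallState)" }) -join ', ')
    }

    if ($is2012R2) {
        foreach ($kb in $RequiredHotfixes) {
            $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
            Add-Check "Hotfix $kb present" ($null -ne $hf) $hf.InstalledOn
        }
    }

    # "Please update Windows Defender" normally means the AV platform is too old
    # (or, on 2012R2 with SCEP, that the Defender cmdlets are not there at all).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $ver = [version](Get-MpComputerStatus).AMProductVersion
        Add-Check 'AV platform version' ($ver -ge $MinPlatformVersion) "AMProductVersion $ver, minimum $MinPlatformVersion"
    } else {
        Add-Check 'AV platform version' $false 'Get-MpComputerStatus not available'
    }
    return $results
}

Test-MdeUnifiedPrereqs | Format-Table -AutoSize
```

Run it before the installer; any row with Passed = False is a reason the MSI or helper script is likely to fail.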

Result after installing and onboarding with the GitHub script: 

For Server 2012R2 and Server 2016 the Sense service is enabled after completing the MDE onboarding script. 


Checking AV Running mode/ passive state

The new unified solution supports the Passive and EDR in Block mode. The following modes are available:

  • Active
  • Passive
  • EDR in Block

When the passive parameter or registry key from the previous steps is used, the Defender for Endpoint installation runs in passive mode. To check the passive mode, use the following PowerShell command: Get-MpComputerStatus

Get-MpComputerStatus: Active state

Get-MpComputerStatus: EDR in block / Passive

The AV mode is not directly visible in the portal. The AVMode is now available with the use of Advanced Hunting. 


Differences in portal

After onboarding, the new features are visible on the device page. The following actions are now available in comparison with the legacy MMA situation:

  • Isolate devices
  • Run Antivirus Scan
  • Collect Investigation Package
  • Initiate Live Response Session (now supported)
  • Initiate Automated Investigation (now supported)

Server 2016 ( legacy MMA)

Server 2016 (new MDE unified solution agent)


Configuration

With the new unified solution, all Group Policy settings, PowerShell commands, and other management options available for Server 2019 are also available for Server 2012R2 and Server 2016. You can use the Server 2019 Group Policy templates to manage Defender on Windows Server 2012R2 and 2016.

The Defender PowerShell cmdlets are supported on Server 2016 and 2012R2.


Configuration – Attack Surface Reduction

Attack Surface Reduction is available with the new unified solution. Depending on the Server OS there are some differences in ASR rule support.

ASR Rule | ID | Server 2016 | Server 2012R2
--- | --- | --- | ---
Block abuse of exploited vulnerable signed drivers | 56a863a9-875e-4185-98a7-b882c64b5ce5 | Yes | Yes
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Yes | Yes
Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a | Yes | Yes
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Yes | Yes
Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | Yes | Yes
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Yes | Yes
Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc | Yes | Yes
Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d | Yes | No
Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 | Yes | Yes
Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 | Yes | Yes
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Yes | Yes
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Yes | Yes
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Yes | Yes
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Yes | Yes
Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | No | No
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | No | No

ASR configuration uses the same methods as on Server 2019. Below is the PowerShell example.

Enabled: 

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

AuditMode: 

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
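As an added example (not from the original post), the script below applies the rules from the table above in audit mode, skipping the rules the table marks as unsupported on the local OS, and then reports the configured state of every rule. The rule names and GUIDs are taken from the table; the build-number-to-OS mapping and the helper names are mine. Note that Add-MpPreference appends to the configured rule list, whereas Set-MpPreference with -AttackSurfaceReductionRules_Ids replaces it.

```powershell
# Added example, not from the original post; rule names/GUIDs and support flags are from the article's table, the build mapping is mine.
$AsrRules = @(
    @{ Name='Block abuse of exploited vulnerable signed drivers';            Id='56a863a9-875e-4185-98a7-b882c64b5ce5'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block Adobe Reader from creating child processes';              Id='7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block all Office applications from creating child processes';  Id='d4f940ab-401b-4efc-aadc-ad5f3c50688a'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block credential stealing from lsass.exe';                      Id='9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block executable content from email client and webmail';       Id='be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block executables unless prevalence, age or trusted list';     Id='01443614-cd74-433a-b99e-2ecdc07bfc25'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block execution of potentially obfuscated scripts';            Id='5beb7efe-fd9a-4556-801d-275e5ffc04cc'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block JavaScript/VBScript launching downloaded executables';   Id='d3e037e1-3eb8-44c8-a917-57927947596d'; S2016=$true;  S2012R2=$false }
    @{ Name='Block Office applications from creating executable content';   Id='3b576869-a4ec-4529-8536-b80a7769e899'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block Office applications from injecting code';                 Id='75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block Office communication app from creating child processes'; Id='26190899-1602-49e8-8b27-eb1d0a1ce869'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block process creations from PSExec and WMI commands';          Id='d1e49aac-8f56-4280-b9ba-993a6d77406c'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block untrusted and unsigned processes that run from USB';     Id='b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'; S2016=$true;  S2012R2=$true  }
    @{ Name='Use advanced protection against ransomware';                    Id='c1db55ab-c21a-4637-bb3f-a12568109d35'; S2016=$true;  S2012R2=$true  }
    @{ Name='Block Win32 API calls from Office macros';                      Id='92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'; S2016=$false; S2012R2=$false }
    @{ Name='Block persistence through WMI event subscription';             Id='e6db77e5-3df2-4cf1-b95a-636979351e5b'; S2016=$false; S2012R2=$false }
)
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-SupportedAsrRules {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    switch ($build) {
        9600    { $AsrRules | Where-Object { $_.S2012R2 } }  # Windows Server 2012R2
        14393   { $AsrRules | Where-Object { $_.S2016 } }    # Windows Server 2016
        default { $AsrRules }                                # Server 2019 and later
    }
}

function Set-AsrRulesAuditMode {
    $ids = @(Get-SupportedAsrRules | ForEach-Object { $_.Id })
    # Add-MpPreference appends to the configured list; Set-MpPreference with
    # -AttackSurfaceReductionRules_Ids would replace every rule already set.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions (@('AuditMode') * $ids.Count)
}

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($rule in $AsrRules) {
        $i = [array]::IndexOf($ids, $rule.Id)
        $state = if ($i -ge 0) { $ActionNames[[int]$actions[$i]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $rule.Name; Id = $rule.Id; State = $state }
    }
}

Set-AsrRulesAuditMode
Get-AsrRuleState | Format-Table -AutoSize
```

Review the audit events before switching the rules to Enabled, since the unsupported rules stay NotConfigured on the down-level OS no matter what is pushed.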

 


Configuration – Network Protection

Network Protection requires additional configuration on Server 2012R2 and Server 2016. Use the PowerShell commands below to enable the Network Protection feature.

  • Set-MpPreference -EnableNetworkProtection Enabled
  • Set-MpPreference -AllowNetworkProtectionOnWinServer 1
  • Set-MpPreference -AllowNetworkProtectionDownLevel 1
  • Set-MpPreference -AllowDatagramProcessingOnWinServer 1
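The script below is an added example (not from the original post) that applies the four settings above and then compares the live Get-MpPreference values against the expected ones, so that a Group Policy or another management tool silently resetting one of them shows up as drift. The function names are mine.

```powershell
# Added example, not from the original post: apply the Network Protection
# settings from the article and report any value that does not match, so
# drift (e.g. a GPO resetting one of them) is visible.
$Expected = [ordered]@{
    EnableNetworkProtection            = 1      # 1 = Enabled, 2 = AuditMode, 0 = Disabled
    AllowNetworkProtectionOnWinServer  = $true
    AllowNetworkProtectionDownLevel    = $true
    AllowDatagramProcessingOnWinServer = $true
}

function Enable-MdeNetworkProtection {
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -AllowNetworkProtectionOnWinServer 1
    Set-MpPreference -AllowNetworkProtectionDownLevel 1
    Set-MpPreference -AllowDatagramProcessingOnWinServer 1
}

function Test-MdeNetworkProtection {
    $pref = Get-MpPreference
    foreach ($name in $Expected.Keys) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ([int]$actual -eq [int]$Expected[$name])   # bool and byte both compare as int
        }
    }
}

Enable-MdeNetworkProtection
$report = Test-MdeNetworkProtection
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Network Protection is not fully configured; check for Group Policy overrides.'
}
```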


Result: Automated Investigation & Response AIR

Server 2016:

Server 2012R2:

Result: Live Response 

Server 2016:

Server 2012R2:


Good to know

Other platforms

Azure Defender: Azure Defender integration is coming to public preview in Q1 of 2022. Whilst you can install the new solution on these machines, no alerts will be displayed in Azure Security Center.

Known issues and limitations

View the issues and limitations.

Update package for EDR sensor

The current installation contains the most up-to-date version of the EDR sensor. KB5005292 is the update package for the new EDR sensor. Make sure the update is approved and deployed in the environment.

MMA workspace

When installing the new solution, the MMA will no longer be used by Microsoft Defender for Endpoint. If you have multiple workspaces – for Azure Sentinel or other data collectors, they will continue to work. 

In-place upgrade of the OS

Should you do an in-place upgrade of the OS (from 2012 R2 to 2016, or 2016 to 2019) you will need to first offboard Defender for Endpoint and then onboard again.


Conclusion

The new Defender for Endpoint preview for Server 2012R2 and 2016 is much easier to work with than the legacy MMA onboarding method. The new unified solution package reduces complexity by removing dependencies and installation steps. It also standardizes capabilities and functionality across the complete Defender for Endpoint stack.

Oh, and it is always a good idea to upgrade Server 2012R2 and 2016 to one of the latest Server versions. Don’t stay behind if you can upgrade easily to Server 2019 or higher.