Defender for Endpoint extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
To onboard down-level Windows client endpoints to Defender for Endpoint, you need to:
Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1). Alternatively, a Microsoft Defender for servers license is required, per node, in order to onboard a Windows server through Microsoft Defender for Cloud (Option 2), see Supported features available in Microsoft Defender for Cloud.
Configure and update System Center Endpoint Protection clients
Defender for Endpoint integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
If you're a US Government customer, under "Azure Cloud", you need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1.
If you're using a proxy to connect to the Internet see the Configure proxy and Internet connectivity settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
Configure proxy and Internet connectivity settings
If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server:
If a proxy or firewall is in use, ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see enable access to Microsoft Defender for Endpoint service URLs. Use of SSL interception prevents the system from communicating with the Defender for Endpoint service.
Once completed, you should see onboarded Windows servers in the portal within an hour.
Onboard Windows servers through Microsoft Defender for Cloud
In the Microsoft Defender XDR navigation pane, select Settings > Endpoints > Device management > Onboarding.
Select Windows Server 2008 R2 SP1 as the operating system.
Click Onboard Servers in Microsoft Defender for Cloud.
For onboarding via Microsoft Defender for servers to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started.
This is also required if the server is configured to use an OMS Gateway server as proxy.
Verify onboarding
Verify that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running.
Note
Running Microsoft Defender Antivirus is not required but it is recommended. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode. You can only confirm that passive mode is on after verifying that Microsoft Defender for Endpoint sensor (SENSE) is running.
Note
As Microsoft Defender Antivirus is only supported for Windows 10 and Windows 11, step 1 does not apply when running Windows Server 2008 R2 SP1.
Run the following command to verify that Microsoft Defender Antivirus is installed:
dos
sc.exe query Windefend
If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus. For more information, see Microsoft Defender Antivirus in Windows 10.
Create a new group policy specifically for onboarding devices such as "Microsoft Defender for Endpoint Onboarding".
Create a Group Policy Folder named "c:\windows\MMA"
This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script.
Create a Group Policy Files preference for each of the files stored in Net logon.
It copies the files from DOMAIN\NETLOGON\MMA\filename to
C:\windows\MMA\filename - so the installation files are local to the server:
Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope:
For Windows Server 2008 R2 you'll need (and it will only copy down) the following:
Windows6.1-KB3080149-x64.msu
Windows6.1-KB3154518-x64.msu
Windows6.1-KB4075598-x64.msu
Once this is done, you'll need to create a start-up script policy:
The name of the file to run here is c:\windows\MMA\DeployMMA.cmd.
Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded.
You could also use an immediate task to run the deployMMA.cmd if you don't want to reboot all the servers.
This could be done in two phases. First create the files and the folder in GPO - Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot.
As the Script has an exit method and won't re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present.
As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below:
For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
Please check the KBs are present before onboarding Windows Server 2008 R2. This process allows you to onboard all the servers if you don't have Configuration Manager managing Servers.
Offboard endpoints
You have two options to offboard Windows endpoints from the service:
Uninstall the MMA agent
Remove the Defender for Endpoint workspace configuration
Note
Offboarding causes the Windows endpoint to stop sending sensor data to the portal but data from the endpoint, including reference to any alerts it has had will be retained for up to 6 months.
Uninstall the MMA agent
To offboard the Windows endpoint, you can uninstall the MMA agent or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint.
For more information, see To disable an agent.
Remove the Defender for Endpoint workspace configuration
You can use either of the following methods:
Remove the Defender for Endpoint workspace configuration from the MMA agent
Run a PowerShell command to remove the configuration
Remove the Defender for Endpoint workspace configuration from the MMA agent
In the Microsoft Monitoring Agent Properties, select the Azure Log Analytics (OMS) tab.
Select the Defender for Endpoint workspace, and click Remove.
Run a PowerShell command to remove the configuration
Get your Workspace ID:
In the navigation pane, select Settings > Onboarding.
Select the relevant operating system and get your Workspace ID.
Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing WorkspaceID:
PowerShell
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace$AgentCfg.RemoveCloudWorkspace("WorkspaceID")
# Reload the configuration and apply changes$AgentCfg.ReloadConfiguration()
This module examines how Microsoft Defender for Endpoint helps enterprise networks prevent, detect, investigate, and respond to advanced threats by using endpoint behavioral sensors, cloud security analytics, and threat intelligence. MS-102
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.