Updating MMA on Windows devices for Microsoft Defender for Endpoint
If you've arrived on this page as a result of clicking on a notification at the Microsoft Defender portal (https://security.microsoft.com), you have devices in your environment with outdated agents, and you need to take action (described in this article) to avoid service disruption. For more details, please reference message center post MC598631 (requires access to Message Center).
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
If you're using the Microsoft Monitoring Agent (MMA) on Windows devices, it's important to keep this agent updated. For Windows Server 2012 R2 and Windows Server 2016, Microsoft recommends upgrading to the new, unified agent for Defender for Endpoint. This article describes how to:
- Update the MMA on your devices (for devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1).
- Upgrade to the new, unified agent for Defender for Endpoint (for devices running Windows Server 2012 R2 and Windows Server 2016).
Update MMA on your devices
This option applies to devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1.
To help you identify older versions of the MMA inside of your organization, you can use the "EOSDate" column in advanced hunting. Or, follow the instructions in Plan for end-of-support software and software versions to use the vulnerability management feature inside of Microsoft Defender for Endpoint to track remediation.
See Manage and maintain the Log Analytics agent for Windows and Linux for instructions on how to upgrade the agent using Azure Automation or a command-line approach to use with various deployment tools and methods.
Download the MMA setup file:
Upgrade to the new, unified agent for Defender for Endpoint
This option applies to servers running Windows Server 2012 R2 and Windows Server 2016.
A new agent was released in April 2022 for Windows Server 2012 R2 and Windows Server 2016. The new agent doesn't depend on MMA. There are significant benefits to moving to this new agent, such as a vastly extended feature set. To learn more, see Tech Community Blog: Defending Windows Server 2012 R2 and 2016.
Microsoft Defender Vulnerability Management provides an assessment (SCID-2030) titled "Update Microsoft Defender for Endpoint core components" that allows you to track which Windows Server 2012 R2 or Windows Server 2016 machines haven't been upgraded yet.
See Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution to understand your options for upgrading to the new agent.
If you're using Microsoft Endpoint Configuration Manager (SCCM/ConfigMgr) 2107 or later to manage your servers running Windows Server 2012 R2 or Windows Server 2016, see Migrating servers from Microsoft Monitoring Agent to the unified solution to perform an orchestrated upgrade.
If you're using Microsoft Endpoint Configuration Manager (SCCM/ConfigMgr) 2207 or later to manage your servers running Windows Server 2012 R2 or Windows Server 2016, see Onboarding to Microsoft Defender for Endpoint with Configuration Manager 2207 and later versions to perform an automated upgrade.
If you're using Microsoft Defender for Cloud with servers running Windows Server 2012 R2 or Windows Server 2016, you can automate the upgrade by selecting Enable unified solution. See Users with Defender for Servers enabled and Microsoft Defender for Endpoint deployed.
Important information about MMA
If you've determined that you aren't using the MMA for Defender for Endpoint, or you've already updated your agent, no other steps are needed.
If you are, however, still using MMA for other purposes (such as Log Analytics), MMA is currently set to retire in August 2024. See We're retiring the Log Analytics agent in Azure Monitor on 31 August 2024. Depending on your particular scenario, now might be a good time to upgrade to Azure Monitoring Agent, the successor of MMA.
Devices running Windows 7 SP1, Windows 8.1, or Windows Server 2008 R2 remain dependent on MMA.
Devices running Windows Server 2012 R2 or Windows Server 2016 should be upgraded to the new, unified solution so that they no longer require the use of MMA.
AMA cannot be used as a substitute for Defender for Endpoint.
- Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint deployment overview
- Onboard to the Microsoft Defender for Endpoint service
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.