This is more down to intrinsic differences in the operating system, though.

How to install the new unified Defender for Endpoint agent

To install the new Microsoft Defender for Endpoint agent on Windows Server 2012 R2 or Windows Server 2016, you need to:

- Download the Group Policy installation and onboarding packages.
- Save the files in an accessible location.
- Run the downloaded PowerShell script with some additional parameters.

The most thorough and simplest way to deploy the new agent I've found, for most environments, is through the upgrade helper script that Microsoft has published to GitHub. This automates a few steps that would otherwise be done separately.

1. First, in the Microsoft 365 Defender portal, you'll find an onboarding option for Windows Server 2012 R2 and 2016 (Preview). From here, choose to download the Group Policy installation and onboarding packages.

2. Store the script, MSI, and onboarding package in a place accessible by the server(s) you'll be upgrading or deploying to. I have found that network paths are not supported, so you may want to consider ways to execute with local paths.

3. Now, you'll run the script with some parameters. How you run it depends on your own environment: for example, you may scale it out using a centralised management tool or run it manually on a server. The RemoveMMA parameter is required if upgrading from the MMA agent (i.e. not a new install); replace ABCDE with the workspace ID (you can find this in Control Panel > Microsoft Monitoring Agent > Azure Log Analytics). This command assumes the MSI and onboarding script are in the same directory as the PowerShell script.

.\Install.ps1 -RemoveMMA ABCDE -OnboardingScript ".\WindowsDefenderATPOnboardingScript.CMD"

As the script runs, it removes the workspace it no longer needs, checks for SCEP and uninstalls it if present, applies some prerequisite patches (which may not be needed on fully updated servers), installs the agent, then connects it to the MDE instance identified in the onboarding package. The script's output will confirm success or failure (if, for example, it can't find the MMA workspace).
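The three steps above, wrapped into one script as an added example (this is my wrapper around Microsoft's Install.ps1 helper, not the helper itself and not code from the post). It reads the MMA workspace ID from the agent's COM configuration object instead of Control Panel, so the same script works for an upgrade (passing -RemoveMMA) and for a new install (omitting it), refuses a UNC staging path because network paths aren't supported, and afterwards checks onboarding independently of the helper's own output. The staging directory C:\MDEUpgrade and the onboarding package file name are assumptions; adjust them to what you downloaded from the portal.

```powershell
# Added example: a wrapper around Microsoft's Install.ps1 helper, not the helper
# itself and not code from the post. Run elevated on the target server.
# Assumptions (not from the post): files are staged in C:\MDEUpgrade, the
# onboarding package is WindowsDefenderATPOnboardingScript.cmd, and the MSI
# sits beside Install.ps1 as the post's command requires.
[CmdletBinding()]
param(
    [string]$SourceDir = 'C:\MDEUpgrade',
    [string]$OnboardingScript = 'WindowsDefenderATPOnboardingScript.cmd'
)

$ErrorActionPreference = 'Stop'

# Network paths are not supported by the helper, so reject UNC paths up front.
if ($SourceDir -like '\\*') {
    throw "SourceDir must be a local path, not a UNC path: $SourceDir"
}
foreach ($f in 'Install.ps1', $OnboardingScript) {
    if (-not (Test-Path (Join-Path $SourceDir $f))) { throw "Missing $f in $SourceDir" }
}

# Read the Log Analytics workspace ID from the MMA's COM configuration object
# (the same value shown under Control Panel > Microsoft Monitoring Agent >
# Azure Log Analytics). Returns $null when MMA isn't installed or has no workspace.
function Get-MmaWorkspaceId {
    try { $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' }
    catch { return $null }
    $workspaces = @($cfg.GetCloudWorkspaces())
    if ($workspaces.Count -eq 0) { return $null }
    if ($workspaces.Count -gt 1) {
        Write-Warning "MMA reports $($workspaces.Count) workspaces; only the first is passed to -RemoveMMA."
    }
    return $workspaces[0].workspaceId
}

$installParams = @{ OnboardingScript = (Join-Path $SourceDir $OnboardingScript) }
$workspaceId = Get-MmaWorkspaceId
if ($workspaceId) {
    Write-Host "Existing MMA workspace $workspaceId found; upgrading with -RemoveMMA."
    $installParams['RemoveMMA'] = $workspaceId
} else {
    Write-Host 'No MMA workspace found; treating this as a new install.'
}

# Run from the staging directory so Install.ps1 finds the MSI beside it.
Push-Location $SourceDir
try {
    & .\Install.ps1 @installParams
} finally {
    Pop-Location
}

# Independent check: the Sense service (the EDR sensor) should be running and
# OnboardingState under the Windows Advanced Threat Protection status key should be 1.
function Test-MdeOnboarded {
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    return ($null -ne $sense -and $sense.Status -eq 'Running' -and $status.OnboardingState -eq 1)
}

if (Test-MdeOnboarded) {
    Write-Host 'Onboarded: Sense is running and OnboardingState = 1.'
} else {
    Write-Warning 'Not onboarded yet. Review the Install.ps1 output and the Microsoft-Windows-SENSE/Operational event log.'
}
```

The post-install check matters because the helper's success message only tells you the steps ran; the device shows up in the portal only once the Sense service is up and the onboarding state has flipped, which is what Test-MdeOnboarded looks for.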
New protection capabilities for Microsoft Defender for Endpoint (MDE) customers landed in public preview on 7 October 2021 for Windows Server 2012 R2 and Windows Server 2016. With the public preview, Windows Server 2012 R2 and 2016 gain 'functional equivalence' with Windows Server 2019, thanks to a new agent that Microsoft describes as the 'unified solution'.

Previously, as detailed in Understanding Microsoft Defender for Endpoint and How It Protects Your Data on Petri and here on my own blog, there was a large feature gap between Windows Server 2019 and these "down-level" OSs. The onboarding process was also different: to get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA). This was required because the EDR sensor wasn't built in, unlike on Server 2019. And while Server 2016 shipped with Microsoft Defender Antivirus (MDAV) already installed, to get any kind of scanning and endpoint protection capability on Server 2012 R2 you had to install System Center Endpoint Protection (SCEP).

Even after onboarding, and with either MDAV or SCEP in place, you still didn't get the full capabilities of MDE that you did with Windows Server 2019. Key among the missing features were attack surface reduction (ASR) rules and automated investigation and response (AIR). In the portal, you also couldn't perform actions such as live response or file responses.

With the improved feature parity, Microsoft removes a blocker for many organizations adopting MDE on servers, closes the gap with competitors through enhanced protection, and makes IT and security pros' lives a little easier with consistent onboarding and tools. This does, however, for now, still leave Windows Server 2008 R2 in the same old place.

The previously unavailable features you can now leverage include, but aren't limited to, ASR rules, network protection, Controlled Folder Access (CFA), AIR, tamper protection, and device actions in the Microsoft 365 Defender portal such as device isolation (but not app execution restriction). AIR is of particular note, as it's what many customers perceive to be the R in EDR. The new features come with the PowerShell cmdlets to manage them, such as Set-MpPreference -AttackSurfaceReductionRules_Ids. Note that ASR rules won't function in warn mode, and not all of them are available: block JavaScript and VBScript from launching downloadable executable content didn't make it to Server 2012 R2, and neither server gets the rules to block Win32 API calls from Office macros or block persistence through WMI event subscription.
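As an added example (not code from the post or from Microsoft), this is how I would turn on a handful of ASR rules in block mode on one of these servers with the newly available cmdlets, then read back the effective mode of every configured rule. The rule GUIDs are as I recall them from Microsoft's ASR rules reference and should be checked against the current list before use; the action codes follow the cmdlet's ASRRuleActionType values, and warn mode (6) is deliberately not used because, as noted above, it doesn't function on Server 2012 R2 or 2016.

```powershell
# Added example, not from the post. Run elevated on a server already onboarded
# with the unified agent. Rule GUIDs: from Microsoft's ASR reference as I recall
# them; verify before relying on them.
# Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
# Warn is unsupported on Server 2012 R2/2016, so only Block/Audit are used here.

$rules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

foreach ($id in $rules.Keys) {
    # Add-MpPreference appends to the configured rule list; Set-MpPreference
    # would replace the whole list, silently dropping rules set elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Read the configuration back and report the mode of every rule present,
# including any that were configured before this script ran.
$pref  = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name   = if ($rules.ContainsKey($id)) { $rules[$id] } else { '(configured outside this script)' }
    '{0}  {1,-8}  {2}' -f $id, $modes[$action], $name
}
```

Start in Audit (AuditMode) rather than Enabled on a production server if you don't yet have telemetry on what the rule would block; switch the action to Enabled once the audit events look clean.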