Saturday 18 February 2023

Tips for onboarding servers to Defender for Endpoint

This week is all about Microsoft Defender for Endpoint (MDE). It's very easy to onboard workstations (Windows 10/11) to MDE. Intune does that automatically for you.


Navigate to Endpoint Security > Endpoint detection and response, create the policy and assign it to all devices.

There is a little more to do for servers as they are not supported for enrollment in Intune.

First, how would you know if your server was already onboarded to MDE? Obviously you could search for the server in the Microsoft 365 Defender portal, but how can you tell on the server itself?

Look at the services. If the Windows Defender Advanced Threat Protection Service (Service name: Sense) is Automatic and Running, then the server has been onboarded. The screenshot above shows a server that has not been onboarded. The behaviour and the onboarding steps are slightly different depending on the server operating system.

Note: when you use Microsoft Defender for Cloud to monitor servers, they are automatically onboarded to Defender for Endpoint. For this blog post, I'm assuming you are not using Defender for Cloud.

Windows Server 2012R2

2012R2 servers do not include Defender Antivirus or Defender for Endpoint natively. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

  • Install the unified Defender client (this is downloaded from MDE portal). This installs Microsoft Defender Antivirus and the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
  • Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

Windows Server 2016

2016 servers natively include Defender Antivirus (as long as the Defender feature is added) but not Defender for Endpoint. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

  • Verify that the Defender feature is added and updated. Defender must also be turned on.
  • Run the updateplatform hotfix (download here from the Microsoft Malware Protection Center (MMPC)). This updates Defender to the latest version.
  • Install the unified Defender client (this is downloaded from MDE portal). This installs the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
  • Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

You will get this error if you don't update the platform before you install the unified Defender client.


Please update Windows Defender Antivirus (KB4052623) to the latest version.

Windows Server 2019 (and 2022)

These servers already include Defender AV and the EDR sensor. The Windows Defender Advanced Threat Protection Service already exists but is not running and is set to Manual.

There is one onboarding step:
  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

The steps above can be automated using your server management solution.
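As an added example (not code from the post, and not a Microsoft-supplied script), here is one way to chain the three per-OS procedures above into a single idempotent PowerShell script that a management tool can run elevated on each server. It picks the steps from the OS build number, enforces the ordering the 2016 section warns about (platform update before the unified client), and skips servers whose Sense service is already Automatic and Running. The package file names under $PackagePath are assumptions for the files you download yourself; the onboarding script is assumed to be the non-interactive "Group Policy" package variant rather than the local script, which prompts for confirmation.

```powershell
# Added example, not from the original post: run the onboarding steps in the right order
# for the local server's OS build, skipping servers that are already onboarded.
# All file names below are assumptions for packages you download yourself:
#   md4ws.msi                               - unified Defender client (MDE portal)
#   updateplatform.exe                      - Defender platform update hotfix (MMPC), Server 2016 only
#   KB5005292.msu                           - unified client update package (Microsoft Update Catalog)
#   WindowsDefenderATPOnboardingScript.cmd  - non-interactive onboarding script (MDE portal, GPO package)
param(
    [Parameter(Mandatory)] [string]$PackagePath
)

$ErrorActionPreference = 'Stop'

function Invoke-Step {
    param([string]$Name, [string]$FilePath, [string[]]$ArgumentList)
    Write-Host "==> $Name"
    $params = @{ FilePath = $FilePath; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    $p = Start-Process @params
    # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED: the step succeeded but a reboot is pending
    if ($p.ExitCode -notin 0, 3010) { throw "$Name failed with exit code $($p.ExitCode)" }
    if ($p.ExitCode -eq 3010) { Write-Warning "$Name requests a reboot" }
}

# Already onboarded? The post's test: Sense service is Automatic and Running.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.StartType -eq 'Automatic' -and $sense.Status -eq 'Running') {
    Write-Host 'Sense service is Automatic and Running; nothing to do.'
    return
}

$client   = Join-Path $PackagePath 'md4ws.msi'
$platform = Join-Path $PackagePath 'updateplatform.exe'
$update   = Join-Path $PackagePath 'KB5005292.msu'
$onboard  = Join-Path $PackagePath 'WindowsDefenderATPOnboardingScript.cmd'

# Build numbers: 9600 = 2012 R2, 14393 = 2016, 17763 = 2019, 20348 = 2022
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

if ($build -eq 9600) {
    # 2012 R2: no Defender AV on the box; the unified client brings AV and the EDR sensor
    Invoke-Step 'Install unified Defender client' 'msiexec.exe' @('/i', "`"$client`"", '/quiet', '/norestart')
    Invoke-Step 'Install KB5005292 update package' 'wusa.exe' @("`"$update`"", '/quiet', '/norestart')
}
elseif ($build -eq 14393) {
    # 2016: Defender AV is a Windows feature; it must be installed, enabled and on the latest
    # platform BEFORE the unified client, or the installer stops with the KB4052623 message
    if (-not (Get-WindowsFeature -Name Windows-Defender).Installed) {
        Install-WindowsFeature -Name Windows-Defender | Out-Null
    }
    if ((Get-MpComputerStatus).AntivirusEnabled -ne $true) {
        throw 'Defender Antivirus is installed but not enabled; enable it and re-run.'
    }
    Invoke-Step 'Update Defender platform' $platform
    Invoke-Step 'Install unified Defender client' 'msiexec.exe' @('/i', "`"$client`"", '/quiet', '/norestart')
    Invoke-Step 'Install KB5005292 update package' 'wusa.exe' @("`"$update`"", '/quiet', '/norestart')
}
elseif ($build -lt 17763) {
    throw "Build $build is not covered by this script."
}

# 2019/2022 (and the two older builds once the sensor is installed): run the onboarding script
Invoke-Step 'Run MDE onboarding script' 'cmd.exe' @('/c', "`"$onboard`"")

# Confirm the outcome the post describes: service now Automatic and Running
$sense = Get-Service -Name Sense
'Sense service: StartType={0}, Status={1}' -f $sense.StartType, $sense.Status
```

Run it as `.\Onboard-MdeServer.ps1 -PackagePath C:\MDE` from an elevated session. Exit code 3010 from the MSI or MSU is treated as success with a warning, because the sensor install can request a reboot before the onboarding script is able to start the service.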

You've now onboarded the server and the Windows Defender Advanced Threat Protection Service is running. Where can you see the onboarding details?
You need to look in the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM. Here you can see the Tenant ID and enrollment status. You should see EnrollmentStatus = 1.
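The two checks the post gives, the Sense service state near the top and the SenseCM registry key here, are easiest to run together, and across a fleet. The PowerShell function below is an added example, not code from the post; it reads both places and reports whether they agree. EnrollmentStatus is the value name the post gives; the TenantId value name is an assumption.

```powershell
# Added example, not from the original post: report onboarding state from the two places the
# post describes, the Sense service and HKLM\SOFTWARE\Microsoft\SenseCM.
# 'EnrollmentStatus' is the value named in the post; 'TenantId' is an assumed value name.
function Get-MdeOnboardingState {
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue

    # The post's two tests: service Automatic and Running, and EnrollmentStatus = 1
    $serviceOk  = [bool]$svc -and $svc.StartType -eq 'Automatic' -and $svc.Status -eq 'Running'
    $enrolledOk = [bool]$reg -and $reg.EnrollmentStatus -eq 1

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SenseStartType   = if ($svc) { "$($svc.StartType)" } else { 'not installed' }
        SenseStatus      = if ($svc) { "$($svc.Status)" }    else { 'not installed' }
        TenantId         = if ($reg) { $reg.TenantId }         else { $null }
        EnrollmentStatus = if ($reg) { $reg.EnrollmentStatus } else { $null }
        Onboarded        = $serviceOk -and $enrolledOk
        # Service running but not enrolled (or the reverse) points at a half-finished onboarding:
        # the script ran but enrollment failed, or the key is left over from an earlier attempt
        Note             = if ($serviceOk -ne $enrolledOk) { 'service and registry disagree; re-run the onboarding script' } else { '' }
    }
}

# Local check
Get-MdeOnboardingState

# Fleet check over WinRM: every server reports its own state, then list the ones still missing.
# servers.txt is a constructed input file with one hostname per line.
$servers = Get-Content .\servers.txt
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-MdeOnboardingState} |
    Where-Object { -not $_.Onboarded } |
    Format-Table ComputerName, SenseStartType, SenseStatus, EnrollmentStatus, Note
```

The Note column is the useful part after a bulk rollout: a server where the service is Automatic and Running but EnrollmentStatus is not 1 has accepted the onboarding script without completing enrollment, so it will not appear in the Microsoft 365 Defender portal even though the service check alone looks healthy.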

I hope this helps. Until next time......
