New protection capabilities for Microsoft Defender for Endpoint (MDE) customers landed in public preview, Oct 7th 2021, for Windows Server 2012 R2 and Windows Server 2016. With the public preview, Windows Server 2012 R2 and 2016 gain ‘functional equivalence‘ to Windows Server 2019, thanks to a new agent that is being described as the ‘unified solution’.
Previously, as detailed in Understanding Microsoft Defender for Endpoint and How It Protects Your Data on Petri and here on my own blog, there was a large feature gap between Windows Server 2019 and these “down-level” OSs.
The onboarding process was also different. To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA). This was required as the EDR sensor wasn’t built-in, unlike with Server 2019.
While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection (SCEP).
Even after onboarding and having either MDAV or SCEP, you still didn’t get the full capabilities of MDE that you did with Windows Server 2019. Key among the features missing were attack surface reduction (ASR) rules and automated investigation and response (AIR).
On the portal, you also couldn’t perform actions such as live response or file responses. As of today, in public preview, you can.
With the improved feature parity, Microsoft remove a blocker for many organizations adopting MDE on servers, close the gap with competitors with enhanced protection, and make IT/security pros lives a little easier with consistent onboarding and tools. This does, however, for now, still leave Windows Server 2008 R2 in the same old place.
The features previously unavailable that you can now leverage include, but aren’t limited to, ASR rules, network protection, Controlled Folder Access (CFA), AIR, tamper protection, and device actions in the Microsoft 365 Defender portal, such as device isolation, but not app execution restriction.
The new features include the PowerShell cmdlets to manage them, such as Set-MpPreference -AttackSurfaceReductionRules_Ids.
AIR is of particular note, as it’s what many customers perceive to be the R in EDR. Note that ASR rules won’t function in warn mode and not all are available: block JavaScript and VBScript from launching downloadable executable content didn’t make it to Server 2012 R2, and neither server gets the rules to block Win32 API calls from Office macros or block persistence through WMI event subscription. This is more down to intrinsic differences in the operating system, though.
To install the new Microsoft Defender for Endpoint agent on Windows Server 2012 R2 or Windows Server 2016, you need to:
Both the most thorough and simple way to deploy the new agent I’ve found, for most environments, is through the upgrade helper script that Microsoft has published to GitHub. This automates a few steps that otherwise would be done separately.
1. First, in the Microsoft 365 Defender portal, you’ll find an onboarding option for Windows Server 2012 R2 and 2016 (Preview). From here, choose to download the Group Policy installation and onboarding packages.
2. Store the script, MSI, and onboarding package in a place accessible by the server(s) you’ll be upgrading or deploying to. I have found that network paths are not supported so you may want to consider ways to execute with local paths.
3. Now, you’ll run the script with some parameters. How you run it depends on your own environment: for example, you may scale it using a centralised management tool or manually on a server.
The RemoveMMA parameter is required if upgrading from the MMA agent (i.e. not a new install), where you’d replace ABCDE with the workspace ID (you can find this in Control Panel > Microsoft Monitoring Agent > Azure Log Analytics). This command assumes the MSI and onboarding script are in the same directory as the PowerShell script.
.Install.ps1 -RemoveMMA ABCDE -OnboardingScript ".WindowsDefenderATPOnboardingScript.CMD"
As the script runs, it gets rid of that workspace it no longer needs, checks for SCEP and uninstalls if present, applies some prerequisite patches (which may not be needed on fully updated servers), installs the agent, then connects it to the MDE instance identified in the onboarding package.
The script’s output will confirm success or failure (if, for example, it can’t find the MMA workspace).
Reviewing a server before and after the upgrade, we can see new features light-up within minutes in Microsoft 365 Defender. The device itself is preserved, as are alerts, incidents, and the timeline. Features previously unavailable, such as ASR rules, now are.
We can confirm that Windows Server 2016 is processing our ASR rules with Microsoft 365 Defender’s advanced hunting.
If you’re in a position to deploy or upgrade MDE on servers using the public preview agent, check out these key points of interest so that you know what to expect and have your prerequisites in order.
Both 2012 R2 and 2016
2016
2012 R2