New protection capabilities for Microsoft Defender for Endpoint (MDE) customers have landed in public preview, Oct 7 ‘21, for Windows Server 2012 R2 and Windows Server 2016.  With the public preview released today, Windows Server 2012 R2 and 2016 gain ’ functional equivalence’ to 2019, thanks to the use of a new agent that is being described as the ‘unified solution’.

Historically, a significant gap

Previously, as I’ve detailed here and here, there was a large feature gap between Windows Server 2019 and these “down-level” OSs. The onboarding process was also different.  To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA).  This was required as the EDR sensor wasn’t built-in, unlike with Server 2019.  While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection.

Even after onboarding and having either MDAV or SCEP, you still didn’t get the full capabilities of MDE that you did with Server 2019.  Key among the features missing were attack surface reduction (ASR) rules and automated investigation and response (AIR).  On the portal, you also couldn’t perform actions such as live response or file responses. As of today, in public preview, you can.

Improvements now in public preview

With the improved feature parity, Microsoft remove a blocker for many organisations adopting MDE on servers, close the gap with competitors with enhanced protection, and make IT/security pros lives a little easier with consistent onboarding and tools.  This does, however, for now, still leave Windows Server 2008 R2 in the same old place.

The features previously unavailable that you can now leverage include ASR rules, network protection, Controlled Folder Access (CFA), AIR, tamper protection, and device actions in the Microsoft 365 Defender portal, such as device isolation, but not app execution restriction.  Note that not all ASR rules are available: block JavaScript and VBScript from launching downloadable executable content didn’t make it to Server 2012 R2, and neither server gets the rules to block Win32 API calls from Office macros or block persistence through WMI event subscription.  This is more down to intrinsic differences in the operating system, though.

How to deploy the new unified solution

Both the most thorough and simple way to deploy the new agent I’ve found, for most environments, is through the upgrade helper script that Microsoft has published to GitHub.  This automates a few steps that otherwise would be done separately.

  1. First, in the Microsoft 365 Defender portal, you’ll find an onboarding option for Windows Server 2012 R2 and 2016 (Preview).  From here, choose to download the Group Policy installation and onboarding packages.
  2. Store the script, MSI, and onboarding package in a place accessible by the server(s) you’ll be upgrading or deploying to.  I have found that network paths are not supported so you may want to consider ways to execute with local paths.
  3. Now, you’ll run the script with some parameters.  How you run it depends on your own environment: for example, you may scale it using a centralised management tool or manually on a server.  The RemoveMMA parameter is required if upgrading from the MMA agent (i.e. not a new install), where you’d replace ABCDE with the workspace ID (you can find this in Control Panel > Microsoft Monitoring Agent > Azure Log Analytics).  This command assumes the MSI and onboarding script are in the same directory as the PowerShell script.
 .\Install.ps1 -RemoveMMA ABCDE -OnboardingScript ".\WindowsDefenderATPOnboardingScript.CMD"

As the script runs, it gets rid of that workspace it no longer needs, checks for SCEP and uninstalls if present, applies some prerequisite patches (which may not be needed on fully updated servers), installs the agent, then connects it to the MDE instance identified in the onboarding package.

Important points to note

Without getting into the minutia and intricacies of deployments, if you’re now in a position to deploy or upgrade MDE on servers using the public preview agent, check out these key points of interest.

Both 2012 R2 and 2016

  • You no longer onboard with MMA.  Instead, you install an MSI agent that provides those missing capabilities.
  • Network requirements are the same as Windows Server 2019, rather than what they previously may have been for MMA.  This is most significant if your servers connect via a proxy.
  • Network protection, a feature now available, must be enabled manually using Set-MpPreference; it is not on by default.
  • You should make sure all Windows updates are applied.  For example, KB5005292 is needed to get the updated MsSense.exe sensor.
  • Should you do an in-place upgrade of the OS (e.g. from 2012 R2 to 2016, or 2016 to 2019) you will need to first offboard then onboard again.

2016

  • Defender Antivirus, which is built-in, must be up to date before you deploy.

2012 R2

  • You no longer need SCEP.  The agent includes Microsoft Defender Antivirus.
  • If you have SCEP installed, installing the new agent will automatically replace it if you use the script described in this article.
  • After installation, unlike with SCEP, there is no UI on the server.
  • As already mentioned, it’s best practice to get the server fully updated before deploying, but in particular for 2012 R2, if you don’t, network events may not populate in the device’s timeline in Microsoft 365 Defender.