Skip to main content

Windows Defender Antivirus on Windows Server 2020



    Applies to:
    Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
    While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
    • In Windows Server 2016, automatic exclusions are applied based on your defined Server Role.
    • In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
    This topic includes the following instructions for setting up and running Windows Defender AV on a server platform:
    • Enable the interface
    • Verify Windows Defender AV is running
    • Update antimalware Security intelligence
    • Submit Samples
    • Configure automatic exclusions

    Enable or disable the interface on Windows Server 2016

    By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required.
       Note

    You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
    If the interface is not installed, you can add it in the Add Roles and Features Wizard at the Featuresstep, under Windows Defender Features by selecting the GUI for Windows Defender option.
    Add roles and feature wizard showing the GUI for Windows Defender option
    See the Install or uninstall roles, role services, or features topic for information on using the wizard.
    The following PowerShell cmdlet will also enable the interface:
    PowerShell
    Install-WindowsFeature -Name Windows-Defender-GUI
    To hide the interface, use the Remove Roles and Features Wizard and deselect the GUI for Windows Defender option at the Features step, or use the following PowerShell cmdlet:
    PowerShell
    Uninstall-WindowsFeature -Name Windows-Defender-GUI
      Important

    Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core Windows Defender feature.

    Install or uninstall Windows Defender AV on Windows Server 2016

    You can also uninstall Windows Defender AV completely with the Remove Roles and Features Wizardby deselecting the Windows Defender Features option at the Features step in the wizard.
    This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the Windows Defender Security Intelligence Antivirus and antimalware software FAQ.
     Note
    Deselecting Windows Defender on its own under the Windows Defender Features section will automatically prompt you to remove the interface option GUI for Windows Defender.
    The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:
    PS
    Uninstall-WindowsFeature -Name Windows-Defender
    To install Windows Defender AV again, use the Add Roles and Features Wizard and ensure the Windows Defender feature is selected. You can also enable the interface by selecting the GUID for Windows Defender option.
    You can also use the following PowerShell cmdlet to install Windows Defender AV:
    PS
    Install-WindowsFeature -Name Windows-Defender
    Tip
    Event messages for the antimalware engine included with Windows Defender AV can be found in Windows Defender AV Events.

    Verify Windows Defender is running

    To verify that Windows Defender AV is running on the server, run the following command from a command prompt:
    DOS
    sc query Windefend
    The sc query command returns information about the Windows Defender service. If Windows Defender is running, the STATE value displays RUNNING.

    Update antimalware Security intelligence

    In order to get updated antimalware Security intelligence , you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
    By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods:
    • Windows Update in Control Panel.
      • Install updates automatically results in all updates being automatically installed, including Windows Defender Security intelligence updates.
      • Download updates but let me choose whether to install them allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
    • Group Policy. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates
    • The AUOptions registry key. The following two values allow Windows Update to automatically download and install Security intelligence updates.
      • 4 Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
      • 3 Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
    To ensure that protection from malware is maintained, we recommend that you enable the following services:
    • Windows Error Reporting service
    • Windows Update service
    The following table lists the services for Windows Defender and the dependent services.
    Service NameFile LocationDescription
    Windows Defender Service (Windefend)C:\Program Files\Windows Defender\MsMpEng.exeThis is the main Windows Defender Antivirus service that needs to be running at all times.
    Windows Error Reporting Service (Wersvc)C:\WINDOWS\System32\svchost.exe -k WerSvcGroupThis service sends error reports back to Microsoft.
    Windows Defender Firewall (MpsSvc)C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkWe recommend leaving the Windows Defender Firewall service enabled.
    Windows Update (Wuauserv)C:\WINDOWS\system32\svchost.exe -k netsvcsWindows Update is needed to get Security intelligence updates and antimalware engine updates

    Submit Samples

    Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence.
    We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.

    Enable automatic sample submission

    • To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the SubmitSamplesConsent value data according to one of the following settings:
      • 0 Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
      • 1 Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
      • 2 Never send. The Windows Defender service does not prompt and does not send any files.
      • 3 Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.

    Configure automatic exclusions

    To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016.

    Comments

    Post a Comment

    Popular posts from this blog

    Configure Block At First Sight Windows Defender Antivirus _Enable Block Windows 10

    Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can  specify how long the file should be prevented from running  while the cloud-based protection service analyzes the file. You can also  customize the message displayed on users' desktops  when a file is blocked. You can change the company name, contact information, and message URL.   Tip You can also visit the Microsoft Defender ATP demo website at  demo.wd.microsoft.com  to confirm the features are working and see how they work. How it works When Windows Defender Antivirus encounters a suspicious but u...
    4 comments
    Read more

    Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus Windos 10

    Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. The tables list: Windows Defender Antivirus event IDs  (these apply to both Windows 10 and Windows Server 2016) Windows Defender Antivirus client error codes Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)  Tip You can also visit the Microsoft Defender ATP demo website at  demo.wd.microsoft.com  to confirm the following features are working: Cloud-delivered protection Fast learning (including Block at first sight) Potentially unwanted application blocking Windows Defender Antivirus event IDs Windows Defender Antivirus records event IDs in the Windows event log. You can directly view the event log, or if you have a third-party security information and...
    1 comment
    Read more

    FULL MATCH - Roman Reigns vs. The Undertaker - No Holds Barred Match: WrestleMania 33 2019

    Post a Comment
    Read more