Important
Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Note
Always ensure Microsoft Defender Antivirus is fully updated on Windows Server 2016 before proceeding with installation or upgrade. To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update KB5005292 gets applied or approved. In addition, to keep protection components updated, please reference Manage Microsoft Defender Antivirus updates and apply baselines.
These instructions apply to the new unified solution and installer package of Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.
Note
Operating system upgrades with Microsoft Defender for Endpoint installed are not supported. Please offboard then uninstall before proceeding with an upgrade.
Note
During preview, full Microsoft Endpoint Configuration Manager automation and integration to perform an automated upgrade will be available in the 2111 release of MECM. From the 2107 release, you CAN use the Endpoint Protection node for configuration as well as Group Policy, PowerShell, Microsoft Endpoint Manager tenant attach or local configuration. In addition, you can leverage existing functionality in Microsoft Endpoint Configuration Manager to automate manual upgrade steps; methods for which are described below.
Installer script
To facilitate upgrades when Microsoft Endpoint Configuration Manager or Microsoft Defender for Cloud are not in use or not yet available to perform the upgrade, you can use this upgrade script. It can help automate the following required steps:
- Remove the OMS workspace for Microsoft Defender for Endpoint (OPTIONAL).
- Remove System Center Endpoint Protection client if installed.
- Download and install (Windows Server 2012 R2) prerequisites if required.
- Install Microsoft Defender for Endpoint.
- Apply the onboarding script for use with Group Policy downloaded from Microsoft 365 Defender.
To use the script, download it to an installation directory where you have also placed the installation and onboarding packages (see Configure server endpoints.
EXAMPLE: .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript “.\WindowsDefenderATPOnboardingScript.cmd”
Microsoft Endpoint Configuration Manager migration scenarios
You are currently using Microsoft Endpoint Configuration Manager to manage your servers, including System Center Endpoint Protection (SCEP) and are running the Microsoft Monitoring Agent (MMA)-based sensor. You want to upgrade to the Microsoft Defender for Endpoint unified solution preview.
Note
You’ll need Microsoft Endpoint Configuration Manager, version 2107.
Migration steps:
- Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016).
- Create a new collection with membership rules to include machines to be migrated.
- Create an application to perform the following tasks:
- Remove the MMA workspace configuration for Microsoft Defender for Endpoint. See Remove a workspace using PowerShell. This step is optional; the previous EDR sensor will stop running after the newer one becomes active (note this can take several hours).
- Uninstall SCEP.
- Install the prerequisites where applicable.
- Install Microsoft Defender for Endpoint (see Configure server endpoints.
- Apply the onboarding script for use with Group Policy downloaded from Microsoft Defender Security Center.
Tip
You can use the installer script as part of your application to automate the above steps.
- Deploy the application to the new collection.
- Create and/or assign (existing) Endpoint Protection policies to the collection.
- Apply updates.
You are currently using Microsoft Endpoint Configuration Manager to manage your servers, are running a non-Microsoft antivirus solution and the MMA-based sensor. You want to upgrade to the new Microsoft Defender for Endpoint.
Migration steps:
- Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016).
- Create a new collection with membership rules to include machines to be migrated.
- Ensure third-party antivirus management no longer pushes antivirus to these machines.*
- Author your policies in the Endpoint Protection node of MECM and target to the newly created collection.*
- Create an application to perform the following tasks:
- Remove the MMA workspace configuration for Microsoft Defender for Endpoint. See Remove a workspace using PowerShell. This step is optional; the previous EDR sensor will stop running after the newer one becomes active (note this can take several hours).
- Install the prerequisites where applicable.
- Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 and 2016 package and enable passive mode. See Install Microsoft Defender Antivirus using command line.
- Apply the onboarding script for use with Group Policy downloaded from Microsoft 365 Defender.
- Apply updates.
- Remove your non-Microsoft antivirus software by either using the non-Microsoft antivirus console or by using Microsoft Endpoint Configuration Manager as appropriate. Make sure to remove passive mode configuration.*
Tip
You can use the [installer-script](server-migration.md#installer script) as part of your application to automate the above steps. To enable passive mode, apply the -Passive flag. For example, .\install.ps1 -RemoveMMA <YOUR_WORKSPACE_ID> -OnboardingScript “.\WindowsDefenderATPOnboardingScript.cmd” -Passive
*These steps only apply if you intend to replace your non-Microsoft antivirus solution. See Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
To move a machine out of passive mode, set the following key to 0:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: ForceDefenderPassiveMode Type: REG_DWORD Value: 0
Other migration scenarios
You have a server that has been onboarded using the MMA-based Microsoft Defender for Endpoint. It has SCEP installed (Windows Server 2012 R2) or Microsoft Defender Antivirus (Windows Server 2016). This machine is not managed through Microsoft Defender for Cloud, Microsoft Endpoint Manager, or Microsoft Endpoint Configuration Manager.
- Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016).
- Remove the MMA workspace configuration for Microsoft Defender for Endpoint. See Remove a workspace using PowerShell.
- Uninstall System Center Endpoint Protection (Windows Server 2012 R2).
- Install the prerequisites where applicable.
- Install Microsoft Defender for Endpoint (see Configure server endpoints.)
- Apply the onboarding script for use with Group Policy downloaded from Microsoft Defender Security Center.
- Apply updates.
- Create and apply policies using Group Policy, PowerShell, or a 3rd party management solution.
Tip
You can use the installer script to automate the above steps.
You have a server on which you want to install Microsoft Defender for Endpoint. It has a non-Microsoft endpoint protection or endpoint detection and response solution installed. You do not intend to use Microsoft Endpoint Configuration Manager or Microsoft Defender for Cloud. You use your own deployment mechanism.
- Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016).
- Install the Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016 package and enable passive mode. See Install Microsoft Defender Antivirus using command line.
- Apply the onboarding script, appropriate to your environment, downloaded from Microsoft 365 Defender.
- Remove the non-Microsoft endpoint protection or endpoint detection and response solution, and remove passive mode.*
- Apply updates.
- Create and apply policies using Group Policy, PowerShell, or a 3rd party management solution.
Tip
You can use the installer script to help automate steps 1 through 4. To enable passive mode, apply the -Passive flag which will ensure that Defender Antivirus goes into passive mode before onboarding and does not interfere with a non-Microsoft antimalware solution. Then to ensure Defender Antivirus remains in passive mode after onboarding to support EDR capabilities such as EDR Block make sure to set the “ForceDefenderPassiveMode” registry key. EXAMPLE: .\install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.cmd" -Passive
*This step only applies if you intend to replace your non-Microsoft antivirus solution. We recommend using Microsoft Defender Antivirus, included in Microsoft Defender for Endpoint, to provide the full set of capabilities. See Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
To move a machine out of passive mode, set the following key to 0:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: ForceDefenderPassiveMode Type: REG_DWORD Value: 0
Microsoft Defender for Cloud scenarios
You’re using Microsoft Defender for Cloud. The Microsoft Monitoring Agent (MMA) and/or Microsoft Antimalware for Azure (SCEP) are installed and you want to upgrade.
If you’re using Microsoft Defender for Cloud, you can leverage the automated upgrade process. See Protect your endpoints with Defender for Cloud’s integrated EDR solution: Microsoft Defender for Endpoint.
Group Policy configuration
For configuration using Group Policy, ensure you’re using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. Please reference How to create and manage the Central Store for Group Policy Administrative Templates in Windows and download the latest files for use with Windows 10.