Reinstall/enable Microsoft Defender Antivirus on your endpoints

On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. When endpoints running Windows are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can run in passive mode alongside a non-Microsoft antivirus solution. To learn more, see Antivirus protection with Defender for Endpoint.

As you’re making the switch to Defender for Endpoint, you might need to take certain steps to reinstall or enable Microsoft Defender Antivirus. The following table describes what to do on your Windows clients and servers.

REINSTALL/ENABLE MICROSOFT DEFENDER ANTIVIRUS ON YOUR ENDPOINTS

Endpoint type: Windows clients (such as endpoints running Windows 10 and Windows 11)

What to do: In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here’s why:

  • Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process.
  • When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically.
  • Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode.
  • If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically.

Endpoint type: Windows servers

What to do: On Windows Server, you’ll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. On Windows servers, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually.

To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks:
– Set DisableAntiSpyware to false on Windows Server (only if necessary)
– Reinstall Microsoft Defender Antivirus on Windows Server 2016
– Reinstall Microsoft Defender Antivirus on Windows Server, version 1803 or later
– Set Microsoft Defender Antivirus to passive mode on Windows Server

If you run into issues reinstalling or re-enabling Microsoft Defender Antivirus on Windows Server, see Troubleshooting: Microsoft Defender Antivirus is getting uninstalled on Windows Server.

 Tip

To learn more about Microsoft Defender Antivirus states with non-Microsoft antivirus protection, see Microsoft Defender Antivirus compatibility.

Set DisableAntiSpyware to false on Windows Server

The DisableAntiSpyware registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have DisableAntiSpyware configured, here’s how to set its value to false:

  1. On your Windows Server device, open Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
  3. In that folder, look for a DWORD entry called DisableAntiSpyware.
    • If you do not see that entry, you’re all set.
    • If you do see DisableAntiSpyware, proceed to step 4.
  4. Right-click the DisableAntiSpyware DWORD, and then choose Modify.
  5. Set the value to 0. (This action sets the registry key’s value to false.)
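The same check and fix, scripted for an elevated PowerShell session. This is an added example and not code from the Microsoft page; it reads the policy key named in the steps above and only writes to it when the DisableAntiSpyware value is actually present and non-zero.

```powershell
# Added example (not from the Microsoft page): look for the legacy DisableAntiSpyware
# policy value and set it to 0 (false) only if it is present. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

if (-not (Test-Path -Path $policyKey)) {
    Write-Output 'Policy key not present; nothing to do.'
    return
}

# -ErrorAction SilentlyContinue returns $null when the value does not exist
$value = Get-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue

if ($null -eq $value) {
    Write-Output 'DisableAntiSpyware is not configured; you are all set.'
}
elseif ($value.DisableAntiSpyware -eq 0) {
    Write-Output 'DisableAntiSpyware is already 0 (false).'
}
else {
    # Set the DWORD to 0, which is the "false" value described in the steps above
    Set-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' -Value 0 -Type DWord
    Write-Output "DisableAntiSpyware was $($value.DisableAntiSpyware); set to 0."
}
```

Running this on a fleet (for example through a Configuration Manager script or a scheduled task) gives you a per-device record of which servers still carried the old value, which is useful evidence when troubleshooting a server that keeps losing Microsoft Defender Antivirus.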

 Tip

To learn more about this registry key, see DisableAntiSpyware.

Re-enable Microsoft Defender Antivirus on Windows Server 2016

You can use the Malware Protection Command-Line Utility to re-enable Microsoft Defender Antivirus on Windows Server 2016.

  1. As a local administrator on the server, open Command Prompt.
  2. Run the following command: MpCmdRun.exe -wdenable
  3. Restart the device.

Re-enable Microsoft Defender Antivirus on Windows Server, version 1803 or later

 Important

The following procedure applies only to endpoints or devices that are running the following versions of Windows:

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server, version 1803 (core-only mode)

  1. As a local administrator on the server, open Windows PowerShell.
  2. Run the following DISM commands for your server version:
    PowerShell

    # For Windows Server 2016
    Dism /online /Enable-Feature /FeatureName:Windows-Defender-Features
    Dism /online /Enable-Feature /FeatureName:Windows-Defender
    Dism /online /Enable-Feature /FeatureName:Windows-Defender-Gui
    # For Windows Server 2019 and Windows Server 2022
    Dism /online /Enable-Feature /FeatureName:Windows-Defender

    When using the DISM command within a task sequence running PowerShell, the following path to cmd.exe is required. Example:

    PowerShell

    c:\windows\sysnative\cmd.exe /c Dism /online /Enable-Feature /FeatureName:Windows-Defender-Features
    c:\windows\sysnative\cmd.exe /c Dism /online /Enable-Feature /FeatureName:Windows-Defender

  3. Restart the device.
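After the restart, you will want to confirm that the features actually came back and that the antivirus service is running. The following verification script is an added example, not code from the Microsoft page; it queries the same DISM feature names used in the commands above and the WinDefend service that Microsoft Defender Antivirus runs as.

```powershell
# Added example (not from the Microsoft page): verify the Defender features and service
# after running the Dism commands above and restarting. Run elevated.
$features = @('Windows-Defender-Features', 'Windows-Defender', 'Windows-Defender-Gui')

foreach ($name in $features) {
    # Get-WindowsOptionalFeature uses the same feature names as Dism /Enable-Feature;
    # a feature that does not exist on this server version returns $null
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if ($null -eq $f) {
        Write-Output "$name : not available on this OS version"
    }
    else {
        Write-Output "$name : $($f.State)"
    }
}

# The antivirus service (WinDefend) should exist and be running once the feature is enabled
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WinDefend service not found; the feature may not be installed yet.'
}
else {
    Write-Output "WinDefend service status: $($svc.Status)"
}
```

If a feature reports Disabled or the service is missing after the restart, that is the point to consult the troubleshooting article referenced earlier on this page before moving on to passive mode.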

Set Microsoft Defender Antivirus to passive mode on Windows Server

 Tip

You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016. For more information, see Options to install Microsoft Defender for Endpoint.

  1. Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:
    • Set the DWORD’s value to 1.
    • Under Base, select Hexadecimal.

 Note

After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server. To validate that passive mode was set as expected, search for event 5007 in the Microsoft-Windows-Windows Defender Operational log (located at C:\Windows\System32\winevt\Logs), and confirm that either the ForceDefenderPassiveMode or PassiveMode registry key was set to 0x1.
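The registry change and the validation described in the note, scripted. This is an added example rather than code from the Microsoft page: it writes the ForceDefenderPassiveMode DWORD, asks Microsoft Defender Antivirus for its running mode through Get-MpComputerStatus, and then searches the Operational log for event 5007 entries mentioning either registry value set to 0x1.

```powershell
# Added example (not from the Microsoft page): force passive mode on Windows Server and
# validate it two ways. Run elevated after the device is onboarded to Defender for Endpoint.
$mdeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

if (-not (Test-Path -Path $mdeKey)) {
    New-Item -Path $mdeKey -Force | Out-Null
}
# DWORD value 1 (shown as 0x1 in Registry Editor with Base = Hexadecimal)
Set-ItemProperty -Path $mdeKey -Name 'ForceDefenderPassiveMode' -Value 1 -Type DWord

# Check 1: the mode the antivirus itself reports (expect "Passive Mode" after the change applies)
$status = Get-MpComputerStatus
Write-Output "AMRunningMode: $($status.AMRunningMode)"

# Check 2: event 5007 (configuration changed) in the Defender Operational log
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue

# Keep only the events that record one of the two passive-mode values being set to 0x1
$passiveEvents = $events | Where-Object {
    $_.Message -match 'ForceDefenderPassiveMode|PassiveMode' -and $_.Message -match '0x1'
}

if ($passiveEvents) {
    $passiveEvents | Select-Object TimeCreated, Message | Format-List
}
else {
    Write-Output 'No event 5007 showing ForceDefenderPassiveMode or PassiveMode = 0x1 found yet.'
}
```

Both checks matter: the registry value shows what you asked for, while AMRunningMode and event 5007 show what the product actually did, which is what you want in a migration log before the non-Microsoft solution is removed.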

Are you using Windows Server 2012 R2 or Windows Server 2016?

You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and 2016 using the method above. For more information, see Options to install Microsoft Defender for Endpoint.

Configure Defender for Endpoint

This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints. We recommend using Intune; however, you can use any of the methods that are listed in the following table:

CONFIGURE DEFENDER FOR ENDPOINT

Method: Intune

NOTE: Intune is now part of Microsoft Endpoint Manager.

What to do:
  1. Go to the Microsoft Endpoint Manager admin center and sign in.
  2. Select Devices > Configuration profiles, and then select the profile type you want to configure. If you haven’t yet created a Device restrictions profile type, or if you want to create a new one, see Configure device restriction settings in Microsoft Intune.
  3. Select Properties, and then select Configuration settings: Edit.
  4. Expand Microsoft Defender Antivirus.
  5. Enable Cloud-delivered protection.
  6. In the Prompt users before sample submission dropdown, select Send all samples automatically.
  7. In the Detect potentially unwanted applications dropdown, select Enable or Audit.
  8. Select Review + save, and then choose Save.

TIP: For more information about Intune device profiles, including how to create and configure their settings, see What are Microsoft Intune device profiles?.

Method: Microsoft Endpoint Configuration Manager

What to do: See Create and deploy antimalware policies for Endpoint Protection in Configuration Manager.

When you create and configure your antimalware policies, make sure to review the real-time protection settings and enable block at first sight.

Method: Control Panel in Windows

What to do: Follow the guidance here: Turn on Microsoft Defender Antivirus. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)

Method: Advanced Group Policy Management or Group Policy Management Console

What to do:
  1. Go to Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus.
  2. Look for a policy called Turn off Microsoft Defender Antivirus.
  3. Choose Edit policy setting, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)

 Tip

You can deploy the policies before your organization’s devices are onboarded.

Add Microsoft Defender for Endpoint to the exclusion list for your existing solution

This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.

 Tip

To get help configuring exclusions, refer to your solution provider’s documentation.

The specific exclusions to configure will depend on which version of Windows your endpoints or devices are running, and are listed in the following table.

ADD MICROSOFT DEFENDER FOR ENDPOINT TO THE EXCLUSION LIST FOR YOUR EXISTING SOLUTION

OS:
  • Windows 11
  • Windows 10, version 1803 or later (See Windows 10 release information)
  • Windows 10, version 1703 or 1709 with KB4493441 installed
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server, version 1803

Exclusions:
  • C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
  • C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
  • C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe
  • C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
  • C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe

In addition, on Windows Server 2012 R2 and 2016 running the modern, unified solution, the following exclusions are required after updating the Sense EDR component using KB5005292:
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe
  • C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe

OS:
  • Windows 8.1
  • Windows 7
  • Windows Server 2008 R2 SP1

Exclusions:
  • C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe
    NOTE: The Monitoring Host Temporary Files 6\45 folder can have a different subfolder number on your device; check the actual path.
  • C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
  • C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

Add your existing solution to the exclusion list for Microsoft Defender Antivirus

During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:

ADD YOUR EXISTING SOLUTION TO THE EXCLUSION LIST FOR MICROSOFT DEFENDER ANTIVIRUS

Method: Intune

NOTE: Intune is now part of Microsoft Endpoint Manager.

What to do:
  1. Go to the Microsoft Endpoint Manager admin center and sign in.
  2. Select Devices > Configuration profiles, and then select the profile that you want to configure.
  3. Under Manage, select Properties.
  4. Select Configuration settings: Edit.
  5. Expand Microsoft Defender Antivirus, and then expand Microsoft Defender Antivirus Exclusions.
  6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see Microsoft Defender Antivirus exclusions.
  7. Choose Review + save, and then choose Save.

Method: Microsoft Endpoint Configuration Manager

What to do:
  1. Using the Configuration Manager console, go to Assets and Compliance > Endpoint Protection > Antimalware Policies, and then select the policy that you want to modify.
  2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans.

Method: Group Policy Object

What to do:
  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and then select Edit.
  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
  3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)
  4. Double-click the Path Exclusions setting and add the exclusions.
  5. Set the option to Enabled.
  6. Under the Options section, select Show….
  7. Specify each folder on its own line under the Value name column. If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
  8. Select OK.
  9. Double-click the Extension Exclusions setting and add the exclusions.
  10. Set the option to Enabled.
  11. Under the Options section, select Show….
  12. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
  13. Select OK.

Method: Local group policy object

What to do:
  1. On the endpoint or device, open the Local Group Policy Editor.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions. (You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.)
  3. Specify your path and process exclusions.
Method: Registry key

What to do:
  1. Export the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions.
  2. Import the registry key. Here are two examples:
    – Local path: regedit.exe /s c:\temp\MDAV_Exclusion.reg
    – Network share: regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg

Keep the following points about exclusions in mind

When you add exclusions to Microsoft Defender Antivirus scans, you should add path and process exclusions.

Keep the following points in mind:

  • Path exclusions exclude specific files and whatever those files access.
  • Process exclusions exclude whatever a process touches, but does not exclude the process itself.
  • List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
  • If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
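The points above translate directly into Add-MpPreference calls. The following script is an added example and not code from the Microsoft page; the ExistingAV folder and executable names are placeholders for your vendor's actual install path and binaries. It adds the install folder as a path exclusion, adds each executable by its full path as both a process exclusion and a path exclusion (so the process and what it touches are both excluded), and then reads the result back with Get-MpPreference.

```powershell
# Added example (not from the Microsoft page): add path and process exclusions for an
# existing antivirus product to Microsoft Defender Antivirus, then verify. Run elevated.
# The folder and executable names are placeholders; substitute your vendor's real paths.
$existingAvFolder = 'C:\Program Files\ExistingAV'                  # placeholder
$existingAvExes   = @(
    "$existingAvFolder\avservice.exe",                             # placeholder
    "$existingAvFolder\avscanner.exe"                              # placeholder
)

# Path exclusion for the vendor's install folder: files in it are not scanned
Add-MpPreference -ExclusionPath $existingAvFolder

foreach ($exe in $existingAvExes) {
    # Process exclusion by full path, not bare name (name-only is less secure, as noted above)
    Add-MpPreference -ExclusionProcess $exe
    # A process exclusion does not cover the executable itself, so add it as a path exclusion too
    Add-MpPreference -ExclusionPath $exe
}

# Read back what is now configured so the change can be recorded and reviewed
$prefs = Get-MpPreference
Write-Output 'Path exclusions:'
$prefs.ExclusionPath    | ForEach-Object { "  $_" }
Write-Output 'Process exclusions:'
$prefs.ExclusionProcess | ForEach-Object { "  $_" }
```

Because every exclusion is a scanning blind spot, keep the list to the vendor's own binaries and folder, and remove these entries once the existing solution has been uninstalled at the end of the migration.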

Set up your device groups, device collections, and organizational units

Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following table describes each of these groups and how to configure them. Your organization might not use all three collection types.

SET UP YOUR DEVICE GROUPS, DEVICE COLLECTIONS, AND ORGANIZATIONAL UNITS

Collection type: Device groups

Device groups (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

Device groups are created in the Microsoft 365 Defender portal.

What to do:
  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com).
  2. In the navigation pane on the left, choose Settings > Endpoints > Permissions > Device groups.
  3. Choose + Add device group.
  4. Specify a name and description for the device group.
  5. In the Automation level list, select an option. (We recommend Full – remediate threats automatically.) To learn more about the various automation levels, see How threats are remediated.
  6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use device tags.
  7. On the User access tab, specify roles that should have access to the devices that are included in the device group.
  8. Choose Done.

Collection type: Device collections

Device collections enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

Device collections are created by using Configuration Manager.

What to do: Follow the steps in Create a collection.

Collection type: Organizational units

Organizational units enable you to logically group objects such as user accounts, service accounts, or computer accounts.

You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

Organizational units are defined in Azure Active Directory Domain Services.

What to do: Follow the steps in Create an Organizational Unit in an Azure Active Directory Domain Services managed domain.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
