-For configurations you might need to make for network infrastructure services, see [Firewalls and network infrastructure](/azure/information-protection/requirements#firewalls-and-network-infrastructure).

-> If you are using 'TelemetryProxyServer' setting on devices that are otherwise **completely offline**, then it is recommended to add the additional registry setting `PreferStaticProxyForHttpRequest` with a value of `1`.<br>

-This topic describes how to onboard specific Windows servers to Microsoft Defender for Endpoint.

->Windows Server Hyper-V is not supported.

-## Integration with Microsoft Defender for Servers

-Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Servers. You can onboard servers automatically, have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer.

-For more information, see [Integration with Microsoft Defender for Cloud](azure-server-integration.md).

-> For Windows Server 2012 R2 and 2016 running the modern unified solution, you can either manually install/upgrade the new solution on these machines, or use the integration to automatically deploy or upgrade servers covered by your respective Microsoft Defender for Server plan. More information about making the switch at [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows).

-> - The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, [Windows Server 2019, and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).

-### New Windows Server 2012 R2 and 2016 functionality in the modern unified solution

-The previous implementation of onboarding Windows Server 2012 R2 and Windows Server 2016 required the use of Microsoft Monitoring Agent (MMA).

-The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with the following major improvements:

-#### Known issues and limitations in the new, unified solution package for Windows Server 2012 R2 and 2016

-The following specifics apply to the new unified solution package for Windows Server 2012 R2 and 2016:

-Alternatively, use the instructions provided at [Workaround for a known issue with TelemetryProxyServer on disconnected machines](#workaround-for-a-known-issue-with-telemetryproxyserver-on-disconnected-machines) to install a certificate as a workaround.

- - `Set-MpPreference -EnableNetworkProtection Enabled`

- - `Set-MpPreference -AllowNetworkProtectionOnWinServer 1`

- - `Set-MpPreference -AllowNetworkProtectionDownLevel 1`

- - `Set-MpPreference -AllowDatagramProcessingOnWinServer 1`

- In addition, on machines with a high volume of network traffic, performance testing in your environment is highly recommended before enabling this capability broadly. You may need to account for extra resource consumption.

-## Workaround for a known issue with TelemetryProxyServer on disconnected machines

-Problem description:

-When using the TelemetryProxyServer setting to specify a proxy to be used by the EDR component of Microsoft Defender for Endpoint, on machines that have no other way to access the Certificate Revocation List (CRL) URL, a missing intermediate certificate will cause the EDR sensor to not successfully connect to the cloud service.

-Affected scenario:

-Workaround:

-1. Ensure the machine is running Sense version 10.8048.22439.1065 or higher by either installing using the latest package available from the onboarding page, or by applying KB5005292.

-2. Download and unzip the certificate from https://github.com/microsoft/mdefordownlevelserver/blob/main/InterCA.zip

-3. Import the certificate to the Local Computer trusted "Intermediate Certification Authorities" store.

-You can use the PowerShell command:

-Import-Certificate -FilePath .\InterCA.cer -CertStoreLocation Cert:\LocalMachine\Ca

-## Integration with Microsoft Defender for Cloud

-Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Cloud. You can onboard servers automatically, have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer.

-For more information, see [Integration with Microsoft Defender for Cloud](azure-server-integration.md). Linux servers onboarded through Microsoft Defender for Cloud will have their initial configuration set to run Defender Antivirus in [passive mode](/defender-endpoint/microsoft-defender-antivirus-compatibility#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).

-> [!NOTE]

-> - The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, [Windows Server 2019, and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).

-> - Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.

-## Windows Server 2012 R2 and Windows Server 2016

-If you've fully updated your machines with the latest [monthly rollup](https://support.microsoft.com/topic/october-12-2021-kb5006714-monthly-rollup-4dc4a2cd-677c-477b-8079-dcfef2bda09e) package, there are **no** other prerequisites.

-The installer package will check if the following components have already been installed via an update:

-#### Update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016

-Use the following steps to download the packages:

-You can use the [installer script](server-migration.md#installer-script) to help automate installation, uninstallation, and onboarding.

-1. Create a group policy: <br> Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click **Group Policy Objects** you want to configure and click **New**. Enter the name of the new GPO in the dialogue box that is displayed and click **OK**.

-2. Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.

-5. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.

-10. To link the GPO to an Organization Unit (OU), right-click and select **Link an existing GPO**. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click **OK**.

-> - The Onboarding package for Windows Server 2012 R2, 2016, 2019 and 2022 through Microsoft Endpoint Manager currently ships as a script. For more information on how to deploy programs and scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs).

-## Related topics

-|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud)|

-|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud)|

-| Data refresh timestamp | Indicates when client events were last received for reporting on AV mode, AV engine version, AV platform version, AV security intelligence version, and scan information. |

-Microsoft Defender Antivirus makes up-to-date reports and determinations based on the following criteria:

-| **up-to-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last seven days and has a security intelligence publish time within last seven days and the Engine or Platform version build time is within last 60 days. |

-| **out-of-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last seven days and has a security intelligence publish time within last seven days but Engine or Platform version build time is older than 60 days. |

-| **unknown (no data available)** | the device hasn't communicated with the report event (ΓÇÿSignature refresh timeΓÇÖ) for more than seven days, or the security intelligence publish time is greater than seven days. |

-|Up-to date | the security intelligence version on the device was written in the past seven days and the device has communicated with the report event in past seven days. |

-The following table lays out the possible values for up to date reports for **Antivirus Engine**. Reported Status is based on the last time reporting event was received and security intelligence publish time.

-| EventΓÇÖs Last Refresh Time (also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

-|:-|:-|:-|

-| < 7 days (new) | < 7 days (new) | _Up to date <br/> Out of date <br/> Unknown (whatever client reports)_ |

-| > 7 days (old) | > 7 days (old) | _Unknown_ |

-| < 7 days (new) | > 7 days (old) | _Unknown_ |

-| > 7 days (old) | < 7 days (new) | _Unknown_ |

-**The general definition of ‘Up to date’** The platform version on the device is the most recent platform release. Platform is typically released monthly, via Windows Update). There's a three-day grace period from the day when WU is released.

-The following table lays out the possible up to date report values for **Antivirus Platform**. Reported values are based on the last time reporting event was received and security intelligence publish time.

-| EventΓÇÖs Last Refresh Time (also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

-|:-|:-|:-|

-| < 7 days (new) | < 7 days (new) | _Up to date <br/> Out of date <br/> Unknown (whatever client reports)_ |

-| > 7 days (old) | > 7 days (old) | _Unknown_ |

-| < 7 days (new) | > 7 days (old) | _Unknown_ |

-| > 7 days (old) | < 7 days (new) | _Unknown_ |

-The following table lays out the possible up to date report values for **Security Intelligence** updates. Reported values are based on the last time reporting event was received, the security intelligence publish time, and the last status received from client.

-| EventΓÇÖs Last Refresh Time <br/> (Also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | Last status received from client | _Reported Status_: |

-|:-|:-|:-|:-|

-| >7 days (old) | >7 days (old) | Up to date | _Unknown_ |

-| <7 days (new) | >7 days (old) | Up to date | _Unknown_ |

-| >7 days (old) | <7 days (new) | Up to date | _Unknown_ |

-| <7 days (new) | <7 days (new) | Unknown | _Unknown_|

-| <7 days (new) | <7 days (new) | Up to date | _Up to date_ |

-| >7 days (old) | <7 days (new) | Out of date | _Out of date_ |

-| >7 days (old) | >7 days (old) | Out of date | _Out of date_ |

-| <7 days (new) | >7 days (old) | Out of date | _Out of date_ |

-|Reports: Web content filtering|| In development| In development|

-<br />

-****

- - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users cannot the change the toggle from within the app.

- - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users can't the change the toggle from within the app.

- - Configuration Value: `issupervised`

-| **Windows Client** | [Mobile Device Management / Microsoft Intune](configure-endpoints-mdm.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Local script (up to 10 devices)](configure-endpoints-script.md) <br>[VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud) |

-| **Windows Server** | [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud) |

-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud) |

-In addition to always-on, real-time protection and [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled antivirus scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or when an endpoint is not being used. You can also set up special scans to complete remediation actions if needed.

-|(Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <br/><br/>Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware.<br/><br/>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans.|A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).<br/><br/>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<br/><br/>When the full scan is complete, new security intelligence is available, and a new scan is then required to make sure that no other threats are detected with the new security intelligence.<br/><br/>Because of the time and resources involved in a full scan, in general, Microsoft does not recommend scheduling full scans.|A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive, or a specific folder on your device's local drive.|

-|You want to set up regular, scheduled scans|Quick scan <p> A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder.|

-|You want to make sure a portable device, such as a USB drive, does not contain malware|Custom scan <p> A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.|

-> [!IMPORTANT]

-> If you are using Microsoft Defender for Cloud, see [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud).

-Endpoint | Tool options

-:|:

-**Windows** | [Local script (up to 10 devices)](../defender-endpoint/configure-endpoints-script.md), [Group Policy](../defender-endpoint/configure-endpoints-gp.md), [Microsoft Endpoint Manager/ Mobile Device Manager](../defender-endpoint/configure-endpoints-mdm.md), [Microsoft Endpoint Configuration Manager](../defender-endpoint/configure-endpoints-sccm.md), [VDI scripts](../defender-endpoint/configure-endpoints-vdi.md), [Integration with Microsoft Defender for Cloud](../defender-endpoint/configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud)

-**macOS** | [Local scripts](../defender-endpoint/mac-install-manually.md), [Microsoft Endpoint Manager](../defender-endpoint/mac-install-with-intune.md), [JAMF Pro](../defender-endpoint/mac-install-with-jamf.md), [Mobile Device Management](../defender-endpoint/mac-install-with-other-mdm.md)

-**Linux Server** | [Local script](../defender-endpoint/linux-install-manually.md), [Puppet](../defender-endpoint/linux-install-with-puppet.md), [Ansible](../defender-endpoint/linux-install-with-ansible.md)

-**iOS** | [App-based](../defender-endpoint/ios-install.md)

-**Android** | [Microsoft Endpoint Manager](../defender-endpoint/android-intune.md)

-|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> View-Only Case|

-|**Insider Risk Management Session Approvers**|Manage group modification requests for session recording.|Insider Risk Management Sessions|

-|**Insider Risk Management Sessions**|Allow managing group modification requests for session recording.|Insider Risk Management <br/><br/> Insider Risk Management Session Approvers|