Introduction to Microsoft Defender for Endpoint on Windows Server 2022

Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform that builds on the Microsoft Defender Antivirus engine shipped with the operating system (still labelled "Windows Defender" in many places). Defender AV is the antimalware engine: real-time scanning, cloud-delivered protection and behavior monitoring. MDE adds Endpoint Detection and Response (EDR), threat and vulnerability management, automated investigation and remediation, response actions such as device isolation and live response, and central reporting for attack surface reduction rules, all managed from the Microsoft Defender portal.

Windows Server 2022 is a supported platform for MDE onboarding. Unlike Windows 10/11 clients, server onboarding follows a slightly different process and has specific licensing requirements. This article walks through the full process of licensing, onboarding, verifying, and configuring MDE on Windows Server 2022.

MDE Licensing Requirements for Windows Server 2022

Microsoft Defender for Endpoint on Windows Server is not included in the Windows Server license, and the per-user MDE Plan 1 and Plan 2 licenses do not cover servers. You need one of the following to onboard a Windows Server 2022 machine:

  • Microsoft Defender for Servers Plan 1 or Plan 2, enabled through Microsoft Defender for Cloud (formerly Azure Defender): billed per server per hour, for Azure VMs and for on-premises or multi-cloud machines connected through Azure Arc
  • Microsoft Defender for Endpoint Server, the standalone per-server, per-month add-on for organizations not using Defender for Cloud
  • Microsoft 365 E5, E5 Security, or A5: includes MDE Plan 2 for licensed users and their client devices only; server coverage still requires one of the server licenses above

The most common enterprise choice is Defender for Servers Plan 2 via Microsoft Defender for Cloud, which provides MDE Plan 2 functionality plus Azure-native vulnerability management, file integrity monitoring, and just-in-time VM access for Azure-hosted servers.

Before onboarding, confirm that the license is assigned in the Microsoft 365 admin center or that Defender for Servers is enabled on the subscription in the Azure portal. The onboarding package does not verify entitlement, so a server appearing in the device list only proves the sensor can reach the cloud; it is not evidence that the server is licensed.

Onboarding Methods Overview

There are four primary ways to onboard Windows Server 2022 to Microsoft Defender for Endpoint:

  • Local onboarding script: single servers, testing, or proof of concept. Uses WindowsDefenderATPOnboardingScript.cmd.
  • Group Policy: on-premises Active Directory environments with many servers; the GPO delivers the same onboarding package through a scheduled task.
  • Microsoft Configuration Manager: estates already managed by ConfigMgr; the onboarding package is deployed as a configuration item.
  • Microsoft Defender for Cloud: for Azure VMs and Azure Arc-enabled servers, Defender for Servers deploys the sensor automatically once the plan is enabled on the subscription. This is the usual path for cloud-managed fleets.

Intune does not enroll Windows Server, so it is not an onboarding route (MDE security settings management can still push Defender policy to onboarded servers). The Microsoft Monitoring Agent (MMA) method belongs to the legacy sensor for Windows Server 2008 R2, 2012 R2 and 2016 and is not used on Server 2022.

Windows Server 2019 and 2022 ship with the MDE sensor (the SENSE service) built into the operating system, so onboarding only has to deliver the onboarding configuration; there is no agent to install. Windows Server 2012 R2 and 2016 use the separate unified solution package, which replaced the MMA-based sensor and brings those versions close to parity with 2019/2022 in the portal.

Onboarding with the Local Script (WindowsDefenderATPOnboardingScript.cmd)

The local onboarding script is the fastest way to get a single server enrolled. To obtain the script:

  1. Log in to the Microsoft Defender portal at security.microsoft.com
  2. Navigate to Settings > Endpoints > Device Management > Onboarding
  3. Select Windows Server 2019 and 2022 from the operating system dropdown
  4. Select Local Script as the deployment method
  5. Click Download onboarding package and save the ZIP file

Extract the ZIP and copy the onboarding package to the target server. Run the script from an elevated Command Prompt; it fails immediately if it is not running as administrator, and it asks you to press Y to confirm before it writes the onboarding configuration:

WindowsDefenderATPOnboardingScript.cmd

The script will output progress messages. A successful onboarding shows:

Successfully onboarded machine to Microsoft Defender for Endpoint
Triggering the start of the telemetry service

After the script completes, the SENSE service (Microsoft Defender Advanced Threat Protection Service) should start automatically. It may take 5–10 minutes for the device to appear in the Defender portal.

Verifying Onboarding with Get-Service sense

The SENSE service is the MDE sensor that transmits telemetry to the Defender backend. After onboarding, verify it is running using PowerShell:

Get-Service -Name "sense"

Expected output:

Status   Name               DisplayName
------   ----               -----------
Running  sense              Windows Defender Advanced Threat Protection Service

If the service is stopped, start it and read the sensor's own operational log (SENSE does not write to the Application log; connectivity and configuration errors land in Microsoft-Windows-SENSE/Operational):

Start-Service -Name "sense"
Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

You can also verify connectivity from the server to the MDE cloud endpoints with the Microsoft Defender for Endpoint Client Analyzer, downloadable from https://aka.ms/MDEClientAnalyzer. Run MDEClientAnalyzer.cmd from an elevated prompt; it tests network connectivity to the required endpoints (including through any configured proxy), service status, signature and platform versions, and configuration state, and writes an HTML report you can attach to a support case.

To check onboarding status from the registry:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" | Select-Object OnboardingState

A value of 1 indicates successfully onboarded. A value of 0 means the device is not onboarded.
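The three checks above (service, registry, sensor log) are usually run one at a time. The following script, added here as an example and not part of the original article, folds them into one function that returns a single object you can run across a fleet with Invoke-Command. The registry value names OnboardingState, OrgId and SenseId and the SENSE operational log name are the ones the sensor writes; the Healthy verdict, the lookback window and the output shape are this example's own choices.

```powershell
# Added example: one-shot MDE onboarding health check for Windows Server 2022.
# Run from an elevated PowerShell session.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        # Minutes of SENSE operational-log history to summarise (example's own default)
        [int]$LookbackMinutes = 60
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        SenseServiceStatus = 'NotInstalled'
        SenseStartType     = $null
        OnboardingState    = $null
        OrgId              = $null
        SenseId            = $null
        RecentErrors       = @()
        Healthy            = $false
    }

    # 1. Service state: the sensor is the SENSE service; "Running" is the only good answer
    $svc = Get-Service -Name 'sense' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SenseServiceStatus = $svc.Status.ToString()
        $result.SenseStartType     = $svc.StartType.ToString()
    }

    # 2. Registry state: OnboardingState 1 = onboarded, 0 = not onboarded.
    #    OrgId identifies the tenant the device reports to, SenseId the device record.
    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
        $result.SenseId         = $props.SenseId
    }

    # 3. Sensor log: Critical/Error events here usually mean the device will never show
    #    up in the portal (a proxy or firewall blocking the cloud endpoints is the usual cause).
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        StartTime = $since
        Level     = 1, 2   # 1 = Critical, 2 = Error
    } -ErrorAction SilentlyContinue
    $result.RecentErrors = @($events | Select-Object TimeCreated, Id, Message -First 10)

    $result.Healthy = ($result.SenseServiceStatus -eq 'Running') -and
                      ($result.OnboardingState -eq 1) -and
                      ($result.RecentErrors.Count -eq 0)

    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List

# Remediation for the common case: service present but stopped.
if (-not $check.Healthy) {
    if ($check.SenseServiceStatus -eq 'Stopped') {
        Start-Service -Name 'sense'
    }
    $check.RecentErrors | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
}
```

A server that is Healthy here but still missing from the portal after 10 to 15 minutes is almost always a tenant mismatch (OrgId does not match the tenant you are looking at) or a proxy that passes the analyzer's tests but not the sensor's authenticated traffic; the SENSE log will show the latter within the lookback window.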

MDE vs Windows Defender Antivirus

It is important to understand that MDE and Windows Defender Antivirus are complementary but distinct components. Windows Defender AV is the antimalware engine — it scans files, blocks known malware, and quarantines threats. MDE is the EDR platform — it monitors behavioral signals, correlates events across the device timeline, and detects sophisticated attacks that bypass signature-based detection.

On Windows Server 2022, when MDE is onboarded, Defender AV keeps running alongside the SENSE sensor. MDE consumes the AV engine's detections and adds response actions on top of them: isolate the device, run an AV scan, collect an investigation package, stop and quarantine a file, and open a live response session. MDE does not replace Defender AV; for full coverage the AV engine must stay installed and be either active or in passive mode, never disabled.

When a third-party antivirus product is the primary engine, Defender AV should run in passive mode: it still scans on demand and reports to MDE, but does not block. On Windows 10/11 this switch is automatic; on Windows Server it is not, so you must set the ForceDefenderPassiveMode registry value (DWORD 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection) and restart. Otherwise both engines stay active and contend for the same files. To check the current mode:

Get-MpComputerStatus | Select-Object AMRunningMode

Possible values are Normal (Defender AV is the active engine), Passive Mode, EDR Block Mode, and SxS Passive Mode (passive next to a non-Microsoft AV). If the AV platform is disabled or uninstalled the property reports that it is not running, which is the state to avoid on an MDE-onboarded server.

Endpoint Detection and Response (EDR) Capabilities

Once onboarded, the server gains EDR capabilities: a device timeline covering up to the tenant's data retention period (180 days by default), process tree visualization, file and registry analysis, and alerts raised from behavioral detections. The Defender portal shows process starts, network connections, file writes, registry changes and user logons for the device in one timeline.

EDR in block mode lets MDE block post-breach behaviors that the EDR engine detects even when Defender AV is in passive mode behind a third-party product; when Defender AV is already the active engine it adds nothing. It is not a Set-MpPreference setting. It is a tenant-wide switch in the portal, and it needs Defender AV installed and running (active or passive), cloud-delivered protection enabled, and a reasonably current platform and engine version on the device:

Settings > Endpoints > Advanced Features > EDR in block mode > On
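The passive-mode caveat above and the prerequisites for EDR in block mode are both answered by the same few properties, so the following script, an added example rather than code from the original article, reports them together. The ForceDefenderPassiveMode registry value is the documented way to put Defender AV into passive mode on Windows Server, and the version floors (platform 4.18.2001.10, engine 1.1.16700.2) are the documented minimums for EDR in block mode; the Set-MdePassiveMode helper, the "applies/ready" split and the output shape are this example's own.

```powershell
# Added example: Defender AV running mode and EDR-in-block-mode readiness on Windows Server.
# Run elevated. Requires the Defender PowerShell module that ships with the OS.

function Get-MdeAvPosture {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Windows Server only honours passive mode when this policy value is set (no automatic switch).
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcePassive = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode `
                        -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced
    $cloudOn = [int]$pref.MAPSReporting -gt 0

    $platformOk = [version]$status.AMProductVersion -ge [version]'4.18.2001.10'
    $engineOk   = [version]$status.AMEngineVersion  -ge [version]'1.1.16700.2'

    # EDR in block mode only changes behaviour when Defender AV is not already the active engine,
    # and it needs the AV service up with cloud protection on.
    $edrBlockApplies = ($status.AMRunningMode -like 'Passive*') -or ($status.AMRunningMode -like 'SxS*')
    $edrBlockReady   = $status.AMServiceEnabled -and $cloudOn -and $platformOk -and $engineOk

    [pscustomobject]@{
        AMRunningMode            = $status.AMRunningMode
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        ForceDefenderPassiveMode = $forcePassive        # $null = value not set
        CloudProtectionEnabled   = $cloudOn
        PlatformVersion          = $status.AMProductVersion
        EngineVersion            = $status.AMEngineVersion
        EdrBlockModeApplies      = $edrBlockApplies
        EdrBlockModePrereqsMet   = $edrBlockReady
    }
}

function Set-MdePassiveMode {
    # 1 = force Defender AV into passive mode (third-party AV is primary), 0 = return to active.
    # A restart is needed for the change to take full effect.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($policyKey, "Set ForceDefenderPassiveMode=$Value")) {
        Set-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -Value $Value -Type DWord
    }
}

Get-MdeAvPosture | Format-List

# Scenario: a third-party AV is installed but AMRunningMode still reports Normal.
# Set-MdePassiveMode -Value 1 -WhatIf    # drop -WhatIf to apply, then restart the server
```

Read the two EDR columns together: EdrBlockModeApplies tells you whether the portal switch would change anything on this server, and EdrBlockModePrereqsMet tells you whether it could. A server with a third-party AV, ForceDefenderPassiveMode unset and AMRunningMode Normal is the misconfiguration this section warns about.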

Automated Investigation and Response (AIR) is another key MDE feature that automatically investigates alerts and takes remediation actions without requiring analyst intervention. AIR investigates suspicious processes, examines related network activity, checks for lateral movement indicators, and can automatically quarantine files or isolate devices.

To configure the automation level for a device group in the Defender portal, navigate to Settings > Endpoints > Device Groups, select your server group, and set the automation level to Full – remediate threats automatically for the highest automation.

Configuring Attack Surface Reduction (ASR) Rules

Attack Surface Reduction rules are Defender AV policies that block behaviors commonly abused by malware, such as Office applications spawning child processes, execution of obfuscated scripts, and credential theft from LSASS. They are enforced by the AV engine and require it to be in active mode with real-time protection on; in passive mode the rules are not applied. MDE is not needed to enforce them, but it is what gives you the central reporting and the portal view of audit and block events.

Rules are configured per GUID with -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions. Use Add-MpPreference to append to the configured list; Set-MpPreference replaces the whole list with exactly the IDs you pass, which is useful for enforcing a known-good set but easy to do by accident:

# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b3 -AttackSurfaceReductionRules_Actions Enabled

# Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled

# Block execution of potentially obfuscated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions Enabled

# Block process creations from PSExec and WMI commands
Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled

For server workloads, be cautious. The LSASS rule is noisy on servers where legitimate agents (monitoring, backup, identity software) open handles to LSASS, and the PsExec/WMI rule is documented as incompatible with the Configuration Manager client, which uses WMI to launch processes. Always deploy in audit mode first and read the resulting events before switching a rule to block:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b3 -AttackSurfaceReductionRules_Actions AuditMode

Review audit (Event ID 1122) and block (Event ID 1121) events in Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational, or in the Defender portal under Reports > Attack surface reduction rules. Each event names the rule GUID, the process that triggered it and the target path, which is what you need to decide whether to exclude, keep auditing, or enforce.
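The audit-first rollout described above is easier to do consistently with a script than by hand. The following is an added example, not code from the original article: it stages the four rules from this section in audit mode, then summarizes the 1121/1122 events by rule and offending process so you can see what block mode would have stopped. The rule GUIDs and event IDs are the documented ones; the friendly-name table, the promotion workflow and the EventData field names used to parse the events (ID, Path, Process Name, User, as they appear in the event XML) are this example's assumptions.

```powershell
# Added example: staged ASR rollout (audit -> review -> block) for a Windows Server.
# Run elevated. Requires Defender AV in active mode; ASR is not enforced in passive mode.

$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b3' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
}

function Set-AsrRuleStage {
    # Add-MpPreference appends to the configured rule list; Set-MpPreference would replace it.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$RuleId,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')][string]$Action
    )
    foreach ($id in $RuleId) {
        if ($PSCmdlet.ShouldProcess($AsrRules[$id], "set ASR action $Action")) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        }
    }
}

function Get-AsrAuditSummary {
    # Group audit/block hits by rule and process: the list of things block mode would break.
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122          # 1121 = blocked, 1122 = audited
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull named EventData fields out of the event XML (field names assumed as documented above)
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $mode = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Mode    = $mode
            RuleId  = $data['ID']
            Rule    = $AsrRules[$data['ID']]
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    } | Group-Object RuleId, Process, Mode | ForEach-Object {
        [pscustomobject]@{
            Hits       = $_.Count
            Mode       = $_.Group[0].Mode
            Rule       = $_.Group[0].Rule
            Process    = $_.Group[0].Process
            LastTarget = $_.Group[-1].Target
        }
    } | Sort-Object Hits -Descending
}

# Stage 1: every rule in audit mode.
Set-AsrRuleStage -RuleId ([string[]]$AsrRules.Keys) -Action AuditMode

# Stage 2: after a representative period (a backup window, a patch cycle, a ConfigMgr client cycle),
# review what would have been blocked.
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize -Wrap

# Stage 3: promote only rules whose audit hits are all expected; leave noisy ones in audit.
# Set-AsrRuleStage -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b3' -Action Enabled
```

Run the summary against the same window on every server role before promoting a rule fleet-wide; a rule that is silent on web servers can be the noisiest one on a backup host, and an exclusion added for one process is a permanent hole that should be a deliberate decision rather than a reaction to a ticket.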

MDE Integration with Microsoft Sentinel

For organizations using Microsoft Sentinel as their SIEM/SOAR platform, MDE integrates natively to stream alerts, incidents, and raw device telemetry into Sentinel. To connect MDE to Sentinel:

  1. In the Azure portal, open your Sentinel workspace
  2. Navigate to Content hub and install the Microsoft Defender XDR solution
  3. Configure the Microsoft Defender XDR data connector
  4. Enable the Connect incidents and alerts toggle
  5. Optionally enable raw event tables (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, etc.) for advanced hunting

Once connected, MDE alerts appear in Sentinel as incidents and the raw device tables can be queried with KQL. For example, lsass.exe almost never spawns child processes, so any process creation whose parent is lsass.exe on a server is worth investigating:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "lsass.exe"
| where DeviceName contains "server"   // replace with your server naming pattern or a device group
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc

Managing Windows Server 2022 through the Defender portal at security.microsoft.com gives you a unified view of device health, vulnerability status, alert queues, and investigation timelines — making MDE a cornerstone of enterprise server security operations.