How to Configure Windows Defender Antivirus on Windows Server 2025
Windows Defender Antivirus (WDA) is the built-in antimalware solution included with Windows Server 2025 and is active by default on Server with Desktop Experience installations. Unlike earlier versions of Windows Server where Defender was often treated as an afterthought, Windows Server 2025 ships with a fully capable, enterprise-grade antivirus engine that integrates seamlessly with the broader Microsoft security ecosystem. Properly configuring WDA ensures your server endpoints maintain real-time protection, receive timely signature updates, and are tuned to avoid performance conflicts with resource-intensive server roles such as SQL Server, Hyper-V, and Active Directory Domain Services. This guide walks through every stage of WDA configuration — from verifying the initial status to crafting Group Policy deployments across your server fleet.
Prerequisites
- Windows Server 2025 installed with Desktop Experience or Server Core
- Local Administrator or Domain Administrator privileges
- PowerShell 5.1 or later (included by default)
- Internet connectivity for signature updates (or WSUS/SCCM for air-gapped environments)
- Group Policy Management Console (GPMC) if deploying settings via GPO
- Understanding of any third-party AV products already present in your environment
Step 1: Verify Windows Defender Antivirus Status
Before making any changes, confirm the current operational state of Windows Defender Antivirus using the Get-MpComputerStatus cmdlet. This cmdlet returns detailed information about the antivirus engine, including whether real-time protection is active, the current signature version, and the last scan time.
# Check the overall Defender status
Get-MpComputerStatus
# Focus on the most critical fields
Get-MpComputerStatus | Select-Object `
AMRunningMode, `
AMServiceEnabled, `
AntispywareEnabled, `
AntivirusEnabled, `
RealTimeProtectionEnabled, `
AntivirusSignatureVersion, `
AntivirusSignatureLastUpdated, `
QuickScanAge, `
FullScanAgeThe AMRunningMode field will show one of several values: Normal means WDA is the primary AV; Passive Mode indicates a third-party AV is installed and WDA is running in a secondary capacity; EDR Block Mode means Microsoft Defender for Endpoint is providing additional enforcement. If the service shows as disabled, use Set-Service -Name WinDefend -StartupType Automatic and Start-Service WinDefend to re-enable it.
Step 2: Update Virus and Threat Protection Definitions
Keeping signature definitions current is the most fundamental ongoing maintenance task for any antivirus deployment. Windows Server 2025 can update definitions directly from Microsoft Update, Windows Server Update Services (WSUS), or a UNC share. Use the following commands to force an immediate update check.
# Force an immediate signature update
Update-MpSignature
# Update from a specific UNC fallback path (useful in air-gapped or WSUS environments)
Update-MpSignature -UpdateSource InternalDefinitionUpdateServer
# Confirm the update completed and note the new version
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdatedFor environments without direct internet access, configure a dedicated definition update share using the Set-MpPreference -SignatureDefinitionUpdateFileSharesSources parameter pointing to a UNC path where you have pre-downloaded definitions.
Step 3: Run Manual Scans
While real-time protection monitors file system activity continuously, scheduled and on-demand scans provide an additional safety net. Windows Server 2025 supports Quick Scans (high-risk areas and running processes), Full Scans (every file on every disk), and Custom Scans targeting specific paths.
# Run a Quick Scan (recommended for routine checks — typically 1-5 minutes)
Start-MpScan -ScanType QuickScan
# Run a Full Scan (thorough but resource-intensive — schedule during maintenance windows)
Start-MpScan -ScanType FullScan
# Run a Custom Scan targeting a specific directory
Start-MpScan -ScanType CustomScan -ScanPath "D:SharesUserData"
# Check scan results after completion
Get-MpThreatDetection | Select-Object ThreatName, ActionSuccess, DetectionTime, ResourcesOn production servers, avoid running Full Scans during peak business hours. Use Task Scheduler or Group Policy to schedule full scans during maintenance windows, typically Sunday nights or early morning hours when user load is minimal.
Step 4: Configure Exclusions for Server Roles
One of the most important — and most frequently overlooked — WDA configuration tasks on servers is defining appropriate exclusions. Scanning certain file types or directories used by database engines, hypervisors, and directory services causes unnecessary I/O overhead and can trigger false positives. Microsoft publishes official exclusion lists for each server role.
# SQL Server: Exclude data, log, and backup directories
Add-MpPreference -ExclusionPath "C:Program FilesMicrosoft SQL Server"
Add-MpPreference -ExclusionPath "D:SQLData"
Add-MpPreference -ExclusionPath "E:SQLLogs"
Add-MpPreference -ExclusionPath "F:SQLBackups"
# SQL Server: Exclude specific file extensions
Add-MpPreference -ExclusionExtension ".mdf"
Add-MpPreference -ExclusionExtension ".ldf"
Add-MpPreference -ExclusionExtension ".ndf"
Add-MpPreference -ExclusionExtension ".bak"
# Hyper-V: Exclude VHD/VHDX files and VM state files
Add-MpPreference -ExclusionPath "C:ProgramDataMicrosoftWindowsHyper-V"
Add-MpPreference -ExclusionPath "D:VMs"
Add-MpPreference -ExclusionExtension ".vhd"
Add-MpPreference -ExclusionExtension ".vhdx"
Add-MpPreference -ExclusionExtension ".avhd"
Add-MpPreference -ExclusionExtension ".vsv"
Add-MpPreference -ExclusionExtension ".iso"
# Active Directory Domain Services: Exclude NTDS database and logs
Add-MpPreference -ExclusionPath "C:WindowsNTDS"
Add-MpPreference -ExclusionPath "C:WindowsSYSVOL"
Add-MpPreference -ExclusionExtension ".dit"
Add-MpPreference -ExclusionExtension ".edb"
Add-MpPreference -ExclusionExtension ".pat"
Add-MpPreference -ExclusionExtension ".log"
# DFSR replication folders (adjust path as appropriate)
Add-MpPreference -ExclusionPath "C:System Volume InformationDFSR"
# Exclude specific processes (e.g., SQL Server engine)
Add-MpPreference -ExclusionProcess "sqlservr.exe"
Add-MpPreference -ExclusionProcess "sqlwriter.exe"
Add-MpPreference -ExclusionProcess "sqlagent.exe"
# Verify all current exclusions
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcessExclusions should be as specific as possible. Avoid broad exclusions like entire drives unless absolutely required, as this significantly reduces your protection surface. Always document exclusions and review them quarterly as server roles and data directories evolve.
Step 5: Toggle Real-Time Protection
Real-time protection monitors files as they are opened, created, or modified. In certain controlled scenarios — such as restoring large database backups or deploying application binaries during a maintenance window — temporarily disabling real-time protection can prevent scan-induced I/O contention. Always re-enable it immediately after the maintenance task completes.
# Disable real-time protection temporarily (administrative maintenance only)
Set-MpPreference -DisableRealtimeMonitoring $true
# Perform your maintenance task here...
# Re-enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Confirm real-time protection is active
(Get-MpComputerStatus).RealTimeProtectionEnabledIn Group Policy-managed environments, this setting may be locked. If Set-MpPreference returns an access denied error, check whether a GPO is enforcing the policy and adjust it at the GPO level instead.
Step 6: Deploy Windows Defender Antivirus Settings via Group Policy
For consistency across server fleets, configure WDA through Group Policy rather than per-server PowerShell commands. The WDA policy node lives at Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus.
# On a domain controller or GPMC workstation — create and link a new GPO
Import-Module GroupPolicy
New-GPO -Name "Windows Defender Antivirus - Servers" | `
New-GPLink -Target "OU=Servers,DC=contoso,DC=com"
# Key GPO settings to configure (via GPMC UI or Set-GPRegistryValue):
# Enable Windows Defender Antivirus
Set-GPRegistryValue -Name "Windows Defender Antivirus - Servers" `
-Key "HKLMSOFTWAREPoliciesMicrosoftWindows Defender" `
-ValueName "DisableAntiSpyware" `
-Type DWord -Value 0
# Configure scheduled quick scan — daily at 3:00 AM
Set-GPRegistryValue -Name "Windows Defender Antivirus - Servers" `
-Key "HKLMSOFTWAREPoliciesMicrosoftWindows DefenderScan" `
-ValueName "ScheduleQuickScanTime" `
-Type DWord -Value 180 # Minutes past midnight (3:00 AM = 180)
# Set signature update interval to every 4 hours
Set-GPRegistryValue -Name "Windows Defender Antivirus - Servers" `
-Key "HKLMSOFTWAREPoliciesMicrosoftWindows DefenderSignature Updates" `
-ValueName "SignatureUpdateInterval" `
-Type DWord -Value 4
# Enable cloud-delivered protection (MAPS)
Set-GPRegistryValue -Name "Windows Defender Antivirus - Servers" `
-Key "HKLMSOFTWAREPoliciesMicrosoftWindows DefenderSpynet" `
-ValueName "SpynetReporting" `
-Type DWord -Value 2 # 2 = Advanced membershipAlways test GPO changes in a staging OU before applying them to production servers. Use gpresult /H C:gp-report.html on a server to confirm the GPO has been applied and the settings are taking effect.
Step 7: Windows Defender Antivirus vs. Third-Party Antivirus
When a third-party antivirus product is installed on Windows Server 2025, WDA automatically transitions to Passive Mode. In Passive Mode, WDA still receives definition updates and participates in threat detection telemetry for Microsoft Defender for Endpoint (MDE) integration, but it does not perform real-time protection or on-demand scans. This is the correct behavior and avoids conflicts between two AV engines scanning the same files simultaneously.
# Confirm current running mode (Normal vs Passive vs Disabled)
(Get-MpComputerStatus).AMRunningMode
# Force WDA into active mode if third-party AV has been removed
# (WDA may not automatically resume — a reboot often resolves this)
Set-MpPreference -DisableRealtimeMonitoring $false
Set-Service -Name WinDefend -StartupType Automatic
Start-Service -Name WinDefend
# Verify active mode after restart
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabledMicrosoft’s recommendation for Windows Server 2025 in enterprise environments is to use WDA together with Microsoft Defender for Endpoint (MDE) rather than replacing it with a third-party product. This combination provides unified telemetry, advanced threat hunting capabilities, and integration with Microsoft Sentinel — features that third-party solutions cannot replicate within the Microsoft 365 Defender ecosystem.
Conclusion
Windows Defender Antivirus on Windows Server 2025 is a production-ready, enterprise-grade antimalware platform that requires deliberate configuration to deliver both strong protection and good performance. By verifying operational status, keeping definitions current, tuning exclusions for your specific server roles, and deploying consistent settings through Group Policy, you build a solid foundation for endpoint security across your server estate. As your environment grows, consider graduating to Microsoft Defender for Endpoint to gain extended detection and response (EDR) capabilities, advanced threat hunting with KQL, and centralized management through the Microsoft 365 Defender portal — all of which layer cleanly on top of the WDA foundation configured in this guide.
