Introduction to Microsoft Defender on Windows Server 2019
Microsoft Defender Antivirus is built into Windows Server 2019 and provides real-time protection against malware, ransomware, spyware and other threats. It is one piece of the Defender family on Server 2019: Windows Defender System Guard and Credential Guard are separate virtualization-based protections for boot integrity and credential isolation, and Microsoft Defender for Endpoint (MDE) is the licensed EDR product that layers behavioral analytics, investigation and automated remediation on top of the antivirus. For basic server protection, the built-in antivirus with narrow, validated exclusions, scheduled scans and current definitions is sufficient; for advanced threat detection, investigation and response, onboard the server to MDE. This guide covers setting up and hardening Microsoft Defender on Windows Server 2019.
Verifying Defender is Enabled
On Windows Server 2019, Microsoft Defender Antivirus is installed and enabled by default on both Desktop Experience and Server Core installations (Server Core ships without the management GUI, but the engine and the Defender cmdlets are present). Check the current status from an elevated PowerShell session:
Get-MpComputerStatus | Select-Object AMRunningMode, AMEngineVersion, AMProductVersion, AMServiceEnabled, AntispywareEnabled, AntivirusEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, NISEnabled, OnAccessProtectionEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AntivirusSignatureVersion
If Defender is not running, start and enable the service (if the Windows-Defender feature itself was removed, reinstall it first with Install-WindowsFeature Windows-Defender):
Set-Service -Name WinDefend -StartupType Automatic
Start-Service WinDefend
Set-MpPreference -DisableRealtimeMonitoring $false
If a third-party antivirus product is installed, Defender should not be left fighting it for file access. On Windows Server 2019, Defender Antivirus does not switch to passive mode automatically when another product is installed: passive mode is only available once the server is onboarded to Microsoft Defender for Endpoint and the ForceDefenderPassiveMode value (DWORD 1) is set under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection; otherwise either uninstall the Windows-Defender feature or remove the third-party product. In passive mode Defender provides no real-time protection but still receives updates, runs on-demand and scheduled scans, and keeps reporting to MDE. AMRunningMode in Get-MpComputerStatus shows which mode the server is in.
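The checks in this section can be folded into a single health function that returns findings instead of a wall of properties. The following is an added example, not code from the original page or from Microsoft; the function name, the signature-age threshold and the decision to treat anything other than AMRunningMode "Normal" as a finding are this example's own choices.

```powershell
# Added example (not from the original page): turn Get-MpComputerStatus into a
# list of actionable findings. Thresholds and the function name are assumptions.
function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3   # assumed acceptable signature age
    )
    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # 'Normal' means Defender owns real-time protection. 'Passive Mode',
    # 'EDR Block Mode' or 'Not running' mean something else is (or nothing is).
    if ($status.AMRunningMode -ne 'Normal') {
        $findings.Add("AMRunningMode is '$($status.AMRunningMode)', not 'Normal'")
    }

    # Every protection component should report True on a healthy server
    foreach ($flag in 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                      'BehaviorMonitorEnabled', 'IoavProtectionEnabled',
                      'OnAccessProtectionEnabled', 'NISEnabled') {
        if (-not $status.$flag) { $findings.Add("$flag is False") }
    }

    # Stale signatures are the most common silent failure on isolated servers
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add(("Signatures are {0:N1} days old (version {1})" -f
                       $sigAge.TotalDays, $status.AntivirusSignatureVersion))
    }

    # On Server 2019 passive mode only happens when it was forced through this
    # MDE policy value; surface it so it is not an accidental leftover.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forced = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode `
               -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    if ($forced -eq 1) {
        $findings.Add('ForceDefenderPassiveMode=1 is set; Defender provides no real-time protection')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Healthy      = ($findings.Count -eq 0)
        RunningMode  = $status.AMRunningMode
        Findings     = $findings
    }
}

Test-DefenderHealth | Format-List
```

Run it from an elevated session; Healthy is only True when every component is on, the running mode is Normal, signatures are within the threshold and passive mode has not been forced. The same function works unchanged through Invoke-Command against a list of servers.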
Updating Defender Definitions
Keeping signature definitions current is critical for effective malware detection. Update definitions immediately and configure automatic updates:
Update-MpSignature
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion, AntispywareSignatureVersion
Configure update sources for servers without direct internet access. Defender can pull definitions from Microsoft Update, the Microsoft Malware Protection Center (MMPC) download site, an internal update server (WSUS or Configuration Manager), or a UNC file share that you populate yourself. SignatureFallbackOrder lists these in the order they are tried; for an isolated server put the internal server and the file share first, since the Microsoft sources will only time out:
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\UpdateServer\DefenderUpdates"
Set-MpPreference -SignatureFallbackOrder "InternalDefinitionUpdateServer|FileShares|MicrosoftUpdateServer|MMPC"
Set-MpPreference -SignatureScheduleDay Everyday
Set-MpPreference -SignatureScheduleTime "12:00:00"
Confirm afterwards with Get-MpComputerStatus that AntivirusSignatureLastUpdated advances; a server that silently falls back to unreachable sources keeps reporting as protected while its signatures age.
Configuring Real-Time Protection Settings
Fine-tune real-time protection to balance security and performance on production servers. Enable all protection components; each Disable* switch set to $false turns the corresponding component on:
Set-MpPreference -DisableRealtimeMonitoring $false                     # on-access scanning of files as they are opened or written
Set-MpPreference -DisableBehaviorMonitoring $false                     # behavior-based detection of suspicious process activity
Set-MpPreference -DisableIOAVProtection $false                         # scan downloaded files and attachments
Set-MpPreference -DisableIntrusionPreventionSystem $false              # Network Inspection System (NIS) exploit signatures
Set-MpPreference -DisablePrivacyMode $false                            # keep privacy mode on: only administrators see threat history
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false  # still update signatures at startup if the engine is missing
Set-MpPreference -DisableBlockAtFirstSeen $false                       # block at first sight (needs cloud protection and sample submission)
Set-MpPreference -PUAProtection Enabled                                # block potentially unwanted applications
Enable cloud-delivered protection for faster verdicts on new threats. Block at first sight and the cloud block level only work when MAPS reporting and sample submission are on, and on a headless server AlwaysPrompt is effectively NeverSend because nobody is there to answer the prompt, so use SendSafeSamples (or SendAllSamples where policy allows it):
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50   # hold a suspicious file up to 50 extra seconds while waiting for a cloud verdict
Configuring Exclusions for Server Roles
Antivirus exclusions are necessary for server applications that on-access scanning would otherwise slow down or corrupt, such as database servers, web servers and virtualization hosts. Every exclusion is a blind spot: an attacker with local access can read the exclusion list (from the registry or Get-MpPreference) and stage tooling in an excluded path, so configure exclusions only for validated paths, scope them as narrowly as possible, and prefer path exclusions over global extension exclusions. Windows Server 2016 and later also apply a built-in set of automatic exclusions when a role such as Active Directory Domain Services, DNS, Hyper-V or Web Server is installed through Server Manager; the manual entries below mirror the vendor recommendations for the most common roles:
# SQL Server exclusions
Add-MpPreference -ExclusionPath "C:\Program Files\Microsoft SQL Server"
Add-MpPreference -ExclusionPath "D:\SQLData"
Add-MpPreference -ExclusionExtension ".mdf", ".ldf", ".ndf"
# A process exclusion skips scanning of files the process opens; the executable itself is still scanned
Add-MpPreference -ExclusionProcess "sqlservr.exe", "sqlagent.exe", "sqlbrowser.exe"
# IIS Web Server exclusions
Add-MpPreference -ExclusionPath "C:\inetpub\temp\IIS Temporary Compressed Files"
Add-MpPreference -ExclusionPath "C:\Windows\IIS Temporary Compressed Files"
# Domain Controller exclusions (the folder exclusions already cover ntds.dit, the
# edb*.log/.chk/.jrs transaction files and SYSVOL's registry.pol files; do not add
# global extension exclusions for .log, .chk or .pol, which would apply to every
# path on the server)
Add-MpPreference -ExclusionPath "C:\Windows\SYSVOL"
Add-MpPreference -ExclusionPath "C:\Windows\NTDS"
Verify exclusions:
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
Configuring Scheduled Scans
Schedule a weekly full scan and a daily quick scan to catch anything that slipped past real-time protection, timed to minimize impact on the workload. ScanScheduleDay and ScanScheduleTime govern the scheduled scan whose type is set by ScanParameters (the default is a quick scan, so set it explicitly), while ScanScheduleQuickScanTime schedules a separate daily quick scan:
Set-MpPreference -ScanParameters FullScan               # the weekly scheduled scan is a full scan
Set-MpPreference -ScanScheduleDay Saturday
Set-MpPreference -ScanScheduleTime "03:00:00"
Set-MpPreference -ScanScheduleQuickScanTime "23:00:00"  # daily quick scan
Set-MpPreference -ScanAvgCPULoadFactor 30               # cap scan CPU usage at roughly 30 percent
Set-MpPreference -ScanOnlyIfIdleEnabled $true           # on a server that is never idle, set $false or the scan keeps being deferred
Set-MpPreference -RemediationScheduleDay Saturday
Set-MpPreference -RemediationScheduleTime "03:30:00"
Run an immediate scan manually:
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType FullScan
Start-MpScan -ScanType CustomScan -ScanPath "D:\Data"
Enabling Network Protection
Network Protection prevents any process on the server from connecting to domains and IP addresses that Microsoft's SmartScreen reputation service rates as hosting malware, exploit kits or phishing content. It is enforced by the Defender network filter driver, so it covers non-browser processes such as scripts and service binaries. It depends on real-time protection and cloud-delivered protection (MAPS) being enabled, and on Windows Server it must additionally be allowed explicitly:
Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -AllowNetworkProtectionOnWinServer $true
Get-MpPreference | Select-Object EnableNetworkProtection, AllowNetworkProtectionOnWinServer
Set Network Protection to audit mode first to review what would be blocked before enabling block mode. Audit and block events are written to the Microsoft-Windows-Windows Defender/Operational log, not to the Application log: Event ID 1125 records a connection that would have been blocked (audit mode), Event ID 1126 records an actual block (block mode):
Set-MpPreference -EnableNetworkProtection AuditMode
# Review Event ID 1125 in Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
Set-MpPreference -EnableNetworkProtection Enabled
Configuring Controlled Folder Access
Controlled Folder Access allows only trusted applications (Microsoft's built-in allow list plus the ones you add) to write to protected folders, which blunts ransomware and other unauthorized modification. It requires real-time protection. It also supports AuditMode; start there, review Event ID 1124 (audited) and 1123 (blocked) in the Defender Operational log, then switch to Enabled. Allowed applications are given by full path, and allowing a generic host such as powershell.exe or cmd.exe would defeat the control. Enable and configure it:
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\CriticalData", "C:\Finance"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\BackupApp\backup.exe", "C:\AppData\app.exe"
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
Configuring Attack Surface Reduction Rules
Attack Surface Reduction (ASR) rules block behaviors commonly used in malware attacks. Each rule is set independently to Disabled (0), Block (1) or Audit (2); roll rules out in audit first and review Event ID 1122 (audit) and 1121 (block) in the Defender Operational log before switching to block. The rules below target Office, email and script abuse; they are inert on a server without Office or a mail client but matter on terminal servers and anywhere users open documents. The last rule needs cloud-delivered protection enabled:
$rules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = 1  # Block executable content from email client and webmail
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = 1  # Block all Office applications from creating child processes
    "3B576869-A4EC-4529-8536-B80A7769E899" = 1  # Block Office applications from creating executable content
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = 1  # Block Office applications from injecting code into other processes
    "D3E037E1-3EB8-44C8-A917-57927947596D" = 1  # Block JavaScript or VBScript from launching downloaded executable content
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = 1  # Block execution of potentially obfuscated scripts
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = 1  # Block Win32 API calls from Office macros
    "01443614-CD74-433A-B99E-2ECDC07BFC25" = 1  # Block executables unless they meet a prevalence, age or trusted-list criterion
}
foreach ($ruleId in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions $rules[$ruleId]
}
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
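The rules that pay off most on a server are the ones aimed at lateral movement and credential theft rather than Office, and the audit-first approach recommended for Network Protection, Controlled Folder Access and ASR above needs one place to review what audit mode would have stopped. The following is an added example, not code from the original page or from Microsoft, serving all three sections: it stages five server-oriented ASR rules (Microsoft's published rule GUIDs) in audit mode and summarizes the Exploit Guard audit and block events from the Defender Operational log. The function names are this example's own, and the EventData field names it picks out (ID, Process Name, Path, User) are an assumption about the event schema; every field is also returned unparsed so nothing is lost if a feature names them differently.

```powershell
# Added example (not from the original page). Rule GUIDs are Microsoft's published
# identifiers; function names and the assumed EventData field names are this example's.
$ServerAsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Set-ServerAsrRules {
    param([ValidateSet('Disabled', 'Block', 'AuditMode')][string]$Mode = 'AuditMode')
    $action = @{ Disabled = 0; Block = 1; AuditMode = 2 }[$Mode]
    foreach ($id in $ServerAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
}

# Defender Operational log: 1121 ASR block, 1122 ASR audit, 1123 CFA block,
# 1124 CFA audit, 1125 Network Protection audit, 1126 Network Protection block
function Get-ExploitGuardEvents {
    param([int]$Days = 7)
    $auditIds = 1122, 1124, 1125
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Read every named EventData field generically instead of relying on a fixed schema
        $xml = [xml]$evt.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        $feature = if ($evt.Id -in 1121, 1122) { 'ASR' }
                   elseif ($evt.Id -in 1123, 1124) { 'ControlledFolderAccess' }
                   else { 'NetworkProtection' }
        # ASR events carry the rule GUID in 'ID' (assumed field name); map known ones to names
        $ruleId = if ($fields['ID']) { $fields['ID'].Trim('{}').ToLower() } else { $null }
        $rule   = if ($ruleId -and $ServerAsrRules.Contains($ruleId)) { $ServerAsrRules[$ruleId] } else { $ruleId }

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Feature = $feature
            Mode    = if ($evt.Id -in $auditIds) { 'Audit' } else { 'Block' }
            Rule    = $rule
            Process = $fields['Process Name']   # assumed field name
            Target  = $fields['Path']           # assumed field name: file, folder or URL
            User    = $fields['User']           # assumed field name
            Fields  = $fields                   # complete, unparsed event data
        }
    }
}

Set-ServerAsrRules -Mode AuditMode
Get-ExploitGuardEvents -Days 7 |
    Group-Object Feature, Mode, Rule, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Let the rules run in audit through at least one full maintenance cycle (backups, patching, agent upgrades) before calling Set-ServerAsrRules -Mode Block; the grouped output shows which process would trip which rule, and an entry for a legitimate agent under the PsExec/WMI rule is the usual sign that the rule needs an ASR exclusion, or that the rule is incompatible with the management tooling in use.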
Onboarding to Microsoft Defender for Endpoint
For enterprise-grade EDR capabilities, onboard Windows Server 2019 to Microsoft Defender for Endpoint. In the Defender portal (security.microsoft.com), under endpoint onboarding, select the Windows Server 2019 operating system and the Local Script deployment method, download the package, and run the script from an elevated command prompt (Group Policy or your configuration manager deploys the same script fleet-wide):
.\WindowsDefenderATPOnboardingScript.cmd
Verify that the Sense service (the MDE sensor) is running and the machine is onboarded:
Get-Service Sense | Select-Object Status, StartType
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name "OnboardingState"
# OnboardingState = 1 means onboarded successfully; the server should appear in the portal's device inventory shortly after
Reviewing Threat History and Alerts
Review detected threats and protection history. Get-MpThreatDetection records each detection event, keyed by ThreatID and without a threat name; Get-MpThreat lists the threat catalogue entries with names and severity, and the two join on ThreatID:
Get-MpThreatDetection | Select-Object ThreatID, InitialDetectionTime, ActionSuccess, CurrentThreatExecutionStatusID, DetectionSourceTypeID, DomainUser, ProcessName, Resources | Format-Table -AutoSize
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, CategoryID, IsActive, DidThreatExecute | Format-Table
# 1116 = malware detected, 1117 = remediation action taken, 1118 = remediation action failed
Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1116, 1117, 1118} -MaxEvents 50 | Select-Object TimeCreated, Id, Message
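The two cmdlets above are far more useful joined than read separately: the detection record says who ran what and whether remediation succeeded, the catalogue record says what it was and how bad. The following is an added example, not code from the original page or from Microsoft, that joins them on ThreatID and turns the numeric IDs into names. The severity and detection-source mappings follow the MSFT_MpThreat and MSFT_MpThreatDetection class documentation; the function name and the triage filter at the end are this example's own.

```powershell
# Added example (not from the original page): join detections with the threat
# catalogue and surface the ones that need a human. ID-to-name maps follow the
# MSFT_MpThreat / MSFT_MpThreatDetection documentation; the function is an assumption.
$SeverityName = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
$DetectionSourceName = @{
    0 = 'Unknown'; 1 = 'User'; 2 = 'System'; 3 = 'RealTime'; 4 = 'IOAV'; 5 = 'NRI'
    6 = 'ELAM'; 7 = 'LocalAttestation'; 8 = 'RemoteAttestation'; 9 = 'AMSI'; 10 = 'UAC'
}

function Get-DefenderDetectionReport {
    param([int]$Days = 30)

    # Index the catalogue by ThreatID (as string, so the key type cannot mismatch)
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[[string]$t.ThreatID] = $t }

    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since } | ForEach-Object {
        $t = $threats[[string]$_.ThreatID]
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
            # Cast to [int]: the IDs come back as bytes and would not match Int32 hashtable keys
            Severity   = if ($t) { $SeverityName[[int]$t.SeverityID] } else { 'Unknown' }
            Source     = $DetectionSourceName[[int]$_.DetectionSourceTypeID]
            Executed   = if ($t) { $t.DidThreatExecute } else { $null }
            Remediated = $_.ActionSuccess
            User       = $_.DomainUser
            Process    = $_.ProcessName
            Resources  = ($_.Resources -join '; ')
        }
    }
}

$report = Get-DefenderDetectionReport -Days 30
$report | Sort-Object Detected -Descending | Format-Table -AutoSize

# Triage: high or severe threats that ran and were not successfully remediated
$report | Where-Object { $_.Severity -in 'High', 'Severe' -and $_.Executed -and -not $_.Remediated }
```

A detection with Executed = True and Remediated = False on a server means the payload ran and is still there; that is an incident, not a log entry, and on an MDE-onboarded server the matching alert and process tree in the portal are the next stop.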