How to Set Up Windows Defender on Windows Server 2016

Windows Defender Antivirus is included with Windows Server 2016 and provides real-time protection against malware, viruses, spyware, and other threats. In Server 2016, Windows Defender is enabled by default unless a third-party antivirus is installed. This guide covers managing Windows Defender through PowerShell, configuring scan schedules, exclusions, and integrating with Windows Defender Advanced Threat Protection (ATP) for enterprise threat detection.

Step 1: Verify Windows Defender Status

Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AMProductVersion

Check if the Windows Defender service is running:

Get-Service -Name WinDefend | Select-Object Name, Status, StartType

Step 2: Enable Windows Defender

If Windows Defender has been disabled, re-enable real-time protection:

Set-MpPreference -DisableRealtimeMonitoring $false

Enable all protection components:

Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableOnAccessProtection $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false

Step 3: Update Definitions

Force an immediate definition update:

Update-MpSignature

Specify an alternative update source (e.g., internal WSUS or UNC path):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\fileserver\DefenderUpdates"
Update-MpSignature -UpdateSource FileShares

Check current signature version and age:

Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge

Step 4: Run Manual Scans

Run a quick scan:

Start-MpScan -ScanType QuickScan

Run a full scan:

Start-MpScan -ScanType FullScan

Scan a specific path:

Start-MpScan -ScanType CustomScan -ScanPath "D:\FileShares"

Step 5: Configure Scheduled Scans

Set-MpPreference -ScanScheduleDay Everyday `
  -ScanScheduleTime "02:00:00" `
  -ScanParameters QuickScan `
  -RemediationScheduleDay Everyday

Day options: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Everyday, Never.

Step 6: Configure Exclusions

Add path exclusions (useful for database files or backup directories):

Add-MpPreference -ExclusionPath "D:\SQLData", "D:\SQLLogs", "E:\Backups"

Add process exclusions (prevent scanning files accessed by specific processes):

Add-MpPreference -ExclusionProcess "sqlservr.exe", "msmdsrv.exe"

Add file extension exclusions:

Add-MpPreference -ExclusionExtension "mdf", "ldf", "ndf"

View all current exclusions:

Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension

Step 7: Configure Cloud-Based Protection and Sample Submission

Enable cloud-delivered protection for faster threat response:

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

Step 8: Review Threat History

Get-MpThreatDetection | Select-Object ThreatID, ActionSuccess, DetectionSourceTypeID, DomainUser, ProcessName, Resources

Get detailed threat information:

Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, CategoryID, IsActive | Format-Table

Step 9: Remove Quarantined Threats

View quarantined items and remove all:

Get-MpThreat
Remove-MpThreat

Step 10: Deploy Windows Defender Settings via Group Policy

Configure Windows Defender settings across all domain computers using GPO at:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus

Key GPO settings to configure:

  • Turn on real-time protection
  • Configure scheduled scan settings
  • Define paths excluded from scanning
  • Turn on behavior monitoring
  • Configure Microsoft MAPS reporting level

Step 11: Verify Defender Status After Configuration

After applying all configuration changes, verify the final status of Windows Defender:

Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled

Check that scheduled scan settings were applied:

Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, ScanParameters, SignatureUpdateInterval

Run a quick validation scan to confirm Defender is operational:

Start-MpScan -ScanType QuickScan
Get-MpComputerStatus | Select-Object LastQuickScanSource, LastQuickScanStartTime, LastQuickScanEndTime
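
The checks from Steps 2, 3, 6 and 11 can be combined into one audit function that reports disabled components, stale signatures and exclusions that exempt more than a single workload. This is an added example, not part of the original guide: the function name Test-DefenderBaseline, the 3-day signature-age threshold and the patterns used to flag broad exclusions are assumptions, and the sample objects are constructed so it runs without Defender present.

```powershell
# Added example. Function name, threshold and exclusion patterns are assumptions.
function Test-DefenderBaseline {
    param(
        [Parameter(Mandatory)] $Status,      # output of Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference,  # output of Get-MpPreference
        [int] $MaxSignatureAgeDays = 3       # assumed freshness threshold
    )
    $findings = @()

    # Protection components enabled in Step 2 and verified in Step 11
    foreach ($flag in 'AntivirusEnabled', 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                      'IoavProtectionEnabled', 'OnAccessProtectionEnabled') {
        if (-not $Status.$flag) { $findings += "Protection component off: $flag" }
    }

    # Signature freshness (Step 3); AntivirusSignatureAge is reported in days
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($Status.AntivirusSignatureAge) days old"
    }

    # Exclusions (Step 6): flag a whole drive root or a user-writable location
    foreach ($path in $Preference.ExclusionPath) {
        if ($path -match '^[A-Za-z]:\\?$' -or $path -match '\\(Users|Temp)(\\|$)') {
            $findings += "Over-broad path exclusion: $path"
        }
    }
    # Excluding executable or script extensions exempts the files most worth scanning
    foreach ($ext in $Preference.ExclusionExtension) {
        if ($ext.TrimStart('.') -in 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js') {
            $findings += "Executable/script extension excluded: $ext"
        }
    }
    return $findings
}

# Constructed sample objects standing in for Get-MpComputerStatus / Get-MpPreference
$sampleStatus = [pscustomobject]@{
    AntivirusEnabled = $true; RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true
    OnAccessProtectionEnabled = $true; AntivirusSignatureAge = 9
}
$samplePreference = [pscustomobject]@{
    ExclusionPath      = 'D:\SQLData', 'E:\', 'C:\Users\Public'
    ExclusionExtension = 'mdf', 'ldf', 'ps1'
}
Test-DefenderBaseline -Status $sampleStatus -Preference $samplePreference

# On a live server:
# Test-DefenderBaseline -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
```

An empty result means every check passed; each returned string is one item to review before the configuration is treated as final.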

Summary

Windows Defender on Windows Server 2016 provides a solid, integrated antivirus solution with real-time protection, scheduled scanning, cloud-based threat intelligence, and central management via Group Policy. Proper exclusion configuration for SQL Server, Exchange, and other server workloads is critical to maintaining performance while keeping systems protected against evolving threats.