- Microsoft Defender Antivirus on Windows Server
- The process at a glance
- Enable the user interface on Windows Server
- Turn on the GUI using the Add Roles and Features Wizard
- Turn on the GUI using PowerShell
- Install Microsoft Defender Antivirus on Windows Server
- Use the Add Roles and Features Wizard
- Use PowerShell
- Verify Microsoft Defender Antivirus is running
- Update antimalware Security intelligence
- Submit samples
- Submit a file
- Enable automatic sample submission
- Configure automatic exclusions
- Need to set Microsoft Defender Antivirus to passive mode?
- Set Microsoft Defender Antivirus to passive mode using a registry key
- Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
- Turn off the Microsoft Defender Antivirus user interface using PowerShell
- Are you using Windows Server 2016?
- The most secure Windows ever
- Microsoft Defender Antivirus
- Always on defense—at no extra cost
- Files are secured and accessible across devices
- You manage your privacy
- Help keep your family safer online
- Say goodbye to passwords with Windows Hello
- Sign in your way
- Windows Hello enabled apps
- Your companion devices unlock your PC
- Prevent PC updates from interrupting your workflow
- You’re in control with searching, streaming, and gaming
- Set parameters with Ask a Parent tool 6
- Get things done securely and quickly on the web
- Share and edit files in OneDrive
- Security and privacy you can count on
- Find My Device
Microsoft Defender Antivirus on Windows Server
Applies to:
Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
- Windows Server 2019
- Windows Server, version 1803 or later
- Windows Server 2016.
In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server:
- In Windows Server, automatic exclusions are applied based on your defined Server Role.
- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
The process at a glance
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
Enable the user interface on Windows Server
By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the Add Roles and Features wizard, or by using PowerShell cmdlets.
Turn on the GUI using the Add Roles and Features Wizard
When you get to the Features step of the wizard, under Windows Defender Features, select the GUI for Windows Defender option.
In Windows Server 2016, the Add Roles and Features Wizard looks like this:
In Windows Server 2019, the Add Roles and Feature Wizard is similar.
Turn on the GUI using PowerShell
The following PowerShell cmdlet will enable the interface:
Install Microsoft Defender Antivirus on Windows Server
You can use either the Add Roles and Features Wizard or PowerShell to install Microsoft Defender Antivirus.
Use the Add Roles and Features Wizard
Refer to this article, and use the Add Roles and Features Wizard.
When you get to the Features step of the wizard, select the Microsoft Defender Antivirus option. Also select the GUI for Windows Defender option.
Use PowerShell
To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in Microsoft Defender AV Events.
Verify Microsoft Defender Antivirus is running
To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
To verify that firewall protection is turned on, run the following PowerShell cmdlet:
As an alternative to PowerShell, you can use Command Prompt to verify that Microsoft Defender Antivirus is running. To do that, run the following command from a command prompt:
The sc query command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the STATE value displays RUNNING .
Update antimalware Security intelligence
To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
| Method | Description |
|---|---|
| Windows Update in Control Panel | — Install updates automatically results in all updates being automatically installed, including Windows Defender Security intelligence updates. — Download updates but let me choose whether to install them allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
| Group Policy | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates |
| The AUOptions registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: — 4 — Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. — 3 — Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
Windows Error Reporting service
Windows Update service
The following table lists the services for Microsoft Defender Antivirus and the dependent services.
| Service Name | File Location | Description |
|---|---|---|
| Windows Defender Service (WinDefend) | C:\Program Files\Windows Defender\MsMpEng.exe | This is the main Microsoft Defender Antivirus service that needs to be running at all times. |
| Windows Error Reporting Service (Wersvc) | C:\WINDOWS\System32\svchost.exe -k WerSvcGroup | This service sends error reports back to Microsoft. |
| Windows Defender Firewall (MpsSvc) | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork | We recommend leaving the Windows Defender Firewall service enabled. |
| Windows Update (Wuauserv) | C:\WINDOWS\system32\svchost.exe -k netsvcs | Windows Update is needed to get Security intelligence updates and antimalware engine updates |
Submit samples
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
Submit a file
Visit the sample submission portal, and submit your file.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the SubmitSamplesConsent value data according to one of the following settings:
| Setting | Description |
|---|---|
| 0 — Always prompt | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
| 1 — Send safe samples automatically | The Microsoft Defender Antivirus service sends all files marked as «safe» and prompts for the remainder of the files. |
| 2 — Never send | The Microsoft Defender Antivirus service does not prompt and does not send any files. |
| 3 — Send all samples automatically | The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
Configure automatic exclusions
To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
Need to set Microsoft Defender Antivirus to passive mode?
If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
Set Microsoft Defender Antivirus to passive mode using a registry key
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: ForcePassiveMode
- Type: REG_DWORD
- Value: 1
Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
See Install or Uninstall Roles, Role Services, or Features, and use the Remove Roles and Features Wizard.
When you get to the Features step of the wizard, clear the Windows Defender Features option.
If you clear Windows Defender by itself under the Windows Defender Features section, you will be prompted to remove the interface option GUI for Windows Defender.
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core Windows Defender feature.
Turn off the Microsoft Defender Antivirus user interface using PowerShell
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
Are you using Windows Server 2016?
If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you’ll need to disable/uninstall Microsoft Defender Antivirus.
You can’t uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
The most secure Windows ever
Windows 10 provides comprehensive, built-in protection—at no extra cost. 1 Learn how Windows Hello facial recognition and biometric logins, coupled with comprehensive antivirus protection, keep you more secure than ever.
Microsoft Defender Antivirus
Formerly known as Windows Defender, Microsoft Defender Antivirus still delivers the comprehensive, ongoing, and real-time protection you expect against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
Always on defense—at no extra cost
No need to download—Microsoft Defender comes standard on Windows 10, protecting your data and devices in real time with a full suite of advanced security safeguards. 1
Files are secured and accessible across devices
Save your files to OneDrive to keep them protected, backed up, and accessible from all your devices, anywhere.
You manage your privacy
Set your location, camera, and data usage options in the easy-to-access account settings panel.
Help keep your family safer online
With Windows 10, schedule screen time, limit access to mature content, and restrict online purchases, including apps, games, and movies. 2
Say goodbye to passwords with Windows Hello
Windows Hello logs you in 3x faster than a password. 4 Use your camera to recognize your face or try your fingerprint reader. 3 You can always keep your PIN as a backup.
Sign in your way
Enabling Windows Hello turns on sign-in with your face or fingerprint. 3 Login faster and more securely to your laptop, tablet, device, app, or even websites; you can even make in-app purchases.
Windows Hello enabled apps
Windows Hello works with compatible apps like iHeartRadio and Dropbox, so you can bypass the password and breeze right through with facial recognition biometric security. 3
Your companion devices unlock your PC
Windows Hello lets you use your digital wristband, smart watch, phone, and other companion devices to quickly unlock your Windows 10 PC without using a password. 5
Prevent PC updates from interrupting your workflow
Windows 10 provides new features and security updates for free on an ongoing basis. Now you have the option to update when it’s convenient for you.
You’re in control with searching, streaming, and gaming
Set parameters with Ask a Parent tool 6
If your kids want more screen time or to purchase a game, app, or movie, you can require them to request your permission first.
Get things done securely and quickly on the web
Microsoft Edge and Bing feature built-in learning tools, 4K 7 streaming, and advanced cyber protections—all optimized for Windows 10.
Sync your files with OneDrive Learn how to store and access files across devices with OneDrive. Watch step by step how to set-up, sync and access files on your iOS, Andriod and Windows devices.
Share and edit files in OneDrive
Save files to OneDrive to keep them protected, backed up, and accessible from your iOS, Android, and Windows devices, virtually anywhere. 8 Even offline.
Security and privacy you can count on
Privacy starts with putting you in control. You should have the tools and information to make informed choices. You can manage your data saved to the cloud.
Find My Device
Find My Device is a feature that can help you locate your Windows 10 device if it’s lost or stolen. It works for any Windows device, such as a PC, laptop, Surface, or Surface Pen.
1 For the supported lifetime of the device. Internet access fees may apply.
2 Requires a Microsoft family account with Device health sharing permissions enabled.
3 Windows Hello requires specialized hardware including a Windows Hello capable device, fingerprint reader, illuminated IR sensor or other biometric sensors and capable devices.
4 Based on average time comparison between typing a password respectively detecting a face or fingerprint to authentication success.
5 Available for selected companion devices and selected Windows 10 editions. Might require that PC and companion devices are joined in Azure Active Directory or Active Directory and paired via Bluetooth.
6 Requires a Microsoft family account with Device health sharing permissions enabled. Also requires Android devices with Microsoft Launcher installed and signed in with the same Microsoft account associated with their Microsoft family account. For a parent to access and view a child’s locations and app activities through the Family web page, Microsoft Launcher must be installed on each child’s device. For a parent to access and view their child’s location(s) and app activities through Microsoft Launcher, Microsoft Launcher must be installed on both the parent’s device and each child’s device. In each case, location and app usage permissions must be allowed through Microsoft Launcher on the child’s device. Activity reporting features require Android 5.0+ on each child’s device. Family settings available on Windows 10 and Xbox One devices. Some settings available on Android devices with Microsoft Launcher installed. Family settings work on the Microsoft Edge browser only.
7 4K Ultra HD exclusivity is limited to PCs running Windows 10. 4K works in both Microsoft Edge and Netflix app. Only 7th Gen Intel® Core™ processor or higher devices can decrypt PlayReady 4K DRM. Netflix Ultra HD plan required. Requires Dolby Vision-supported PlayReady content and capable hardware.
8 Internet access may be required. Fees may apply.
