Windows Defender Overview for Windows Server
Applies To: Windows Server 2016
Windows Server 2016 now includes Windows Defender. Windows Defender is malware protection that immediately and actively protects Windows Server 2016 against known malware and can regularly update antimalware definitions through Windows Update.
This topic includes information important for running Windows Defender on a server platform. Use the following links to get to the information you need in this topic:
By default, Windows Defender is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. You can manage Windows Defender by using WMI, Windows PowerShell, or by using Group Policy.
If the user interface is not installed, use Add Roles and Features Wizard, or the Install-WindowsFeature cmdlet.
To install Windows Defender, start a Windows PowerShell console as an administrator, and run the following command:
Install-WindowsFeature -Name Windows-Defender-GUI
To disable Windows Defender, you must uninstall it by using the Remove Roles and Features Wizard or by using the Uninstall-WindowsFeature cmdlet.
To uninstall Windows Defender, start a Windows PowerShell console as an administrator, and run the following command:
Uninstall-WindowsFeature -Name Windows-Server-Antimalware
Event messages for the antimalware engine included with Windows Defender can be found in Windows Defender Events.
To verify that Windows Defender is running on the server, run the following command:
sc query Windefend. The
sc query command returns information about the Windows Defender service. If Windows Defender is running, the
STATE value displays
In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender definitions are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods:
Windows Update in Control Panel.
Install updates automatically results in all updates being automatically installed, including Windows Defender definition updates.
Download updates but let me choose whether to install them allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
Group Policy. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates
The AUOptions registry key. The following two values allow Windows Update to automatically download and install definition updates.
4 Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates.
3 Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
To ensure that protection from malware is maintained, we recommend that you enable the following services:
Windows Defender Network Inspection service
Windows Error Reporting service
Windows Update service
The following table lists the services for Windows Defender and the dependent services.
|Service Name||File Location||Description|
|Windows Defender Service (Windefend)||C:\Program Files\Windows Defender\MsMpEng.exe||This is the main Windows Defender service that needs to be running at all times.|
|Windows Defender Network Inspection Service (Wdnissvc)||C:\Program Files\Windows Defender\NisSrv.exe||This service is invoked when Windows Defender encounters a trigger to load it.|
|Windows Error Reporting Service (Wersvc)||C:\WINDOWS\System32\svchost.exe -k WerSvcGroup||This service sends error reports back to Microsoft.|
|Windows Firewall (MpsSvc)||C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork||We recommend leaving the Windows Firewall service enabled.|
|Windows Update (Wuauserv)||C:\WINDOWS\system32\svchost.exe -k netsvcs||Windows Update is needed to get definition updates and antimalware engine updates|
For more information about managing Windows Defender by using Windows PowerShell, see Windows Defender Cmdlets.
As an example of managing Windows Defender by using Windows PowerShell cmdlets, scheduling a time of day to check for definition updates would be enabled by starting a Windows PowerShell console as an administrator and setting the ScanScheduleTime value:
Set-MpPreference -ScanScheduleTime 120
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions.
We collect program executable files, such as EXE files and DLL files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the SubmitSamplesConsent value data according to one of the following settings:
0 Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
1 Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
2 Never send. The Windows Defender service does not prompt and does not send any files.
3 Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.
To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install. Windows Defender delivers automatic exclusions for Windows Server 2016 roles via the regularly scheduled definition update process.
To add custom exclusions in addition to the ones automatically added, start a Windows PowerShell console as an administrator, and run the following command:
Add-MpPreference -ExclusionPath "c:\temp"
To remove exclusions, start a Windows PowerShell console as an administrator, and run the following command:
Remove-MpPreference -ExclusionPath "c:\temp"
Custom and duplicate exclusions do not conflict with automatic exclusions.
For more information about automatic exclusions, see Automatic exclusions for Windows Defender.