Windows Defender (Microsoft Defender Antivirus) is the built-in endpoint protection platform for Windows Server. When properly configured, it provides real-time protection, cloud-delivered analysis, and automatic sample submission without requiring third-party antivirus. This guide covers configuring Defender for production server workloads.
Enable and Configure Windows Defender
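# Check whether the Defender feature is installed and the engine is actually active.
# AntivirusEnabled alone is not enough: AMRunningMode reports passive mode when another
# AV product is registered as primary (the real-time settings configured later in this
# guide are then not in force), and IsTamperProtected tells you whether tamper
# protection will reject some of the Set-MpPreference calls that follow.
Get-WindowsFeature -Name Windows-Defender
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled, AMRunningMode, IsTamperProtected
# If the Defender feature is not installed (for example on Server Core)
Install-WindowsFeature -Name Windows-Defender
# Start the Defender service now and make sure it comes back after a reboot
Start-Service -Name WinDefend
Set-Service -Name WinDefend -StartupType Automatic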
Configure Real-Time Protection
# Enable all protection layers
# Several of these are tamper-protected settings: on a host with tamper protection on,
# Set-MpPreference may leave them unchanged without an error. Verify the result with
# Get-MpComputerStatus instead of trusting that the call took effect.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
# Enable cloud-delivered protection
Set-MpPreference -MAPSReporting Advanced
# SendAllSamples uploads any file the cloud service asks for, which on a server can
# include documents holding customer or personal data. SendSafeSamples withholds files
# likely to contain personal information and is usually sufficient; pick the value your
# data-handling policy allows ("block at first sight" needs at least SendSafeSamples).
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Enable potentially unwanted application (PUA) blocking
Set-MpPreference -PUAProtection Enabled
# Enable network protection (depends on cloud-delivered protection being active)
Set-MpPreference -EnableNetworkProtection Enabled
# Enable controlled folder access (ransomware protection)
# "Enabled" blocks writes to the protected folders from every process Defender does not
# already trust -- on a file server that includes backup agents and line-of-business
# services. Start with -EnableControlledFolderAccess AuditMode, review the controlled
# folder access events (1124 = audited, 1123 = blocked) in the Defender operational
# log, and only then switch to Enabled.
Set-MpPreference -EnableControlledFolderAccess Enabled
# Every tree listed here is protected; include everything that must survive an
# encryption attempt, not only the data volume root
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data", "D:\Shares"
# An allowed application is trusted for all writes to every protected folder, so give
# the exact executable path and keep this list as short as possible
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\app.exe"
Configure Exclusions for Server Workloads
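# Every exclusion is a gap in scanning: keep them to the paths and binaries the vendor
# documents and review the list after each role change. Windows Server 2016 and later
# applies automatic exclusions for installed roles (AD DS, Hyper-V, web server, file
# services and others), so those manual entries are redundant there; SQL Server is not a
# role and does need the manual entries below.
#
# An -ExclusionProcess given as a bare image name matches ANY process with that name
# from any path, and it suppresses scanning of every file the process opens. The full
# path is therefore pinned wherever the binary has a fixed location.

# SQL Server exclusions (critical for performance)
# Constructed sample path -- replace with the Binn folder of the installed instance
$sqlBinn = 'C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn'
Add-MpPreference -ExclusionPath "D:\SQLData"
Add-MpPreference -ExclusionPath "D:\SQLLogs"
Add-MpPreference -ExclusionPath "D:\SQLBackups"
# Extension exclusions apply on every volume, not only the SQL paths above; "bak" is a
# common archive suffix, so prefer path exclusions where the data location is fixed
Add-MpPreference -ExclusionExtension "mdf", "ldf", "ndf", "bak", "trn"
Add-MpPreference -ExclusionProcess "$sqlBinn\sqlservr.exe", "$sqlBinn\sqlagent.exe"
# The SQL VSS writer is installed in the shared folder, not the instance folder --
# confirm the path on the host
Add-MpPreference -ExclusionProcess "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
# IIS exclusions
Add-MpPreference -ExclusionPath "C:\inetpub\temp\IIS Temporary Compressed Files"
# w3wp.exe opens everything a web application reads or writes, including uploaded
# content, so this exclusion removes on-access scanning from exactly those files.
# Keep it only while a measured performance problem justifies it.
Add-MpPreference -ExclusionProcess "$env:SystemRoot\System32\inetsrv\w3wp.exe"
# Hyper-V exclusions
Add-MpPreference -ExclusionPath "C:\ClusterStorage"
# "iso" is excluded on every volume by this line, not only on cluster storage
Add-MpPreference -ExclusionExtension "vhd", "vhdx", "avhd", "avhdx", "vsv", "iso"
Add-MpPreference -ExclusionProcess "$env:SystemRoot\System32\vmms.exe", "$env:SystemRoot\System32\vmwp.exe"
# Active Directory exclusions (applied automatically on Server 2016+ once the AD DS role
# is installed; listed here for hosts where that does not apply)
Add-MpPreference -ExclusionPath "C:\Windows\NTDS"
Add-MpPreference -ExclusionPath "C:\Windows\SYSVOL"
# NOTE(review): "ntdsa.exe" was dropped from this list -- on current Server builds the
# directory service runs inside lsass.exe (ntdsai.dll), and an exclusion for an image
# that is not present protects nothing while widening the exclusion list. Re-add it with
# a full path only if your build actually ships that binary -- TODO confirm.
# lsass.exe holds credentials, so the System32 path is pinned rather than the bare name;
# check current Microsoft AD DS guidance on whether this process exclusion is still needed.
Add-MpPreference -ExclusionProcess "$env:SystemRoot\System32\lsass.exe"
# View all configured exclusions (manual entries; automatic role exclusions are applied
# separately and are not expected to appear here)
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension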
Schedule Scans
# Configure scheduled quick scan (daily)
Set-MpPreference -ScanScheduleQuickScanTime 02:00:00
# Configure scheduled full scan (weekly)
# ScanScheduleDay: 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never
Set-MpPreference -ScanScheduleDay 1 # Sunday
Set-MpPreference -ScanScheduleTime 03:00:00
Set-MpPreference -ScanParameters FullScan
# Configure scan behavior
# Percentage of CPU a scheduled scan may consume. Too low a value makes a full scan of a
# large volume run for days, so check FullScanEndTime after the first scheduled run.
Set-MpPreference -ScanAvgCPULoadFactor 30 # Limit CPU during scans
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
Set-MpPreference -ScanOnlyIfIdleEnabled $false # Scan even if not idle (server)
# Run immediate scans
# These run in the foreground; a full scan of a busy volume can take hours, so start it
# from a session that can stay open rather than a short-lived remote shell
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType FullScan
Start-MpScan -ScanPath "D:\Downloads" -ScanType CustomScan
Update Management
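# Check current signature version and when it was last updated
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
# Force signature update
Update-MpSignature
# Configure update sources
# The file share is only consulted when "FileShares" appears in the fallback order; with
# the order "MicrosoftUpdateServer|MMPC" alone this share setting was inert.
# Whoever can write to the share decides which (signed) signature package the server is
# offered, so restrict the share's ACL to the update process and keep the mirror current.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\server\updates"
# Sources are tried left to right. FileShares is appended as the last resort here; move
# it to the front on hosts that prefer the internal mirror (e.g. no internet egress),
# bearing in mind that a stale mirror listed first can leave the host behind.
Set-MpPreference -SignatureFallbackOrder "MicrosoftUpdateServer|MMPC|FileShares"
# Schedule signature updates every 4 hours
Set-MpPreference -SignatureScheduleDay Everyday
Set-MpPreference -SignatureUpdateInterval 4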
Attack Surface Reduction (ASR) Rules
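# Enable ASR rules for server protection
# Action values for -AttackSurfaceReductionRules_Actions:
#   0 = Disabled, 1 = Block, 2 = AuditMode (log only), 6 = Warn
# Audit mode first is recommended: run with $asrAction = 2, review the ASR events in the
# Defender operational log for a few days, then rerun with 1 for the rules that
# produced no false positives.
$asrAction = 1
# [ordered] keeps the rule/action pairs in the listed order so the readback below matches
$ASRRules = [ordered]@{
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" = $asrAction
    # Block process creations originating from PSExec and WMI commands.
    # NOTE: this rule is incompatible with hosts managed by Configuration Manager, whose
    # client relies on WMI-spawned processes -- leave it out (or audit only) there.
    "d1e49aac-8f56-4280-b9ba-993a6d77406c" = $asrAction
    # Block Office applications from creating executable content
    "3b576869-a4ec-4529-8536-b80a7769e899" = $asrAction
    # Block executable content from email client and webmail
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" = $asrAction
}
# Add-MpPreference keeps rules that are already configured; Set-MpPreference would
# replace the whole list
foreach ($rule in $ASRRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
        -AttackSurfaceReductionRules_Actions $rule.Value
}
# Confirm what is now configured (ids and actions are parallel arrays)
Get-MpPreference | Select-Object -Property AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions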
Monitoring and Alerts
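# Check for threats
Get-MpThreat | Select-Object ThreatName, IsActive, SeverityID | Format-Table
# MSFT_MpThreatDetection exposes ThreatID, InitialDetectionTime, ProcessName and
# Resources rather than ThreatName/DetectionTime, which Select-Object rendered as empty
# columns; join ThreatID against Get-MpThreat when the name is needed
Get-MpThreatDetection | Select-Object ThreatID, ActionSuccess, InitialDetectionTime, ProcessName, Resources
# View Defender event logs
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" `
    -MaxEvents 50 | Format-Table TimeCreated, Id, Message -Wrap
# The events worth alerting on: 1116 = malware detected, 1117 = action taken,
# 1118 = action failed, 5001 = real-time protection disabled, 5007 = configuration
# changed. The last two fire whenever protection is weakened, by anyone -- including
# the Set-MpPreference calls in this guide. Get-WinEvent reports "no events found" as
# an error, hence SilentlyContinue.
Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-Windows Defender/Operational"
    Id      = 1116, 1117, 1118, 5001, 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -Wrap
# Monitor protection status
$status = Get-MpComputerStatus
# EnableNetworkProtection is a preference, not a status property; reading it from
# $status always produced $null
$pref = Get-MpPreference
[PSCustomObject]@{
    # Anything other than Normal (e.g. passive mode) means another product is primary and
    # the real-time settings configured earlier are not in force
    RunningMode        = $status.AMRunningMode
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitoring = $status.BehaviorMonitorEnabled
    NetworkProtection  = $pref.EnableNetworkProtection
    SignatureAge       = "$([math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)) hours"
    LastQuickScan      = $status.QuickScanEndTime
    LastFullScan       = $status.FullScanEndTime
}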
Best Practices
- Configure workload-specific exclusions — scanning database files in place causes severe performance degradation
- Enable cloud-delivered protection for the latest threat intelligence
- Run ASR rules in audit mode before enforcing them, so that false positives surface first
- Schedule full scans during off-peak hours
- Update signatures at least every 4 hours
- Enable controlled folder access on servers with critical data for ransomware protection
- Monitor Defender events and set up alerts for detected threats
- Limit CPU usage during scans with ScanAvgCPULoadFactor on production servers