Merge branch 'master' into dansimp-metadata-bigfix

Daniel Simpson 2021-01-21 09:47:18 -08:00 committed by GitHub
commit d074a6b4eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 57 additions and 33 deletions


@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: tewchen, pahuijbr, shwjha
manager: dansimp
ms.date: 01/11/2021
ms.date: 01/21/2021
---
# Microsoft Defender Antivirus compatibility
@ -38,27 +38,36 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
|------|------|-------|-------|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode<sup>[[1](#fn1)]</sup> |
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode<sup>[[1](#fn1)]<sup> |
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode<sup>[[1](#fn1)]</sup> |
| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be set to passive mode (manually)<sup>[[1](#fn1)]<sup> |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually)<sup>[[2](#fn2)]<sup> |
| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually)<sup>[[2](#fn2)]<sup> |
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key:
If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: `ForceDefenderPassiveMode`
- Type: `REG_DWORD`
- Value: `1`
See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
> [!NOTE]
> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016.
(<a id="fn2">2</a>) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
> [!IMPORTANT]
> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019.
>
> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
>
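Review bot: The added table rows that cite a footnote (the "Must be set to passive mode (manually)" row and both Windows Server 2016 third-party rows) end in `]<sup>` instead of `]</sup>`, so the superscript is never closed and may swallow the rest of the rendered table; the removed row had the same defect and it has been carried forward. Two content points in the same hunk: for Windows Server, version 1803 or newer, the enrolled third-party row still reads "Active mode" while the not-enrolled row now reads "Must be set to passive mode (manually)", yet both cite footnote 1, which makes no distinction by enrollment, so one of the two cells looks stale. The wording also alternates between "version 1803 or newer" (table, footnote 1) and "version 1803 or later" (the IMPORTANT note); pick one.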
@ -81,7 +90,7 @@ The table in this section summarizes the functionality and features that are ava
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
## Keep the following points in mind
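Review bot: The rewritten "When disabled" bullet advises keeping Microsoft Defender Antivirus in passive mode alongside a non-Microsoft product, but the compatibility table and footnote 2 changed in this same commit say passive mode is not supported on Windows Server 2016 and that it must be disabled manually there. Add the Windows Server 2016 exception to this bullet (or link to footnote 2) so a reader does not try to leave two active antivirus engines running on a 2016 server while looking for a passive-mode setting that does not exist.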


@ -1,5 +1,5 @@
---
title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
title: Microsoft Defender Antivirus on Windows Server
description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019.
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
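Review bot: The `title` is generalized to "Windows Server", but the `description` on the next line still says "Windows Server 2016 and Windows Server 2019" and was left untouched. Since the article body now also covers Windows Server, version 1803 or later, update the description in the same change so search snippets match the new scope.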
@ -10,12 +10,12 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 01/04/2021
ms.date: 01/21/2021
ms.reviewer: pahuijbr, shwjha
manager: dansimp
---
# Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019
# Microsoft Defender Antivirus on Windows Server
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -23,9 +23,12 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus is available on Windows Server 2016 and 2019. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same.
Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
- Windows Server 2019
- Windows Server, version 1803 or later
- Windows Server 2016.
While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2016 and 2019:
In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server:
- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
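Review bot: In the new supported-versions list, the last item ("- Windows Server 2016.") ends with a period while the two items above it do not; drop it for consistency. The list also says "version 1803 or later", whereas the compatibility article changed in this commit says "version 1803 or newer"; use the same phrase in both files.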
@ -34,29 +37,29 @@ While the functionality, configuration, and management are largely the same for
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019).
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019).
1. [Enable the interface](#enable-the-user-interface-on-windows-server).
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server).
3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running).
4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence).
5. (As needed) [Submit samples](#submit-samples).
6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
## Enable the user interface on Windows Server 2016 or 2019
## Enable the user interface on Windows Server
By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell.
By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets.
### Turn on the GUI using the Add Roles and Features Wizard
1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.
In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png)
![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png)
In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.
In Windows Server 2019, the **Add Roles and Feature Wizard** is similar.
### Turn on the GUI using PowerShell
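Review bot: The wizard's name is written three different ways in the added lines: "**Add Roles and Features** wizard" in the intro paragraph, "the add Roles and Features Wizard" (lowercase "add") in the new link text, and "**Add Roles and Feature Wizard**" (singular "Feature") in the Windows Server 2019 sentence. Use "**Add Roles and Features Wizard**" throughout, matching the unchanged heading and step 2. The renamed step links (`#enable-the-user-interface-on-windows-server`, `#install-microsoft-defender-antivirus-on-windows-server`) do match the new headings in this commit, so those are fine.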
@ -66,7 +69,7 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
## Install Microsoft Defender Antivirus on Windows Server
You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
@ -111,7 +114,7 @@ The `sc query` command returns information about the Microsoft Defender Antiviru
## Update antimalware Security intelligence
In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
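Review bot: The reworded sentence lowercases "security intelligence" at its start but keeps "Security intelligence" capitalized later in the same paragraph and in the heading above it; settle on one casing. The following context line still lists only "Windows Server 2019 or Windows Server 2016", which no longer matches the version list this commit adds at the top of the article.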
@ -195,10 +198,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c
Uninstall-WindowsFeature -Name Windows-Defender-GUI
```
### Are you using Windows Server 2016?
If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus.
> [!NOTE]
> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
```
## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
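Review bot: The new "Are you using Windows Server 2016?" section tells the reader to "disable/uninstall" but gives only `Uninstall-WindowsFeature -Name Windows-Defender`, and the NOTE's "these instructions" has no clear referent because it sits between the introduction and the cmdlet. State which steps the note points to (presumably the GUI removal just above), and either document the disable path or drop "disable" from the sentence. Because this cmdlet removes the server's antivirus engine, the section should also say to confirm that the non-Microsoft product is installed and running first, so the server is not left without protection in between.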


@ -157,7 +157,7 @@ $version = undef
}
file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
source => 'puppet:///modules/mdatp/mdatp_onboard.json',
source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
owner => root,
group => root,
mode => '0600',
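Review bot: The new `source` URL assumes the Puppet module directory is named `install_mdatp`, but nothing else visible in this hunk uses that name. Confirm that the class declaration and the module directory layout shown elsewhere in the article use `install_mdatp` as well; if any of them still say `mdatp`, the file resource will fail to resolve `mdatp_onboard.json`. The root-owned `0600` mode on the onboarding file is appropriate and should stay as is.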


@ -200,7 +200,7 @@ Type of threat for which the behavior is configured.
Action to take when coming across a threat of the type specified in the preceding section. Can be:
- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
- **Block**: The device is protected against this type of threat and you are notified in the security console.
- **Off**: The device is not protected against this type of threat and nothing is logged.
|||
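Review bot: With "in the user interface" removed from **Block**, none of the three options now says what the local user sees. If the intent is that no local notification is shown for this setting, say so explicitly rather than leaving it implied by omission. Also, **Audit** says an entry "is logged" without naming where, while **Block** names the security console; name the destination in both so an analyst knows where to look for audit-only detections.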