In Windows Server 2016 there is a built-in native Microsoft antivirus — Windows Defender, which is installed and enabled by default. In this article we’ll look at the features of Windows Defender in Windows Server 2016.
Windows Defender GUI
By default, only the Windows Defender anti-virus engine is installed in Windows Server. To install the graphic interface of the Defender, install the server component GUI for Windows Defender using the Server Manager console (it is located in Windows Defender Features section).
You can enable the Defender GUI using PowerShell:
Install-WindowsFeature -Name Windows-Defender-GUI
To uninstall the Defender graphic console, the following PowerShell command is used:
Uninstall-WindowsFeature -Name Windows-Defender-GUI
How to Uninstall Windows Defender on Windows Server 2016
In Windows 10, when you install any third-party antivirus (McAfee, Avast, Kaspersky, Symantec, etc.), the built-in Windows Defender is disabled. However, it doesn’t happen in Windows Server 2016. You have to disable the integrated antivirus engine manually (in most cases, it is not recommended to use several antivirus programs at a time on one computer or server).
You can uninstall Windows Defender in Windows Server 2016 using Server Manager or with the following command:
Uninstall-WindowsFeature -Name Windows-Defender
Managing Windows Defender Using PowerShell Commands
Let’s consider typical PowerShell commands to manage Windows Defender.
You can make sure if Windows Defender service is running using this PowerShell command:
As you can see, the service is started (Status – Running)
You can display the current status and settings of Defender using the following cmdlet:
The cmdlet displays the version and the date of the latest antivirus database update, enabled components, the time of the last scan, etc.
You can disable Windows Defender real time protection as follows:
Set-MpPreference -DisableRealtimeMonitoring $true
After running this command, the antivirus won’t scan all files processed by the system on the go.
Set-MpPreference -DisableRealtimeMonitoring $false
For example, you need to enable AV scanning for external USB storage devices. Get the current settings with command:
Get-MpPreference | fl disable*
If the USB drive scanning is disabled (DisableRemovableDriveScanning = True), you can enable the scan using the command:
Set-MpPreference -DisableRemovableDriveScanning $false
A complete list of Defender module cmdlets can be displayed with the command:
Get-Command -Module Defender
How to Exclude files and Folder from Windows Defender Scans
You can set the list of exclusions – these are names, file extensions, directories to be excluded from the automatic Windows Defender scan. The peculiarity of Windows Defender in Windows Server 2016 is the automatically generated list of exclusions applied depending on the installed server roles. You must admit that it is logical to exclude the files of virtual and differencing disks, VHDS disks (*.vhd, *.vhdx, *.avhd), snapshots and other virtual machine files from the antivirus check if the Hyper-V role is installed.
To add the specific directories to the exclusion list of the antivirus manually, run this command:
Set-MpPreference -ExclusionPath "C:\Test", "C:\VM", "C:\Nano"
To exclude the antivirus check of certain processes use the following command:
Set-MpPreference -ExclusionProcess "vmms.exe", "Vmwp.exe"
Updating Windows Defender Definitions
Windows Defender can automatically update online from Windows Update servers. If there is an internal WSUS server in your network, the antivirus can receive updates from it. You just need to make sure that the installation of updates has been approved on your WSUS server (the updates of Windows Defender antivirus databases are called Definition Updates in the WSUS console), and clients are targeted to the right WSUS server using GPO.
In some cases, Windows Defender may work incorrectly after getting a broken update. Then it is recommended to reset current databases and re-download them again:
"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All
"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" –SignatureUpdate
Some reasons why Windows Defender doesn’t start in Windows 10 are described in the article Windows Defender Threat Service has stopped.