From 0b721bcc78529ccd2d974d56e7dcfdcfc2746b10 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 6 Sep 2017 13:29:44 -0700 Subject: [PATCH] updates to troubleshooting uc --- .../troubleshoot-reporting.md | 58 +++++++++++++++++++ ...indows-defender-antivirus-compatibility.md | 32 +++++++++- 2 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md new file mode 100644 index 0000000000..bf8a1da73f --- /dev/null +++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md 
@@ -0,0 +1,58 @@ +--- +title: Troubleshoot problems with reporting tools for Windows Defender AV +description: Identify and solve common problems when attempting to report in Windows Defender AV protection status in Update Compliance +keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 09/06/2017 +--- + +# Troublehsoot Windows Defender Antivirus reporting + +**Applies to:** + +- Windows 10 + +**Audience** + +- IT administrators + +When you use [Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. + +Typically, the most common indicators of a problem are: +- You only see a small number or subset of all the devices you were expecting to see +- You do not see any devices at all +- The reports and information you do see is outdated (older than a few days) + +For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic. + +There are three steps to troubleshooting these problems: + +1. Confirm that you have met all pre-requisites +2. Check your connectivity to the Windows Defender cloud-based service +3. Submit support logs + + +## Confirm pre-requisites + +In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus protection: + +>[!div class="checklist] +>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. 
Using any other antivirus app will cause Windows Defender AV to disable itself and the endpoint will not be reported in Update Compliance. + + + + + + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 84504a1aae..6a237c878c 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -15,23 +15,51 @@ ms.date: 06/13/2017 --- -# Windows Defender Antivirus and Advanced Threat Protection: Better together +# Windows Defender Antivirus and third party protection products **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** - Enterprise security administrators +Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. + +However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. + +The following matrix illustrates how Windows Defender AV operates in these instances. Note that this matrix only applies to endpoints that are running Windows 10: + +Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state +-|-|- +Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode +Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Disabled mode +Windows 10 | Windows Defender AV | Yes | Active mode +Windows 10 | Windows Defender AV | No | Active mode +Windows 8 or earlier | A third-party product that is not offered or developed by Microsoft | N/A (Windows Defender ATP requires Windows 10) | N/A (Windows Defender AV requires Windows 10) +Windows 8 or earlier | Windows Defender AV | Yes | Active mode +Windows 8 or earlier | Windows Defender AV | No | Active mode +Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode +Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Disabled mode +Windows Server 2016 | Windows Defender AV | Yes | Active mode +Windows Server 2016 | Windows Defender AV | No | Active mode + +If you are using 
another antivirus or antimalware protection app. + +If you are enrolled in Windows Defender Advanced Threat Protection, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender AV will automatically enter into a passive mode. + + +On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product. + Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network. See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) topics for more information about the service. -If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product. +I In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
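Review bot: In the new troubleshoot-reporting.md, the checklist marker under "Confirm pre-requisites" is written `>[!div class="checklist]` with no closing quote after `checklist`; add the quote so the attribute is well formed. The H1 reads "Troublehsoot" and should be "Troubleshoot", and the front matter lists `ms.pagetype: security` twice. The introduction promises three steps, but only "Confirm pre-requisites" has a section, and its checklist holds a single item with nothing covering the Update Compliance side that the lead-in sentence mentions. The sections for checking connectivity and submitting support logs are missing; either add them or trim the numbered list until they exist. Smaller points: "The reports and information you do see is outdated" should use "are", and the description's "report in Windows Defender AV protection status" reads as if a word is missing.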
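Review bot: In the matrix added to windows-defender-antivirus-compatibility.md, the header row has four columns but the separator row `-|-|-` has only three, so add a fourth column to the separator. The content also contradicts itself in several places. The sentence introducing the matrix says it "only applies to endpoints that are running Windows 10", yet the rows cover Windows 8 or earlier and Windows Server 2016. The Windows Server 2016 row for a third-party product with ATP enrollment gives "Passive mode", while the paragraph added further down says that on Windows Server 2016 SKUs Windows Defender AV "will not enter into the passive mode". The "Windows 8 or earlier | Windows Defender AV" rows show ATP enrollment "Yes" and state "Active mode", although the row above them says both Windows Defender ATP and Windows Defender AV require Windows 10. The opening paragraph likewise says a third-party product makes Windows Defender AV disable itself and only afterwards adds the ATP passive-mode case, which the later paragraph then repeats. Please reconcile these against the intended behaviour before merging. Two leftovers also need removing or completing: the fragment "If you are using another antivirus or antimalware protection app." has no main clause, and the line `+I` that replaces the removed ATP paragraph looks like a stray keystroke.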