|
|
|
|
@ -12,7 +12,6 @@ ms.localizationpriority: medium
|
|
|
|
|
author: denisebmsft
|
|
|
|
|
ms.author: deniseb
|
|
|
|
|
ms.custom: nextgen
|
|
|
|
|
ms.date: 02/25/2020
|
|
|
|
|
ms.reviewer:
|
|
|
|
|
manager: dansimp
|
|
|
|
|
---
|
|
|
|
|
@ -23,21 +22,24 @@ manager: dansimp
|
|
|
|
|
|
|
|
|
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
|
|
|
|
|
|
|
|
|
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
|
|
|
|
|
## Overview
|
|
|
|
|
|
|
|
|
|
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
|
|
|
|
|
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
|
|
|
|
|
- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
|
|
|
|
|
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.)
|
|
|
|
|
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
|
|
|
|
|
|
|
|
|
|
If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus.
|
|
|
|
|
## Antivirus and Microsoft Defender ATP
|
|
|
|
|
|
|
|
|
|
The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used.
|
|
|
|
|
The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
|
|
|
|
|
|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------|
|
|
|
|
|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
|
|
|
|
|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
|
|
|
|
|
| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
|
|
|
|
|
| Windows 10 | Windows Defender Antivirus | No | Active mode |
|
|
|
|
|
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
|
|
|
|
|
|------|------|-------|-------|
|
|
|
|
|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
|
|
|
|
|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
|
|
|
|
|
| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
|
|
|
|
|
| Windows 10 | Windows Defender Antivirus | No | Active mode |
|
|
|
|
|
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode<sup>[[1](#fn1)]</sup> |
|
|
|
|
|
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode<sup>[[1](#fn1)]<sup> |
|
|
|
|
|
| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode |
|
|
|
|
|
@ -52,7 +54,6 @@ If you are Using Windows Server, version 1803 and Windows 2019, you can enable p
|
|
|
|
|
|
|
|
|
|
See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
>[!IMPORTANT]
|
|
|
|
|
>Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
|
|
|
|
|
>
|
|
|
|
|
@ -60,32 +61,38 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende
|
|
|
|
|
>
|
|
|
|
|
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
|
|
|
|
|
|
|
|
|
|
## Functionality and features available in each state
|
|
|
|
|
|
|
|
|
|
This table indicates the functionality and features that are available in each state:
|
|
|
|
|
The following table summarizes the functionality and features that are available in each state:
|
|
|
|
|
|
|
|
|
|
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md)
|
|
|
|
|
:-|:-|:-:|:-:|:-:|:-:|:-:
|
|
|
|
|
Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
|
|
|
|
Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
|
|
|
|
Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
|
|
|
|
|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
|
|
|
|
|
|--|--|--|--|--|--|
|
|
|
|
|
|Active mode <br/><br/> |Yes |No |Yes |Yes |Yes |
|
|
|
|
|
|Passive mode |No |No |Yes |No |Yes |
|
|
|
|
|
|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
|
|
|
|
|
|Automatic disabled mode |No |Yes |No |No |No |
|
|
|
|
|
|
|
|
|
|
- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
|
|
|
|
|
- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
|
|
|
|
|
- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
|
|
|
|
|
- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
|
|
|
|
|
|
|
|
|
|
## Keep the following points in mind
|
|
|
|
|
|
|
|
|
|
If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
|
|
|
|
|
|
|
|
|
|
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
|
|
|
|
|
When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
|
|
|
|
|
|
|
|
|
|
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
|
|
|
|
|
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
|
|
|
|
|
|
|
|
|
|
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
|
|
|
|
|
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
|
|
|
|
|
|
|
|
|
|
>[!WARNING]
|
|
|
|
|
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app.
|
|
|
|
|
>
|
|
|
|
|
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
|
|
|
|
|
>
|
|
|
|
|
>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
|
|
|
|
|
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Related topics
|
|
|
|
|
|
|
|
|
|
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
|
|
|
|
|
- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
|
|
|
|
|
- [Shadow protection in next-generation protection](shadow-protection.md)
|
|
|
|
|
|
Beth Levin