deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

copyedits

Browse Source
This commit is contained in:
Marty Hernandez Avedon
2020-09-29 12:38:15 -04:00
parent 17a00fe807
commit 68d41501e7
1 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
View File

@ -29,7 +29,7 @@ You can find help here if you encounter issues while migrating from a third-part
### Event IDs ### Event IDs
This issue can manifest with several different event IDs, all of which have the same underlying cause. This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
Event ID | Log name | Description | Source Event ID | Log name | Description | Source
-|-|-|- -|-|-|-
@ -37,21 +37,26 @@ This issue can manifest with several different event IDs, all of which have the
5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender 5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender 5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
### How to tell if Microsoft Defender Antivirus is turned off because a third-party antivirus is installed ### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
If your organization's endpoints and devices are protected with a third-party antivirus or antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus will be automatically turned off. Several other scenarios can also result in Microsoft Defender Antivirus having [compatibility issues](microsoft-defender-antivirus-compatibility.md) during a migration. On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
> [!TIP]
> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
#### Use Services app to check if Microsoft Defender Antivirus is turned off #### Use Services app to check if Microsoft Defender Antivirus is turned off
To open the Services app, select the **Search** icon from the taskbar and search for *services*. To open the Services app, select the **Search** icon from the taskbar and search for *services*.
Information about Microsoft Defender Antivirus will be listed under **Windows Defender** > **Operational**. Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
You may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service` manually, you will get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
#### Generate a detailed report #### Generate a detailed report
You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode and entering the following command: You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
```powershell ```powershell
GPresult.exe /h gpresult.html GPresult.exe /h gpresult.html
@ -97,11 +102,11 @@ The report may contain the following text, indicating that Microsoft Defender An
###### If security settings are set in Windows or your Windows Server image ###### If security settings are set in Windows or your Windows Server image
Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Defender. Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
### Turn Microsoft Defender Antivirus back on ### Turn Microsoft Defender Antivirus back on
Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features.