From fad8f80994e59c3456efdb41e7eaec4b826abb79 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Mon, 28 Sep 2020 17:18:27 -0400 Subject: [PATCH 1/7] added troubleshooting guide for migration to mdav --- ...osoft-defender-antivirus-when-migrating.md | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md new file mode 100644 index 0000000000..47f04c4a81 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md 
@@ -0,0 +1,117 @@ +--- +title: Troubleshoot Microsoft Defender Antivirus when migrating from a third-party solution +description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus +keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.custom: nextgen +ms.date: 09/11/2018 +ms.reviewer: +manager: dansimp +--- + +# Troubleshoot Microsoft Defender Antivirus when migrating from a third-party solution + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. + +## Microsoft Defender Antivirus won't start + +### Event IDs + +This issue can manifest with several different event IDs, all of which have the same underlying cause. + + Event ID | Log name | Description | Source +-|-|-|- +15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center +5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender +5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender + +### How to tell if Microsoft Defender Antivirus is turned off because a third-party antivirus is installed + +If your organization's endpoints and devices are protected with a third-party antivirus or antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus will be automatically turned off. Several other scenarios can also result in Microsoft Defender Antivirus having [compatibility issues](microsoft-defender-antivirus-compatibility.md) during a migration. + +#### Use Services app to check if Microsoft Defender Antivirus is turned off + +To open the Services app, select the **Search** icon from the taskbar and search for *services*. + +Information about Microsoft Defender Antivirus will be listed under **Windows Defender** > **Operational**. + +You may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service` manually, you will get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* + +#### Generate a detailed report + +You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode and entering the following command: + +```powershell +GPresult.exe /h gpresult.html +``` + +This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off. 
+ +##### Group policy results + +##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM) + +Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +Policy | Setting | Winning GPO +-|-|- +Turn off Windows Defender Antivirus | Enabled | Win10-Workstations + +###### If security settings are implemented via Group policy preference (GPP) + +Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsDefender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +DisableAntiSpyware | - +-|- +Winning GPO | Win10-Workstations +Result: Success | +**General** | +Action | Update +**Properties** | +Hive | HKEY_LOCAL_MACHINE +Key path | SOFTWARE\Microsoft\WindowsDefender +Value name | DisableAntiSpyware +Value type | REG_DWORD +Value data | 0x1 (1) + +###### If security settings are implemented via registry key + +The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off: + +> Registry (regedit.exe) +> +> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender +> DisableAntiSpyware (dword) 1 (hex) + +###### If security settings are set in Windows or your Windows Server image + +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Defender. 
+ +### Turn Microsoft Defender Antivirus back on + +Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. + +If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus). This enables a subset of Microsoft Defender Antivirus features. + +> [!IMPORTANT] +> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced to prevent confusion and aid with compatibility. + +> [!WARNING] +> Solutions suggesting that you edit the *Windows Defender* start value for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. + +### See also + +* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) +* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md) From 17a00fe807280fddc227e892c90d9d2fd398cb90 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Mon, 28 Sep 2020 17:54:35 -0400 Subject: [PATCH 2/7] fixed links --- ...roubleshoot-microsoft-defender-antivirus-when-migrating.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 47f04c4a81..71d4e458f9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md 
@@ -97,13 +97,13 @@ The report may contain the following text, indicating that Microsoft Defender An ###### If security settings are set in Windows or your Windows Server image -Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Defender. +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Defender. ### Turn Microsoft Defender Antivirus back on Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. -If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus). This enables a subset of Microsoft Defender Antivirus features. +If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. > [!IMPORTANT] > Limited periodic scanning is not recommended in enterprise environments. 
The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced to prevent confusion and aid with compatibility. From 68d41501e743c0ed3758eec2d192c60151485730 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 29 Sep 2020 12:38:15 -0400 Subject: [PATCH 3/7] copyedits --- ...osoft-defender-antivirus-when-migrating.md | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 71d4e458f9..6732786fa7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -29,7 +29,7 @@ You can find help here if you encounter issues while migrating from a third-part ### Event IDs -This issue can manifest with several different event IDs, all of which have the same underlying cause. +This issue can manifest in the form of several different event IDs, all of which have the same underlying cause. Event ID | Log name | Description | Source -|-|-|- @@ -37,21 +37,26 @@ This issue can manifest with several different event IDs, all of which have the 5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender 5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender -### How to tell if Microsoft Defender Antivirus is turned off because a third-party antivirus is installed +### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed -If your organization's endpoints and devices are protected with a third-party antivirus or antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus will be automatically turned off. Several other scenarios can also result in Microsoft Defender Antivirus having [compatibility issues](microsoft-defender-antivirus-compatibility.md) during a migration. +On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality. + +> [!TIP] +> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software. #### Use Services app to check if Microsoft Defender Antivirus is turned off To open the Services app, select the **Search** icon from the taskbar and search for *services*. -Information about Microsoft Defender Antivirus will be listed under **Windows Defender** > **Operational**. +Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*. 
-You may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service` manually, you will get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* +While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* + +This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus. #### Generate a detailed report -You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode and entering the following command: +You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command: ```powershell GPresult.exe /h gpresult.html 
@@ -97,11 +102,11 @@ The report may contain the following text, indicating that Microsoft Defender An ###### If security settings are set in Windows or your Windows Server image -Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Defender. +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus. ### Turn Microsoft Defender Antivirus back on -Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. +Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality. If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. From e8da25680627f1a28776a946c344b028e543f549 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Tue, 29 Sep 2020 13:08:59 -0400 Subject: [PATCH 4/7] more copyedits --- ...osoft-defender-antivirus-when-migrating.md | 32 +++++++++++++------ 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 6732786fa7..83d888ad9a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot Microsoft Defender Antivirus when migrating from a third-party solution +title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration search.product: eADQiWindows 10XVcnh @@ -15,7 +15,7 @@ ms.reviewer: manager: dansimp --- -# Troubleshoot Microsoft Defender Antivirus when migrating from a third-party solution +# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] 
@@ -25,12 +25,22 @@ manager: dansimp You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. +## Review event logs + +Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*. + +Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**. + +From there, select **Open** underneath **Operational**. + +Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs. + ## Microsoft Defender Antivirus won't start -### Event IDs - This issue can manifest in the form of several different event IDs, all of which have the same underlying cause. +### Associated event IDs + Event ID | Log name | Description | Source -|-|-|- 15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center 
@@ -108,13 +118,15 @@ Your imagining admin might have set the security policy, **[DisableAntiSpyware]( Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality. -If you want to keep your third-party antivirus active alongside Microsoft Defender, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. - -> [!IMPORTANT] -> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced to prevent confusion and aid with compatibility. - > [!WARNING] -> Solutions suggesting that you edit the *Windows Defender* start value for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. +> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. + +If you want to keep your third-party antivirus active alongside Microsoft Defender Antivirus, and you aren't using Microsoft Defender ATP, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. Limited periodic scanning is only available when Microsoft Defender Antivirus has been automatically disabled. + +> [!IMPORTANT] +> Limited periodic scanning is not recommended in enterprise environments. 
The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced. + +You can also run Microsoft Defender Antivirus in passive mode if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode has a larger feature-set than limited periodic scanning, although you will not enjoy capabilities such as [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md). ### See also From c80177e53ee032e173df4e5b269c1d1c0309da64 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Tue, 29 Sep 2020 14:47:30 -0400 Subject: [PATCH 5/7] fixed link --- .../troubleshoot-microsoft-defender-antivirus-when-migrating.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 83d888ad9a..4982dc5eb5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md 
@@ -112,7 +112,7 @@ The report may contain the following text, indicating that Microsoft Defender An ###### If security settings are set in Windows or your Windows Server image -Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus. +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus. ### Turn Microsoft Defender Antivirus back on From 6114afcc54acdff65b53e7215b473bfc5ce6487e Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 2 Oct 2020 15:05:48 -0400 Subject: [PATCH 6/7] updated toc --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 054bf6c970..76dca53d6b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -700,7 +700,7 @@ ##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) #### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md) - +#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md) From 64622b0534f973acd96dc8a1b08ee023d63828f0 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 2 Oct 2020 16:38:47 -0400 Subject: [PATCH 7/7] updated w latest from milind, yong --- ...-microsoft-defender-antivirus-when-migrating.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 4982dc5eb5..09535418a1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -56,7 +56,7 @@ On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat #### Use Services app to check if Microsoft Defender Antivirus is turned off -To open the Services app, select the **Search** icon from the taskbar and search for *services*. +To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*. Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*. 
@@ -86,7 +86,7 @@ Turn off Windows Defender Antivirus | Enabled | Win10-Workstations ###### If security settings are implemented via Group policy preference (GPP) -Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsDefender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. +Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. DisableAntiSpyware | - -|- @@ -96,7 +96,7 @@ Result: Success | Action | Update **Properties** | Hive | HKEY_LOCAL_MACHINE -Key path | SOFTWARE\Microsoft\WindowsDefender +Key path | SOFTWARE\Policies\Microsoft\Windows Defender Value name | DisableAntiSpyware Value type | REG_DWORD Value data | 0x1 (1) 
@@ -121,12 +121,12 @@ Microsoft Defender Antivirus will automatically turn on if no other antivirus is > [!WARNING] > Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. -If you want to keep your third-party antivirus active alongside Microsoft Defender Antivirus, and you aren't using Microsoft Defender ATP, you can turn on [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). This enables a subset of Microsoft Defender Antivirus features. Limited periodic scanning is only available when Microsoft Defender Antivirus has been automatically disabled. +Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed. + +Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections. > [!IMPORTANT] -> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced. 
- -You can also run Microsoft Defender Antivirus in passive mode if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode has a larger feature-set than limited periodic scanning, although you will not enjoy capabilities such as [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md). +> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode. ### See also
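
Review bot: In PATCH 1/7, the new file's report section has a heading-level problem: `##### Group policy results` has no body and is followed by a sibling `#####` heading for the GPO/SCCM case, while the GPP, registry and image cases that belong beside it are `######`. Drop the empty heading or demote the GPO/SCCM heading to `######` so the four cases sit at one level. The same heading has "though" for "through" and lowercases "System center configuration manager". Separately, the front matter carries `ms.date: 09/11/2018` on a file created on 28 Sep 2020; set it to the authoring date.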
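
Review bot: In PATCH 2/7, the link fix is only half applied on the changed "Trusted Image Identifier" line: the DisableAntiSpyware link loses its `/en-us/` locale segment, but the second link on the same line still points at `https://docs.microsoft.com/en-us/windows-hardware/manufacture/...`. Strip the locale there in this commit as well, rather than leaving it for the follow-up in PATCH 5/7.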
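
Review bot: In PATCH 3/7, hunk `@@ -37,21 +37,26 @@`, the added sentence "will be listed within the Services app under **Windows Defender** > **Operational**" gives an event log path, not a location in the Services app; the event table in this same file names that channel as `Microsoft-Windows-Windows Defender/Operational`. The Services app lists services by name, so this sentence should tell the reader to find *Windows Defender Antivirus Service* in the list, and the **Operational** path should be left to the Event Viewer instructions.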
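
Review bot: In PATCH 4/7, hunk `@@ -25,12 +25,22 @@`, the new "Review event logs" section only directs readers to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**, but the first row of the "Associated event IDs" table (event 15, source Security Center) is logged to `Application`. A reader following the new steps will never see that event; add a line pointing to **Windows Logs** > **Application** for event 15.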
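
Review bot: In PATCH 5/7, the line being edited still opens with "Your imagining admin", which should read "Your imaging admin". The typo is present on both the removed and added versions of the line here and was also carried through unchanged in PATCH 2/7 and PATCH 3/7, so it is worth fixing while this line is open.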
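
Review bot: In PATCH 7/7, hunk `@@ -121,12 +121,12 @@`, the "Turn Microsoft Defender Antivirus back on" section still has no remediation for the causes the report section teaches readers to find. The guide shows how to spot `DisableAntiSpyware` set through GPO, GPP, the registry or the image, yet this section only covers turning off the third-party antivirus, passive mode and limited periodic scanning. Add the supported way to clear the "Turn off Windows Defender Antivirus" policy or the `DisableAntiSpyware` value for each case, ahead of the existing warning about editing service start values. Also, "Passive mode allows Microsoft Defender to scan files" should use "Microsoft Defender Antivirus" to match the rest of the page.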