deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-07-03 03:03:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #3936 from MicrosoftDocs/master

Browse Source 
Publish 10/5/2020 10:30 AM PT
This commit is contained in:
Tina Burden
2020-10-05 10:38:29 -07:00
committed by GitHub
parent ecc51eaff7 fa80d4cbe7
commit d9838f7b84
4 changed files with 140 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/deployment/update/update-compliance-using.md
View File

@ -62,21 +62,19 @@ The following is a breakdown of the different sections available in Update Compl
## Update Compliance data latency
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows:
Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate at which each type of data is sent from the device and how long it takes to be ready for Update Compliance varies, roughly outlined below.
The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data.
| Data Type | Data upload rate from device | Data Latency |
|--|--|--|
|WaaSUpdateStatus | Once per day |4 hours |
|WaaSInsiderStatus| Once per day |4 hours |
|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours |
|WDAVStatus|On signature update|24 hours |
|WDAVThreat|On threat detection|24 hours |
|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours |
|WUDOStatus|Once per day|12 hours |
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh).
This means you should generally expect to see new data device data every 24 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours.
## Using Log Analytics
@ -89,4 +87,4 @@ See below for a few topics related to Log Analytics:
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)
[Get started with Update Compliance](update-compliance-get-started.md)

2
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -84,7 +84,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
![Example of UI](images/waas-wsus-fig5.png)
>[!IMPORTANT]
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).

2
windows/security/threat-protection/TOC.md
View File

@ -709,7 +709,7 @@
##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)

134
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md Normal file
View File

@ -0,0 +1,134 @@
---
title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: martyav
ms.author: v-maave
ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
---
# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
## Review event logs
Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
From there, select **Open** underneath **Operational**.
Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
## Microsoft Defender Antivirus won't start
This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
### Associated event IDs
Event ID | Log name | Description | Source
-|-|-|-
15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.<br /><br />**Old value:** Default\IsServiceRunning = 0x0<br />**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
> [!TIP]
> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
#### Use Services app to check if Microsoft Defender Antivirus is turned off
To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
#### Generate a detailed report
You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
```powershell
GPresult.exe /h gpresult.html
```
This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
##### Group policy results
##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
Policy | Setting | Winning GPO
-|-|-
Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
###### If security settings are implemented via Group policy preference (GPP)
Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
DisableAntiSpyware | -
-|-
Winning GPO | Win10-Workstations
Result: Success |
**General** |
Action | Update
**Properties** |
Hive | HKEY_LOCAL_MACHINE
Key path | SOFTWARE\Policies\Microsoft\Windows Defender
Value name | DisableAntiSpyware
Value type | REG_DWORD
Value data | 0x1 (1)
###### If security settings are implemented via registry key
The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
> Registry (regedit.exe)
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
> DisableAntiSpyware (dword) 1 (hex)
###### If security settings are set in Windows or your Windows Server image
Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
### Turn Microsoft Defender Antivirus back on
Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
> [!WARNING]
> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
> [!IMPORTANT]
> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
### See also
* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)