From c597c5ddf6e5864739819869be7297c4851d6b7b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 13:57:02 -0800 Subject: [PATCH 01/12] Update windows-defender-antivirus-in-windows-10.md --- ...indows-defender-antivirus-in-windows-10.md | 34 +++++++++---------- 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 539f6e5844..1a430158c8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Next-generation protection in Windows 10 and Windows Server 2016 +title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh 
@@ -11,33 +11,36 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2019 +ms.date: 02/25/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Next-generation protection in Windows 10 and Windows Server 2016 +# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include: +## Windows Defender Antivirus: Your next-generation protection + +Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: - [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-windows-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. - [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. 
- [Dedicated protection and product updates](manage-updates-baselines-windows-defender-antivirus.md). This includes updates related to keeping Windows Defender Antivirus up to date. ->[!TIP] ->Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: -> - Cloud-delivered protection -> - Block at first sight (BAFS) protection -> - Potentially unwanted applications (PUA) protection +## Try a demo! + +Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: +- Cloud-delivered protection +- Block at first sight (BAFS) protection +- Potentially unwanted applications (PUA) protection ## Minimum system requirements -Windows Defender Antivirus is your main vehicle for next-generation protection, and it has the same hardware requirements as of Windows 10. For more information, see: +Windows Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) 
@@ -47,15 +50,10 @@ Windows Defender Antivirus is your main vehicle for next-generation protection, For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md). > [!Note] -> Configuration and management is largely the same in Windows Server 2016, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). +> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). -## Related topics +## Related articles -- [Full version history for Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) - [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md) + - [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) -- [Enable cloud protection](enable-cloud-protection-windows-defender-antivirus.md) -- [Configure real-time protection](configure-real-time-protection-windows-defender-antivirus.md) -- [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) -- [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) -- [Create and deploy cloud-protected antimalware policies](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service.md) From b08e711a9cdb9e9469fa75e3c639cfb48115a30a Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 14:41:37 -0800 Subject: [PATCH 02/12] Update windows-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 137 +++++++++--------- 1 file changed, 72 insertions(+), 65 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 5af8d81560..cd3b2ac628 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Antivirus on Windows Server 2016 -description: Enable and configure Windows Defender AV on Windows Server 2016 +title: Windows Defender Antivirus on Windows Server 2016 and 2019 +description: Enable and configure Windows Defender AV on Windows Server 2016 and 2019 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,44 +11,47 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/10/2019 +ms.date: 02/25/2020 ms.reviewer: manager: dansimp --- -# Windows Defender Antivirus on Windows Server 2016 +# Windows Defender Antivirus on Windows Server 2016 and 2019 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. +Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. -While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences: +While the functionality, configuration, and management is largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: -- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. -- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product. +- In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. +- In Windows Server, Windows Defender Antivirus will not disable itself if you are running another antivirus product. 
-This topic includes the following instructions for setting up and running Windows Defender AV on a server platform: +The process of setting up and running Windows Defender Antivirus on a server platform includes several steps: -- [Enable the interface](#enable-or-disable-the-interface-on-windows-server-2016) +1. [Enable the interface](#enable-or-disable-the-user-interface-on-windows-server-2016-or-2019) -- [Verify Windows Defender AV is running](#verify-windows-defender-is-running) +2. [Install Windows Defender Anvirus]() -- [Update antimalware Security intelligence](#update-antimalware-security-intelligence) +2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-is-running) -- [Submit Samples](#submit-samples) +3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) -- [Configure automatic exclusions](#configure-automatic-exclusions) +4. (As needed) [Submit samples](#submit-samples) -## Enable or disable the interface on Windows Server 2016 -By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. +5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) + +6. (If needed) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus) + +## Enable the user interface on Windows Server 2016 or 2019 + +By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface is installed by default on some SKUs, but is not required. If the interface is not installed on your server, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. >[!NOTE] >You can't uninstall the Windows Security app, but you can disable the interface with these instructions. 
-If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. - ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard. 
@@ -66,51 +69,38 @@ To hide the interface, use the **Remove Roles and Features Wizard** and deselect Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` - >[!IMPORTANT] > Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -## Install or uninstall Windows Defender AV on Windows Server 2016 +## Install Windows Defender Antivirus on Windows Server 2016 or 2019 +You can use the Add Roles and Features Wizard or PowerShell to install Windows Defender Antivirus. -You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard. +### Use the Add Roles and Features Wizard -This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). +1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. ->[!NOTE] ->Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**. +2. When you get to the **Features** step of the wizard, select the Windows Defender Antivirus option. Also select the **GUI for Windows Defender** option. 
- - - -The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016: - - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - -To install Windows Defender AV again, use the **Add Roles and Features Wizard** and ensure the **Windows Defender** feature is selected. You can also enable the interface by selecting the **GUID for Windows Defender** option. - -You can also use the following PowerShell cmdlet to install Windows Defender AV: +### Use PowerShell ```PowerShell Install-WindowsFeature -Name Windows-Defender ``` > [!TIP] -> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). +> Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). -## Verify Windows Defender is running +## Verify Windows Defender Antivirus is running -To verify that Windows Defender AV is running on the server, run the following PowerShell cmdlet: +To verify that Windows Defender Antivirus is running on your server, run the following PowerShell cmdlet: ```PowerShell Get-Service -Name windefend ``` -To verify that firewall protection through Windows Defender is turned on, run the following PowerShell cmdlet: +To verify that firewall protection is turned on, run the following PowerShell cmdlet: ```PowerShell Get-Service -Name mpssvc 
@@ -122,35 +112,28 @@ As an alternative to PowerShell, you can use Command Prompt to verify that Windo sc query Windefend ``` -The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`. +The `sc query` command returns information about the Windows Defender Antivirus service. When Windows Defender Antivirus is running, the `STATE` value displays `RUNNING`. ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence , you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage. +In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender Antivirus Security intelligence are approved for the computers you manage. -By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods: +By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods: -- **Windows Update** in Control Panel. - - **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. - - - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. - -- **Group Policy**. 
You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** - -- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install Security intelligence updates. - - - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. - - - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. +|Method |Description | +|---------|---------| +|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** | +|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | To ensure that protection from malware is maintained, we recommend that you enable the following services: -- Windows Error Reporting service +- Windows Error Reporting service -- Windows Update service +- Windows Update service -The following table lists the services for Windows Defender and the dependent services. +The following table lists the services for Windows Defender Antivirus and the dependent services. |Service Name|File Location|Description| |--------|---------|--------| 
@@ -169,13 +152,13 @@ We collect program executable files, such as .exe files and .dll files. We do no To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings: -- **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI. -- **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files. - -- **2** Never send. The Windows Defender service does not prompt and does not send any files. - -- **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation. +|Setting |Description | +|---------|---------| +|**0** Always prompt. |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** Send safe samples automatically. |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** Never send. |The Windows Defender Antivirus service does not prompt and does not send any files. | +|**3** Send all samples automatically. |The Windows Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions 
@@ -183,6 +166,30 @@ To help ensure security and performance, certain exclusions are automatically ad See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. +## Need to uninstall Windows Defender Antivirus? + +If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources: + +- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). + +- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection. + +If you determine you do want to uninstall Windows Defender Antivirus, follow these steps: + +### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard + +1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. + +2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. 
+ +### Uninstall Windows Defender Antivirus using PowerShell + +The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender +``` + ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 8f00826545be0542e7e24458fd26a18eadd4ff75 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:04:27 -0800 Subject: [PATCH 03/12] Update windows-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index cd3b2ac628..820d74d3a2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
@@ -47,10 +47,13 @@ The process of setting up and running Windows Defender Antivirus on a server pla ## Enable the user interface on Windows Server 2016 or 2019 -By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface is installed by default on some SKUs, but is not required. If the interface is not installed on your server, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. +By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it. ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. +### Turn on the GUI for Windows Defender Antivirus + +1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. + +2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) 
@@ -144,15 +147,14 @@ The following table lists the services for Windows Defender Antivirus and the de ## Submit Samples -Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. +To submit a file, review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide), and then visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission) -We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. ### Enable automatic sample submission To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings: - |Setting |Description | |---------|---------| |**0** Always prompt. |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | 
@@ -190,6 +192,12 @@ The following PowerShell cmdlet will also uninstall Windows Defender AV on Windo Uninstall-WindowsFeature -Name Windows-Defender ``` +### Turn off the GUI for Windows Defender Antivirus + +>[!NOTE] +>You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + + ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 84424ed3844f053fc309dcbdf92e13c86415d3a3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:10:09 -0800 Subject: [PATCH 04/12] Update windows-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 820d74d3a2..6253cb79e1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
@@ -29,11 +29,13 @@ While the functionality, configuration, and management is largely the same for W - In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Windows Defender Antivirus will not disable itself if you are running another antivirus product. +## The process at a glance + The process of setting up and running Windows Defender Antivirus on a server platform includes several steps: 1. [Enable the interface](#enable-or-disable-the-user-interface-on-windows-server-2016-or-2019) -2. [Install Windows Defender Anvirus]() +2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019) 2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-is-running) 
@@ -43,13 +45,13 @@ The process of setting up and running Windows Defender Antivirus on a server pla 5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) -6. (If needed) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus) +6. (Only if necessary) [Uninstall Windows Defender Antivirus](#need-to-uninstall-windows-defender-antivirus) ## Enable the user interface on Windows Server 2016 or 2019 By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it. -### Turn on the GUI for Windows Defender Antivirus +### Turn on the GUI using the Add Roles and Features Wizard 1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 
@@ -57,20 +59,14 @@ By default, Windows Defender Antivirus is installed and functional on Windows Se ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) -See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard. +### Turn on the GUI using PowerShell -The following PowerShell cmdlet will also enable the interface: +The following PowerShell cmdlet will enable the interface: ```PowerShell Install-WindowsFeature -Name Windows-Defender-GUI ``` -To hide the interface, use the **Remove Roles and Features Wizard** and deselect the **GUI for Windows Defender** option at the **Features** step, or use the following PowerShell cmdlet: - - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender-GUI -``` >[!IMPORTANT] > Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. 
@@ -186,16 +182,22 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the ### Uninstall Windows Defender Antivirus using PowerShell -The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016: +>[!NOTE] +>You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + +The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019: ```PowerShell Uninstall-WindowsFeature -Name Windows-Defender ``` -### Turn off the GUI for Windows Defender Antivirus +### Turn off the GUI using PowerShell ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. +To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender-GUI +``` ## Related topics From 33f04cffeaf89cd51733d35687b4ac8d6f8add47 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:16:52 -0800 Subject: [PATCH 05/12] Update windows-defender-antivirus-on-windows-server-2016.md --- ...efender-antivirus-on-windows-server-2016.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 6253cb79e1..d51c702001 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
@@ -136,10 +136,10 @@ The following table lists the services for Windows Defender Antivirus and the de |Service Name|File Location|Description| |--------|---------|--------| -|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| -|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| -|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.| -|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get Security intelligence updates and antimalware engine updates| +|Windows Defender Service (Windefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.| +|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.| +|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.| +|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates| ## Submit Samples 
@@ -153,10 +153,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an |Setting |Description | |---------|---------| -|**0** Always prompt. |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | -|**1** Send safe samples automatically. |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | -|**2** Never send. |The Windows Defender Antivirus service does not prompt and does not send any files. | -|**3** Send all samples automatically. |The Windows Defender Antivirus service sends all files without a prompt for confirmation. | +|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. | +|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions 
@@ -172,7 +172,7 @@ If you are using a third-party antivirus solution and you're running into issues - See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection. -If you determine you do want to uninstall Windows Defender Antivirus, follow these steps: +If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections. ### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard From aee111c71da60fd3da9dd03f389e4927f6f1ee78 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:22:40 -0800 Subject: [PATCH 06/12] WDAV updates --- ...indows-defender-antivirus-in-windows-10.md | 2 +- ...fender-antivirus-on-windows-server-2016.md | 22 +++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 1a430158c8..79ba16ef12 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md 
@@ -50,7 +50,7 @@ Windows Defender Antivirus has the same hardware requirements as of Windows 10. For information on how to configure next-generation protection services, see [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md). > [!Note] -> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). +> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Windows Defender Antivirus; however, there are some differences. To learn more, see [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md). ## Related articles diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index d51c702001..2a083662bf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
@@ -49,7 +49,7 @@ The process of setting up and running Windows Defender Antivirus on a server pla ## Enable the user interface on Windows Server 2016 or 2019 -By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it. +By default, Windows Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Windows Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. ### Turn on the GUI using the Add Roles and Features Wizard @@ -67,13 +67,9 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` - ->[!IMPORTANT] -> Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. - ## Install Windows Defender Antivirus on Windows Server 2016 or 2019 -You can use the Add Roles and Features Wizard or PowerShell to install Windows Defender Antivirus. +You can use the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus. ### Use the Add Roles and Features Wizard 
@@ -101,11 +97,11 @@ Get-Service -Name windefend To verify that firewall protection is turned on, run the following PowerShell cmdlet: -```PowerShell +```PowerShell Get-Service -Name mpssvc ``` -As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender AV is running. To do that, run the following command from a command prompt: +As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is running. To do that, run the following command from a command prompt: ```DOS sc query Windefend @@ -141,7 +137,7 @@ The following table lists the services for Windows Defender Antivirus and the de |Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.| |Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates| -## Submit Samples +## Submit samples To submit a file, review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide), and then visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission) @@ -160,7 +156,7 @@ To enable automatic sample submission, start a Windows PowerShell console as an ## Configure automatic exclusions -To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016. +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019. See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. 
@@ -178,7 +174,11 @@ If you determine you do want to uninstall Windows Defender Antivirus, follow the 1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. -2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. +2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. + + If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. + + Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. ### Uninstall Windows Defender Antivirus using PowerShell From 9903b02fe4aecc26e5871cbae2f1a2ef39829bb3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:29:17 -0800 Subject: [PATCH 07/12] Update windows-defender-antivirus-on-windows-server-2016.md --- .../windows-defender-antivirus-on-windows-server-2016.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 2a083662bf..e2d3eb6f43 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -33,7 +33,7 @@ While the functionality, configuration, and management is largely the same for W The process of setting up and running Windows Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-or-disable-the-user-interface-on-windows-server-2016-or-2019) +1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) 2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019) From 8cddba46e0c1385e9a87883fcebcc2c208ca6213 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:34:21 -0800 Subject: [PATCH 08/12] Update windows-defender-antivirus-on-windows-server-2016.md --- .../windows-defender-antivirus-on-windows-server-2016.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index e2d3eb6f43..865d79d28d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md 
@@ -24,10 +24,10 @@ manager: dansimp Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. -While the functionality, configuration, and management is largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: +While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: - In Windows Server, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. -- In Windows Server, Windows Defender Antivirus will not disable itself if you are running another antivirus product. +- In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running another antivirus product. ## The process at a glance @@ -158,7 +158,7 @@ To enable automatic sample submission, start a Windows PowerShell console as an To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019. -See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. +See [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md). ## Need to uninstall Windows Defender Antivirus? From 4df6bf28b49307434c1bd5a3ede94b6e63f885c1 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:36:31 -0800 Subject: [PATCH 09/12] Update windows-defender-antivirus-on-windows-server-2016.md --- .../windows-defender-antivirus-on-windows-server-2016.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 865d79d28d..1dcff86fe3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -37,7 +37,7 @@ The process of setting up and running Windows Defender Antivirus on a server pla 2. [Install Windows Defender Antivirus](#install-windows-defender-antivirus-on-windows-server-2016-or-2019) -2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-is-running) +2. [Verify Windows Defender Antivirus is running](#verify-windows-defender-antivirus-is-running) 3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) From 029aa13b5ef431d6412510b2be8bdeaff7c47f5e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:43:33 -0800 Subject: [PATCH 10/12] Update windows-defender-antivirus-compatibility.md --- ...indows-defender-antivirus-compatibility.md | 50 +++++++++---------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 64efaa5752..f3813bdb0c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus compatibility with other security products -description: Windows Defender AV operates in different ways depending on what other security products you have installed, and the operating system you are using. +description: Windows Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using. keywords: windows defender, atp, advanced threat protection, compatibility, passive mode search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 02/25/2020 ms.reviewer: manager: dansimp --- 
@@ -27,35 +27,33 @@ Windows Defender Antivirus is automatically enabled and installed on endpoints a However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. -If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender AV. +If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus. -The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used. +The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used. 
-| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state | +| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state | |---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------| | Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | | Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | -| Windows 10 | Windows Defender AV | Yes | Active mode | -| Windows 10 | Windows Defender AV | No | Active mode | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | -| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | -| Windows Server 2016 | Windows Defender AV | Yes | Active mode | -| Windows Server 2016 | Windows Defender AV | No | Active mode | +| Windows 10 | Windows Defender Antivirus | Yes | Active mode | +| Windows 10 | Windows Defender Antivirus | No | Active mode | +| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | +| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | +| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode | +| Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode | -(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. 
If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine. +(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine. If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: -- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode - Value: 1 -See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations. - - +See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. >[!IMPORTANT] ->Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. +>Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. > >In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. 
> @@ -66,20 +64,20 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). 
| [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. +Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. 
It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. -In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. + If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode. >[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Microsoft Defender ATP, or the Windows Security app. +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. 
> @@ -89,4 +87,4 @@ In passive and automatic disabled mode, you can still [manage updates for Window ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) +- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) From 71e700ad2336234dfcae5823fb77cadb6d56aad8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:50:06 -0800 Subject: [PATCH 11/12] Update windows-defender-antivirus-compatibility.md --- .../windows-defender-antivirus-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index f3813bdb0c..5a15b041a1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -43,7 +43,7 @@ The following matrix illustrates the states that Windows Defender Antivirus will | Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode | | Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode | -(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine. +(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode From 07a408eaf4bcff9170505f7aacaaa2bb9ca4c00a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 25 Feb 2020 15:50:24 -0800 Subject: [PATCH 12/12] Update windows-defender-antivirus-compatibility.md --- .../windows-defender-antivirus-compatibility.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 5a15b041a1..8c86ac5722 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -44,6 +44,7 @@ The following matrix illustrates the states that Windows Defender Antivirus will | Windows Server 2016 or 2019 | Windows Defender Antivirus | No | Active mode | (1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. + If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode
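Review bot: In the hunk that renames "Windows Defender AV" to "Windows Defender Antivirus" in the passive-mode paragraph, the rewritten `+In passive and automatic disabled mode` line keeps the comma splice "..., however you can't move Windows Defender Antivirus into the normal active mode"; split it into two sentences ("... Windows Defender Antivirus. However, you can't move ...") while the line is being touched. The warning just below it reads "the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process", which does not say which of the six names are services and which is the process. Because this is the list administrators are told not to disable, stop, or modify, it is worth stating that explicitly in the same change. The added `+ If you uninstall the other product` line also carries a leading space that the surrounding paragraphs do not have.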
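Review bot: In PATCH 11/12, footnote (1) now says "consider uninstalling" where it used to say "uninstall", but the same sentence still states that Windows Defender Antivirus will not enter passive or disabled mode on Windows Server 2016 or 2019, so a reader who decides not to uninstall is left with two active antivirus products and no stated alternative. Suggest tying the footnote to the `ForceDefenderPassiveMode` paragraph that follows it, and saying plainly what to do on versions that paragraph does not cover. The new link target adds the fragment `#need-to-uninstall-windows-defender-antivirus`; the heading it refers to is not part of this series, so please confirm it exists in `windows-defender-antivirus-on-windows-server-2016.md` before merging.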
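Review bot: In PATCH 12/12, the only change is a blank line inserted before "If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:", and that sentence still needs fixing: "Using" is capitalized mid-sentence, "Windows 2019" should presumably read "Windows Server 2019" to match the rest of the page, and "and" reads as if both versions must be present where "or" seems intended. Since the commit already touches this spot, correct the wording here rather than in a follow-up. The visible context ends at `- Name: ForceDefenderPassiveMode`; please check that the lines after it give the value type and data, because the path and name alone are not enough to set the key.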