Forum Discussion
Enable Limited Periodic Scanning in Microsoft Defender Antivirus
I'm looking for help to find a programmatic way to enable limited periodic scanning in Microsoft Defender on Windows 10. The feature is described here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-worldwide
Some background - Limited Periodic Scanning is a feature that allows you to use Defender as a secondary A/V when you have another product installed as your registered anti-malware program. In my case, we're using CrowdStrike Falcon.
The link above shows how to enable limited periodic scanning via the GUI in the Settings applet. However, I'd like to enable it with PowerShell or GPO.
Why enable limited periodic scanning if you already have an enterprise A/V solution installed?
In my case I want to be able to trigger full Defender scans remotely from Microsoft Endpoint Configuration Manager (MEMCM). If limited periodic scanning is off, MEMCM can't trigger a scan.
--Terry
4 Replies
- ambarishrh (Iron Contributor)
terrymiller found this post which mentions setting it using GPO: https://beingwinsysadmin.blogspot.com/2020/02/sccm-sms-agent-host-ccmexec-hangs-on.html
Searching around the internet again I found several other people looking for exactly the same thing I was. A way to automatically turn on “limited periodic scanning”. (https://www.reddit.com/r/sysadmin/comments/ebddsy/gpo_to_enable_periodic_wdefender_scan_even_with/ (1), https://www.reddit.com/r/sysadmin/comments/b5pjws/is_there_a_way_to_enable_windows_defenders/ (2), https://community.spiceworks.com/topic/2139161-windows-defender-limited-periodic-scanning, ...)
In prior versions of Windows 10 (up to and including 1803) there was a command line option to turn the “Periodic scanning” feature on:
C:\Windows\System32\SystemSettingsAdminFlows.exe Defender SideBySideOn
However, since 1809 this command does not seem to do anything anymore. So I was back to having to do this manually on all affected clients? No way.
So I unpacked https://docs.microsoft.com/en-us/sysinternals/downloads/procmon (procmon) and started analyzing what happens on the system when you turn on/turn off that switch in the Windows Defender Security Center.
After digging through the hundreds of thousands of events (even after filtering out all the irrelevant processes), I found what I was looking for.
The switch in the Windows Defender Security Center GUI sets seven (relevant) registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
"DisableAntiVirus"=dword:00000000
"PassiveMode"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Group"="Early-Launch"
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
In addition to that, I also set two more GPOs for Windows Defender:
Windows Components\Windows Defender Antivirus
- Allow antimalware service to remain running always = Enabled
- Turn off Windows Defender Antivirus = Disabled
Which set the following two registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
"ServiceKeepAlive"=dword:00000001
With that the “Windows Defender Antivirus Service” (WinDefend) will automatically start and the switch in the “Windows Defender Security Center” GUI will be enabled too.
So apparently, the trick was to modify not only the “WinDefend” service but the “WdBoot” and “WdFilter” services too.
Most importantly, the SCCM Client will no longer hang either. It will even install updates and software again, even on Windows 10 1903 and 1909. Great success.
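The registry and GPO values listed in the reply above can be applied with PowerShell instead of regedit or a domain policy. The following script is an added example, not code from the thread or from the linked blog post: it writes the same nine values, starts WinDefend, and then re-reads every value so drift (a value Defender or a policy has reverted) is reported rather than silently ignored. The final Get-MpComputerStatus check and its AMRunningMode property are an assumption about the Defender PowerShell module on recent builds; treat the printed mode as informational.

```powershell
# Added example (not from the thread): apply the "limited periodic scanning"
# registry values listed in the reply above, then verify them.
# Run from an elevated prompt. Writes under HKLM\SOFTWARE\Microsoft\Windows Defender
# may be denied unless running as SYSTEM (e.g. via the ConfigMgr client or psexec -s)
# and may be reverted while Tamper Protection is on; the drift check below surfaces that.
#Requires -RunAsAdministrator

$settings = @(
    # Values the Windows Security toggle writes (per the reply above)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'DisableAntiSpyware'; Value = 0;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'DisableAntiVirus';   Value = 0;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name = 'PassiveMode';        Value = 2;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot';     Name = 'Group';              Value = 'Early-Launch'; Type = 'String' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot';     Name = 'Start';              Value = 0;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter';   Name = 'Start';              Value = 0;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend';  Name = 'Start';              Value = 2;              Type = 'DWord'  }
    # Policy values equivalent to the two GPO settings in the reply
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Value = 0;              Type = 'DWord'  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'ServiceKeepAlive';   Value = 1;              Type = 'DWord'  }
)

function Set-DefenderPeriodicScanning {
    # Writes every value; returns a list of "path\name: error" strings for any write that failed
    $failed = @()
    foreach ($s in $settings) {
        try {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type -ErrorAction Stop
        } catch {
            $failed += "$($s.Path)\$($s.Name): $($_.Exception.Message)"
        }
    }
    return $failed
}

function Test-DefenderPeriodicScanning {
    # Re-reads every value and returns the ones that do not match the expected value
    $drift = foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$current" -ne "$($s.Value)") {
            [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $current }
        }
    }
    return @($drift)
}

$writeErrors = Set-DefenderPeriodicScanning
if ($writeErrors.Count -gt 0) {
    Write-Warning ("Could not write the following values (run as SYSTEM / check Tamper Protection):`n" + ($writeErrors -join "`n"))
}

# WinDefend can be started now; the WdBoot/WdFilter driver changes take effect at the next boot
Start-Service -Name WinDefend -ErrorAction SilentlyContinue

$drift = Test-DefenderPeriodicScanning
if ($drift.Count -gt 0) {
    Write-Warning 'Values that did not stick:'
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'All limited-periodic-scanning values are in place.'
}

# Assumption: on recent Defender builds Get-MpComputerStatus exposes AMRunningMode,
# which should read as a passive/side-by-side mode once the toggle is on
Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
```

If the drift table shows the three values under HKLM\SOFTWARE\Microsoft\Windows Defender while the service and policy values applied fine, the script most likely ran as a plain administrator rather than SYSTEM, or Tamper Protection restored them; deploying the same script as a ConfigMgr package (which runs as SYSTEM) is the usual way round the first problem.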
- Securitygeek (Copper Contributor)
Thanks for sharing this. Somehow this does not seem to be working for me... What could go wrong here?
- FriskySpider29347654 (Copper Contributor)
ambarishrh Awesome, thanks!
- terrymiller (Brass Contributor)
Thanks for this reply, Ambarish! I'll give this a try.