Forum Discussion
Enable Limited Periodic Scanning in Microsoft Defender Antivirus
terrymiller found this post, which mentions setting it using GPO: https://beingwinsysadmin.blogspot.com/2020/02/sccm-sms-agent-host-ccmexec-hangs-on.html
Searching around the internet again, I found several other people looking for exactly the same thing I was: a way to automatically turn on “limited periodic scanning”. (https://www.reddit.com/r/sysadmin/comments/ebddsy/gpo_to_enable_periodic_wdefender_scan_even_with/ (1), https://www.reddit.com/r/sysadmin/comments/b5pjws/is_there_a_way_to_enable_windows_defenders/ (2), https://community.spiceworks.com/topic/2139161-windows-defender-limited-periodic-scanning, ...)
In prior versions of Windows 10 (up to and including 1803) there was a command line option to turn the “Periodic scanning” feature on:
C:\Windows\System32\SystemSettingsAdminFlows.exe Defender SideBySideOn
However, since 1809 this command does not seem to do anything anymore. So I was back to having to do this manually on all affected clients? No way.
So I unpacked procmon (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) and started analyzing what happens on the system when you turn that switch on or off in the Windows Defender Security Center.
After digging through the hundreds of thousands of events (even after filtering out all the irrelevant processes), I found what I was looking for.
The switch in the Windows Defender Security Center GUI sets seven (relevant) registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
"DisableAntiVirus"=dword:00000000
"PassiveMode"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Group"="Early-Launch"
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
In addition to that, I also set two more GPOs for Windows Defender:
Windows Components\Windows Defender Antivirus
- Allow antimalware service to remain running always = Enabled
- Turn off Windows Defender Antivirus = Disabled
Which set the following two registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
"ServiceKeepAlive"=dword:00000001
With that the “Windows Defender Antivirus Service” (WinDefend) will automatically start and the switch in the “Windows Defender Security Center” GUI will be enabled too.
So apparently, the trick was to modify not only the “WinDefend” service but the “WdBoot” and “WdFilter” services too.
Most importantly, the SCCM Client will no longer hang either. It will even install updates and software again, even on Windows 10 1903 and 1909. Great success.
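As an added example (not part of the post above or of any Microsoft tooling), the following PowerShell audits the nine registry values the post lists, reports any that differ from the values the GUI and the two GPOs write, and, with -Apply, sets them; it assumes it is run elevated and that the function name and -Apply switch are this example's own.

```powershell
# Added example: audit (and optionally apply) the registry values the post lists for
# "limited periodic scanning". Paths, names and values are copied from the post; run elevated.
$expected = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name='DisableAntiSpyware'; Type='DWord';  Value=0 }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name='DisableAntiVirus';   Type='DWord';  Value=0 }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows Defender';          Name='PassiveMode';        Type='DWord';  Value=2 }
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot';     Name='Group';              Type='String'; Value='Early-Launch' }
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot';     Name='Start';              Type='DWord';  Value=0 }
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter';   Name='Start';              Type='DWord';  Value=0 }
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend';  Name='Start';              Type='DWord';  Value=2 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name='DisableAntiSpyware'; Type='DWord';  Value=0 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name='ServiceKeepAlive';   Type='DWord';  Value=1 }
)

# Hypothetical helper name; returns a compliance summary rather than only printing it.
function Test-PeriodicScanningConfig {
    [CmdletBinding()]
    param([switch]$Apply)
    $drift = @()
    foreach ($e in $expected) {
        $current = $null
        if (Test-Path $e.Path) {
            # Read a single value; missing values come back as $null instead of an error
            $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        if ($null -eq $current -or $current -ne $e.Value) {
            $drift += [pscustomobject]@{ Path=$e.Path; Name=$e.Name; Current=$current; Expected=$e.Value }
            if ($Apply) {
                if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
                Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type $e.Type
            }
        }
    }
    # The keys only matter once WinDefend actually runs, so report the live service state too
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Compliant      = ($drift.Count -eq 0)
        Drift          = $drift
        WinDefendState = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    }
}

$result = Test-PeriodicScanningConfig   # add -Apply to write the expected values
$result.Drift | Format-Table -AutoSize
"Compliant: $($result.Compliant); WinDefend: $($result.WinDefendState)"
```

Service Start values are read at boot, so a client that was changed from drift to compliant still needs a reboot (or a manual start of WinDefend) before the Security Center switch reflects the new state.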