MDE migration from 3rd party AV run MDE full scan once migrated

Hello hibi6x ,

There is no policy to run only one full scan when defender is switched to active mode.

Assuming your devices are onboarded even while in Passive mode, there is a workaround to achieve your goal using MDE custom detection rules. Here is how:

1. Go to Advanced hunting and run a query to list devices where defender was switched to active mode:
   DeviceRegistryEvents

   | where ActionType == "RegistryValueSet"

   | where InitiatingProcessFileName == "msmpeng.exe"

   | where RegistryKey contains "Windows Defender"

   | where RegistryValueName == "PassiveMode"

   | where RegistryValueData == "0"

   | where PreviousRegistryValueData == "1"

   | project DeviceId,DeviceName,Timestamp,ReportId
   
2. Click on "Create detection rule"
3. Set your own Detection name, Alert title and Description.
4. Set the Severity to "Info".
5. Make sure that Frequency is set to Continuous (NRT) and click Next.
6. Set impacted entities to Device > DeviceId and click Next.
7. In Actions, expand Devices and choose "Run antivirus scan". Then click Next.
   

    

8. In Scope, I suggest testing this on specific device group(s) before changing it to "All devices".
9.  Review the Summary and Submit.

Expected result: On Windows devices, a full scan will be triggered within few minutes after Defender is switched to Active mode. The full scan should be triggered once.

Note: An alert will be generated whenever this is triggered. You can view the alerts/actions triggered when you open the detection rule page. 

For more information regarding Custom Detection rules: Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn