Forum Discussion

Nigel_Ward's avatar
Nigel_Ward
Copper Contributor
Apr 03, 2022

Microsoft Defender for Endpoint

I'm currently trying to implement MDE to replace existing EDR solution.  Policies and test group have been created.  MS test powershell does generate the appropriate alert.  But Windows Defender A...
JosePinos55's avatar
JosePinos55
MCT
Apr 03, 2022
Hello Nigel_Ward

I would recommend you run this command Get-MpComputerStatus and ensure Defender is running on active mode. Could you also share the results here?

Also, it is recommended to run Windows updates, make sure everything is up to date.
Nigel_Ward's avatar
Nigel_Ward
Copper Contributor
Apr 03, 2022

Thanks JosePinos55 .  After a restart Defender AV appears to run briefly and then stops with a warning that the device is unprotected

PS C:\WINDOWS\system32> Get-MpComputerStatus


AMEngineVersion : 0.0.0.0
AMProductVersion : 4.18.2201.10
AMRunningMode : Not running
AMServiceEnabled : False
AMServiceVersion : 0.0.0.0
AntispywareEnabled : False
AntispywareSignatureAge : 4294967295
AntispywareSignatureLastUpdated :
AntispywareSignatureVersion : 0.0.0.0
AntivirusEnabled : False
AntivirusSignatureAge : 4294967295
AntivirusSignatureLastUpdated :
AntivirusSignatureVersion : 0.0.0.0
BehaviorMonitorEnabled : False
ComputerID : 2013D332-78B8-43C2-BCAE-***************
ComputerState : 0
DeviceControlDefaultEnforcement : N/A
DeviceControlPoliciesLastUpdated : 01/01/1601 00:00:00
DeviceControlState : N/A
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
IsTamperProtected : False
IsVirtualMachine : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
TamperProtectionSource : Signatures
TDTMode : N/A
TDTStatus : N/A
TDTTelemetry : N/A
PSComputerName :

  • Nigel_Ward's avatar
    Nigel_Ward
    Copper Contributor
    Apr 03, 2022

    No errors here

    • Jonhed's avatar
      Jonhed
      Iron Contributor
      Apr 04, 2022
      Do you have any GPO settings that disable defender antivirus?

      GPO will take precedence over Intune policies.
      • Nigel_Ward's avatar
        Nigel_Ward
        Copper Contributor
        Apr 09, 2022
        I found this did the job.

        https://www.varonis.com/blog/windows-defender-turned-off-by-group-policy

        Run ‘regedit’

        Navigate through the tree to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.

        Delete DisableAntiSpyware in the right pane.

        Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.

        Delete DisableRealtimeMonitoring in the right pane.

Resources