Devices stuck in Passive Mode

Hello. We recently switched over to Defender for Endpoint as our primary anti-virus. We were exploring ASR rules when we realized that a large number of our endpoints were not being put into an active state. The Defender Device Health Report is showing about 30% of the devices stuck in Passive mode. ASR rules will not apply if the devices are in Passive mode.

  • We are currently Co-Managing devices between SCCM and Intune
  • In SCCM, Endpoint Protection is set to be fully managed by Intune
  • I've checked that Defender XDR is connected to Intune in the Defender Settings.
  • EDR Block Mode is turned off
  • We have an AntiVirus policy in Intune pushed out to All Devices and all the devices reporting in Passive mode in Defender are showing as Succeeded in Intune


I have one of the laptops showing in Passive mode, and when I run Get-MpComputerStatus it shows AMRunningMode as Passive.

  • I tried the MS-suggested fix of creating a registry DWORD entry called ForceDefenderPassiveMode and setting it to 0, but that has had no effect on the device. It is still showing in Passive mode.
  • I've confirmed there isn't another anti-virus software installed on the device.
  • There is no GPO applied to disable Defender


Does anyone have any suggestions, or has anyone run into this problem before?


7 Replies

@griggs31

Users are encountering a problem where their devices are consistently stuck in passive mode. Passive mode typically refers to a state where a device or system is not actively engaged or responsive, causing disruptions in normal functionality.

Symptoms:

  • Unresponsiveness: Devices, applications, or components remain unresponsive or sluggish when attempting to use them.

  • Limited Functionality: Users may experience a reduction in functionality, with devices not performing as expected.

  • No Active Feedback: Devices do not provide active feedback or respond to user input as they normally would.

Possible Causes:

  • Software Glitch: A glitch or bug in the operating system or specific software may be causing devices to remain in passive mode.

  • Driver Issues: Outdated or incompatible drivers for hardware components may prevent devices from actively engaging with the system.

  • Power Management Settings: Incorrect power management settings can force devices into passive mode to conserve energy, leading to unresponsiveness.

  • Malware or Security Software: Malware or certain security software may interfere with device functionality, forcing them into a passive state.

Workarounds:

  1. Restart Devices:

    • A simple restart may help resolve temporary glitches or software issues causing devices to be stuck in passive mode.
  2. Check Power Management Settings:

    • Review the power management settings for affected devices. Ensure that they are configured correctly and are not set to enter passive mode excessively.
  3. Update Drivers:

    • Update drivers for the affected devices. Visit the device manufacturer's website or use the Windows Device Manager to ensure that the latest drivers are installed.
  4. Disable Power-Saving Features:

    • Disable aggressive power-saving features that might force devices into passive mode. Adjust power plans in the operating system settings accordingly.
  5. Run Anti-Malware Scan:

    • Perform a thorough anti-malware scan to ensure that the devices are not being impacted by malicious software.
  6. Check System Logs:

    • Examine system logs for any error messages or warnings related to the devices. This can provide insights into potential issues causing passive mode.
  7. Restore to a Previous State:

    • If the issue started after a recent software update or installation, consider restoring the system to a previous state using System Restore (Windows) or Time Machine (Mac).
  8. Contact Support:

    • If the problem persists, contact the device manufacturer's support or the operating system support for further assistance. Provide details about your system configuration and the steps you've taken to troubleshoot.

Reporting the Issue:

  • If the problem appears to be a software bug, consider reporting it to the operating system or software vendor. Provide detailed information about the issue, including system specifications, software versions, and any error messages encountered.

Addressing the issue promptly can help restore normal device functionality and enhance the overall user experience.

How are you onboarding the devices to Defender? Are you moving away from a non-MS AV solution?

Hi @griggs31, not sure if this helps, but in my test lab a few weeks ago I found that by removing that registry entry, Defender turned itself on and became active immediately. I had set it to 0 but that didn't work, so I deleted it and voilà.

(HKLM\Software\Policies\Microsoft\Windows Advanced Threat Protection\ForceDefenderPassiveMode)


Your issue relates to Windows Defender running in passive mode and integration with Defender for Endpoint and Intune. While I can't offer a specific solution, I can give you some suggestions that will hopefully help you resolve the issue:

1. **Verify Intune and Defender for Endpoint integration:** Make sure Defender for Endpoint has successfully connected to Intune. Check for any synchronization issues or errors. Ensure that the antivirus policy in Intune has been successfully pushed to all devices.

2. **Check Antivirus Policy Settings:** In Intune, ensure that the antivirus policy is configured correctly. It may be necessary to check for conflicting policies or settings that may cause a device to remain in passive mode.

3. **Using PowerShell for detailed checking:** In addition to `Get-MpComputerStatus`, you can use other PowerShell commands to check the antivirus status of the device in detail. For example, commands such as `Get-MpPreference` and `Get-MpThreatCatalog` may provide additional information.

4. **Viewing the event log:** Check the event log of the device, especially the events related to Windows Defender, for more diagnostic information. Search for relevant error or warning messages in the event log.

5. **Update Windows Defender definition files:** Ensure that Windows Defender's virus and malware definition files are up to date. Sometimes, outdated definition files may cause the device to enter passive mode.

6. **Contact Microsoft Support:** If none of the above steps resolves the issue, it may be necessary to contact Microsoft Support with more detailed device information for specialized assistance.

Regarding VM backups, while backups are an important data protection measure, they may not be directly related to the specific issue of Windows Defender passive mode. Backups are often used to guard against data loss, where your main concern is to ensure that Defender is functioning properly. However, regular backups are still a good security practice that can help restore your system in an emergency.

Finally, make sure you back up your system or create a system restore point before attempting any changes, just in case something unexpected happens.

@rahuljindal-MVP We are onboarding via SCCM but have Intune set as the manager of Endpoint Protection. The devices are co-managed. We uninstalled the previous anti-virus some time ago, so Defender should be the sole anti-virus solution on the devices.

Is Defender available as a provider in Security Center? Do you have this registry value configured by any chance?

HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, DisableAntiSpyware=1

I think we discovered the problem. We are currently co-managed between SCCM and Intune. We were using SCCM for the onboarding piece of Defender, but some time ago we chose to set Intune as the primary manager of Endpoint Protection. Our guess is that this was causing some kind of conflict, because the devices were looking to SCCM for their policy (and were showing as onboarded) when they should have been onboarded via Intune. We did a test by offboarding a few devices, then re-onboarding them with Intune, and those devices are no longer stuck in Passive Mode.

We are working on doing a larger scale offboard then re-onboard now to confirm the fix.
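Pulling the checks from this thread into one pass, here is an added PowerShell triage script (not posted by anyone in the thread): it reads AMRunningMode from Get-MpComputerStatus, the ForceDefenderPassiveMode and DisableAntiSpyware policy values quoted above, the AV products registered in Security Center, and the Defender for Endpoint onboarding state. The OnboardingState key and the Sense service name come from Microsoft's onboarding documentation rather than from the thread; the script is read-only and only flags the conditions the thread tied to a device staying in Passive mode.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell session on the endpoint.
function Get-DefenderModeDiagnostics {
    $status = Get-MpComputerStatus

    # Policy keys quoted in the thread.
    $atpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    # Documented MDE onboarding status key (from Microsoft's onboarding docs, not the thread).
    $atpStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $forcePassive = (Get-ItemProperty -Path $atpPolicy -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    $disableAS    = (Get-ItemProperty -Path $defPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    $onboarded    = (Get-ItemProperty -Path $atpStatus -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense        = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus  = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    # Security Center registrations: a second registered AV is the normal reason Defender goes passive.
    $avProducts   = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        AMRunningMode             = $status.AMRunningMode
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        ForceDefenderPassiveMode  = $forcePassive   # $null means the value is absent
        DisableAntiSpyware        = $disableAS
        OnboardingState           = $onboarded      # 1 = onboarded, per Microsoft docs
        SenseServiceStatus        = $senseStatus
        RegisteredAVCount         = $avProducts.Count
        RegisteredAVProducts      = ($avProducts.displayName -join '; ')
    }
}

$d = Get-DefenderModeDiagnostics
$d | Format-List

# Flag, without changing anything, the conditions this thread tied to a device staying Passive.
if ($d.AMRunningMode -eq 'Passive') {
    if ($null -ne $d.ForceDefenderPassiveMode) {
        Write-Warning "ForceDefenderPassiveMode is present (value $($d.ForceDefenderPassiveMode)); one reply found that deleting it, rather than setting 0, made Defender active."
    }
    if ($d.DisableAntiSpyware -eq 1) {
        Write-Warning 'DisableAntiSpyware=1 is set under the Windows Defender policy key.'
    }
    if ($d.OnboardingState -ne 1) {
        Write-Warning 'OnboardingState is not 1; check which channel (SCCM or Intune) owns Defender onboarding.'
    }
    if ($d.RegisteredAVCount -gt 1) {
        Write-Warning "More than one AV product is registered in Security Center: $($d.RegisteredAVProducts)"
    }
}
```

Running it before and after an offboard/re-onboard gives a side-by-side record of which of these values actually changed, which is the evidence needed before rolling the fix out fleet-wide.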