Microsoft Defender for Endpoint

I'm currently trying to implement MDE to replace an existing EDR solution. Policies and a test group have been created. The MS test PowerShell does generate the appropriate alert.

But Windows Defender AV refuses to run on the test device. The service is set to manual, Windows Security says it's managed by the organisation, and a remotely initiated scan fails.

Any ideas?

5 Replies
Hello @Nigel_Ward

I would recommend you run the command Get-MpComputerStatus and ensure Defender is running in active mode. Could you also share the results here?

Also, it is recommended to run Windows Update and make sure everything is up to date.

Thanks @JosePinos55. After a restart, Defender AV appears to run briefly and then stops with a warning that the device is unprotected.

PS C:\WINDOWS\system32> Get-MpComputerStatus


AMEngineVersion : 0.0.0.0
AMProductVersion : 4.18.2201.10
AMRunningMode : Not running
AMServiceEnabled : False
AMServiceVersion : 0.0.0.0
AntispywareEnabled : False
AntispywareSignatureAge : 4294967295
AntispywareSignatureLastUpdated :
AntispywareSignatureVersion : 0.0.0.0
AntivirusEnabled : False
AntivirusSignatureAge : 4294967295
AntivirusSignatureLastUpdated :
AntivirusSignatureVersion : 0.0.0.0
BehaviorMonitorEnabled : False
ComputerID : 2013D332-78B8-43C2-BCAE-***************
ComputerState : 0
DeviceControlDefaultEnforcement : N/A
DeviceControlPoliciesLastUpdated : 01/01/1601 00:00:00
DeviceControlState : N/A
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
IsTamperProtected : False
IsVirtualMachine : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
TamperProtectionSource : Signatures
TDTMode : N/A
TDTStatus : N/A
TDTTelemetry : N/A
PSComputerName :

No errors here

Do you have any GPO settings that disable Defender Antivirus?

GPO will take precedence over Intune policies.
I found this did the job.

https://www.varonis.com/blog/windows-defender-turned-off-by-group-policy

Run 'regedit'.

Navigate through the tree to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.

Delete DisableAntiSpyware in the right pane.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.

Delete DisableRealtimeMonitoring in the right pane.
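To audit the same two policy values the reply above points at, together with the live engine state that Get-MpComputerStatus reported earlier in the thread, here is an added PowerShell script (it is not from the thread, from Varonis, or from Microsoft). It assumes an elevated prompt; the -Remediate switch is this script's own, not a Defender parameter.

```powershell
# Added example: audit (and optionally remove) the two Defender policy values
# named in the thread, then show the engine state fields the poster pasted.
# Assumption: run from an elevated PowerShell prompt on the affected device.
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch belonging to this script only

# Policy paths and value names exactly as listed in the reply above.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)

$findings = foreach ($c in $checks) {
    $value = $null
    if (Test-Path -Path $c.Path) {
        # -ErrorAction SilentlyContinue: a missing value is a clean result, not an error.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    [pscustomobject]@{
        Path     = $c.Path
        Name     = $c.Name
        Present  = ($null -ne $value)
        Value    = $value
        Blocking = ($value -eq 1)   # a DWORD of 1 is the "disabled" setting
    }
}
$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object Blocking)) {
    if ($Remediate) {
        # Same effect as the manual regedit step. If a GPO wrote the value it will
        # be re-applied at the next policy refresh, so the GPO itself must be fixed
        # (gpresult /h report.html shows which GPO delivers it).
        Remove-ItemProperty -Path $f.Path -Name $f.Name
        Write-Warning "Removed $($f.Name) from $($f.Path); a GPO that sets it will put it back."
    } else {
        Write-Warning "$($f.Name)=1 under $($f.Path) disables Defender AV (re-run with -Remediate to delete it)."
    }
}

# Live state. The thread's symptom was AMRunningMode 'Not running' and
# AMServiceEnabled False; after the policy values are gone and the device has
# restarted, these should report an active mode and True.
Get-MpComputerStatus |
    Select-Object AMRunningMode, AMServiceEnabled, AntivirusEnabled,
                  RealTimeProtectionEnabled, IsTamperProtected |
    Format-List
```

Run it once without -Remediate to see what is set, then with -Remediate only if the values are not being delivered by a GPO you still need to correct at the source.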