Security recommendation "Turn on antivirus"

%3CLINGO-SUB%20id%3D%22lingo-sub-3240813%22%20slang%3D%22en-US%22%3ESecurity%20recommendation%20%22Turn%20on%20antivirus%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3240813%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20I%20have%2050%202012R2%20servers%20onboarded%20to%20Defender%20for%20endpoint.%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20security%20recommendations%2021%20of%20the%2050%20servers%20gets%20a%20recommendation%20to%20%22Turn%20on%20antivirus%22%20and%20%22Turn%20on%20real-time%20protection.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20what%20I%20see%20on%20the%20servers%20windefend%20service%20is%20running%20and%20looking%20good.%3C%2FP%3E%3CP%3EWhy%20does%20it%20recommend%20these%20actions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3241559%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20recommendation%20%22Turn%20on%20antivirus%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3241559%22%20slang%3D%22en-US%22%3EMake%20sure%20those%20servers%20are%20update.%3CBR%20%2F%3ESometimes%2C%20there%20might%20be%20delay%20and%20you%20could%20wait%20to%20receive%20the%20report.%3CBR%20%2F%3ETry%20restart%20affected%20devices%20and%20see%20if%20the%20problem%20persist%3F%3C%2FLINGO-BODY%3E
New Contributor

Hi, I have 50 2012R2 servers onboarded to Defender for endpoint. 

In security recommendations 21 of the 50 servers gets a recommendation to "Turn on antivirus" and "Turn on real-time protection. 

 

From what I see on the servers windefend service is running and looking good.

Why does it recommend these actions?

7 Replies
Make sure those servers are update.
Sometimes, there might be delay and you could wait to receive the report.
Try restart affected devices and see if the problem persist?

@Reza_Ameri  Thanks for answering. 

The devices are updated and rebooted but I still get the recommendation to turn on defender antivirus and real time protection.

Yes I see its quite a delay on the reporting, especially "software inventory" in the defender portal. 

 

Just for test disjoint one or some of clients and join them and see if the problem persist?
You may file a support ticket with Microsoft too.
Having the exact same issues here, server 2012R2, just onboarded one server and showing to turn on AV and real time scan etc even thought powershell command shows its active and running, any one has any answer to this..
Do you have more than one servers onboarded?
And do any of the others report the same?
"Solved" it. After the servers got new updates the message disappeared. No idea what caused this, might have been a bug. As I cross checked the configuration several times and they seemed identical.
The servers were rebooted before the patch as well, so it's not the reboot that solved it.
Thank you for the update, from what you explained it might have been a bug which has been resolved when you update your device.