SOLVED

Windows 11 Defender not responding at all - No online solutions working.

Copper Contributor

Hello all!
This is my first post on here, so i am sorry if i maybe mess something up with the formatting or so. But i have been having an issue ever since i got Windows 11 for my Surface Pro 4, which i know is incompatible with Windows 11. The issue is Windows Defender. It will not work no matter what i try to fix the problem. I've been scrolling for a good few hours trying to find solutions, but nothing has worked so far. The only thing i haven't tried is a reinstall, but i just installed all my apps and i really do not want to reinstall Windows. 

I am on windows OS-Version 22000.556. The behaviour of my app also seems to be different than is otherwise described online. If i try to go in to Windows Defender from the settings app, the entire app seems to freeze. The UI elements does not update either. That i know because a resize results in red borders rather than a resize in UI elements. See pictures for reference. However, opening the app from Windows search shows some of the UI Elements, but no buttons or sliders. I have tried doing sfc /scannow But the results does not show anything, and there are also no log files created. Same thing goes for DISM Scanhealth and Repair. Redownload the UI Elements does not help. Also, unrestricting and running the Get-AppxPackage -AllUsers does not work. Rather, it just throws a lot of errors about the apps being on in the background and packages already existing. I have also tried repairing and resetting the Defender app through Settings > Apps > Advanced settings. Furthermore, I do not have any VPN, DNS or Proxy installed/Running. I have also tried repeating all the above steps but restarting in between. I do not have any 3rd party antivirus or anything of that manner downloaded or running. 



I don't know what to do anymore. Any suggestions? 

 

Pictures: 

https://drive.google.com/drive/folders/1E_wMBWH7j9g2MsvqbauBzUnlOFFJR6BK?usp=sharing

 

Update: I have tried to disable real time protection through powershell and regedit but Realtimeprotection is still on, and has been confirmed to be on. Therefore i can conclude that defender isn't responding to any core system variables. 

 

Update 2: I have now downloaded Windows 11 20H2. Although the new UI features are great for touch use, the windows security issue seems to persist to a degree. Now, opening the windows security tab does not crash settings - But it doesn't show windows security. Rather it shows a button to the app. However, the app just crashes now. Any suggestion as to what might fix this? EDIT: After a restart, windows defender shows same symptoms as before. 

13 Replies
Hello,

Try to re-register Defender app using this PowerShell command:

Get-AppxPackage *Microsoft.Windows.SecHealthUI* | Reset-AppxPackage

Let us know if this helps!
Hello!
Thank you for your suggestion. However, it has not helped. The Defender app continues to behave like described in my post.
Try open start and search for feedback and open the Feedback Hub app and report this issue.
Try perform a Clean Boot and see if the problem persist?
Take a look at:
https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-...
Hi! And thank you for your feedback. I have tried a Clean boot, but the problem seems to persist. Any other suggestions? I will report the issue right away.
best response confirmed by Navilhoss422 (Copper Contributor)
Solution

I have finally (!) resolved the issue. However, i was forced to do a reset of my system. It seems to be working reliably now, even after a restart. Hopefully this problem does not reappear. I honestly think ill sell my Surface Pro if it does - It's just not worth spending so much time for. 

Thanks for sharing the update, glad the issue is resolved now!
Thank you for reporting the issue.
I hope we could work on different steps to fix the issue but glad the issue have been solved.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
That's the Registry-Editor's path of control by Group Policy.
If not already there, select on Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft and rightclick on it, select NEW, select KEY and name it Windows Defender. What you put in there as config, will be enforced without the need of opening the Windows Defender itself.
I don't know how familiar you are with Registry, but I give you here a compilation of settings that I use on an extreme turning off configuration. Uhm. I will delete as many keys possible that are not required for your intention. Please always look up what a key does, Google or check the
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
values in
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
coz that's the exact path for your Windows Defender on currently active settings.
So, this is what I enforced for real time protection:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableRawWriteNotification"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
"LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
"LocalSettingOverrideDisableIOAVProtection"=dword:00000000
"LocalSettingOverrideRealtimeScanDirection"=dword:00000000
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
"RealtimeScanDirection"=dword:00000002
"IOAVMaxSize"=dword:00000001
uhm... well, since I see this post here even shows up detected by Google...
Well, I don't know but I guess more people that use 21390.2025 builds from Windows Insider Builds might find this post here too. Please, delete keys you don't need or know what they are. You will see what I did set, make it the opposite if you rather wanna be protected but have certain things set right. This here is just to show all key setting names, so you can then make your own values. *puts on an insecure smile*

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"ServiceKeepAlive"=dword:00000000
"AllowFastServiceStartup"=dword:00000000
"ProxyBypass"="*"
"RandomizeScheduleTaskTimes"=dword:00000000
"DisableRoutinelyTakingAction"=dword:00000001
"DisableAntiSpyware"=dword:00000001
"ProxyServer"="*"
"DisableLocalAdminMerge"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
"DisableAutoExclusions"=dword:00000000
"Exclusions_Extensions"=dword:00000001
"Exclusions_IpAddresses"=dword:00000001
"Exclusions_Paths"=dword:00000001
"Exclusions_Processes"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions]
"exe"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\IpAddresses]
"*"="0"
"192.168.0.2"="0"
"localhost"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"\"C:\\Windows\\System32\\sethc.exe\""="0"
"\"C:\\Windows\\System32\\cmd.exe\""="0"
"\"C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"EnableFileHashComputation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS]
"DisableDatagramProcessing"=dword:00000000
"DisableProtocolRecognition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS]
"DisableSignatureRetirement"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine]
"LocalSettingOverridePurgeItemsAfterDelay"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableRawWriteNotification"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
"LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
"LocalSettingOverrideDisableIOAVProtection"=dword:00000000
"LocalSettingOverrideRealtimeScanDirection"=dword:00000000
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
"RealtimeScanDirection"=dword:00000002
"IOAVMaxSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation]
"LocalSettingOverrideScan_ScheduleTime"=dword:00000000
"Scan_ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"CriticalFailureTimeout"=dword:00000000
"DisableGenericRePorts"=dword:00000001
"DisableEnhancedNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
"DisableArchiveScanning"=dword:00000001
"DisableScanningNetworkFiles"=dword:00000001
"DisableRemovableDriveScanning"=dword:00000001
"DisableRestorePoint"=dword:00000001
"DisableScanningMappedNetworkDrivesForFullScan"=dword:00000001
"AllowPause"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"DisableScanOnUpdate"=dword:00000001
"ScheduleDay"=dword:00000008
"DisableUpdateOnStartupWithoutEngine"=dword:00000001
"UpdateOnStartUp"=dword:00000000
"MeteredConnectionUpdates"=dword:00000000
"DisableScheduledSignatureUpdateOnBattery"=dword:00000001
"ForceUpdateFromMU"=dword:00000000
"RealtimeSignatureDelivery"=dword:00000000
"SignatureDisableNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"LocalSettingOverrideSpynetReporting"=dword:00000000
"DisableBlockAtFirstSeen"=dword:00000001
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"UILockdown"=dword:00000000
"Notification_Suppress"=dword:00000001
"SuppressRebootNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR]
"ExploitGuard_ASR_ASROnlyExclusions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
"EnableControlledFolderAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
"EnableNetworkProtection"=dword:00000000
"AllowNetworkProtectionOnWinServer"=dword:00000000


#

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"ServiceKeepAlive"=dword:00000000
"AllowFastServiceStartup"=dword:00000000
"ProxyBypass"="*"
"RandomizeScheduleTaskTimes"=dword:00000000
"DisableRoutinelyTakingAction"=dword:00000001
"DisableAntiSpyware"=dword:00000001
"ProxyServer"="*"
"DisableLocalAdminMerge"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
"DisableAutoExclusions"=dword:00000000
"Exclusions_Extensions"=dword:00000001
"Exclusions_IpAddresses"=dword:00000001
"Exclusions_Paths"=dword:00000001
"Exclusions_Processes"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions]
"exe"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\IpAddresses]
"*"="0"
"192.168.0.2"="0"
"localhost"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"\"C:\\Windows\\System32\\sethc.exe\""="0"
"\"C:\\Windows\\System32\\cmd.exe\""="0"
"\"C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"EnableFileHashComputation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS]
"DisableDatagramProcessing"=dword:00000000
"DisableProtocolRecognition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS]
"DisableSignatureRetirement"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine]
"LocalSettingOverridePurgeItemsAfterDelay"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableRawWriteNotification"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
"LocalSettingOverrideDisableBehaviorMonitoring"=dword:00000000
"LocalSettingOverrideDisableIOAVProtection"=dword:00000000
"LocalSettingOverrideRealtimeScanDirection"=dword:00000000
"LocalSettingOverrideDisableOnAccessProtection"=dword:00000000
"RealtimeScanDirection"=dword:00000002
"IOAVMaxSize"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation]
"LocalSettingOverrideScan_ScheduleTime"=dword:00000000
"Scan_ScheduleDay"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
"CriticalFailureTimeout"=dword:00000000
"DisableGenericRePorts"=dword:00000001
"DisableEnhancedNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
"DisableArchiveScanning"=dword:00000001
"DisableScanningNetworkFiles"=dword:00000001
"DisableRemovableDriveScanning"=dword:00000001
"DisableRestorePoint"=dword:00000001
"DisableScanningMappedNetworkDrivesForFullScan"=dword:00000001
"AllowPause"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
"DisableScanOnUpdate"=dword:00000001
"ScheduleDay"=dword:00000008
"DisableUpdateOnStartupWithoutEngine"=dword:00000001
"UpdateOnStartUp"=dword:00000000
"MeteredConnectionUpdates"=dword:00000000
"DisableScheduledSignatureUpdateOnBattery"=dword:00000001
"ForceUpdateFromMU"=dword:00000000
"RealtimeSignatureDelivery"=dword:00000000
"SignatureDisableNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"LocalSettingOverrideSpynetReporting"=dword:00000000
"DisableBlockAtFirstSeen"=dword:00000001
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"UILockdown"=dword:00000000
"Notification_Suppress"=dword:00000001
"SuppressRebootNotification"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR]
"ExploitGuard_ASR_ASROnlyExclusions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions]
"\"C:\\\""="0"
"\"Y:\\\""="0"
"\"Z:\\\""="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access]
"EnableControlledFolderAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection]
"EnableNetworkProtection"=dword:00000000
"AllowNetworkProtectionOnWinServer"=dword:00000000
For making policies instantly take action, use command prompt or powershell as admin and start the ~15seconds long command:
gpupdate /force /wait:-1
Several settings but require you to restart the PC. ... as usual, it's a bit unpredictable on Registry edit time of activation. :)
last edit:
I forgot to mention EXPLOIT GUARD feature of WinDefend. It needs an outer configuration file. In my Registry-edits you see I used a file "C:\0\Settings.xml" or in "C:\!\Settings.xml"... create an .XML and put this in there: then turn on what you like, false to true.

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
<SystemConfig>
<DEP Enable="false" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="false" HighEntropy="false" />
<SystemCalls DisableWin32kSystemCalls="false" />
<ExtensionPoints DisableExtensionPoints="false" />
<DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" />
<ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" />
<SignedBinaries MicrosoftSignedOnly="false" AllowStoreSignedBinaries="false" EnforceModuleDependencySigning="false" />
<Fonts DisableNonSystemFonts="false" AuditOnly="false" />
<ImageLoad BlockRemoteImageLoads="false" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="false" AuditLowLabelImageLoads="false" PreferSystem32="false" AuditPreferSystem32="false" />
<SEHOP Enable="false" TelemetryOnly="false" />
<Heap TerminateOnError="false" />
<UserShadowStack UserShadowStack="false" UserShadowStackStrictMode="false" AuditUserShadowStack="false" />
</SystemConfig>
</MitigationPolicy>
https://techcommunity.microsoft.com/t5/windows-11/windows-11-defender-not-responding-at-all-no-onlin...

please check my uploaded solution that is possible. It enforces it by Registry and Policy privilege. More is mentioned.
**bleep** it. The ExploitGuard key was wrong pathed. Just noticed it.

This here is correct:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection]
"ExploitProtectionSettings"="C:\\0\\Settings.xml"

this one is wrong ... delete this full tab:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard]
1 best response

Accepted Solutions
best response confirmed by Navilhoss422 (Copper Contributor)
Solution

I have finally (!) resolved the issue. However, i was forced to do a reset of my system. It seems to be working reliably now, even after a restart. Hopefully this problem does not reappear. I honestly think ill sell my Surface Pro if it does - It's just not worth spending so much time for. 

View solution in original post