troubleshoot-microsoft-defender-antivirus-when-migrating.yml
### YamlMime:FAQ
metadata:
title: Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution
description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus.
ms.service: defender-endpoint
ms.localizationpriority: medium
ms.topic: faq
author: batamig
ms.author: bagol
ms.custom: nextgen
ms.reviewer: yonghree
manager: bagol
ms.subservice: ngp
ms.collection:
- m365-security
- tier1
- mde-ngp
search.appverid: met150
ms.date: 03/26/2025
title: Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution
summary: |
**Applies to:**
- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
**Platforms**
- Windows
Use this article to resolve issues while migrating from a non-Microsoft security solution to Microsoft Defender Antivirus.
sections:
- name: General
questions:
- question: Review event logs
answer: |
1. Open the Event viewer app by selecting the Search icon in the taskbar, and searching for *event viewer*.
Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender**.
1. From there, select **Open** underneath **Operational**.
Selecting an event from the details pane shows you more information about an event in the lower pane, under the **General** and **Details** tabs.
- question: Microsoft Defender Antivirus doesn't start.
answer: |
This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
### Associated event IDs
#### Event ID 15
- **Log name**: Application
- **Description**: Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF.
- **Source**: Security Center
#### Event ID 5007
- **Log name**: Microsoft-Windows-Windows Defender/Operational
- **Description**: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event, you should review the settings as this issue could be due to malware. <br> **Old value:** Default\IsServiceRunning = 0x0 <br> **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
- **Source**: Windows Defender
#### Event ID 5010
- **Log name**: Microsoft-Windows-Windows Defender/Operational
- **Description**: Microsoft Defender Antivirus scanning for spyware and other potentially unwanted software is disabled.
- **Source**: Windows Defender
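As an added example (not part of this article), the following PowerShell collects the three event IDs listed above from both logs, keeps only the 5007 entries that change `IsServiceRunning`, and returns them as objects. It assumes an elevated session on the affected device and that Security Center's provider name matches `SecurityCenter`.

```powershell
# Added example, not from the article: list the events this FAQ associates with
# Microsoft Defender Antivirus failing to start. Run from an elevated session.
function Get-DefenderStartFailureEvents {
    param([int]$Days = 7)   # assumption: a week of history is enough
    $since = (Get-Date).AddDays(-$Days)

    # Event ID 15 is written to the Application log by Security Center.
    $appEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Id = 15; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'SecurityCenter' -and
                       $_.Message -match 'SECURITY_PRODUCT_STATE_OFF' }

    # Event IDs 5007 and 5010 live in the Defender operational channel.
    $avEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5007, 5010; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in (@($appEvents) + @($avEvents))) {
        if (-not $e) { continue }
        $detail = switch ($e.Id) {
            15   { 'Security Center reports Defender state OFF' }
            5010 { 'Scanning for spyware/PUA is disabled' }
            5007 {
                # Only surface 5007 entries that flip IsServiceRunning,
                # which is the configuration change this FAQ describes.
                if ($e.Message -match 'New value:\s*(?<key>[^\r\n]*IsServiceRunning)\s*=\s*(?<val>0x[0-9A-Fa-f]+)') {
                    '{0} = {1}' -f $Matches.key, $Matches.val
                }
            }
        }
        if ($detail) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Id     = $e.Id
                Log    = $e.LogName
                Detail = $detail
            }
        }
    }
}

Get-DefenderStartFailureEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 5007 entry setting `IsServiceRunning = 0x0` shortly before a 5010 and an Application-log 15 is the sequence to expect when a non-Microsoft antivirus registration turned Defender off.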
### How to tell if Microsoft Defender Antivirus doesn't start because a non-Microsoft antivirus is installed
On a Windows 10 or Windows 11 device, if you aren't using Microsoft Defender for Endpoint, and you have a non-Microsoft antivirus installed, then Microsoft Defender Antivirus is automatically turned off. If you're using Microsoft Defender for Endpoint with a non-Microsoft antivirus installed, Microsoft Defender Antivirus starts in passive mode, with reduced functionality.
> [!TIP]
> The scenario described earlier applies only to Windows 10 and Windows 11. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside non-Microsoft security software.
#### Use the Services app to check if Microsoft Defender Antivirus is turned off
To open the Services app, select the Search icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
Information about Microsoft Defender Antivirus is listed within the Services app under **Windows Defender** \> **Operational**. The antivirus service name is *Microsoft Defender Antivirus Service*.
While checking the app, you might see that *Microsoft Defender Antivirus Service* is set to manual, but when you try to start this service manually, you get a warning. The warning might say, *The Microsoft Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they aren't in use by other services or programs.*
This issue indicates that Microsoft Defender Antivirus was automatically turned off to preserve compatibility with a non-Microsoft antivirus.
#### Generate a detailed report
You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
```console
GPresult.exe /h gpresult.html
```
This command generates a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
##### Group policy results
###### If security settings are implemented via Group Policy (GPO) at the domain or local level, or through System Center Configuration Manager (SCCM)
Within the GPResults report, under the heading, *Windows Components/Microsoft Defender Antivirus*, you might see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
- **Policy**: Turn off Microsoft Defender Antivirus
- **Setting**: Enabled
- **Winning GPO**: Win10-Workstations
###### If security settings are implemented via Group Policy Preferences (GPP)
Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you might see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
- **DisableAntiSpyware**
- Winning GPO: Win10-Workstations
- Result: Success
- **General**
- Action: Update
- **Properties**
- Hive: HKEY_LOCAL_MACHINE
- Key path: SOFTWARE\Policies\Microsoft\Windows Defender
- Value name: DisableAntiSpyware
- Value type: REG_DWORD
- Value data: 0x1 (1)
###### If security settings are implemented via registry key
The report might contain the following text, indicating that Microsoft Defender Antivirus is turned off:
> Registry (regedit.exe)
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
> DisableAntiSpyware (dword) 1 (hex)
###### If security settings are set in Windows or your Windows Server image
Your imaging admin might have set the security policy, [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware), locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
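As an added example (not part of this article), the following PowerShell gathers the signals the sections above check by hand, the *Microsoft Defender Antivirus Service* state, the `DisableAntiSpyware` policy value, the running mode reported by `Get-MpComputerStatus`, and any other antivirus registered with Security Center, and then writes the same `gpresult` report. It assumes an elevated session, the Defender PowerShell module, and the `root/SecurityCenter2` WMI namespace (present on Windows client SKUs, not on Windows Server); the `LikelyCause` wording is this example's own.

```powershell
# Added example, not from the article: gather the signals discussed above in
# one object so the reason Defender is off is visible without several tools.
function Get-DefenderStartupDiagnosis {
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Security Center registrations; assumption: root/SecurityCenter2 exists
    # (it does on Windows client SKUs, not on Windows Server).
    $otherAv = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue |
               Where-Object { $_.displayName -notmatch 'Defender' } |
               ForEach-Object displayName

    # Decision order mirrors the FAQ: explicit policy first, then compatibility.
    $cause = if ($policy -and $policy.DisableAntiSpyware -eq 1) {
        'Turned off by policy or registry (DisableAntiSpyware=1); check the gpresult report'
    } elseif ($otherAv) {
        'Turned off or in passive mode because a non-Microsoft antivirus is registered'
    } elseif ($svc -and $svc.Status -ne 'Running') {
        'Service not running with no policy or third-party AV found; review the event log'
    } else {
        'No blocking condition found'
    }

    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType          = if ($svc) { $svc.StartType } else { $null }
        DisableAntiSpyware = if ($policy) { $policy.DisableAntiSpyware } else { $null }
        RunningMode        = if ($mp) { $mp.AMRunningMode } else { $null }
        OtherAntivirus     = @($otherAv) -join ', '
        LikelyCause        = $cause
    }
}

# Same report the FAQ describes, written to the current directory (/f overwrites).
GPresult.exe /h "$PWD\gpresult.html" /f
Get-DefenderStartupDiagnosis | Format-List
```

`RunningMode` reads `Passive Mode` when Defender for Endpoint is onboarded alongside a non-Microsoft antivirus, which is the reduced-functionality state the next section describes.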
### Turn Microsoft Defender Antivirus back on
Microsoft Defender Antivirus automatically turns on if no other antivirus is currently active. You need to turn the non-Microsoft antivirus off to ensure Microsoft Defender Antivirus can run with full functionality.
> [!WARNING]
> Solutions suggesting that you edit the Windows Defender start values for `wdboot`, `wdfilter`, `wdnisdrv`, `wdnissvc`, and `windefend` in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` are unsupported, and might force you to reimage your system.
Passive mode is available if you start using Microsoft Defender for Endpoint and a non-Microsoft antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender Antivirus to scan files and update itself, but it doesn't remediate threats in passive mode. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) isn't available in passive mode, unless [Endpoint data loss prevention (DLP)](/purview/endpoint-dlp-getting-started) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to turn off automatically. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a non-Microsoft antivirus, using a limited number of detections.
> [!IMPORTANT]
> Limited periodic scanning isn't recommended in enterprise environments. The detection, management, and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
> [!TIP]
> If you're looking for Antivirus related information for other platforms, see:
> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
additionalContent: |
## See also
- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
- [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)