Ovaj preglednik više nije podržan.
Nadogradite na Microsoft Edge da iskoristite najnovije osobine, sigurnosna ažuriranja i tehničku podršku.
Applies to:
Platforms
Microsoft Defender Antivirus is available on endpoints running the following versions of Windows:
Microsoft Defender Antivirus is also available for older versions of Windows under certain conditions.
On Windows Server 2012 R2, when onboarded using the modern, unified solution, Microsoft Defender Antivirus is installed in Active mode.
On Windows 8.1, with System Center Endpoint Protection, enterprise-level endpoint antivirus protection is offered and managed through Microsoft Endpoint Configuration Manager.
On consumer devices on Windows 8.1, Windows Defender is available (although it doesn't provide enterprise-level management).
If you're using non-Microsoft antivirus/antimalware software, you might be able to run Microsoft Defender Antivirus alongside the other antivirus solution. This article describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware software, with and without Microsoft Defender for Endpoint.
This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint.
In general, Microsoft Defender Antivirus doesn't run in passive mode on devices that aren't onboarded to Defender for Endpoint.
The following table summarizes what to expect:
| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
|---|---|---|
| Windows 10 Windows 11 |
Microsoft Defender Antivirus | Active mode |
| Windows 10 Windows 11 |
A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically) In Windows 11, if SmartAppControl is enabled, Microsoft Defender Antivirus goes into passive mode. |
| Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server, version 1803, or newer Windows Server 2016 Windows Server 2012 R2 |
Microsoft Defender Antivirus | Active mode |
| Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server, version 1803, or newer Windows Server 2016 |
A non-Microsoft antivirus/antimalware solution | Disabled (set manually; see the note that follows this table) |
If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft Defender Antivirus in passive mode as described later in this article.
Bilješka
On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlets (as an administrator):
Uninstall-WindowsFeature Windows-DefenderUninstall-WindowsFeature Windows-Defender and Uninstall-WindowsFeature Windows-Defender-GuiOn Windows Server 2016, you might see Windows Defender Antivirus instead of Microsoft Defender Antivirus.
Make sure to restart your server to finish removing Microsoft Defender Antivirus.
If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled.
Bilješka
In general, Microsoft Defender Antivirus can be set to passive mode only on endpoints that are onboarded to Defender for Endpoint.
Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is disabled depends on several factors, such as:
The following table summarizes the state of Microsoft Defender Antivirus in several scenarios.
| Antivirus/antimalware solution | Onboarded to Defender for Endpoint? | Microsoft Defender Antivirus state | Smart App Control State |
|---|---|---|---|
| Microsoft Defender Antivirus | Yes | Active mode | N/A |
| Microsoft Defender Antivirus | No | Active mode | On, Evaluation, or Off |
| A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) | N/A |
| A non-Microsoft antivirus/antimalware solution | No | Disabled (automatically) | Evaluation or On |
Bilješka
Smart App Control is a consumer-only product that's used on new Windows 11 installs. It can run alongside your antivirus software and block apps that are considered to be malicious or untrusted. Learn more about Smart App Control.
Savjet
If you are planning to keep Microsoft Defender Antivirus in passive mode for your Windows Servers, the ForceDefenderPassiveMode setting needs to be set before onboarding the device to Microsoft Defender for Endpoint.
On Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat ProtectionForceDefenderPassiveModeREG_DWORD1You can view your protection status in PowerShell by using the command Get-MpComputerStatus. Check the value for AMRunningMode. You should see Normal, Passive, or EDR Block Mode if Microsoft Defender Antivirus is enabled on the endpoint.
For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in Onboard Windows servers.
Važno
Beginning with platform version 4.18.2208.0 and later, if a server is onboarded to Microsoft Defender for Endpoint, tamper protection allows a switch to active mode, but not to passive mode.
Notice the modified logic for ForceDefenderPassiveMode when tamper protection is enabled: When Microsoft Defender Antivirus is set to active mode, tamper protection prevents it from going back into passive mode even when ForceDefenderPassiveMode is set to 1.
On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, Windows Server 2022, and Windows Server 2025, if you're using a non-Microsoft antivirus product on an endpoint that isn't onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server. However, Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. If you have Defender for Endpoint, you can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
For example, Endpoint detection and response (EDR) in block mode provides added protection from malicious artifacts even if Microsoft Defender Antivirus isn't the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
Savjet
On Windows Server 2016, you might see Windows Defender Antivirus instead of Microsoft Defender Antivirus.
In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet the following requirements:
Operating system: Windows 10 or newer; Windows Server 2025, Windows Server 2022, Windows Server 2019, or Windows Server, version 1803, or newer
(Windows Server 2012 R2 and Windows Server 2016 if onboarded using the modern, unified solution).
Microsoft Defender Antivirus must be installed.
Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution. (Add Microsoft Defender for Endpoint to your exclusion list for your existing solution).
Endpoints must be onboarded to Defender for Endpoint.
Windows Security Center Service must be enabled.
Upozorenje
If the Windows Security Center Service is disabled on Windows Clients then Microsoft Defender Antivirus can't detect third-party antivirus installations and will stay Active. This could lead to conflicts between the Microsoft Defender Antivirus and the third-party Antivirus, as both will attempt to provide active protection. This will impact performance and is not supported.
Važno
Defender for Endpoint affects whether Microsoft Defender Antivirus can run in passive mode. And, the state of Microsoft Defender Antivirus can affect certain capabilities in Defender for Endpoint. For example, real-time protection works when Microsoft Defender Antivirus is in active or passive mode, but not when Microsoft Defender Antivirus is disabled or uninstalled.
Važno
| Protection | Microsoft Defender Antivirus (Active mode) |
Microsoft Defender Antivirus (Passive mode) |
Microsoft Defender Antivirus (Disabled or uninstalled) |
|---|---|---|---|
| Real-time protection | Yes | See note 1 | No |
| Cloud-delivered protection | Yes | No | No |
| Network protection | Yes | No | No |
| Attack surface reduction rules | Yes | No | No |
| File scanning and detection information | Yes | Yes See note 2 |
No |
| Threat remediation | Yes | See note 3 | No |
| Security intelligence updates | Yes | Yes See note 4 |
No |
| Data Loss Prevention | Yes | Yes | No |
| Controlled folder access | Yes | No | No |
| Web content filtering | Yes | See note 5 | No |
| Device control | Yes | Yes | No |
| PUA protection | Yes | No | No |
When Microsoft Defender Antivirus is in passive mode, real-time protection behaves in the following ways with Microsoft Endpoint Data Loss Prevention (Endpoint DLP):
| Microsoft Defender Antivirus in passive mode | Real-time protection state | Behavior Monitoring state |
|---|---|---|
| Endpoint DLP is disabled | Disabled Doesn't provide any antivirus real-time protection blocking or enforcement. |
Disabled Doesn't provide any antivirus Behavior Monitoring blocking or enforcement. |
| Endpoint DLP is enabled | Enabled for DLP specific functionalities Doesn't provide any antivirus real-time protection blocking or enforcement. Make sure to add Microsoft Defender Antivirus and Microsoft Defender for Endpoint binaries to the exclusion list of the non-Microsoft antivirus or EDR solution. |
Enabled for DLP specific functionalities Doesn't provide any antivirus Behavior Monitoring blocking or enforcement. |
When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. If scans are scheduled in your configuration, the schedule is ignored. Unless:
"Start the scheduled scan only when computer is on but not in use" is set to "Not configured or enabled". A Windows Task Scheduler is created unless you set "Start the scheduled scan only when computer is on but not in use" to disabled.
"Turn on catch-up quick scan" is set to "Not configured or enabled". Every 30 days (default number of days) a quick catchup scan continues to occur unless "Turn on catch-up quick scan" is set to disabled. Scan tasks that are set up in Windows Task Scheduler continue to run according to their schedule. If you have scheduled tasks, you can remove them, if preferred.
"Turn on scan after security intelligence update" is set to "Not configured or enabled". By default, a quick scan occurs after a "Security Intelligence Update" unless you set "Turn on scan after security intelligence update" to disabled.
When Microsoft Defender Antivirus is in passive mode, it doesn't remediate threats. However, Endpoint detection and response (EDR) in block mode can remediate threats. In this case, you might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
The security intelligence update cadence is controlled by Windows Update settings only. Defender-specific update schedulers (daily/weekly at specific time, interval-based) settings only work when Microsoft Defender Antivirus is in active mode. They're ignored in passive mode.
When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser.
Važno
wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the Windows Security app.You can use one of several methods to confirm the state of Microsoft Defender Antivirus. You can:
Važno
Beginning with platform version 4.18.2208.0 and later: If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" group policy setting no longer completely disables Windows Defender Antivirus on Windows Server 2012 R2 and later. Instead, it places Microsoft Defender Antivirus into passive mode. In addition, the tamper protection allows a switch to active mode, but not to passive mode.
1. To place it into active mode, switch this value to 0 instead.Bilješka
The modified logic for ForceDefenderPassiveMode when tamper protection is enabled: Once Microsoft Defender Antivirus is toggled to active mode, tamper protection prevents it from going back into passive mode even when ForceDefenderPassiveMode is set to 1.
On a Windows device, open the Windows Security app.
Select Virus & threat protection.
Under Who's protecting me? select Manage providers.
On the Security providers page, under Antivirus, you should see Microsoft Defender Antivirus is turned on.
On a Windows device, open the Task Manager app.
Select the Details tab.
Look for MsMpEng.exe in the list.
Važno
Use this procedure only to confirm whether Microsoft Defender Antivirus is running on an endpoint.
On a Windows device, open Windows PowerShell.
Run the following PowerShell cmdlet: Get-Process.
Review the results. You should see MsMpEng.exe if Microsoft Defender Antivirus is enabled.
Važno
Use this procedure only to confirm whether antivirus protection is enabled on an endpoint.
On a Windows device, open Windows PowerShell.
Run following PowerShell cmdlet: Get-MpComputerStatus | select AMRunningMode.
Review the results. You should see Normal, Passive, or EDR Block Mode if antivirus protection is enabled on the endpoint.
The following sections describe what to expect when Microsoft Defender Antivirus is:
In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as in the Microsoft Intune admin center or the Microsoft Defender Antivirus app on the endpoint).
In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats aren't* remediated by Microsoft Defender Antivirus. However, Endpoint detection and response (EDR) in block mode can remediate threats. Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
When Microsoft Defender Antivirus is in passive mode, you can still manage updates for Microsoft Defender Antivirus; however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware.
Make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See Manage Microsoft Defender Antivirus updates and apply baselines. Passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the modern, unified solution.
When disabled or uninstalled, Microsoft Defender Antivirus isn't used as the antivirus app. Files aren't scanned and threats aren't remediated. Disabling or uninstalling Microsoft Defender Antivirus isn't recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you're using a non-Microsoft antimalware/antivirus solution.
In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires, is uninstalled, or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.
If you're looking for Antivirus related information for other platforms, see:
Savjet
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Obučavanje
Modul
MD-102 2-Manage Microsoft Defender for Endpoint - Training
This module explores using Microsoft Defender for Endpoint to provide additional protection and monitor devices against threats.
Certifikacija
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.
Dokumentacija
Migrate to Microsoft Defender for Endpoint - Setup - Microsoft Defender for Endpoint
Move to Defender for Endpoint. Review the setup process, which includes installing Microsoft Defender Antivirus.
Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint
Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection.
Learn how to troubleshoot issues when you migrate to Microsoft Defender for Endpoint.