Help putting defender on servers in passive mode

Anonymous
2023-10-20T15:31:20+00:00

Hello Microsoft Experts

I have a server that we want to protect with Sophos protection, but the server also has basic Defender baked into the OS. Sophos recommends that we manually add a registry key to the server.

HIVE/KEY: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Name: ForceDefenderPassiveMode. Type: REG_DWORD.

I checked on the server that the key exists, and it does; however, when I check the value AMRunningMode it returns Normal when it should be Passive. This article tells me that we need to have these servers onboarded for them to run in passive mode. Is that true?

I found this on the Sophos KB page "Sophos Central Windows devices running side by side with Windows Defender may cause performance issues/conflicts": "As per the Microsoft guidance, unless you are onboarded to Defender for Endpoint and running Microsoft Defender in passive mode, it will need to be disabled or uninstalled."

Are you able to confirm the above, and if so, how would we disable Defender for a server count of over 100?

Thanks

Windows Server | Performance and maintenance


1 answer

  1. Anonymous
    2023-10-23T03:12:01+00:00

    Hello

    Thank you for posting in Microsoft Community forum!

    Yes, your understanding is correct. Running Sophos Central Windows devices side by side with Windows Defender may cause performance issues or conflicts. As per Microsoft’s guidance, unless you are onboarded to Defender for Endpoint and running Microsoft Defender in passive mode, it will need to be disabled or uninstalled.

    The ForceDefenderPassiveMode registry key is used to set Microsoft Defender Antivirus to run in passive mode. However, the AMRunningMode value returning “Normal” indicates that Microsoft Defender Antivirus is not in passive mode.

    To onboard servers to run Windows Defender in passive mode, you can follow the steps provided in the Microsoft documentation.

    For disabling Windows Defender on multiple servers, you can use Group Policy, Registry Editor, or PowerShell. Here’s a brief overview of how you can do it using Group Policy:

    1. Press the Windows key + R to open the Run dialog box.
    2. Type gpedit.msc and press Enter.
    3. In the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus.
    4. Double-click on the “Turn off Windows Defender Antivirus” policy.
    5. Select the “Enabled” option and click “Apply” and “OK”.
    6. Restart your computer to apply the changes.

    Please note that these steps need to be performed on each server. If you have a large number of servers, you might want to automate this process using a script or a configuration management tool.

    Remember, disabling Windows Defender will leave your system vulnerable to malware and other threats. If you do choose to disable it, make sure you have another antivirus program installed and running on your system.

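Before deciding whether to disable Defender fleet-wide, the first thing to establish for 100+ servers is which of them actually ended up in the state the question describes (registry key present, but AMRunningMode still "Normal"). The script below is an added example, not code from the question, the answer, Microsoft or Sophos. It reads the registry path and value name quoted in the question and the AMRunningMode property that the built-in Get-MpComputerStatus cmdlet exposes, over PowerShell Remoting. The server names are constructed placeholders, and it assumes WinRM is enabled and that the caller is a local administrator on each target; the expected DWORD value of 1 for ForceDefenderPassiveMode is taken from Microsoft's passive-mode documentation rather than from this page.

```powershell
# Added example: audit Microsoft Defender Antivirus passive-mode state across servers.
# Not from the original post. Assumes PowerShell Remoting (WinRM) and admin rights.

# Registry location and value name exactly as quoted in the question.
$regPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

# Constructed sample inventory; replace with Get-Content .\servers.txt or Get-ADComputer output.
$servers = @('SRV-FILE01', 'SRV-APP02', 'SRV-SQL03')

$auditBlock = {
    param($regPath, $valueName)

    # Read the passive-mode value; $null means key or value is absent.
    $keyValue = $null
    try {
        $keyValue = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
    } catch {
        # Missing key/value is a finding, not an error; keep $keyValue = $null.
    }

    # Get-MpComputerStatus fails where the Defender service is already disabled/removed.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        ForceDefenderPassiveMode = $keyValue
        AMRunningMode            = if ($status) { $status.AMRunningMode } else { 'N/A (cmdlet unavailable)' }
        AMServiceEnabled         = if ($status) { $status.AMServiceEnabled } else { $null }
        RealTimeProtection       = if ($status) { $status.RealTimeProtectionEnabled } else { $null }
        # Key set to 1 but engine still "Normal" is the case from the question:
        # the server is not onboarded to Defender for Endpoint, so the key has no effect.
        Finding = if ($keyValue -eq 1 -and $status -and $status.AMRunningMode -eq 'Normal') {
                      'Passive key set but AMRunningMode is Normal: check MDE onboarding'
                  } elseif ($keyValue -ne 1) {
                      'ForceDefenderPassiveMode missing or not 1'
                  } else {
                      'OK'
                  }
    }
}

# Fan out to every server; unreachable hosts are reported on stderr but do not stop the run.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $auditBlock `
                          -ArgumentList $regPath, $valueName -ErrorAction Continue

$results |
    Select-Object ComputerName, ForceDefenderPassiveMode, AMRunningMode,
                  AMServiceEnabled, RealTimeProtection, Finding |
    Format-Table -AutoSize

# Keep a dated record so the state can be compared after onboarding or policy changes.
$results | Export-Csv -Path ".\defender-passive-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from a management host before and after pushing the Sophos-recommended key or the "Turn off Windows Defender Antivirus" policy. Servers whose row shows the key at 1 but AMRunningMode "Normal" are exactly the ones the answer describes: the registry value alone does not switch the engine to passive mode without Defender for Endpoint onboarding, so for those hosts the choice is onboarding or the Group Policy route described above, and the CSV gives you the evidence of which servers still run two real-time engines side by side.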