Windows Defender Real-time protection configuration question.

MV 96 Reputation points
2021-07-27T23:57:49.633+00:00

Hello,

I am setting up a GPO for my servers and I am following this guide.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-worldwide

My problem is that when I enable "Configure monitoring for incoming and outgoing file and program activity" for "bi-directional (full on-access)", the setting changes to Disabled and I don't understand why. Has anyone had this issue?

Windows Server 2019

Accepted answer
Teemo Tang 11,411 Reputation points
    2021-07-28T07:11:27.49+00:00

    Hello,

    I tested the Configure monitoring for incoming and outgoing file and program activity policy on my Server 2019 and Windows 10 21H1 machines; the result is the same as yours: when I enable it and select bi-directional (full on-access), this policy's state becomes Disabled; when I select scan only incoming (disable on-open) or scan only outgoing (disable on-close), this policy's state becomes Enabled.


    Therefore, I understand your confusion, but it is a completely normal phenomenon; all of this is how it should be. Let's check the explanation of this GPO:

    The options for this setting are mutually exclusive:
    0 = Scan incoming and outgoing files (default)
    1 = Scan incoming files only
    2 = Scan outgoing files only

    Any other value, or if the value does not exist, resolves to the default (0).
    If you enable this setting, the specified type of monitoring will be enabled.
    If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.

    Look at the last sentence: "If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled." That is it! When this GPO is Disabled, monitoring for incoming and outgoing files is enabled; when this GPO is Enabled, monitoring for only incoming files or only outgoing files is enabled. The registry value also proves it: we all know registry value 0 stands for disabled and 1 stands for enabled, so the value for Scan incoming and outgoing files (default) is 0, which means the GPO is disabled, but in this GPO the Disabled state means scan both incoming and outgoing files, which is just what we want.

    Hope my clarification is clear.

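The question and the answer above both turn on how the GPO state maps to the RealTimeScanDirection value (0 = both, 1 = incoming only, 2 = outgoing only). The following PowerShell is an added example, not code from either poster or from Microsoft: it reads the policy value the GPO is expected to write, applies the "any other value or missing value resolves to 0" rule from the policy text, and compares that with what Defender itself reports through Get-MpPreference. The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and the value name RealTimeScanDirection are assumptions about where the policy lands; the thread itself does not name them.

```powershell
# Added example (not from the thread): verify how the
# "Configure monitoring for incoming and outgoing file and program activity"
# policy actually landed on a Server 2019 host after gpupdate.
#
# Assumptions (not stated in the thread):
#   - the policy writes a DWORD named RealTimeScanDirection under the
#     Real-Time Protection policy key below;
#   - Get-MpPreference exposes the same setting as RealTimeScanDirection.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$valueName = 'RealTimeScanDirection'

# Meanings taken from the policy text quoted in the accepted answer.
$meaning = @{
    0 = 'Scan incoming and outgoing files (default, full on-access)'
    1 = 'Scan incoming files only'
    2 = 'Scan outgoing files only'
}

function Get-RealTimeScanDirectionPolicy {
    # Returns the raw policy value as an int, or $null when the key or value is absent
    # (which is what a GPO in the Disabled or Not Configured state leaves behind).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Resolve-ScanDirection {
    param([object]$Raw)
    # Policy text: any other value, or a missing value, resolves to the default (0).
    if ($null -eq $Raw) { return 0 }
    if (-not $meaning.ContainsKey([int]$Raw)) { return 0 }
    return [int]$Raw
}

$policyRaw = Get-RealTimeScanDirectionPolicy
$effective = Resolve-ScanDirection -Raw $policyRaw

# Defender's own view of the setting, for cross-checking.
$mp          = Get-MpPreference
$mpDirection = [int]$mp.RealTimeScanDirection
$rtpOff      = [bool]$mp.DisableRealtimeMonitoring

[pscustomobject]@{
    PolicyValuePresent       = ($null -ne $policyRaw)
    PolicyRawValue           = $policyRaw
    EffectiveDirection       = $effective
    EffectiveMeaning         = $meaning[$effective]
    GetMpPreferenceDirection = $mpDirection
    RealTimeMonitoringOff    = $rtpOff
}

# Warn when the registry-resolved setting and Defender disagree (policy not yet
# applied), or when real-time protection is off (the scan direction is moot then).
if ($mpDirection -ne $effective) {
    Write-Warning "Policy resolves to $effective but Get-MpPreference reports $mpDirection; run 'gpupdate /force' and re-check."
}
if ($rtpOff) {
    Write-Warning 'DisableRealtimeMonitoring is set; the scan direction has no effect while real-time protection is off.'
}
```

Run it elevated on the target server after `gpupdate /force`. A GPO that shows Disabled together with an absent or zero policy value and a Get-MpPreference value of 0 is the consistent, bi-directional state the answer describes; a value of 1 or 2 is the only case where the GPO should show Enabled. The DisableRealtimeMonitoring check is there because a scan direction of 0 says nothing useful if real-time protection itself has been switched off by another policy.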

