
Passive Mode Defender and updating Windows Security

Sullivan, James 0 Reputation points
2026-02-24T17:52:50.6066667+00:00

I've been chasing a strange and silly issue with Windows Security. To preface the issue: we have CrowdStrike enabled as our security across the domain, and we have a security tracker, and one of the issues it reports is that Windows Security is out of date. Unfortunately it doesn't get updated, because we have CrowdStrike as our security application, so it disables Defender across the organization.
Our security team lists our Windows Security as a security risk because it's out of date.

What I've found:

If we enable the setting below, Periodic scanning,

[screenshot]

it allows the security to update automatically.

[screenshot]

So I found a reg change that appeared to be updating on PCs when I enabled this, after finding the Microsoft doc to enable the passive mode reg for the domain.

After pushing these reg changes out, it did not change that setting =/

reg:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PUAProtection

I re-enabled this setting on another PC after setting this and ForcePassiveMode per Microsoft's doc, and now there are like 100 reg changes that happen. So I'm lost, short of enabling 50 more reg changes for the domain.

Thank you!

Microsoft Security | Microsoft Defender | Other

1 answer

  1. Jerome Suggs 5 Reputation points
    2026-02-24T19:03:27.11+00:00

    When using CrowdStrike (or any third-party AV) as the primary antivirus, Microsoft Defender Antivirus does not behave the same way it does in standalone environments. There are three different states involved:

    • Active mode

    • Passive mode

    • Periodic (limited) scanning mode

    These are not the same thing.

    Setting the registry value:

    HKLM\SOFTWARE\Microsoft\Windows Defender\ForceDefenderPassiveMode = 1

    places Defender into passive mode, but it does not automatically enable periodic scanning or definition update behavior in the same way as toggling it from the Windows Security UI.

    When you enabled Periodic scanning manually, Windows triggered multiple internal state changes (services, policy evaluation, WMI providers, and other configuration keys). That’s why you observed a large number of registry changes — it’s not controlled by a single registry value.

    Also, the key you referenced:

    HKLM\SOFTWARE\Microsoft\Windows Defender\PUAProtection

    only controls Potentially Unwanted Application (PUA) detection. It does not affect passive mode, update state, or definition reporting. So modifying that key would not resolve a “definitions out of date” condition.

    Another important factor: if Tamper Protection is enabled, registry-based changes to Defender settings may not apply as expected.

    Before pushing additional registry changes domain-wide, I would clarify exactly what your security team is measuring:

    • Security intelligence (definition) version?

    • Engine version?

    • Windows Security UI health state?

    • Or a compliance scanner expecting Defender to be active?

    In environments with third-party AV, Defender being passive is expected behavior. If definition updates are required for compliance tracking, periodic scanning must be enabled through supported policy methods rather than attempting to replicate the UI behavior with registry edits.

    Relevant Microsoft documentation:

    https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility

    https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-passive-mode

    https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning

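As an added example (not part of the question or the answer above, and not Microsoft's code): a PowerShell snippet that reads, on one machine, the values a compliance tracker is likely to be measuring (running mode, engine and security intelligence versions, signature age, Tamper Protection state), alongside the two registry values discussed in the thread, and attempts a one-off security intelligence update when the age exceeds a threshold. It assumes the Defender PowerShell module is present (Windows 10/11, Server 2016 and later), an elevated prompt, and a 3-day staleness threshold; the threshold is an assumption, not anything the page states.

```powershell
# Added example: snapshot the Defender state a compliance tracker might measure,
# so the "out of date" finding can be tied to signature age, engine version,
# running mode, or Tamper Protection rather than guessed at.
# Assumes: Defender PowerShell module available, run elevated.
# The 3-day threshold is an assumed value; set it to whatever your tracker uses.

$MaxSignatureAgeDays = 3

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Registry values discussed in the thread. Read-only here; nothing is written.
$defenderKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$forcePassive = (Get-ItemProperty -Path $defenderKey -Name 'ForceDefenderPassiveMode' -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
$puaRegistry  = (Get-ItemProperty -Path $defenderKey -Name 'PUAProtection' -ErrorAction SilentlyContinue).PUAProtection

$report = [pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    AMRunningMode            = $status.AMRunningMode            # e.g. 'Normal', 'Passive Mode', 'Not running'
    AntivirusEnabled         = $status.AntivirusEnabled
    RealTimeProtection       = $status.RealTimeProtectionEnabled
    IsTamperProtected        = $status.IsTamperProtected
    EngineVersion            = $status.AntivirusEngineVersion
    SignatureVersion         = $status.AntivirusSignatureVersion
    SignatureLastUpdated     = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays         = $status.AntivirusSignatureAge
    ForceDefenderPassiveMode = $forcePassive                    # $null when the value is not set
    PUAProtectionRegistry    = $puaRegistry                     # $null when the value is not set
    PUAProtectionPreference  = $pref.PUAProtection              # 0 = disabled, 1 = enabled, 2 = audit
}

$report | Format-List

# Interpret the snapshot against the assumed threshold.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning ("Security intelligence is {0} day(s) old; assumed threshold is {1}." -f `
        $status.AntivirusSignatureAge, $MaxSignatureAgeDays)

    # One-off update attempt. If this fails, or the age does not drop afterwards,
    # the update channel (WSUS/Windows Update/MMPC reachability) is the problem,
    # not the passive-mode setting itself.
    Update-MpSignature -ErrorAction Continue
    $after = Get-MpComputerStatus
    Write-Host ("After update attempt: signature {0}, age {1} day(s)." -f `
        $after.AntivirusSignatureVersion, $after.AntivirusSignatureAge)
}
else {
    Write-Host 'Security intelligence is within the assumed threshold.'
}

if ($status.IsTamperProtected) {
    Write-Warning ('Tamper Protection is on: edits under {0} may not apply as expected; ' +
                   'change Defender settings through a supported management channel instead.') -f $defenderKey
}
```

Run it on one of the machines the tracker flags and compare `SignatureVersion`/`SignatureAgeDays` with what the tracker reports; if the tracker's number matches `AMRunningMode` or `AntivirusEnabled` rather than the signature fields, it is checking for active Defender, which passive mode will never satisfy and no registry change will fix.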
