Troubleshoot Microsoft Defender Antivirus settings
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 1 and 2
- Microsoft Defender for Business
- Microsoft Defender for Individuals
- Microsoft Defender Antivirus
Microsoft Defender Antivirus can be managed in numerous ways, which gives small and medium-sized businesses and enterprise organizations the flexibility to work with the management tools that they already have:
- Microsoft Defender for Endpoint security settings management
- Microsoft Intune (MDM)
- Microsoft Configuration Manager with Tenant Attach
- Microsoft Configuration Manager co-management
- Microsoft Configuration Manager (standalone)
- Group Policy (GPO)
- PowerShell
- Windows Management Instrumentation (WMI)
- Registry
Tip
For best results, use one method of managing Microsoft Defender Antivirus.
Troubleshooting Microsoft Defender Antivirus settings
Suppose that you're migrating from a non-Microsoft antivirus product, and when you try to enable Microsoft Defender Antivirus, it won't start. Most likely, you're experiencing a policy conflict. You can narrow down the issue by checking whether this registry key is set: DisableAntispyware (dword) 1 (hex).
To remove policy conflicts, here's our current, recommended process:
1. Understand the order of precedence.
2. Determine where Microsoft Defender Antivirus settings are configured.
3. Identify policies and settings.
4. Work with your security team to remove or revise conflicting policies.
Step 1: Understand the order of precedence
When policies and settings are configured in multiple tools, in general, here's the order of precedence:
1. Microsoft Defender for Endpoint security settings management
2. Group Policy (GPO)
3. Microsoft Configuration Manager co-management
4. Microsoft Configuration Manager (standalone)
5. Microsoft Intune (MDM)
6. Microsoft Configuration Manager with Tenant Attach
7. PowerShell (Set-MpPreference), MpCmdRun.exe, or Windows Management Instrumentation (WMI).
Warning
MDMWinsOverGP is a Policy CSP setting that does not apply to all settings, such as attack surface reduction rules (ASR rules) in Windows 10.
Step 2: Determine where Microsoft Defender Antivirus settings are configured
Find out whether Microsoft Defender Antivirus settings are coming through a policy, MDM, or a local setting. The following table describes policies, settings, and relevant tools.
Policy or setting | Registry location | Tools |
---|---|---|
Policy | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | - Microsoft Defender for Endpoint security settings management - Microsoft Configuration Manager co-management - Microsoft Configuration Manager - GPO |
MDM | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager | - Microsoft Intune (MDM) - Microsoft Configuration Manager with Tenant Attach |
Local setting | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender | - MpCmdRun.exe - PowerShell (Set-MpPreference) - Windows Management Instrumentation (WMI) |
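The following PowerShell example is added here and is not part of the original page. It reads the DisableAntispyware value in each of the three registry locations from the table and reports which management channel set it. The function name Get-DefenderSettingSource and the Flagged column are hypothetical, and the example assumes an elevated PowerShell session.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Registry locations and tool names are copied from the Step 2 table.
function Get-DefenderSettingSource {
    param(
        # Value to look for; the page names DisableAntispyware as the one to check.
        [string]$ValueName = 'DisableAntiSpyware'
    )

    $locations = @(
        @{ Source = 'Policy'
           Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
           Tools  = 'Security settings management, ConfigMgr co-management, ConfigMgr, GPO' }
        @{ Source = 'MDM'
           Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
           Tools  = 'Intune (MDM), ConfigMgr with Tenant Attach' }
        @{ Source = 'Local setting'
           Path   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
           Tools  = 'MpCmdRun.exe, Set-MpPreference, WMI' }
    )

    foreach ($loc in $locations) {
        $value = $null
        if (Test-Path -LiteralPath $loc.Path) {
            # With SilentlyContinue this yields $null when the value is absent from the key.
            $prop = Get-ItemProperty -LiteralPath $loc.Path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.$ValueName }
        }
        [pscustomobject]@{
            Source  = $loc.Source
            Value   = $value            # empty means the value is not set at this location
            Flagged = ($value -eq 1)    # (dword) 1 is the state the page says to look for
            Tools   = $loc.Tools        # where to continue with Step 3
            Path    = $loc.Path
        }
    }
}

# Locations are listed in table order, not in the Step 1 order of precedence.
Get-DefenderSettingSource | Format-Table Source, Value, Flagged, Tools -AutoSize -Wrap
```

A row with Flagged set to True identifies the location, and therefore the group of tools, to investigate in Step 3.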
Step 3: Identify policies or settings
The following table describes how to identify policies and settings.
Method used | What to check |
---|---|
Policy | - If you're using GPO: Select Start, open Command Prompt as an administrator, and then run the command GpResult.exe /h C:\temp\GpResult_output.html. - If you're using Microsoft Configuration Manager co-management or Microsoft Configuration Manager (standalone), go to C:\Windows\CCM\Logs. |
MDM | If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command mdmdiagnosticstool.exe -zip "c:\temp\MDMDiagReport.zip". For more details, see Collect MDM logs - Windows Client Management. |
Local setting | Determine whether the policy or setting was deployed during imaging (sysprep), via PowerShell (for example, Set-MpPreference), Windows Management Instrumentation (WMI), or through a direct modification to the registry. |
Step 4: Remove or revise conflicting policies
Once you have identified the conflicting policy, work with your security administrators to change device targeting so that devices receive the correct Microsoft Defender Antivirus settings.