Troubleshoot Microsoft Defender Antivirus settings

Microsoft Defender Antivirus can be managed in numerous ways, which gives small and medium-sized businesses and enterprise organizations the flexibility to keep working with the management tools they already have:

  • Microsoft Defender for Endpoint security settings management
  • Microsoft Intune (MDM)
  • Microsoft Configuration Manager with Tenant Attach
  • Microsoft Configuration Manager co-management
  • Microsoft Configuration Manager (standalone)
  • Group Policy (GPO)
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Registry

Tip

For best results, use one method of managing Microsoft Defender Antivirus.

Troubleshooting Microsoft Defender Antivirus settings

Suppose that you're migrating from a non-Microsoft antivirus product, and when you try to enable Microsoft Defender Antivirus, it won't start. Most likely, you're experiencing a policy conflict. You can narrow down the issue by checking whether the DisableAntispyware registry value (DWORD) is set to 1 (hex).

To remove policy conflicts, here's our current, recommended process:

  1. Understand the order of precedence.
  2. Determine where Microsoft Defender Antivirus settings are configured.
  3. Identify policies and settings.
  4. Work with your security team to remove or revise conflicting policies.

Step 1: Understand the order of precedence

When policies and settings are configured in multiple tools, in general, here's the order of precedence:

  1. Microsoft Defender for Endpoint security settings management
  2. Group Policy (GPO)
  3. Microsoft Configuration Manager co-management
  4. Microsoft Configuration Manager (standalone)
  5. Microsoft Intune (MDM)
  6. Microsoft Configuration Manager with Tenant Attach
  7. PowerShell (Set-MpPreference), MpCmdRun.exe, or Windows Management Instrumentation (WMI).

Warning

MDMWinsOverGP is a Policy CSP setting that does not apply for all settings, such as attack surface reduction rules (ASR rules) in Windows 10.

Step 2: Determine where Microsoft Defender Antivirus settings are configured

Find out whether Microsoft Defender Antivirus settings are coming through a policy, MDM, or a local setting. The following table describes policies, settings, and relevant tools.

Policy
  Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  Tools:
  • Microsoft Defender for Endpoint security settings management
  • Microsoft Configuration Manager co-management
  • Microsoft Configuration Manager
  • GPO

MDM
  Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
  Tools:
  • Microsoft Intune (MDM)
  • Microsoft Configuration Manager with Tenant Attach

Local setting
  Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
  Tools:
  • MpCmdRun.exe
  • PowerShell (Set-MpPreference)
  • Windows Management Instrumentation (WMI)

Step 3: Identify policies or settings

The following table describes how to identify policies and settings.

Policy
  • If you're using GPO: Select Start, open Command Prompt as an administrator, and then run the command GpResult.exe /h C:\temp\GpResult_output.html.
  • If you're using Microsoft Configuration Manager co-management or Microsoft Configuration Manager (standalone), go to C:\Windows\CCM\Logs.

MDM
  • If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command mdmdiagnosticstool.exe -zip "c:\temp\MDMDiagReport.zip". For more details, see Collect MDM logs - Windows Client Management.

Local setting
  • Determine whether the policy or setting was deployed during imaging (sysprep), via PowerShell (for example, Set-MpPreference), Windows Management Instrumentation (WMI), or through a direct modification to the registry.
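The following PowerShell script is an added example, not part of the Microsoft Learn article, that ties Steps 1 through 3 together: it reads the three registry locations from the Step 2 table, reports every layer that sets a given Defender value, and ranks them by the order of precedence from Step 1 so you can see which layer wins. The function names Get-DefenderSettingSources and Show-DefenderSettingConflicts are this example's own; DisableRealtimeMonitoring is an additional real Defender value, not one the article names, included because it lives in a subkey and shows why the script searches subkeys. The ranking assumes the default precedence (Policy key above MDM key); where MDMWinsOverGP applies, the MDM layer can win for the settings it supports.

```powershell
# Added example (not from the article): find which layer supplies Defender Antivirus settings.
# Run from an elevated PowerShell session on the affected device.

# Layers in the article's order of precedence. The registry alone cannot tell GPO apart from
# Configuration Manager or Defender for Endpoint security settings management inside the
# Policy key; use the GpResult / CCM log checks from Step 3 for that distinction.
$layers = @(
    [pscustomobject]@{ Rank = 1; Layer = 'Policy';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' }
    [pscustomobject]@{ Rank = 2; Layer = 'MDM';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager' }
    [pscustomobject]@{ Rank = 3; Layer = 'Local setting'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender' }
)

function Get-DefenderSettingSources {
    # Returns one object per (layer, key, value) where a requested value name is present.
    param(
        # DisableAntiSpyware is the value the article calls out when the product will not start.
        [string[]]$ValueName = @('DisableAntiSpyware')
    )
    foreach ($layer in $layers) {
        if (-not (Test-Path -LiteralPath $layer.Path)) { continue }   # nothing written at this layer

        # Search the key and its subkeys; values such as DisableRealtimeMonitoring sit in a subkey.
        $keys = @(Get-Item -LiteralPath $layer.Path) +
                @(Get-ChildItem -LiteralPath $layer.Path -Recurse -ErrorAction SilentlyContinue)

        # Policy Manager is a subkey of the Policy key, so keep it out of the Policy layer's results.
        if ($layer.Layer -eq 'Policy') {
            $keys = $keys | Where-Object { $_.Name -notmatch '\\Policy Manager(\\|$)' }
        }

        foreach ($key in $keys) {
            foreach ($name in $ValueName) {
                $value = $key.GetValue($name, $null)
                if ($null -ne $value) {
                    [pscustomobject]@{
                        Rank      = $layer.Rank
                        Layer     = $layer.Layer
                        Key       = $key.Name
                        ValueName = $name
                        Value     = $value
                    }
                }
            }
        }
    }
}

function Show-DefenderSettingConflicts {
    # Prints every hit and warns when the same value is set at more than one layer.
    param([string[]]$ValueName = @('DisableAntiSpyware'))

    $found = @(Get-DefenderSettingSources -ValueName $ValueName)
    if ($found.Count -eq 0) {
        Write-Output 'None of the requested values are set at any layer.'
        return
    }

    $found | Sort-Object Rank, ValueName | Format-Table Layer, ValueName, Value, Key -AutoSize

    foreach ($group in ($found | Group-Object ValueName)) {
        $layersSet = @($group.Group | Select-Object -ExpandProperty Layer -Unique)
        if ($layersSet.Count -gt 1) {
            $winner = $group.Group | Sort-Object Rank | Select-Object -First 1
            $msg = '{0} is set at {1} layers ({2}); ''{3}'' takes precedence. Revise the conflicting policy (Step 4).' -f
                   $group.Name, $layersSet.Count, ($layersSet -join ', '), $winner.Layer
            Write-Warning $msg
        }
    }
}

# Effective state as the engine reports it, for comparison with the registry findings.
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

Show-DefenderSettingConflicts -ValueName 'DisableAntiSpyware', 'DisableRealtimeMonitoring'
```

If the table shows DisableAntiSpyware set to 1 under the Policy layer, the next move is Step 3 (GpResult output or the CCM logs) to learn which tool wrote it; a hit only under the Local setting layer points to imaging, Set-MpPreference, WMI, or a direct registry edit instead.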

Step 4: Remove or revise conflicting policies

Once you have identified the conflicting policy, work with your security administrators to change device targeting so that devices receive the correct Microsoft Defender Antivirus settings.