Troubleshooting issues when migrating to Microsoft Defender for Endpoint
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
This article provides troubleshooting information for security administrators who are experiencing issues when moving from a non-Microsoft endpoint protection solution to Microsoft Defender for Endpoint.
Microsoft Defender Antivirus is getting uninstalled on Windows Server
When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. As part of the setup process, you configure Microsoft Defender Antivirus in passive mode. Occasionally, your non-Microsoft antivirus/antimalware solution might prevent Microsoft Defender Antivirus from running on Windows Server. In fact, it can look like Microsoft Defender Antivirus has been removed from Windows Server.
To resolve this issue, take the following steps:
- Add Microsoft Defender for Endpoint to the exclusion list.
- Set Microsoft Defender Antivirus to passive mode manually.
Add Microsoft Defender for Endpoint to the exclusion list
Certain exclusions for Defender for Endpoint must be defined in your existing non-Microsoft endpoint protection solution. Make sure to add the following exclusions:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
Set Microsoft Defender Antivirus to passive mode manually
On Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1
Note
For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded using the instructions in Onboard Windows servers.
For more information, see Microsoft Defender Antivirus in Windows.
Microsoft Defender Antivirus seems to be stuck in passive mode
If Microsoft Defender Antivirus is stuck in passive mode, set it to active mode manually by following these steps:
On your Windows device, open Registry Editor as an administrator.
Go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.Set or define a REG_DWORD entry called
ForceDefenderPassiveMode, and set its value to0.Reboot the device.
Important
If you're still having trouble setting Microsoft Defender Antivirus to active mode after following this procedure, contact support.
I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016
If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the Malware Protection Command-Line Utility to re-enable Microsoft Defender Antivirus on Windows Server 2016.
As a local administrator on the server, open Command Prompt.
Run the following command:
MpCmdRun.exe -wdenableRestart the device.
See also
Feedback
Submit and view feedback for