Troubleshooting issues when migrating to Microsoft Defender for Endpoint

Applies to:

This article provides troubleshooting information for security administrators who are experiencing issues when moving from a non-Microsoft endpoint protection solution to Microsoft Defender for Endpoint.

Microsoft Defender Antivirus is getting uninstalled on Windows Server

When you migrate to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. As part of the setup process, you configure Microsoft Defender Antivirus in passive mode. Occasionally, your non-Microsoft antivirus/antimalware solution might prevent Microsoft Defender Antivirus from running on Windows Server. In fact, it can look like Microsoft Defender Antivirus has been removed from Windows Server.

To resolve this issue, take the following steps:

  1. Add Microsoft Defender for Endpoint to the exclusion list.
  2. Set Microsoft Defender Antivirus to passive mode manually.

Add Microsoft Defender for Endpoint to the exclusion list

OS Exclusions
Windows 11

Windows 10, version 1803 or later (See Windows 10 release information)

Windows 10, version 1703 or 1709 with KB4493441 installed
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe

C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe

C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe

C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe

C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe

C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection

Windows Server 2022

Windows Server 2019

Windows Server 2016

Windows Server 2012 R2

Windows Server, version 1803
On Windows Server 2012 R2 and Windows Server 2016 running the modern, unified solution, the following exclusions are required after updating the Sense EDR component using KB5005292:

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
Windows 8.1

Windows 7

Windows Server 2008 R2 SP1
C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe

NOTE: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe

C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe

C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe

C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe

C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe

C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

Important

As a best practice, keep your organization's devices and endpoints up to date. Make sure to get the latest updates for Microsoft Defender for Endpoint and Microsoft Defender Antivirus, and keep your organization's operating systems and productivity apps up to date.

Set Microsoft Defender Antivirus to passive mode manually

On Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.

You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Name: ForceDefenderPassiveMode

Type: REG_DWORD

Value: 1

Note

For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded using the instructions in Onboard Windows servers.

For more information, see Microsoft Defender Antivirus in Windows.

Microsoft Defender Antivirus seems to be stuck in passive mode

If Microsoft Defender Antivirus is stuck in passive mode, set it to active mode manually by following these steps:

  1. On your Windows device, open Registry Editor as an administrator.

  2. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

  3. Set or define a REG_DWORD entry called ForceDefenderPassiveMode, and set its value to 0.

  4. Reboot the device.

Important

If you're still having trouble setting Microsoft Defender Antivirus to active mode after following this procedure, contact support.

I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016

If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the Malware Protection Command-Line Utility to re-enable Microsoft Defender Antivirus on Windows Server 2016.

  1. As a local administrator on the server, open Command Prompt.

  2. Run the following command: MpCmdRun.exe -wdenable

  3. Restart the device.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.