This article provides troubleshooting information for security administrators who are experiencing issues when switching from a non-Microsoft endpoint protection solution to Microsoft Defender for Endpoint.
Microsoft Defender Antivirus is getting uninstalled on Windows Server
When you make the switch to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. As part of the setup process, you configure Microsoft Defender Antivirus in passive mode. Occasionally, your non-Microsoft antivirus/antimalware solution might prevent Microsoft Defender Antivirus from running on Windows Server. In fact, it can look like Microsoft Defender Antivirus has been removed from Windows Server.
To resolve this issue, take the following steps:
- Set the DisableAntiSpyware registry key to false.
- Add Microsoft Defender for Endpoint to the exclusion list.
- Set Microsoft Defender Antivirus to passive mode manually.
Set the DisableAntiSpyware registry key to false
The DisableAntiSpyware registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have DisableAntiSpyware configured, here’s how to set its value to false:
1. On your Windows Server device, open Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
3. In that folder, look for a DWORD entry called DisableAntiSpyware.
   - If you do not see that entry, you’re all set.
   - If you do see DisableAntiSpyware, proceed to step 4.
4. Right-click the DisableAntiSpyware DWORD, and then choose Modify.
5. Set the value to 0. (This action sets the registry key’s value to false.)
Tip
To learn more about this registry key, see DisableAntiSpyware.
Add Microsoft Defender for Endpoint to the exclusion list
Certain exclusions for Defender for Endpoint must be defined in your existing non-Microsoft endpoint protection solution. Make sure to add the following exclusions:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
Set Microsoft Defender Antivirus to passive mode manually
On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, you must set Microsoft Defender Antivirus to passive mode manually. This action helps prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1
Note
For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded using the instructions in Onboard Windows servers.
For more information, see Microsoft Defender Antivirus on Windows Server.
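The three steps above can be checked in one pass from an elevated PowerShell session. The script below is an added example, not part of the original article or a Microsoft-supplied tool; the `-Fix` switch and the OK/FAIL/FIXED/INFO output format are assumptions of this example. It only lists the exclusion paths, because the exclusions themselves are configured in the non-Microsoft product.

```powershell
# Added example: audit the settings from this section; pass -Fix to apply the registry changes.
param([switch]$Fix)

$avPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$atpPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$senseDir   = 'C:\Program Files\Windows Defender Advanced Threat Protection'
$senseFiles = 'MsSense.exe','SenseCncProxy.exe','SenseSampleUploader.exe','SenseIR.exe','SenseCM.exe'

function Get-DwordValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Step 1: DisableAntiSpyware is fine when absent or 0; any other value is reset to 0.
$das = Get-DwordValue $avPolicy 'DisableAntiSpyware'
if ($null -eq $das -or $das -eq 0) {
    Write-Output 'OK    DisableAntiSpyware is absent or 0'
} elseif ($Fix) {
    Set-ItemProperty -Path $avPolicy -Name 'DisableAntiSpyware' -Value 0 -Type DWord
    Write-Output "FIXED DisableAntiSpyware set to 0 (was $das)"
} else {
    Write-Output "FAIL  DisableAntiSpyware = $das"
}

# Step 2: list the binaries to exclude in the non-Microsoft product and whether they exist yet.
foreach ($file in $senseFiles) {
    $path  = Join-Path $senseDir $file
    $state = if (Test-Path $path) { 'present' } else { 'not found' }
    Write-Output "INFO  exclude $path ($state)"
}

# Step 3: ForceDefenderPassiveMode must be a DWORD with value 1.
$fpm = Get-DwordValue $atpPolicy 'ForceDefenderPassiveMode'
if ($fpm -eq 1) {
    Write-Output 'OK    ForceDefenderPassiveMode = 1'
} elseif ($Fix) {
    if (-not (Test-Path $atpPolicy)) { New-Item -Path $atpPolicy -Force | Out-Null }
    New-ItemProperty -Path $atpPolicy -Name 'ForceDefenderPassiveMode' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'FIXED ForceDefenderPassiveMode set to 1'
} else {
    Write-Output 'FAIL  ForceDefenderPassiveMode is missing or not 1'
}

# Report the running mode when the Defender cmdlets are installed.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Write-Output ('INFO  AMRunningMode = ' + (Get-MpComputerStatus).AMRunningMode)
} else {
    Write-Output 'INFO  Get-MpComputerStatus not available; Microsoft Defender Antivirus may not be installed'
}
```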
I am having trouble re-enabling Microsoft Defender Antivirus on Windows Server 2016
If you are using a non-Microsoft antivirus/antimalware solution on Windows Server 2016, your existing solution might have required Microsoft Defender Antivirus to be disabled or uninstalled. You can use the Malware Protection Command-Line Utility to re-enable Microsoft Defender Antivirus on Windows Server 2016.
- As a local administrator on the server, open Command Prompt.
- Run the following command:
MpCmdRun.exe -wdenable
- Restart the device.