Set Microsoft Defender Antivirus to Passive or Active Mode
Windows comes preinstalled with Microsft Defender Antivirus on their major operating system. This keeps the server secure from well-known attacks. Please learn how to Set Microsoft Defender Antivirus to Passive or Active Mode. Please see how to Connect to a FileZilla Server: How to install and configure a FileZilla Server on Windows, and how to Remove Microsoft Defender Update on Windows 10 & Server.
By default, Microsoft Defender Antivirus is installed and functional on Windows Server. If you’re using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server. You must set Microsoft Defender Antivirus to passive mode or disabled mode manually. Also, if your Windows Server endpoint is onboarded to Microsoft Defender for Endpoint. You can set Microsoft Defender Antivirus to passive mode.
Verify if Micrsoft Defender is installed.
The image shows Microsoft Defender isn’t installed.
Follow the steps below to install it.
Please install this feature via the Server manager (Add roles and features) or via PowerShell
Select the server from the list to install the feature onto. Select Microsoft Defender Antivirus
Now, Installed
Use the PowerShell cmdlets in the following table
After you’ve installed (or reinstalled) Microsoft Defender Antivirus, your next step is to verify that it’s running.
| Procedure | PowerShell cmdlet |
|---|---|
| Verify that Microsoft Defender Antivirus is running | Get-Service -Name windefend |
| Verify that firewall protection is turned on | Get-Service -Name mpssvc |
Please see how to View Microsoft Defender Antivirus Update Details on Windows 10 Image, and how to update Microsoft Defender Antivirus into the install image of Windows (install.wim).
Enable Microsft Defender Passive Mode
To enable the GUI, please follow the steps to set Microsoft Defender Antivirus to passive mode.
This is done by setting the following registry key and rebooting the server.
Set Microsoft Defender Antivirus to passive mode by using a registry key
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat ProtectionCreate a New REG_DWORD value
Name: ForceDefenderPassiveMode
Enter the Value: 1 by double-clicking on the name
REG_DWORD value created
What happens if a Primary Antivirus is uninstalled?
If a non-Microsoft antivirus product was installed on Windows Server. Microsoft Defender Antivirus was probably set to passive mode. Note: On a client PC, you do not need to manually set the device to passive mode if the primary antivirus is no longer active. But you will have to force the server to active mode on Windows Server if the primary antivirus solution is no longer working. Please see the table below for more information.
| mode | Consequence |
|---|---|
| Active mode | Active mode uses Microsoft Defender Antivirus as the primary antivirus application on the device. Files are scanned, threats are addressed, and threats detected are reported in your organization’s security reports and in your Windows Security app. |
| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus application on the device. Files are scanned and threats detected are reported but not remedied by Microsoft Defender Antivirus.Microsoft Defender Antivirus can only run in passive mode on endpoints that are integrated with Microsoft Defender for Endpoint. |
Please see Windows Defender Antivirus Management with Intune, and How to Secure FTP Login Issue: NAT Router Configuration Needed for Passive Mode and Port Forwarding.
Set Microsft Defender Antivirus to Active Mode
If you have reasons to set the Microsoft Defender Antivirus to Active Mode again. Use the follow the same steps as above. But this time, set the value to 0.
On your Windows Server device, open Registry Editor as an administrator.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.Set or define an REG_DWORD entry called ForceDefenderPassiveMode, and set its value to 0.
Reboot the device.
Please, see how to shrink and create new partition on Windows Server, how to Fix long path names to files on SQL Server installation media error, and how to Install SQL Server Management Studio 21 on Windows Server.
Am I running in Passive mode?
You can determine if Microsoft Defender Antivirus is running in Passive Mode on a Windows Server, especially when another antivirus or endpoint protection platform like Trellix, Symantec, or CrowdStrike is installed.
To check this, use PowerShell as shown below. This allows you to confirm Defender’s current mode and avoid any potential conflicts with your primary antivirus solution.
Get-MpComputerStatus | Select-Object AMRunningMode
As shown above, Windows Defender Antivirus is not running because it’s in Passive Mode. You can also check this using the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows DefenderA value of 0 means Passive Mode is disabled, while a value of 1 means Passive Mode is enabled.
I hope you found this post useful on how to set Microsoft Defender Antivirus to Passive or Active Mode. Please feel free to leave a comment below.
