Set Microsoft Defender AV to Passive mode on a Windows Server

Managing security tools can get a bit tricky when you’re running multiple solutions on the same server. Let’s say you’ve got a setup using a third-party antivirus as your primary security suite, but Windows Defender is still active. This can create conflicts, and the best way to address this is to switch Microsoft Defender Antivirus (AV) into passive mode.In this article, we shall discuss the steps to Set Microsoft Defender AV to Passive mode on a Windows Server. Please see how to Change the number of MachineAccountQuota a user can add to AD.

Also, see how to set Set Microsoft Defender AV to Passive mode on a Windows Server, How to Create a User and Custom Domain in Entra ID, and how to Block IP Addresses Using Group Policy (GPO) in Active Directory.

Why Use Passive Mode?

When running a non-Microsoft antivirus product as your primary defense on Windows Server, it’s essential to prevent conflicts by switching Microsoft Defender AV to passive mode or disabling it manually. Here’s the key:

• Passive Mode: Use this when your server is onboarded to Microsoft Defender for Endpoint. Defender AV will work quietly in the background without interfering.
• Disabled / Uninstalled Mode: If Defender for Endpoint isn’t in use, disable Defender AV entirely to avoid redundancy and save system resources.

Pro Tip: If you uninstall your third-party antivirus, don’t forget to re-enable Microsoft Defender AV. It’s your safety net!

Please see “Secure FTP Login Issue: NAT Router Configuration for Passive Mode and Port Forwarding“, and “how to fix The Group Policy settings for BitLocker startup options are in conflict and cannot be applied“.

Prerequisites

Your server must be onboarded to Microsoft Defender for Endpoint. Why? Because passive mode requires the device to be integrated with Defender for Endpoint to continue monitoring threats without active scanning.

For detailed steps on onboarding to Defender for Endpoint, check out the official Microsoft documentation.

Managing Defender AV on Windows Server

Here’s a detailed breakdown of how to configure Microsoft Defender AV to passive mode or disable it completely.

Please see how to install and configure an FTP Server on Windows Server, and how to “Connect to a FileZilla Server: How to install and configure a FileZilla Server on Windows“.

1. Set Microsoft Defender AV to Passive Mode (Registry Method)

Let’s start by figuring out how Defender is currently behaving. Open PowerShell as administrator and run:

Type the following command and hit Enter:

Get-Service -Name windefend

If the Status says “Running,” that means Defender is actively running.

Now, let’s set Defender to passive mode. Press Windows + R and type regedit to open the registry editor.

Navigate to the following registry path:

HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Edit or create a DWORD (32-bit) key named ForceDefenderPassiveMode.

Right click the reg_word, select modify and set its value to 1.

Restart your server to apply changes.

2. Disable Defender AV Using Group Policy

Alternatively, if you prefer using Group Policy, configure the following setting. Press Windows + R and type gpedit.msc to launch the group Policy editor.

Navigate to the following path:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender ATP

Locate Turn on Microsoft Defender Antivirus passive mode, set it to Enabled, and click OK.

3. Uninstall Microsoft Defender AV (PowerShell Method)

If you need to get rid of Defender AV entirely, enter the following command:

Uninstall-WindowsFeature -Name Windows-Defender

This completely removes Microsoft Defender Antivirus from the server.

Please, see how to shrink and create new partition on Windows Server, how to Fix long path names to files on SQL Server installation media error, and how to Install SQL Server Management Studio 21 on Windows Server.

Determine if you are running in a Passive mode

You can determine if Microsoft Defender Antivirus is running in Passive Mode especially on a Windows Server. In scenarios where other antivirus or endpoint protection platforms are installed (e.g., Trellix, Symantec, CrowdStrike).

You can use PowerShell to determine if the server is running in a passive mode as shown below. This helps you avoid any conflict whatsoever with the primary antivirus solution installed on your device.

Get-MpComputerStatus | Select-Object AMRunningMode

As you can see above, Windows Defender Anti Virus is currently not running and it is in the passive mode. You could also use the registry key as shown below. Where the Passive Mode disabled value is 0 for disable and Passive Mode enabled value is 1.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

Here is how to fix Unable to run downloaded Programs due to Defender SmartScreen, how to Manage Microsoft Defender Antivirus with Argon ACMP, and What you need to know about Microsoft Defender Antivirus

Conclusion

Switching Microsoft Defender to passive mode ensures smooth operation alongside third-party antivirus solutions. With passive mode enabled, your server benefits from the monitoring capabilities of Defender for Endpoint without interfering with your primary security suite.

I hope you find this post helpful on how to Set Microsoft Defender AV to Passive mode on a Windows Server. If you have any questions, feel free to leave them in the comment section below.