Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Microsoft Defender
Environment: Windows, MacOS
Summary: Managed Defender can show as unhealthy for several reasons. This article breaks down the common ones and what can be done to resolve each.
Unhealthy Status
Microsoft Defender can show as unhealthy for several reasons. Below are the states you are most likely to encounter and what can be done to resolve each.
- Scan required - This is usually seen right after the agent finishes deploying to the system. Once the agent is installed and running with Managed Defender in use, Huntress expects an AV scan to have been run before it reports the device as healthy. You can trigger a scan from the Huntress Managed Defender dashboard or from the device itself; allow some time after the scan for the agent to check in so the dashboard status updates. Once a scan has completed and the device is clean, it will show as healthy.
- Partially Disabled - This is encountered when one or more components of Microsoft Defender are disabled or not running. The dashboard lists which components are affected, and the steps to take depend on what specifically is disabled.
You can start by resetting Defender on the device, which returns Defender to its defaults. If that does not resolve it, or is too broad an action for the device, you can enable the specific component you need as described below.
All commands should be run from an elevated PowerShell window. Note that a setting enforced by Group Policy or MDM, or by Tamper Protection, takes precedence over anything set locally with Set-MpPreference, so if a component refuses to stay enabled, check for a policy that is disabling it.
- Antimalware/Antispyware/Antivirus - The Defender service (WinDefend) cannot be turned on or off from the Services console. Verify that it is running with get-service windefend in PowerShell. If the service is not running, start it with start-service windefend.
- Network Inspection - This service (WdNisSvc) also cannot be turned on or off from the Services console. Check whether it is running with get-service wdnissvc. If it is not running, start it from an elevated PowerShell window with start-service wdnissvc.
- Real-time Protection - Run the following from PowerShell: Set-MpPreference -DisableRealtimeMonitoring $false
- On-access Protection - Windows no longer provides a way to control this component directly; it follows the state of real-time protection and is still reported by Get-MpComputerStatus.
- IE/Outlook Antivirus - Run the following from PowerShell: Set-MpPreference -DisableIOAVProtection $false
- Behavior Monitoring - Run the following from PowerShell: Set-MpPreference -DisableBehaviorMonitoring $false
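The component checks and re-enable commands above, combined into one script, as an added example that is not code from the Huntress article. It snapshots the component flags that Get-MpComputerStatus exposes, starts WinDefend and WdNisSvc if they are stopped, clears the three Disable* preferences with Set-MpPreference, and then checks the well-known Defender policy registry keys, since a policy-pushed value is the usual reason a local change does not stick. The function names, the Write-Host reporting and the choice of registry checks are this example's own; the cmdlets and property names are the Defender module's.

```powershell
# Added example; not code from the Huntress article. Run from an elevated PowerShell window.
# Cmdlets and property names are those of the built-in Defender module; the helper names,
# the reporting and the registry policy check are this example's own.

function Get-DefenderComponentStatus {
    # Snapshot of the components the dashboard reports under "Partially Disabled".
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AMService          = $s.AMServiceEnabled
        Antispyware        = $s.AntispywareEnabled
        Antivirus          = $s.AntivirusEnabled
        NetworkInspection  = $s.NISEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        OnAccessProtection = $s.OnAccessProtectionEnabled   # reported, but not user-controllable
        IOAVProtection     = $s.IoavProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        TamperProtected    = $s.IsTamperProtected
    }
}

function Test-DefenderPolicyOverride {
    # Values written here by Group Policy/MDM win over Set-MpPreference. If any is 1,
    # the fix is in the policy, not on the host.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @(
        @{ Path = $base;                        Name = 'DisableAntiSpyware' },
        @{ Path = "$base\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
        @{ Path = "$base\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' },
        @{ Path = "$base\Real-Time Protection"; Name = 'DisableIOAVProtection' }
    )
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            Write-Warning "Policy sets $($c.Name)=1 under $($c.Path); local changes will not stick."
        }
    }
}

function Repair-DefenderComponents {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-DefenderComponentStatus
    Write-Host 'Before:'; $before | Format-List | Out-String | Write-Host

    # 1. Services behind Antimalware/Antispyware/Antivirus (WinDefend) and Network
    #    Inspection (WdNisSvc). Neither can be toggled in services.msc, but Start-Service
    #    works when they are merely stopped.
    foreach ($name in 'WinDefend', 'WdNisSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name service not found."; continue }
        if ($svc.Status -ne 'Running' -and $PSCmdlet.ShouldProcess($name, 'Start-Service')) {
            try { Start-Service -Name $name -ErrorAction Stop; Write-Host "Started $name" }
            catch { Write-Warning "Could not start ${name}: $($_.Exception.Message)" }
        }
    }

    # 2. Preferences. Each is a Disable* switch, so $false means the component is enabled.
    $pref = Get-MpPreference
    foreach ($key in 'DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableBehaviorMonitoring') {
        if ($pref.$key -eq $true -and $PSCmdlet.ShouldProcess($key, 'Set-MpPreference $false')) {
            try {
                $splat = @{ $key = $false; ErrorAction = 'Stop' }
                Set-MpPreference @splat
                Write-Host "Cleared $key"
            } catch {
                # Tamper Protection or an enforced policy is the usual cause of a refusal here.
                Write-Warning "Set-MpPreference -$key failed: $($_.Exception.Message)"
            }
        }
    }

    # 3. Explain any component that is still off.
    Test-DefenderPolicyOverride

    # 4. Re-read status. The dashboard only updates after the agent's next check-in.
    $after = Get-DefenderComponentStatus
    Write-Host 'After:'; $after | Format-List | Out-String | Write-Host
    $after
}

# Preview with -WhatIf first; drop it to apply the changes.
Repair-DefenderComponents -WhatIf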
- Outdated Definitions - This is encountered when the definitions on the agent/machine have not been updated in some time. To resolve it, select the "Manual Update" option to queue the agent to update the definitions. It is also a good idea to make sure Windows updates are current, as Microsoft delivers updated security intelligence through Windows Update.
- Other AV - This one is straightforward: another AV product is installed on the device and has disabled Defender fully or partially. If you are switching over fully to Huntress Managed Antivirus (MAV), you will need to remove the third-party AV entirely, and be sure all remnants are removed, since a leftover Security Center registration can keep Defender turned off. You can follow this guide on transitioning to Huntress MAV.
- Defender Status Unknown - Consider Restarting - Microsoft Defender AV is returning an invalid value for the endpoint status, which a reboot or a restart of the Huntress Agent service may resolve. If running Get-MpComputerStatus on the endpoint returns an error, troubleshoot that error first. If the command reports that Defender is enabled, restarting the Huntress services may help.
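The three remaining states, Scan required, Outdated Definitions and Defender Status Unknown, handled locally in one function, as an added example that is not code from the Huntress article. It first asks whether Get-MpComputerStatus answers at all (an error there is a Defender or OS problem that restarting the agent will not fix), then pulls new signatures if they are stale and runs a quick scan if none is on record, and only restarts the Huntress agent when asked to. The agent service name 'HuntressAgent' and the 7-day staleness threshold are this example's assumptions, not values from the article; confirm the service name with Get-Service Huntress* before relying on it.

```powershell
# Added example; not code from the Huntress article. Run from an elevated PowerShell window.
# Assumptions of this example: the Huntress agent service is named 'HuntressAgent'
# (confirm with Get-Service Huntress*), and 7 days is the staleness threshold used for
# both the signature age and the last quick scan.

function Test-ManagedDefenderHealth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$MaxAgeDays = 7,
        [string]$AgentServiceName = 'HuntressAgent',
        [switch]$RestartAgent     # use when Defender is fine locally but the dashboard says Unknown
    )
    $actions = [System.Collections.Generic.List[string]]::new()

    # "Defender Status Unknown": does Defender answer at all?
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # An error here is a Defender/OS problem; restarting the agent will not fix it.
        return [pscustomobject]@{
            State   = 'Unknown'
            Detail  = "Get-MpComputerStatus failed: $($_.Exception.Message)"
            Actions = @('Troubleshoot the Defender error before touching the agent')
        }
    }

    if (-not $status.AntivirusEnabled) {
        # Defender reports itself off: that is the Partially Disabled / Other AV path, not this one.
        return [pscustomobject]@{ State = 'Disabled'; Detail = 'AntivirusEnabled is false'; Actions = @() }
    }

    # "Outdated Definitions": pull an update when the signature age passes the threshold.
    if ($status.AntivirusSignatureAge -gt $MaxAgeDays -and
        $PSCmdlet.ShouldProcess('Defender signatures', 'Update-MpSignature')) {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer -ErrorAction Stop
        $actions.Add("Signatures were $($status.AntivirusSignatureAge) days old; updated")
    }

    # "Scan required": no quick scan on record, or the last one is older than the threshold.
    if (($null -eq $status.QuickScanEndTime -or $status.QuickScanAge -gt $MaxAgeDays) -and
        $PSCmdlet.ShouldProcess('Quick scan', 'Start-MpScan')) {
        Start-MpScan -ScanType QuickScan -ErrorAction Stop
        $actions.Add('Quick scan run; allow time for the agent to check in')
    }

    # Defender is healthy locally but the dashboard still shows Unknown: restart the agent so it
    # re-reads and reports the endpoint status (a reboot is the other option the article gives).
    if ($RestartAgent) {
        $agent = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
        if (-not $agent) {
            $actions.Add("Service $AgentServiceName not found; check Get-Service Huntress*")
        } elseif ($PSCmdlet.ShouldProcess($AgentServiceName, 'Restart-Service')) {
            Restart-Service -Name $AgentServiceName -ErrorAction Stop
            $actions.Add("Restarted $AgentServiceName")
        }
    }

    [pscustomobject]@{
        State   = 'Healthy locally'
        Detail  = "Signatures v$($status.AntivirusSignatureVersion), $($status.AntivirusSignatureAge) days old; last quick scan: $($status.QuickScanEndTime)"
        Actions = $actions.ToArray()
    }
}

# Preview first; drop -WhatIf to act, add -RestartAgent for the Status Unknown case.
Test-ManagedDefenderHealth -WhatIf
```

Update-MpSignature and Start-MpScan both block until they finish, so expect the call to take a few minutes on a slow link; the dashboard will not reflect the new state until the agent's next check-in.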
There may be some cases where the provided recommendations do not work. Working with Microsoft Support may be required for more in-depth issues with the OS. Please see our Support Limitation here.
Other Scenarios
There may be instances where you cannot get Defender to enable properly. In those cases you may need to repair the OS or, if all else fails, reinstall it. To repair the OS, run the following from an elevated prompt:
- DISM /Online /Cleanup-Image /ScanHealth (this only reports whether the component store is corrupted; run the same command with /RestoreHealth to actually repair it)
- SFC /scannow
- Reboot the system if issues were found, then attempt to re-enable Defender