Microsoft Defender for Endpoint not updating
Introduction
Recently, I came across a nice little challenge, which I want to share with you. What was the situation? We have a Windows network with a bunch of servers running Windows Server 2016 Datacenter as the operating system. We had migrated the antivirus software from a third-party solution to Microsoft Defender for Endpoint as part of the Microsoft 365 E5 subscription.
Currently, Microsoft Defender for Endpoint is managed through a set of GPO policies, and we want to migrate this to the unified Microsoft Defender for Endpoint solution, which became available in April 2022. We want to migrate the Windows Servers from the GPO to this solution.
The challenge
To onboard Windows Server 2016 on the Unified Solution, we have to make sure that the servers are Azure Hybrid Joined and that we install the new MDE installation package on each machine. In the installation wizard we came across this alert:
Please update Windows Defender Antivirus (KB4052623) to the latest version.
Troubleshooting
I was surprised by this message, as the Service Desk has installed all available Windows Updates on all Windows Servers before I started with the migration. From this point, we have to start troubleshooting what was going on.
Check Windows Defender Antivirus version
I started by checking which version of Windows Defender Antivirus is running on this system. It turned out that this server was running a very old version of Windows Defender.
How is this possible? For some reason, the antimalware client version was not updated to the latest version. The other strange thing I noticed is that the other components, like engine version and antivirus definition, are blank.
Check Windows Services are running
The second step is to check whether all the Windows Defender Antivirus services are running. It seems that the Windows Defender service is not in the Running state. I checked the Microsoft Defender Portal and it shows that the server is in the onboarded state.
Check if Windows Defender is installed
It seems that Windows Defender is not running on this machine. With the PowerShell command below I checked whether the Windows Defender feature is installed on this machine. It has to be, because we have this server onboarded on Microsoft Defender.
Get-WindowsFeature windows-defender
The result is that the Windows Defender Antivirus feature is installed on this machine.
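The checks from the troubleshooting steps above can be scripted so that every server is examined the same way before anything is changed. The script below is an added example and not part of the original post: it reads the feature state, the WinDefend service, the version fields from Get-MpComputerStatus and the ForceDefenderPassiveMode value that the solution section mentions, and reports everything that would explain the KB4052623 warning. It assumes a Windows Server 2016 host with the Defender PowerShell module available and an elevated session; it changes nothing.

```powershell
# Added read-only diagnostic (not from the original post). Run elevated on the
# affected server. Exit code 0 = all checks passed, 1 = at least one check failed.
$failures = @()

# 1. Is the Windows Defender feature installed? (Server SKUs only)
$feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
if (-not $feature -or -not $feature.Installed) {
    $failures += 'Windows-Defender feature is not installed'
}

# 2. Is the antivirus service (WinDefend) running?
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $state = if ($svc) { $svc.Status } else { 'not found' }
    $failures += "WinDefend service is not running (status: $state)"
}

# 3. Client, engine and signature versions. Blank engine/signature fields were the
#    symptom seen on the broken server; AMRunningMode may be blank on old clients.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    "Platform (client) version : $($status.AMProductVersion)"
    "Engine version            : $($status.AMEngineVersion)"
    "Signature version         : $($status.AntivirusSignatureVersion)"
    "Running mode              : $($status.AMRunningMode)"
    if ([string]::IsNullOrEmpty($status.AMEngineVersion))           { $failures += 'Engine version is blank' }
    if ([string]::IsNullOrEmpty($status.AntivirusSignatureVersion)) { $failures += 'Signature version is blank' }
    if (-not $status.AntivirusEnabled)                              { $failures += 'AntivirusEnabled is False' }
} else {
    $failures += 'Get-MpComputerStatus returned nothing (cmdlets unavailable or service stopped)'
}

# 4. Is passive mode forced through the MDE policy key? Per Microsoft's documentation,
#    a value of 1 forces passive mode; 0 or no value lets Defender run in active mode.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$passive = (Get-ItemProperty -Path $key -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
"ForceDefenderPassiveMode  : $(if ($null -eq $passive) { '<not set>' } else { $passive })"
if ($passive -eq 1) { $failures += 'ForceDefenderPassiveMode is 1 (passive mode forced)' }

# 5. Report
if ($failures.Count -eq 0) {
    'All checks passed: Defender Antivirus is installed, running and in active mode.'
    exit 0
}
"Found $($failures.Count) problem(s):"
$failures | ForEach-Object { " - $_" }
exit 1
```

Running it across the server estate (for example through Invoke-Command) gives a quick list of hosts that still need the manual re-enable step before the MDE package is installed.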
Solution
I came to the solution to this problem. This server used to run third-party antivirus software. Most third-party antivirus products configure Windows Defender Antivirus in passive mode, and removing the third-party antivirus software does not set Windows Defender Antivirus back to active mode. This has to be done manually.
Install Windows Defender Antivirus
In my situation Windows Defender Antivirus was installed, but it was not running. If you run into the situation that the Windows Defender Antivirus feature is not installed, you can install it by running the following commands on every server:
# For Windows Server 2016
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features
Dism /Online /Enable-Feature /FeatureName:Windows-Defender
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui
# For Windows Server 2019 and Windows Server 2022
Dism /Online /Enable-Feature /FeatureName:Windows-Defender
Start Windows Defender Antivirus
From Windows Defender we can open the Windows Defender Antivirus UI. After opening this UI, I found out that Windows Defender Antivirus was turned off. With a click on a button we can turn Windows Defender Antivirus back into active mode.
This can also be done from the Windows Registry:
- Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
- Edit (or create) a DWORD entry called ForceDefenderPassiveMode.
- Set the DWORD's value to 1.
- Under Base, select Hexadecimal.
In Windows Server 2016 Windows Defender Antivirus can also be enabled by following these steps:
- As a local administrator on the server, open Command Prompt.
- Run the following command: MpCmdRun.exe -wdenable
- Restart the device.
After enabling Windows Defender Antivirus the UI looks like this.
Update antimalware client version
The antimalware client version can be updated in two ways:
- Through Windows Update. After Windows Defender Antivirus is enabled again, these Windows Updates become available.
- It is also possible to update the antimalware client manually, by downloading the update from the Microsoft security intelligence updates page.
Conclusion
Microsoft Defender for Endpoint is a powerful security solution that integrates seamlessly into an existing Microsoft environment. It is crucial to take note of the consequences of using third-party antivirus software that puts Windows Defender Antivirus in passive mode. After uninstalling this software, Windows Defender Antivirus must be manually installed or re-enabled. If you skip this step, you risk Microsoft Defender for Endpoint not functioning properly.
Stay safe!