
Microsoft Defender for Endpoint not updating

Introduction

Recently, I came across a nice little challenge, which I want to share with you. What was the situation? We have a Windows network with a bunch of servers running Windows Server 2016 Datacenter as the operating system. We had migrated the antivirus software from a third-party solution to Microsoft Defender for Endpoint as part of the Microsoft 365 E5 subscription.

Currently, Microsoft Defender for Endpoint is managed from a set of GPO policies, and we want to migrate this to the unified Microsoft Defender for Endpoint solution. This solution became available in April 2022. We want to migrate the Windows Servers from the GPO to this solution.

The challenge

To onboard Windows Server 2016 on the Unified Solution, we have to make sure that the servers are Azure Hybrid Joined and that we install the new MDE installation package on each machine. In the installation wizard we came across this alert:

Please update Windows Defender Antivirus (KB4052623) to the latest version.

Troubleshooting

I was surprised by this message, as the Service Desk has installed all available Windows Updates on all Windows Servers before I started with the migration. From this point, we have to start troubleshooting what was going on.

Check Windows Defender Antivirus version

I started by checking which version of Windows Defender Antivirus is running on this system. It turned out that this server is running a very old version of Windows Defender.

Windows Defender Antivirus outdated version

How is this possible? For some reason, the antimalware client version was not updated to the latest version. The other strange thing I noticed is that the other components, like engine version and antivirus definition, are blank.

Check Windows Services are running

The second step is to check whether all the Windows Defender Antivirus services are running. It turned out that the Windows Defender Service is not in the Running state. I checked the Microsoft Defender Portal and it shows that the server is in the onboarded state.

Windows Defender Service is not running

Check if Windows Defender is installed

It seems that Windows Defender is not running on this machine. With the PowerShell command below I checked whether the Windows Defender feature is installed on this machine. It has to be, because we have this server onboarded on Microsoft Defender.

Get-WindowsFeature windows-defender

The result is that the Windows Defender Antivirus feature is installed on this machine.
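The three checks above (client, engine and signature versions; the WinDefend service state; the Windows-Defender feature) can be collected in one pass. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on the affected Windows Server 2016 host and uses only the built-in Get-WindowsFeature, Get-Service and Get-MpComputerStatus cmdlets. It also reports the AMRunningMode value, which is the field that shows whether the antivirus is in passive mode.

```powershell
# Added diagnostic script (not from the original post). Assumes an elevated
# PowerShell session on a Windows Server host with the Defender module present.
# Collects the data points the post checks by hand: product/engine/signature
# versions, the WinDefend service state, and the Windows-Defender feature.

function Get-DefenderHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Feature state (Get-WindowsFeature is available on Server SKUs)
    $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
    $result['FeatureInstalled'] = [bool]($feature -and $feature.Installed)

    # 2. Core antivirus service state
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result['ServiceStatus'] = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # 3. Versions and running mode as reported by the platform.
    #    This call may fail while the service is stopped; record the error instead of aborting.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $result['AMProductVersion']          = $status.AMProductVersion
        $result['AMEngineVersion']           = $status.AMEngineVersion
        $result['AntivirusSignatureVersion'] = $status.AntivirusSignatureVersion
        $result['AMRunningMode']             = $status.AMRunningMode
        $result['AntivirusEnabled']          = $status.AntivirusEnabled
    } catch {
        $result['AMStatusError'] = $_.Exception.Message
    }

    # 4. State of the MDE sensor service (Sense), to compare with the portal's onboarded state
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result['SenseServiceStatus'] = if ($sense) { $sense.Status.ToString() } else { 'NotFound' }

    [pscustomobject]$result
}

# Turn the collected data into findings that match the symptoms described in the post
function Test-DefenderHealth {
    param([Parameter(Mandatory)]$Health)

    $findings = @()
    if (-not $Health.FeatureInstalled)            { $findings += 'Windows-Defender feature is not installed' }
    if ($Health.ServiceStatus -ne 'Running')      { $findings += "WinDefend service is $($Health.ServiceStatus)" }
    if ($Health.AMRunningMode -eq 'Passive Mode') { $findings += 'Defender Antivirus is in passive mode' }
    if ([string]::IsNullOrEmpty($Health.AMEngineVersion)) { $findings += 'Engine version is blank (platform not updated)' }
    if ($Health.AMStatusError) { $findings += "Get-MpComputerStatus failed: $($Health.AMStatusError)" }
    $findings
}

$health = Get-DefenderHealth
$health | Format-List

$issues = Test-DefenderHealth -Health $health
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Defender Antivirus looks healthy'
}
```

On the server described in the post this would print a stopped WinDefend service, a blank engine version and an old AMProductVersion, which is exactly the combination that points at a platform left in passive mode rather than at a missing feature.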

Solution

I came to the solution to this problem. This server had been running third-party antivirus software. Most third-party antivirus products configure Windows Defender Antivirus in passive mode. Removing the third-party antivirus software does not set Windows Defender Antivirus back to active mode. This has to be done manually.

Install Windows Defender Antivirus

In my situation Windows Defender Antivirus was installed, but it was not running. If you run into the situation that the Windows Defender Antivirus feature is not installed, you can install Windows Defender Antivirus by running the following commands on every server:

# For Windows Server 2016
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features
Dism /Online /Enable-Feature /FeatureName:Windows-Defender
Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui

# For Windows Server 2019 and Windows Server 2022
Dism /Online /Enable-Feature /FeatureName:Windows-Defender

Start Windows Defender Antivirus

From Windows Defender we can open the Windows Defender Antivirus UI. After opening this UI, I found out that Windows Defender Antivirus was turned off. With a click on a button we can turn Windows Defender Antivirus back into active mode.

Windows Defender Antivirus is turned off

This can also be done from the Windows Registry:

  1. Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
  2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode.
  3. Set the DWORD’s value to 1.
  4. Under Base, select Hexadecimal.

In Windows Server 2016, Windows Defender Antivirus can also be enabled by following these steps:

  1. As a local administrator on the server, open Command Prompt.
  2. Run the following command: MpCmdRun.exe -wdenable.
  3. Restart the device.

After enabling Windows Defender Antivirus, the UI looks like this.

Windows Defender enabled

Update antimalware client version

The antimalware client version can be updated in two ways:

  1. Through Windows Update. After Windows Defender Antivirus is enabled again, these Windows Updates become available.
  2. It is also possible to update the antimalware client manually, by downloading the update from the Microsoft security intelligence updates page.
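Both the registry-based change above and the update step can be verified from PowerShell rather than by eye. The script below is an added example, not code from the original post; it assumes an elevated session on the server. It reads the ForceDefenderPassiveMode value under the policy key named above, prints the running mode and versions, triggers a security intelligence update with the built-in Update-MpSignature cmdlet, and prints the same fields again. Per Microsoft's documentation for that policy value, 1 forces passive mode while 0 (or an absent value) allows active mode, so the check that matters after any registry edit is that AMRunningMode reads Normal.

```powershell
# Added verification script (not from the original post). Assumes an elevated
# PowerShell session on a Windows Server host with Defender Antivirus installed.
# Reads the passive-mode policy value, reports running mode and versions,
# runs a security intelligence update and reports again.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName  = 'ForceDefenderPassiveMode'

function Get-PassiveModePolicy {
    # Returns the DWORD if present, otherwise $null (absent means no policy forces passive mode)
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Show-RunningMode {
    $status = Get-MpComputerStatus
    $policy = Get-PassiveModePolicy
    $policyText = if ($null -eq $policy) { 'not set' } else { $policy }

    Write-Host ("ForceDefenderPassiveMode : {0}" -f $policyText)
    Write-Host ("AMRunningMode            : {0}" -f $status.AMRunningMode)
    Write-Host ("AMProductVersion         : {0}" -f $status.AMProductVersion)
    Write-Host ("AMEngineVersion          : {0}" -f $status.AMEngineVersion)
    Write-Host ("AntivirusSignatureVersion: {0}" -f $status.AntivirusSignatureVersion)
    return $status
}

Write-Host '--- Before update ---'
$before = Show-RunningMode

# Pull security intelligence (definition) updates from the configured update source.
# This is the PowerShell equivalent of "Check for updates" in the Defender UI.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Warning "Signature update failed: $($_.Exception.Message)"
}

Write-Host '--- After update ---'
$after = Show-RunningMode

# Active mode reports 'Normal'; anything else means the antivirus is still not the primary engine
if ($after.AMRunningMode -ne 'Normal') {
    Write-Warning "Antivirus is still in '$($after.AMRunningMode)'. Review the policy value above and the WinDefend service."
}

if ($after.AntivirusSignatureVersion -ne $before.AntivirusSignatureVersion) {
    Write-Host "Signature version changed from $($before.AntivirusSignatureVersion) to $($after.AntivirusSignatureVersion)"
} else {
    Write-Host 'Signature version unchanged (already current, or the update source is unreachable)'
}
```

Update-MpSignature only refreshes the security intelligence; the antimalware platform itself (the client version the wizard complained about) still arrives through Windows Update or the manual package, so a platform version that stays old after this script is expected until that update is installed.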

antimalware client version uptodate

Conclusion

Microsoft Defender for Endpoint is a powerful security solution that integrates seamlessly into an existing Microsoft environment. It is crucial to be aware of the consequences of using third-party antivirus software that puts Windows Defender Antivirus in passive mode. After uninstalling this software, Windows Defender Antivirus must be manually installed or enabled again. If you skip this step, you risk that Microsoft Defender for Endpoint will not function properly.

Stay safe!

This post is licensed under CC BY 4.0 by the author.