Question

AS-4082 asked (LeonLaude commented):

Unable to set Server 2019 1809 Defender passive mode

I have to set a Windows Server 2019 1809 Defender into passive mode.
I followed the instructions on microsoft-defender-antivirus-on-windows-server and set Defender into passive mode using a registry key. I also rebooted the server.

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Type: REG_DWORD
Value: 1

To check the Defender mode I run the PowerShell command "Get-MpComputerStatus" to get the AMRunningMode, as described here:
edr-in-block-mode - How do I confirm Microsoft Defender Antivirus is in active or passive mode?

As a result, AMRunningMode is still "Normal" instead of "Passive Mode".

I'm wondering why the registry key isn't working.

windows-server-2019

1 Answer

LeonLaude answered:

Hi @AS-4082,

Have you made sure you meet all the requirements to run Microsoft Defender Antivirus in passive mode?

Requirements for Microsoft Defender Antivirus to run in passive mode

In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet the following requirements:

- Operating system: Windows 10 or later; Windows Server, version 1803, or newer; or Windows Server 2019
- Microsoft Defender Antivirus must be installed
- Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution
- Endpoints must be onboarded to Defender for Endpoint


Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon


AS-4082 commented:

Thanks for answering @LeonLaude

  • Microsoft Defender Antivirus must be installed
    -> True, fresh Windows Server 2019 installation without OS "modifications".

  • Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution
    -> True, CrowdStrike (Windows Sensor), but not recognised as alternative AV solution by OS.

  • Endpoints must be onboarded to Defender for Endpoint
    -> N/A, no Defender for Endpoint in place (no centrally managed MS Endpoint protection)

I also have the options of disabling Real-time Protection or uninstalling Defender altogether (Uninstall-WindowsFeature -Name Windows-Defender). But I thought passive mode would be better because of the additional security layer, instead of uninstalling Defender.

LeonLaude commented:

If Windows does not recognize CrowdStrike as an antivirus solution, this could potentially be an issue.
I stumbled upon this Reddit thread over here:
https://www.reddit.com/r/crowdstrike/comments/iqcenl/does_crowdstrike_disable_windows_security_systems/

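The thread boils down to three things that decide whether the policy value from the question takes effect on Windows Server 2019: the ForceDefenderPassiveMode value itself, whether the machine is onboarded to Defender for Endpoint (the requirement from the answer that the asker reported as not met), and what the engine actually reports in AMRunningMode. The script below is an added example, not code from any participant in the thread; it reads those three indicators in one go and warns about whichever one is missing. The OnboardingState value under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status is the location the Defender for Endpoint sensor uses to record onboarding (1 = onboarded); the policy path and value name are the ones from the question. Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the thread): check the three indicators that decide
# whether Microsoft Defender Antivirus on Windows Server 2019 can enter passive mode.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-PassiveModeReadiness {
    # 1. The policy value from the question: ForceDefenderPassiveMode = 1 (REG_DWORD).
    $force = (Get-ItemProperty -Path $policyPath -Name ForceDefenderPassiveMode `
                -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # 2. Defender for Endpoint onboarding: the sensor writes OnboardingState = 1 once onboarded.
    $onboarded = (Get-ItemProperty -Path $statusPath -Name OnboardingState `
                    -ErrorAction SilentlyContinue).OnboardingState

    # 3. What the antimalware engine itself reports (the check from the question).
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        ForceDefenderPassiveMode  = $force
        OnboardingState           = $onboarded
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AMRunningMode             = $status.AMRunningMode
    }
}

$r = Get-PassiveModeReadiness
$r | Format-List

if ($r.ForceDefenderPassiveMode -ne 1) {
    Write-Warning "ForceDefenderPassiveMode is not 1 under $policyPath (create it as REG_DWORD = 1)."
}
if ($r.OnboardingState -ne 1) {
    Write-Warning 'Server is not onboarded to Defender for Endpoint; the answer lists onboarding as a requirement for passive mode on Windows Server.'
}
if ($r.AMRunningMode -eq 'Normal') {
    Write-Warning 'Defender AV is still in active (Normal) mode, so it and the third-party sensor are both scanning in parallel.'
}
```

If the output shows ForceDefenderPassiveMode = 1 but OnboardingState is empty and AMRunningMode stays "Normal", the machine is in exactly the state described in the comments: the policy is present but the onboarding requirement is not satisfied, so the engine keeps running as the primary antivirus. Re-running the function after onboarding (and a reboot) is a quick way to confirm the switch to "Passive Mode" without reading the registry by hand.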