Windows Defender Antivirus compatibility

Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.

However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.

If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. Important: Real-time protection will not be provided and threats will not be remediated by Windows Defender AV.

The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used.

| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state |
|---|---|---|---|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
| Windows 10 | Windows Defender AV | Yes | Active mode |
| Windows 10 | Windows Defender AV | No | Active mode |
| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[1] |
| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[1] |
| Windows Server 2016 | Windows Defender AV | Yes | Active mode |
| Windows Server 2016 | Windows Defender AV | No | Active mode |

[1] On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine. If you are using Windows Server, version 1803 or Windows 2019, you can enable passive mode by setting this registry key:

  • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • Name: ForceDefenderPassiveMode
  • Value: 1

See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management options for Windows Server installations.

Important

Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.

In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center Endpoint Protection, which is managed through System Center Configuration Manager.

Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).

This table indicates the functionality and features that are available in each state:

| State | Description | Real-time protection and cloud-delivered protection | Limited periodic scanning availability | File scanning and detection information | Threat remediation | Security intelligence updates |
|---|---|---|---|---|---|---|
| Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | No | No | Yes | No | Yes |
| Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | No | Yes | No | No | No |
| Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | Yes | No | Yes | Yes | Yes |

If you are enrolled in Microsoft Defender ATP and you are using a third-party antimalware product, then passive mode is enabled because the service requires common information sharing from the Windows Defender AV service in order to properly monitor your devices and network for intrusion attempts and attacks.

Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.

In passive and automatic disabled mode, you can still manage updates for Windows Defender AV; however, you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.

If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.

Warning

You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Microsoft Defender ATP, or the Windows Security app.

This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and processes. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.

It can also cause problems when you use third-party antivirus apps, and with how their information is displayed in the Windows Security app.
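
To check which of the states described above a machine is actually in, the following read-only PowerShell audit is an added example, not part of the original page or of Microsoft's tooling. It assumes the Defender module's Get-MpComputerStatus cmdlet is available; the AMRunningMode property is assumed to be present only on newer Defender platform versions, and the root/SecurityCenter2 query works on client editions only.

```powershell
# Added example: read-only audit of the Windows Defender AV state on this machine.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

# Registry value from the page; $null when the key or value is absent.
$forced = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

# Defender's own view of its state; $null if the Defender cmdlets or service are unavailable.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

# Products registered with Security Center. The namespace exists on client
# editions only, so this stays empty on Windows Server.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName
$thirdParty = $registered | Where-Object { $_ -notmatch 'Defender' }

# Services and processes the page warns against stopping or modifying.
$services  = Get-Service -Name wscsvc, SecurityHealthService, Sense, WinDefend -ErrorAction SilentlyContinue
$processes = Get-Process -Name MsSense, MsMpEng -ErrorAction SilentlyContinue

[pscustomobject]@{
    ForceDefenderPassiveMode  = $forced
    AMRunningMode             = $mp.AMRunningMode   # assumption: newer Defender platform versions only
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    SignatureAgeDays          = $mp.AntivirusSignatureAge
    RegisteredProducts        = $registered -join '; '
    RunningProcesses          = ($processes.Name | Sort-Object -Unique) -join ', '
} | Format-List

$services | Select-Object Name, Status, StartType | Format-Table -AutoSize

# Findings tied to the page's state table and warning.
if ($forced -eq 1) {
    Write-Warning 'ForceDefenderPassiveMode=1: Defender AV will not remediate threats; confirm a third-party product provides real-time protection.'
}
if ($mp -and $registered -and -not $mp.RealTimeProtectionEnabled -and -not $thirdParty) {
    Write-Warning 'Defender real-time protection is off and no third-party product is registered with Security Center.'
}
$services | Where-Object { $_.Status -ne 'Running' -or $_.StartType -eq 'Disabled' } | ForEach-Object {
    Write-Warning "Service $($_.Name) is $($_.Status) (start type $($_.StartType)); verify this is expected for this machine."
}
```

A stopped Sense service is normal on machines that are not enrolled in Microsoft Defender ATP, so treat the service warnings as prompts to compare against the expected state rather than as findings on their own.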