Windows Defender Antivirus compatibility
- Windows 10
- Windows Server 2016
- Enterprise security administrators
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called limited periodic scanning.
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used.
|Windows version||Antimalware protection offered by||Organization enrolled in Windows Defender ATP||Windows Defender AV state|
|Windows 10||A third-party product that is not offered or developed by Microsoft||Yes||Passive mode|
|Windows 10||A third-party product that is not offered or developed by Microsoft||No||Automatic disabled mode|
|Windows 10||Windows Defender AV||Yes||Active mode|
|Windows 10||Windows Defender AV||No||Active mode|
|Windows Server 2016||A third-party product that is not offered or developed by Microsoft||Yes||Active mode|
|Windows Server 2016||A third-party product that is not offered or developed by Microsoft||No||Active mode|
|Windows Server 2016||Windows Defender AV||Yes||Active mode|
|Windows Server 2016||Windows Defender AV||No||Active mode|
(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.
See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management options for Windows Server installations.
Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center Endpoint Protection, which is managed through System Center Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
This table indicates the functionality and features that are available in each state:
|State||Description||Real-time protection and cloud-delivered protection||Limited periodic scanning availability||File scanning and detection information||Threat remediation||Threat definition updates|
|Passive mode||Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service.|
|Automatic disabled mode||Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated.||]|
|Active mode||Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself).|
Passive mode is enabled if you are enrolled in Windows Defender ATP because the service requires common information sharing from the Windows Defender AV service in order to properly monitor your devices and network for intrusion attempts and attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still manage updates for Windows Defender AV, however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.
This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
It can also cause problems when using third-party antivirus apps and how their information is displayed in the Windows Defender Security Center app.