Windows Defender Antivirus compatibility

Applies to:

  • Windows 10
  • Windows Server 2016

Audience

  • Enterprise security administrators

Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.

However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called limited periodic scanning.

If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.

The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used.

Windows version Antimalware protection offered by Organization enrolled in Windows Defender ATP Windows Defender AV state
Windows 10 A third-party product that is not offered or developed by Microsoft Yes Passive mode
Windows 10 A third-party product that is not offered or developed by Microsoft No Automatic disabled mode
Windows 10 Windows Defender AV Yes Active mode
Windows 10 Windows Defender AV No Active mode
Windows Server 2016 A third-party product that is not offered or developed by Microsoft Yes Active mode[1]
Windows Server 2016 A third-party product that is not offered or developed by Microsoft No Active mode[1]
Windows Server 2016 Windows Defender AV Yes Active mode
Windows Server 2016 Windows Defender AV No Active mode

(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.

See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management options for Windows Server installations.

Important

Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.

In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center Endpoint Protection, which is managed through System Center Configuration Manager.

Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).

This table indicates the functionality and features that are available in each state:

State Description Real-time protection and cloud-delivered protection Limited periodic scanning availability File scanning and detection information Threat remediation Threat definition updates
Passive mode Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. Check mark no Check mark yes Check mark yes Check mark no Check mark yes
Automatic disabled mode Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. Check mark no Check mark yes Check mark no Check mark no Check mark no ]
Active mode Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). Check mark yes Check mark no Check mark yes Check mark yes Check mark yes

Passive mode is enabled if you are enrolled in Windows Defender ATP because the service requires common information sharing from the Windows Defender AV service in order to properly monitor your devices and network for intrusion attempts and attacks.

Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.

In passive and automatic disabled mode, you can still manage updates for Windows Defender AV, however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.

If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.

Warning

You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.

This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.

It can also cause problems when using third-party antivirus apps and how their information is displayed in the Windows Defender Security Center app.