Original Articles:
Microsoft Defender Antivirus on Windows Server | Microsoft Docs
Windows Defender Turned Off by Group Policy [Solved] (varonis.com)
Part 1
Enable the user interface on Windows Server
Important
If you're using Windows Server 2012 R2, see Options to install Microsoft Defender for Endpoint.
By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default. The GUI isn't required; you can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus. However, many organizations prefer to use the GUI for Microsoft Defender Antivirus. To install the GUI, use one of the procedures in the following table:
Procedure | What to do |
---|---|
Turn on the GUI using the Add Roles and Features Wizard | 1. See Install roles, role services, and features by using the add Roles and Features Wizard, and use the Add Roles and Features Wizard. 2. When you get to the Features step of the wizard, under Windows Defender Features, select the GUI for Windows Defender option. |
Turn on the GUI using PowerShell | 1. On your Windows Server, open Windows PowerShell as an administrator. 2. Run the following PowerShell cmdlet: Install-WindowsFeature -Name Windows-Defender-GUI |
Install Microsoft Defender Antivirus on Windows Server
If you need to install or reinstall Microsoft Defender Antivirus on Windows Server, use one of the procedures in the following table:
Procedure | What to do |
---|---|
Use the Add Roles and Features Wizard to install Microsoft Defender Antivirus | 1. See Install or Uninstall Roles, Role Services, or Features, and use the Add Roles and Features Wizard. 2. When you get to the Features step of the wizard, select the Microsoft Defender Antivirus option. Also select the GUI for Windows Defender option. |
Use PowerShell to install Microsoft Defender Antivirus | 1. On your Windows Server, open Windows PowerShell as an administrator. 2. Run the following PowerShell cmdlet: Install-WindowsFeature -Name Windows-Defender |
Part 2
Solution 1: Using Group Policy
- Open Group Policy editor
- Select Local Computer Policy -> Administrative Templates -> Windows Components
- Select Windows Defender and, in the right panel, double-click the setting “Turn off Windows Defender”
- If you can’t run Windows Defender, “Turn off Windows Defender” is probably set to Enabled. You want to disable this option. You will need local administrative rights to make this change
You should be able to run Windows Defender after you update this GPO.
Solution 2: User Settings
Another option to re-enable Windows Defender is in the Control Panel Settings.
- Click the Start button and type Windows Defender, and double click the icon for Windows Defender Security Center – this might be slightly different depending on your version of Windows.
- Click Settings and look for a button labeled “Real Time Protection.” Make sure it is on.
Solution 3: Using the Command Line
Another solution is to run the following command from PowerShell – make sure to Run As Administrator.
Set-MpPreference -DisableRealtimeMonitoring 0
Solution 4: Using the Registry Editor
Editing the Registry is another possible fix for this issue.
- Run ‘regedit’
- Navigate through the tree to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender.
- Delete DisableAntiSpyware in the right pane.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection.
- Delete DisableRealtimeMonitoring in the right pane.
People report that sometimes the first one works, sometimes the second, sometimes both. Best to delete both to be sure.
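The checks from Solutions 3 and 4 combined into one audit script, as an added example that is not from either original article. The `-Remediate` switch and the variable names are assumptions of this example; the registry paths, value names and Defender cmdlets are the ones named above.

```powershell
#Requires -RunAsAdministrator
param([switch]$Remediate)  # assumed switch name: delete the policy values when set

# Policy values named in Solution 4 (paths and names as given on this page).
$policyValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableRealtimeMonitoring' }
)

$findings = foreach ($p in $policyValues) {
    # A missing key or value returns nothing here; treat that as "not set".
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    $present = $null -ne $item
    if ($present -and $Remediate) {
        Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction Stop
    }
    [pscustomobject]@{
        Key     = $p.Path
        Value   = $p.Name
        Present = $present
        Data    = if ($present) { $item.($p.Name) } else { $null }
        Removed = ($present -and $Remediate)
    }
}
$findings | Format-List

# Effective state as reported by the service and the Defender module.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        ServiceStatus             = (Get-Service -Name WinDefend -ErrorAction Stop).Status
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        DisableRealtimeMonitoring = (Get-MpPreference).DisableRealtimeMonitoring
    } | Format-List
}
catch {
    # Feature missing or service not running: see the install steps in Part 1.
    Write-Warning "Defender status unavailable: $($_.Exception.Message)"
}

if (($findings.Present -contains $true) -and -not $Remediate) {
    Write-Warning 'Policy values that disable Defender are present; re-run with -Remediate to delete them.'
}
```

If a deleted value comes back after the next Group Policy refresh, a policy is still setting it and has to be changed as in Solution 1. If it comes back with no policy behind it, continue with Solution 5.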
Solution 5: Reviewing Conflicting Programs
It is possible that attackers turned off Windows Defender by some other means and not from direct tampering with computer settings. You may have to investigate further to get everything back up and running.
Check for Malware
Malware can turn off Defender and keep it off despite your best efforts to re-enable it. If you aren’t able to turn Defender back on, you might be infected. Install and run another malware detector of your choice and see if you can find and remove the infection.
Another option is to do what Varonis ITSec does and reinstall the OS.
Check Third-Party Antivirus Tools
If none of the other solutions work and you have another antivirus application installed, make sure that it works with Windows Defender. Some antivirus programs don’t. Some EDR solutions do.
Windows Defender is a good line of defense in a layered security strategy, but it is relatively easy for attackers to work around. Just as easily as you can turn it on, they can turn it back off.