Microsoft Defender Disabled when deploying Microsoft Defender for Endpoint via Intune

Alejandro Miranda 20 Reputation points
2025-02-19T13:31:57.96+00:00

Hi!!

We are deploying Microsoft Defender for Endpoint via Intune and we have an issue with some devices: they appear as disabled in the Microsoft Defender console:

[Screenshot 2025-02-19 142437]

When we run MpComputerStatus this is the result:

[Image (2)]

There are other devices that, using the same way to onboard, are active in Microsoft Defender.

Both devices (active and disabled) have the previous antivirus uninstalled, and in both the value of the key DisableAntiSpyware in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender is "1" (so I assume that registry key is not the problem).

Any help with those disabled devices? Thank you!!


1 answer

  1. Crystal-MSFT 52,216 Reputation points Microsoft Vendor
    2025-02-20T02:15:19.7366667+00:00

    @Alejandro Miranda, thanks for posting in Q&A. From your description, I find the registry key you mentioned determines whether to disable Microsoft Defender Antivirus. By default, Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program on the device. I notice we have the other antivirus uninstalled. It seems the registry has not been changed to 0.

    As you mentioned, the registry on both active and disabled devices is the same. That sounds strange.

    But this is a very related reason. I still suggest changing the registry key value to 0 manually on these affected devices to see if the result will be different.

    https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware

    However, if the issue still persists, please open a case with Microsoft Defender for Endpoint support to look into the issue.

    https://learn.microsoft.com/en-us/defender-endpoint/contact-support

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
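
To compare an active and a disabled device beyond the single registry value discussed in this thread, the following read-only PowerShell sketch is an added example (not part of the original question or answer, and not Microsoft's own tooling). The function names `Get-DefenderStateSnapshot` and `Compare-DefenderState` and the output file names are hypothetical; it assumes an elevated session on a Windows client device where the Defender cmdlets are available.

```powershell
# Added example: read-only snapshot of the Defender state discussed in this thread.
# Function names and file names are hypothetical; nothing is modified on the device.
function Get-DefenderStateSnapshot {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue

    # Get-MpComputerStatus returns nothing if the Defender service is not running.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Antivirus products registered with Windows Security Center (client editions only).
    # A leftover registration from the previous antivirus would show up here.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    # WinDefend = Defender Antivirus service, Sense = Defender for Endpoint sensor.
    $services = foreach ($name in 'WinDefend', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { '{0}={1}/{2}' -f $name, $svc.Status, $svc.StartType } else { "$name=missing" }
    }

    [pscustomobject]@{
        DisableAntiSpyware        = if ($policy) { $policy.DisableAntiSpyware } else { 'not set' }
        AMRunningMode             = $mp.AMRunningMode
        AMServiceEnabled          = $mp.AMServiceEnabled
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        IsTamperProtected         = $mp.IsTamperProtected
        RegisteredAntivirus       = ($av.displayName | Sort-Object) -join ', '
        Services                  = $services -join '; '
    }
}

# Lists only the settings that differ between two saved snapshots.
function Compare-DefenderState {
    param([string]$ActiveFile, [string]$DisabledFile)
    $active   = Get-Content -Path $ActiveFile -Raw | ConvertFrom-Json
    $disabled = Get-Content -Path $DisabledFile -Raw | ConvertFrom-Json
    foreach ($name in $active.PSObject.Properties.Name) {
        if ("$($active.$name)" -ne "$($disabled.$name)") {
            [pscustomobject]@{ Setting = $name; Active = $active.$name; Disabled = $disabled.$name }
        }
    }
}

# On each device: save a snapshot named after the computer.
Get-DefenderStateSnapshot | ConvertTo-Json | Set-Content -Path ".\defender-state-$env:COMPUTERNAME.json"

# On an admin workstation, after copying both files (file names are placeholders):
# Compare-DefenderState -ActiveFile .\defender-state-ACTIVE.json -DisabledFile .\defender-state-DISABLED.json
```

Because the registry value is reported as identical on both devices, the rows this comparison returns (for example a different running mode or a leftover registered antivirus) are the details worth attaching to a support case.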
