Tuesday, 27 December 2022

Re-enabling Defender on Windows 2016 servers via command line

I've carried out a number of Microsoft Defender for Endpoint deployments recently. I find that workstations are easy enough to deal with, but it can be a pain working with low-level servers. Windows Defender shipped natively with Windows Server 2016, and organizations came up with some pretty creative ways to stop Defender from running. In fairness, at the time, Defender caused some pretty serious CPU spikes when co-existing with a third-party antivirus solution.

I've come across three scenarios in particular. They are easy enough to deal with in the UI but I just wanted to show how you can also deal with these using commands. This was essential for me when working at scale and using management tools to automate the solution.

Scenario 1: the Defender feature had been uninstalled.

The Defender features can be added back using the "Add Roles and Features wizard". Don't forget to add the sub-features as well.

Scenario 1 command line:

Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features

Dism /Online /Enable-Feature /FeatureName:Windows-Defender

Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui

Don't forget to add a reboot step afterwards.

Scenario 2: Defender service had been disabled.

You'll be notified that the Defender service is stopped and you won't be able to start it. I found this scenario when Microsoft Defender Antivirus was disabled through Group Policy.

First make sure that you reverse this policy. Just set it to Not Configured, do not choose Disable.

Scenario 2 command line:

Re-enable Defender using this command:

MpCmdRun.exe -wdenable

It must be executed from "C:\Program Files\Windows Defender" and you must add a step to reboot the system afterwards.

Scenario 3: Defender is turned off.

Essentially this means that Real-time protection is turned off.

It can be turned on in Settings > Windows Defender.

Scenario 3 command line:

You can turn on Real-time protection programmatically using PowerShell:

Set-MpPreference -DisableRealtimeMonitoring 0

You don't need a reboot for this one.
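An added example (this editor's script, not the author's) that ties the three checks together so a management tool can push out one script; it assumes an elevated PowerShell session on Windows Server 2016 and uses Install-WindowsFeature in place of the three Dism lines:

```powershell
# Added example, not the author's script: check a Windows Server 2016 host for the three
# scenarios above and remediate each the way the post describes. Run from an elevated
# PowerShell session. Feature names, the MpCmdRun path and the DisableAntiSpyware policy
# value are real; the script structure is this editor's.
$mpCmdRun     = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rebootNeeded = $false

# Scenario 1: the feature was uninstalled. Installing the parent feature with
# -IncludeAllSubFeature also brings back Windows-Defender and Windows-Defender-Gui,
# which is the same result as the three Dism lines above.
$feature = Get-WindowsFeature -Name 'Windows-Defender-Features'
if (-not $feature.Installed) {
    Write-Host 'Scenario 1: Defender feature is not installed, adding it'
    $result = Install-WindowsFeature -Name 'Windows-Defender-Features' -IncludeAllSubFeature
    if ($result.RestartNeeded -ne 'No') { $rebootNeeded = $true }
    # The service and the Defender cmdlets only exist after the reboot, so stop here.
    Write-Host 'Reboot, then run this script again to check scenarios 2 and 3'
    return
}

# Scenario 2: the service was disabled, typically by the "Turn off Microsoft Defender
# Antivirus" policy, which writes DisableAntiSpyware = 1 under the policy key.
# The post's order is kept: the policy must be reversed before MpCmdRun -wdenable.
$policy = Get-ItemProperty -Path $policyKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
$svc    = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Warning 'DisableAntiSpyware policy is still applied; set the GPO to Not Configured and re-run'
} elseif (-not $svc -or $svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
    Write-Host 'Scenario 2: Defender service is disabled, running MpCmdRun -wdenable'
    & $mpCmdRun -wdenable
    $rebootNeeded = $true
}

# Scenario 3: the service runs but Real-time protection is off. No reboot is needed.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and -not $status.RealTimeProtectionEnabled) {
    Write-Host 'Scenario 3: Real-time protection is off, enabling it'
    Set-MpPreference -DisableRealtimeMonitoring $false
}

if ($rebootNeeded) {
    Write-Host 'Reboot required to finish re-enabling Defender'
    # Restart-Computer -Force   # uncomment for unattended runs
} else {
    Write-Host 'Defender is enabled; no reboot required'
}
```

Run it once more after any reboot so the later scenarios are checked on the final state.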

I hope this information helps you automate your Defender deployment.

Until next time.....


4 comments:

  1. How to stop Defender when the server is onboarded to Microsoft 365 Defender?

    Replies
    1. Why would you want to stop Defender, especially if it supports passive mode or can use EDR block?

  2. I'm facing an error message while trying it: "The referenced assembly could not be found". Any thoughts or hints?

  3. Hi there, I'm trying to follow these steps and got an error message: "The referenced assembly could not be found". Can you tell me how to get past it?