Symptom & Impact
Real-time protection remains off despite endpoint protection requirements, often after conflicting baseline deployment. Malware exposure increases and security audits fail. EDR visibility becomes incomplete if core AV components are disabled.
Quick Checks
Review Defender health, tamper protection state, and applied policy precedence across local and domain scopes.
Get-MpComputerStatus
Get-MpPreference
gpresult /h C:\Temp\defender-gp.html
Deep Diagnosis
Inspect Security-Mitigations and Defender operational logs for policy source and enforcement errors.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 150
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Get-CimInstance -Namespace root\Microsoft\Windows\Defender -ClassName MSFT_MpComputerStatus
Primary Fix
Remove conflicting disable keys, re-enable Defender components, and force a policy refresh from the authoritative source.
Remove-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
Set-MpPreference -DisableRealtimeMonitoring $false
Restart-Service WinDefend
gpupdate /force
Verification
Real-time and behavior monitoring should report enabled with up-to-date signatures.
Get-MpComputerStatus | Select AMRunningMode,RealTimeProtectionEnabled,AntispywareSignatureLastUpdated
Update-MpSignature
Prevention & Hardening
Consolidate AV policy ownership and monitor drift for disable flags via compliance scripts.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Get-MpPreference | Select DisableRealtimeMonitoring,DisableIOAVProtection
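A drift check of the kind described above, combining the policy key, preference, and status queries into one read-only script. This is an added example, not part of the original article; the Real-Time Protection subkey values checked, the three-day signature threshold, and the exit-code convention are assumptions to adapt to your baseline.

```powershell
# Added example: read-only drift check for Defender disable flags.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$maxSignatureAgeDays = 3   # assumed threshold; set to your baseline

function Get-DefenderDrift {
    $findings = @()
    $rtFlags = 'DisableRealtimeMonitoring','DisableBehaviorMonitoring','DisableIOAVProtection'

    # 1. Disable values written at policy scope (GPO, baseline, or script).
    $policyChecks = @(
        @{ Path = $policyRoot; Names = @('DisableAntiSpyware') },
        @{ Path = "$policyRoot\Real-Time Protection"; Names = $rtFlags }
    )
    foreach ($check in $policyChecks) {
        $key = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        foreach ($name in $check.Names) {
            if ($null -ne $key -and $key.PSObject.Properties[$name] -and $key.$name -eq 1) {
                $findings += [pscustomobject]@{ Source = 'Policy'; Setting = "$($check.Path)\$name"; Detail = 'set to 1' }
            }
        }
    }

    # 2. Effective preferences as Defender reports them.
    $pref = Get-MpPreference
    foreach ($name in $rtFlags) {
        if ($pref.$name) {
            $findings += [pscustomobject]@{ Source = 'Preference'; Setting = $name; Detail = 'True' }
        }
    }

    # 3. Runtime state: protection, tamper protection, signature age.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{ Source = 'Status'; Setting = 'RealTimeProtectionEnabled'; Detail = 'False' }
    }
    if (-not $status.IsTamperProtected) {
        $findings += [pscustomobject]@{ Source = 'Status'; Setting = 'IsTamperProtected'; Detail = 'False' }
    }
    $sigDate = $status.AntispywareSignatureLastUpdated
    if (-not $sigDate -or ((Get-Date) - $sigDate).TotalDays -gt $maxSignatureAgeDays) {
        $findings += [pscustomobject]@{ Source = 'Status'; Setting = 'AntispywareSignatureLastUpdated'; Detail = "$sigDate" }
    }
    return $findings
}

$drift = @(Get-DefenderDrift)
$drift | Format-Table -AutoSize
if ($drift.Count -gt 0) { exit 1 }   # assumed convention: non-zero exit = drift
```

Run it from an elevated session on a schedule; the Source column separates flags written at policy scope from Defender's effective preferences and its runtime state.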

