6

I've spent a few months rolling out Group Policy for Windows Defender on a small business domain (about 25 workstations), and gathering the results with Event Viewer. (We are not running SCCM.) I have it set to run a quick scan every day, and a full scan once weekly. The group policy is enforced, and the GPResult output shows it's being processed on the workstations. They randomly scan, without rhyme or reason, very infrequently and never when I specified, like once a week for either scan if lucky. The scans ALWAYS quit early. Full scans quit EXACTLY one hour after start, and the quick scans quit after 9 or 10 minutes.

In an attempt to wrangle in these machines, I'm trying to create a scheduled task to run the quick and full scans explicitly. When the task is created (user is SYSTEM), it will NEVER run. It quits the job instantly with return code 2147942402. I've seen people solve this issue on home machines by running the task as the user's account, and saving the credentials. This is obviously a workaround that will not scale to a corporate setting.

At this point I've exhausted searching the web, and I'm curious, with these awful results, how anyone uses Defender in a business. It doesn't respond to GPO and it won't run as a non-user account. Does anyone have any insight as to how to deploy Defender in a small business domain?

There is no way we're buying into the cloud management services from MS just to get this inept AV scanner to run, I'd rather go third party if this is a losing scenario. Please speak up if you've successfully used Defender in a business environment, I can't find anyone on the web with similar issues. Is everyone using third party AV?

GPO Settings:
Windows Defender Antivirus:
    Turn Off Windows Defender Antivirus             Disabled
    Randomize scheduled task times                  Disabled
MAPS:
    Join Microsoft MAPS                             Disabled
    Configure local setting override for reporting to Microsoft Disabled
Real-time Protection:
    Turn off real-time protection                   Disabled
    Turn on behavior monitoring                     Enabled
    Scan all downloaded files and attachments       Enabled
Scan:
    Check for the latest virus and spyware defs before run… Enabled
    Scan removable drives                                   Disabled
    Run full scan on mapped network drives                  Disabled
    Scan network files                                      Disabled
    Specify the interval to run quick scans per day         Enabled (24)
    Specify the scan type to use for a scheduled scan       Enabled (Full system scan)
    Specify the day of the week to run a scheduled scan*    Enabled (Wed)
    *This value did not show once saved, had to update ADMX templates to 1809
    Specify the time for a daily quick scan                 Enabled (360)(6AM)
    Specify the time of day to run a scheduled scan         Enabled (1320)(10PM)
    Configure local setting override for the scan type to use for…  Disabled
    Configure local setting override for schedule scan day          Disabled
    Configure local setting override for scheduled quick scan ti…   Disabled
    Configure local setting override for scheduled scan time        Disabled
  • About how many computers does your company have? Also, have you tried setting up scheduled tasks for this and deploying them with something like PDQ or SCCM? I'm not familiar with using Defender in an enterprise environment but that's how I imagine it would be done. – McITGuy Apr 08 '19 at 17:39
  • I mentioned it's about 25 workstations. Yes I've tried scheduled tasks, but they don't work even in testing, so haven't deployed yet, but would probably just use GPOs. – corporate_IT_drone Apr 08 '19 at 17:41
  • Though I'm not managing such a small environment, and am instead using 3rd party AV, I can't believe you've had such a tough time with Defender! Are you sure that the local system account is ineffective to run scheduled quick/full scan? It's hard to digest! I think you should start with investigating the limited time of scanning. – Am_I_Helpful Apr 08 '19 at 17:42
  • The limited time of scans is a problem with the way that Defender creates its scheduled tasks. This is why I gave up deploying it with GPO and I want to create my own Scheduled Tasks explicitly, however it doesn't seem that you can do that and run it as SYSTEM. Nothing I've tried can get these machines to scan when you want them to. It blows my mind how difficult this has been. – corporate_IT_drone Apr 08 '19 at 17:47
  • Do you receive any events when the scans stop? – Michael Hampton Apr 08 '19 at 17:50
  • Event Viewer sometimes shows a Warning, Event 1002, scan has been stopped before completion. This happens when you let Defender schedule its own tasks, they will quit after one hour. When I create my own task, it will not run, and gives the error I mention in the post. – corporate_IT_drone Apr 08 '19 at 17:57
  • What are the Group Policy settings you have actually configured? For example if not explicitly configured the "Randomize scheduled task times" is enabled by default as per https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus – Sim Apr 16 '19 at 04:56
  • Also the setting "Start the scheduled scan only when computer is on but not in use" may stop the scans based on user interaction see https://social.technet.microsoft.com/Forums/windows/en-US/a890ee38-cfef-4b46-88f7-2009bc02ee04/windows-defender-scan-has-been-stopped-before-completion?forum=win10itproapps – Sim Apr 16 '19 at 04:57
  • @Sim Thanks for suggestion about randomizing time. I've Disabled this now, but even when that policy is enabled it says the randomization is +/- 30 minutes from scheduled time which is not the case here. Also when testing Scheduled tasks, we did not enable "Start scan when computer is on but not in use" – corporate_IT_drone Apr 17 '19 at 16:01
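
For reference alongside the question and comments above, an added PowerShell example (not from the original post or any commenter): it decodes the task result 2147942402 as an HRESULT, registers a SYSTEM-run scan task with the program and its arguments in separate fields, and reads back the schedule settings and scan events the workstation actually holds. The task name is hypothetical, and the MpCmdRun.exe path is the default install location, assumed here and checked before use.

```powershell
# Added example, not from the original post. Run from an elevated prompt.

function ConvertFrom-TaskResult {
    # Split a Task Scheduler "Last Run Result" into its HRESULT fields.
    param([Parameter(Mandatory)][int64]$Code)
    $facility = ($Code -shr 16) -band 0x7FF
    $low      = [int]($Code -band 0xFFFF)
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $Code
        Failed   = [bool](($Code -shr 31) -band 1)
        Facility = $facility
        Code     = $low
        # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error code.
        Message  = if ($facility -eq 7) {
                       [System.ComponentModel.Win32Exception]::new($low).Message
                   } else { '(not a wrapped Win32 error)' }
    }
}

function Register-DefenderScanTask {
    param(
        [string]$TaskName = 'Example Defender Quick Scan',  # hypothetical name
        [ValidateSet(1, 2)][int]$ScanType = 1,              # 1 = quick, 2 = full
        [string]$At = '6:00AM'
    )
    # Assumed default location; fail early if it is not there.
    $exe = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $exe)) { throw "MpCmdRun.exe not found at $exe" }
    # Program path and arguments are kept in separate fields of the action.
    $action    = New-ScheduledTaskAction -Execute $exe -Argument "-Scan -ScanType $ScanType"
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

# The code from the question: 0x80070002, facility 7, code 2 (ERROR_FILE_NOT_FOUND).
ConvertFrom-TaskResult 2147942402

Register-DefenderScanTask
Get-ScheduledTaskInfo -TaskName 'Example Defender Quick Scan' |
    Select-Object LastRunTime, LastTaskResult

# Effective schedule on this machine, to compare with the GPO values listed above.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    ScanScheduleQuickScanTime, RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled

# Scan started (1000), finished (1001) and stopped before completion (1002).
Get-WinEvent -MaxEvents 20 -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1000, 1001, 1002
} | Select-Object TimeCreated, Id, Message
```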

1 Answer

0

Sorry to be a salesman but if you run out of patience we've had a lot of luck with Webroot. Configuration is easy and it is extremely lightweight. https://www.webroot.com/us/en/business/help-me-choose

Matt D
  • 61
  • 2