Update defender-antivirus-compatibility-without-mde.md

denisebmsft · denisebmsft · commit 9a388f481ccf · 2024-12-30T12:09:33.000-08:00
diff --git a/defender-endpoint/defender-antivirus-compatibility-without-mde.md b/defender-endpoint/defender-antivirus-compatibility-without-mde.md
@@ -1,26 +1,23 @@
 ---
-# Required metadata
-# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
-# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
-
 title: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint
 description: Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions Antivirus protection without Defender for Endpoint
-author:      YongRhee-MSFT # GitHub alias
-ms.author:   yongrhee # Microsoft alias
+author: denisebmsft
+ms.author: deniseb
+ms.reviewer: yongrhee
 ms.service: defender-endpoint
-ms.topic: article
-ms.date:     12/27/2024
+ms.topic: conceptual
+ms.date: 12/30/2024
 ms.subservice: ngp
----
+search.appverid: met150
+ms.localizationpriority: medium
 
-# Microsoft Defender Antivirus and third-party antivirus solutions without Defender for Endpoint
+---
 
-__Applies to:__
+# Microsoft Defender Antivirus and non-Microsoft antivirus solutions without Defender for Endpoint
 
-- [Microsoft Defender for Endpoint Plan 1](/defender-endpoint/microsoft-defender-endpoint)
+**Applies to**:
 
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
-
 - Microsoft Defender Antivirus
 
 This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that aren't onboarded to Defender for Endpoint.
@@ -39,50 +36,52 @@ The following table summarizes what to expect:
 > [!NOTE]
 > On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus by using the following PowerShell cmdlet (as an administrator): `Uninstall-WindowsFeature Windows-Defender`. Restart your server to finish removing Microsoft Defender Antivirus. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*. If you uninstall your non-Microsoft antivirus product, make sure that Microsoft Defender Antivirus is re-enabled. See **[Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](/defender-endpoint/enable-update-mdav-to-latest-ws)**.
 
-Check the services and filter drivers for Microsoft Defender Antivirus
-
+Check the services and filter drivers for Microsoft Defender Antivirus by using the following command:
 
 ```powershell
+
 gsv WinDefend, WdBoot, WdFilter, WdNisSvc, WdNisDrv | ft -auto DisplayName, Name, StartType, Status
+
 ```
 
-|Display Name|Name|StartType|Status when Defender AV is enabled| Status when Defender AV is disabled| Comments |
+|Display Name|Name|StartType|Status when Microsoft Defender Antivirus is enabled| Status when Microsoft Defender Antivirus is disabled| Comments |
 | -------- | -------- | -------- | -------- | -------- | -------- |
-|Microsoft Defender Antivirus Boot Driver |WdBoot|Boot |Stopped (0x0 Boot_start)| Stopped (0x3 Demand_start)|It’s normal to be stopped after boot. |
-|Microsoft Defender Antivirus Mini-Filter Driver|WdFilter|Manual |Running (0x0 Boot_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. |
-|Microsoft Defender Antivirus Network Inspection System Driver |WdNisDrv|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. |
-|Microsoft Defender Antivirus Network Inspection Service |WdNisSvc|Manual|Running (0x3 Demand_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped. |
-|Microsoft Defender Antivirus Service|WinDefend|Automatic|Running (0x2 Auto_start)|Stopped (0x3 Demand_start)|If a 3rd party AV is installed, then this will be stopped.|
+|Microsoft Defender Antivirus Boot Driver |`WdBoot`|Boot |Stopped (`0x0 Boot_start`)| Stopped (`0x3 Demand_start`)|It's normal to be stopped after boot. |
+|Microsoft Defender Antivirus Mini-Filter Driver|`WdFilter`|Manual |Running (`0x0 Boot_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. |
+|Microsoft Defender Antivirus Network Inspection System Driver |`WdNisDrv`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. |
+|Microsoft Defender Antivirus Network Inspection Service |`WdNisSvc`|Manual|Running (`0x3 Demand_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped. |
+|Microsoft Defender Antivirus Service|`WinDefend`|Automatic|Running (`0x2 Auto_start`)|Stopped (`0x3 Demand_start`)|If a non-Microsoft antivirus solution is installed, expect status to be stopped.|
 
 ### Frequently Asked Questions (FAQ)
 
 Q: Can I update Microsoft Defender Antivirus components such as "Security intelligence update" or "Engine update" "Platform update" when Microsoft Defender Antivirus is disabled?
 
-A: No.  When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update".
+A: No. When Microsoft Defender Antivirus is disabled, since the services and drivers are not running, you will not be able to update the components such as "Security intelligence update" or "Engine update" "Platform update".
 
 > [!TIP]
-> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus will go into 'passive mode' in Windows clients and via a registry key in Windows Servers, where you will be able to update the different components of Microsoft Defender Antivirus.
+> If you are migrating to Microsoft Defender for Endpoint, when onboarded, Microsoft Defender Antivirus goes into passive mode automatically on Windows clients, and can be set to passive mode using a registry key on Windows Server. You can update the different components of Microsoft Defender Antivirus.
 
 Q: Can I manually change the start type of the services and drivers for Microsoft Defender Antivirus?
 
-A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images.  On Windows clients, the supported method is via the third-party antivirus solution registering to Windows Security Center (WSC) api.  Or on Windows Servers uninstalling Microsoft Defender Antivirus feature, via the Roles and Features MMC or via Powershell (Run as admin): 
-
+A: We do not support the manual modification of the start type of the services and drivers for Microsoft Defender Antivirus in Windows images. On Windows clients, the supported method is by registring your non-Microsoft antivirus in Windows Security (WSC) api. Or, on Windows Server, you can uninstall the Microsoft Defender Antivirus feature by using roles and features MMC or by running the following PowerShell command (as an administrator): 
 
 ```powershell
+
 Uninstall-WindowsFeature Windows-Defender
+
 ```
 
-Q: Can I use Microsoft Defender Antivirus in "passive mode" without onboarding to Microsoft Defender for Endpoint?
+Q: Can I use Microsoft Defender Antivirus in passive mode without onboarding to Microsoft Defender for Endpoint?
 
-A: No.  "Passive mode" is a functionality of Microsoft Defender for Endpoint Plan 2.
+A: No. Passive mode is functionality in Microsoft Defender for Endpoint Plan 2.
 
-Q: Can I use "EDR in block mode" without onboarding to Microsoft Defender for Endpoint?
+Q: Can I use [EDR in block mode](edr-in-block-mode.md) without onboarding to Microsoft Defender for Endpoint?
 
-A: No.  "EDR in block mode" is a functionality of Microsoft Defender for Endpoint Plan 2.
+A: No. EDR in block mode is a functionality in Microsoft Defender for Endpoint Plan 2.
 
-Q: Can I use "Indicators" - "File hash" or "IP address/URL's" or "Certificates" with Microsoft Defender Antivirus (active mode) with M365 E3/A3 license?
+Q: Can I use indicators, such as file hash, IP address/URL's, or certificates with Microsoft Defender Antivirus (in active mode) with my Microsoft 365 E3/A3 license?
 
-A: Yes, please review [Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
+A: Yes. See [Tech Community Blog: Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3a3-licenses/3060639) and [Overview of Microsoft Defender for Endpoint Plan 1](/defender-endpoint/defender-endpoint-plan-1)
 
 ## See also
 
