To ensure Microsoft Defender Antivirus (Defender AV) provides full protection and leverages all its capabilities, it must be configured with the correct antivirus settings. Since Defender AV can be managed through multiple methods, it’s essential to monitor and identify potential conflicts. Over the past several years, I’ve handled numerous deployments and migrations from third-party antivirus solutions to Microsoft Defender for Endpoint/Defender AV. One recurring challenge in these projects has been policy conflicts.
Settings management?
As already mentioned, Defender AV is controlled through its settings, and these can be delivered via multiple methods and tools: GPO, PowerShell, the registry, Intune, SCCM, and MDE-Management can all be used to manage Defender settings.
How can Defender conflict?
Defender settings can come from several management sources. Each source has a different level of authority, and when multiple are in play, it can be hard to find the conflict.
| Policy Source | Description |
|---|---|
| Local Group Policy | Configured via gpedit.msc; applies only to the local machine |
| Domain Group Policy (GPO) | Delivered via Active Directory; applies at site, domain, or OU level |
| Intune MDM Policies | Cloud-managed via Microsoft Endpoint Manager; applies to enrolled devices |
| PowerShell Configuration | Set via scripts or manual admin actions (e.g., Set-MpPreference) |
| Registry Edits | Direct changes to Defender keys (not always honored if managed by GPO/MDM) |
| Third-party AV tools | May disable or suppress Defender completely (via WMI or registry flags) – common on servers. |
Precedence
Understanding which policy wins is critical when troubleshooting. This is not fully documented; based on experience, the order is the following:
Group Policy vs Local Settings
- Domain GPO always overrides Local Group Policy and manual settings.
- Manual Set-MpPreference changes will be reset at the next Group Policy refresh (gpupdate /force or reboot).
Intune
By default, GPO takes precedence over Intune CSP when a setting conflict occurs. In Microsoft Intune, there is a setting named MDMwinsoverGP. If that is enabled, Intune takes precedence for supported policies. But this does not cover all of the policies, and there are differences at the policy level: some policies work while others are not applied – personally, not a huge fan of the MDMwinsoverGP setting. It is better to solve the conflict at the source. If both are managing the same setting, for example when GPO says 1 and Intune says 0, expect conflicts and potential chaos.
MDMwinsoverGP is only applicable to, and only works for, a very select few policies. So it is better to exclude the conflicting settings at the domain level directly and not use the MDMwinsoverGP setting, which will avoid a lot of headaches.
Ways to find conflicts:
- GPO processing order: gpresult /h report.html
- Event Viewer: Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
  - Event ID 5007 — Configuration change applied
  - Event ID 5010 — Policy application failed
  - Event ID 2001/2004 — ASR rule applied or blocked
  - Event ID 1006 — Scan completed (helps confirm scheduling works)
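As an added example (not part of the original post), the following PowerShell script pulls the evidence from the precedence discussion and the list above together on one device: it compares the effective Get-MpPreference value with what the domain GPO and the Intune/MDM CSP each write to the registry, then lists the most recent Event ID 5007 configuration changes. The registry paths, the CSP value names and the "Old value"/"New value" layout of the 5007 message are assumptions based on the standard Policy CSP and Group Policy layout; verify them on your build and run it from an elevated PowerShell.

```powershell
# Added example, not code from the original post. Shows, per setting, the effective
# value and whether GPO and/or MDM (Intune) are both trying to manage it.
# Registry paths and CSP value names are assumptions; check them on your build.
$gpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'

# Map a Get-MpPreference property to its GPO key/value and its MDM CSP value.
# Note the inverted semantics: GPO DisableRealtimeMonitoring=1 disables, MDM AllowRealtimeMonitoring=1 enables.
$map = @(
  @{ Pref='DisableRealtimeMonitoring'; GpoKey="$gpoRoot\Real-Time Protection"; GpoValue='DisableRealtimeMonitoring'; Mdm='AllowRealtimeMonitoring' }
  @{ Pref='MAPSReporting';             GpoKey="$gpoRoot\Spynet";               GpoValue='SpynetReporting';           Mdm='AllowCloudProtection' }
  @{ Pref='SubmitSamplesConsent';      GpoKey="$gpoRoot\Spynet";               GpoValue='SubmitSamplesConsent';      Mdm='SubmitSamplesConsent' }
  @{ Pref='CloudBlockLevel';           GpoKey="$gpoRoot\MpEngine";             GpoValue='MpCloudBlockLevel';         Mdm='CloudBlockLevel' }
)

function Get-RegValue([string]$Path, [string]$Name) {
  # $null means the key or value is absent, i.e. that source does not manage the setting.
  try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$pref = Get-MpPreference
$rows = foreach ($m in $map) {
  $gpo = Get-RegValue $m.GpoKey $m.GpoValue
  $mdm = Get-RegValue $mdmRoot $m.Mdm
  [pscustomobject]@{
    Setting   = $m.Pref
    Effective = $pref.($m.Pref)
    GPO       = $gpo
    MDM       = $mdm
    # Both sources present = conflict candidate; GPO normally wins unless MDMwinsoverGP applies.
    Conflict  = ($null -ne $gpo -and $null -ne $mdm)
  }
}
$rows | Format-Table -AutoSize

# Recent configuration changes: the 5007 message carries "Old value"/"New value" lines
# naming the registry path that changed, which points at the source of the change.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5007 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lines = $_.Message -split "`r?`n"
    [pscustomobject]@{
      Time = $_.TimeCreated
      Old  = ($lines | Where-Object { $_ -match '^Old value:' }) -join ' '
      New  = ($lines | Where-Object { $_ -match '^New value:' }) -join ' '
    }
  } | Format-Table -Wrap
```

A row with Conflict set to True is exactly the "GPO says 1 and Intune says 0" situation described above; the 5007 list then shows when the effective value last flipped.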
Troubleshooting
During previous onboarding projects, I used several methods to verify which settings were applied on devices.
Domain-joined devices
When devices are domain-joined, one of the first things to check is the settings applied from Group Policy. When third-party AVs are installed, it is quite common that policies are set to disable the AV component or the real-time protection part of Defender AV. A couple of ways to check:
Resultant Set of Policy Utility (Rsop.msc)
One of the most underused but powerful tools in the Windows toolbox is the Resultant Set of Policy utility (RSOP.msc), a Microsoft Management Console (MMC) snap-in that displays the actual policies applied to a computer and user after all Group Policies are processed. RSOP shows you what’s actually in effect – making it incredibly helpful for troubleshooting.
Microsoft Defender settings can be enforced through various layers:
- Local Group Policy
- Domain-based GPOs
- MDM policies (like Intune)
- PowerShell or registry overrides
With overlapping sources, it can be hard to know which policies are taking effect. With RSOP, possible conflicts can be viewed and validated. Good to know: RSOP shows only GPO-applied settings.
How to run?
- Press Win + R, type rsop.msc, press Enter.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
You’ll see whether settings like Real-Time Protection, Exclusions, or Cloud Protection are enabled or disabled and where they’re applied from (which GPO). From practice, the things most commonly seen are:
- Defender AV disabled
- Settings from old GPOs (from years ago)
- Conflicts in exclusions
- Conflicts in sample submissions
- Old GPO baselines with Defender settings
When using both Intune and Group Policy, it’s important to avoid overlapping or conflicting configurations. Ideally, a setting should be managed from only one source. I generally recommend using Microsoft Intune for configuration management and relying on Group Policy only when a setting cannot be applied through Intune.
Investigation package
Another valuable method for identifying and understanding conflicts is by using the Investigation Package. This package includes a comprehensive collection of files that provide deep insight into a device’s current state. It captures details such as running processes, network connections, installed applications, scheduled tasks, and more.
When it comes to detecting configuration or settings conflicts, the following components are especially useful:
| Component | Description |
|---|---|
| Security event log | Contains the security event log, which contains records of sign-in or sign-out activity, or other security-related events specified by the system’s audit policy. Open the event log file using Event Viewer. |
| WdSupportLogs | Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
The WdSupportLogs package also contains MPSupportFiles.cab, which includes a much broader set of files that are extremely valuable for troubleshooting. I often rely on MPSupportFiles.cab because it can be easily downloaded directly from the Defender portal and includes many useful resources.
Some examples of files that are part of the MPSupportFiles.cab, which can be useful for further troubleshooting:
- MPRegistry: Contains Defender-related registry output
- MPLog-xxx: Operational Defender log
- MPOperationalEvents: Event Viewer log entries output of the event logs
- MPCmdRun.log: Microsoft Antimalware service command line
- MPCmdRun-NetworkService: Microsoft Antimalware service command line
- MpCmdRun-SystemTemp: Microsoft Antimalware service command line

Effective settings
Ever wondered exactly which Defender AV settings are configured and where they came from? With the new feature called Effective settings in Defender for Endpoint, it is possible to review the effective configuration and the source the setting came from. This tool is quite new and very helpful for troubleshooting.

Effective Settings reads the actual settings from the local configuration. If you are managing Windows devices in Defender, you may have encountered this confusion: where are the settings being applied from? As already mentioned in the blog, there are several sources from which settings can be pushed (ConfigMgr, Intune, GPO, local settings, and default settings enforced by Defender itself). This can be quite challenging during troubleshooting. Effective settings shows:
- The current effective configured value on the device
- What method is used to configure the settings (Intune, GPO, Default)
- Policy type
- Additional values when using ASR rules and exclusions
- Additional configuration attempts (with this, you can troubleshoot configuration conflicts)
The presented settings are AV security settings, Attack Surface Reduction rules, and exclusions for Windows platforms.
Portal
Effective settings are visible under the Configuration management tab from the device page. The Security policies tab shows the endpoint security policies that are applied to the device. The Effective settings tab provides visibility into the actual value of each security setting and identifies the source that configured it.
The effective value in the list shows the current value on the machine. So in the screenshot below, you see “Allow Cloud Protection” with the effective value of “2”.

It lists setting names, policy types, effective values, the source of each effective value, and the last report time. Select a setting to open a side panel with more details. You see the current value, and any other configuration attempts that didn’t take effect.
Configuration attempts are visible in the “Additional configuration attempts” section.

When using MDE Management, settings will be reported as “configured by MDE”:

Additional Log Location
Logs are also available directly on the system, without collecting additional data. The following overview gives the most common log files and locations for Defender Antivirus and Defender for Endpoint.
Defender Antivirus log files:
C:\ProgramData\Microsoft\Windows Defender\Support
Additional verbose diagnostic data can be collected with the MpCmdRun tool. Use the following command to gather all additional data in a cab file:
"C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles

The cab file is by default located at the following path: C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab
Some examples of files that are part of the MpSupportFiles.cab, which can be useful for further troubleshooting:
- MPRegistry: Contains Defender-related registry output
- MPLog-xxx: Operational Defender log
- MPOperationalEvents: Event Viewer log entries output of the event logs
- MPCmdRun.log: Microsoft Antimalware service command line
- MPCmdRun-NetworkService: Microsoft Antimalware service command line
- MpCmdRun-SystemTemp: Microsoft Antimalware service command line
Tip: Most of these files can be collected using the Investigation Package trigger in Defender for Endpoint, as noted earlier in this article.
Additional troubleshooting: Microsoft Defender for Endpoint series – Validate Defender protection and additional troubleshooting – Part 6