IRONSMITHINTEL
HIGH
Auth: none | Reboot: not required | Est. 10 minutes | Manual only

Ensure Windows Defender Is Active on All Servers Without Third-Party AV

Servers without any antivirus protection are trivially compromised by commodity malware — verify Windows Defender is running on every server that doesn't have a third-party AV solution.

Published May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

On a server with no AV protection, an attacker can deploy common tools like Mimikatz, Cobalt Strike beacons, or ransomware payloads without any detection or blocking. Defenders have no visibility into malicious activity on servers without EDR or AV coverage.

How the attack works

Windows Defender provides real-time protection against malware, including commodity ransomware and known attack tools. Servers where Windows Defender has been disabled (often to reduce performance overhead) and no third-party AV has been installed run with no malware protection. Commodity malware and off-the-shelf attack frameworks like Metasploit are trivially blocked by updated Defender but will execute without restriction on unprotected servers.

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows Server without a third-party AV or EDR solution installed
Windows Defender is disabled and no replacement AV is in place

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: Windows Defender enabled and updated

Real-world incidents: what we've seen

Many servers have Defender disabled during initial setup to reduce resource usage, and it is never re-enabled. During incident response, responders frequently find that the ransomware operators used entirely commodity tools that modern AV signatures would have blocked had Defender been active.

How to patch

Manual remediation steps

10 minutes

Check Windows Defender Status

Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

Enable Windows Defender

# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Verify the service is running
Get-Service -Name WinDefend | Select-Object Name, Status, StartType
Start-Service -Name WinDefend -ErrorAction SilentlyContinue

Update Signatures

Update-MpSignature
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion

Verification

Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge
# AMServiceEnabled and RealTimeProtectionEnabled must be True
# AntivirusSignatureAge should be 0 or 1 (updated today or yesterday)
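The four steps above (check, enable, update, verify) as one fleet-wide audit script. This is an added example and not the site's own automation (which the entry notes is still pending). It assumes WinRM is reachable on the targets, the caller has local administrator rights on each of them, and the Defender PowerShell module is present; the $Servers list, the -Remediate switch and the -MaxSignatureAgeDays threshold are this example's own names, and the hostnames are placeholders. The AMRunningMode property is used to tell Defender in passive mode (a third-party AV registered as primary) apart from Defender simply being off; on older builds where that property is absent it is null and the server is judged on the other fields alone.

```powershell
# Added example: audit Windows Defender across servers and optionally remediate.
# Not the site's tested automation. Assumes WinRM, local admin on targets, Defender module present.
[CmdletBinding()]
param(
    [string[]]$Servers = @('server01', 'server02'),   # placeholder hostnames
    [switch]$Remediate,                               # without this switch the script only reports
    [int]$MaxSignatureAgeDays = 1                     # page guidance: signature age 0 or 1 day
)

$check = {
    param($MaxAge, $Fix)
    $result = [ordered]@{
        Computer           = $env:COMPUTERNAME
        ServiceStatus      = $null
        AMServiceEnabled   = $null
        RealTimeProtection = $null
        RunningMode        = $null
        SignatureAgeDays   = $null
        Compliant          = $false
        Action             = 'none'
    }

    try {
        $svc = Get-Service -Name WinDefend -ErrorAction Stop
        $result.ServiceStatus = $svc.Status
    } catch {
        # No WinDefend service at all: Defender is not installed on this server
        $result.ServiceStatus = 'missing'
        return [pscustomobject]$result
    }

    if ($Fix) {
        # Same steps as the manual remediation: start the service, re-enable real-time
        # protection, pull fresh signatures. A GPO or tamper-protection setting that
        # disables Defender will revert this on the next policy refresh, so fix that too.
        if ($svc.Status -ne 'Running') { Start-Service -Name WinDefend -ErrorAction SilentlyContinue }
        Set-MpPreference -DisableRealtimeMonitoring $false
        Update-MpSignature -ErrorAction SilentlyContinue
        $result.Action = 'enabled+updated'
    }

    $status = Get-MpComputerStatus
    $result.AMServiceEnabled   = $status.AMServiceEnabled
    $result.RealTimeProtection = $status.RealTimeProtectionEnabled
    $result.RunningMode        = $status.AMRunningMode   # 'Normal', 'Passive Mode', ...; null on builds without it
    $result.SignatureAgeDays   = $status.AntivirusSignatureAge

    # Passive mode means another AV product registered as primary: counted as covered, not as a gap.
    $thirdPartyAv = $status.AMRunningMode -like 'Passive*'
    $result.Compliant = $thirdPartyAv -or (
        $status.AMServiceEnabled -and
        $status.RealTimeProtectionEnabled -and
        $status.AntivirusSignatureAge -le $MaxAge)

    [pscustomobject]$result
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock $check `
    -ArgumentList $MaxSignatureAgeDays, $Remediate.IsPresent -ErrorAction Continue

$report | Sort-Object Compliant, Computer |
    Format-Table Computer, ServiceStatus, AMServiceEnabled, RealTimeProtection,
                 RunningMode, SignatureAgeDays, Compliant, Action -AutoSize

# Non-zero exit so a scheduled run can flag unprotected servers to a ticketing or monitoring system
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} server(s) lack active, up-to-date AV coverage: {1}" -f $gaps.Count, ($gaps.Computer -join ', '))
    exit 1
}
```

Run it first without -Remediate to get a read-only inventory of which servers fall into the "Am I affected?" conditions, then with -Remediate on the hosts that have no third-party AV. Servers that report ServiceStatus "missing" need the Defender feature reinstalled rather than re-enabled, and any host that reverts to non-compliant on the next run almost certainly has a policy still disabling Defender.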
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.