I'm dealing with a pretty bizarre situation at work involving a customer's server configurations. They're running Microsoft Defender in passive mode, and we set the ForceDefenderPassiveMode registry key to 0 to disable it. However, they're convinced there was never a Group Policy Object (GPO) affecting this key, as it was supposedly added manually.
Here's where it gets wild: we've tested the key reset on several servers, and for most gpupdate commands, it stays at 0. But when we use 'gpupdate /force /target:computer', it flips right back to 1. We even left it at 0 overnight, only to find it reverted back to 1 in the morning—suggesting GPO background refresh might be in play. We've tried renaming the Registry.pol file, but it's hit or miss.
Any ideas on where to dig deeper or what else could be causing this?
5 Answers
Just a heads up, I've noticed a change. Now when I run 'gpupdate /force', it instantly puts the setting back. This was definitely not the case yesterday.
If you're still convinced it's GPO-related, consider moving those test servers into an isolated OU that doesn’t inherit any policies. That might help you figure out if GPO is truly responsible for the changes. Also, just in case, check for any anti-tamper settings defined in Defender; I’ve run into issues with that when updating services.
It sounds like there might be an issue with your Domain Controllers. Are you sure there's only one primary DC? Sometimes, if they're not replicating the SYSVOL correctly, you can see behavior like this. You might want to check your replication status across all DCs to make sure they're in sync. Here's a helpful guide on troubleshooting replication failures: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/diagnose-replication-failures.
Have you checked what RSOP or gpresult is showing? Running those tools might reveal if there's some other setting being applied from a different policy. Old sysadmins tend to create a mess with overlapping policies, and it could make troubleshooting this a real headache.
I ran gpresult and found 'ForceDefenderPassiveMode' listed as an 'Extra Registry Setting' under Local Group Policy in the HTML report. But I couldn't find anything related in local gpedit.msc, which is frustrating!
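An added example, not posted by anyone in this thread: a PowerShell script that parses a Registry.pol file directly and reports any ForceDefenderPassiveMode entry it contains, then shows the live registry value and Defender's tamper-protection status. "Extra Registry Settings" in a gpresult report are exactly the Registry.pol entries that have no matching ADMX template, which is why gpedit.msc shows nothing for them; reading the .pol file is the way to see them. Assumptions: the local computer policy file is at the standard %windir%\System32\GroupPolicy\Machine\Registry.pol, the policy value lives under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection as Microsoft documents, and any SYSVOL paths you append to $PolPaths are placeholders for your own domain's GPO GUIDs.

```powershell
# Added example: locate ForceDefenderPassiveMode in Registry.pol files and
# compare with the live registry and Defender tamper protection.

function Read-PolString {
    # Read a NUL-terminated UTF-16LE string at $Offset; return text and the
    # offset just past the terminator.
    param([byte[]]$Bytes, [int]$Offset)
    $start = $Offset
    while ($Offset + 1 -lt $Bytes.Length -and
           -not ($Bytes[$Offset] -eq 0 -and $Bytes[$Offset + 1] -eq 0)) {
        $Offset += 2
    }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Offset - $start)
    return @{ Text = $text; Next = $Offset + 2 }
}

function Read-RegistryPol {
    # Parse the PReg format: "PReg" + version DWORD, followed by entries of the
    # form [key;value;type;size;data] with UTF-16LE brackets and semicolons.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $pos = 8
    while ($pos + 2 -le $b.Length) {
        if ($b[$pos] -ne 0x5B) { throw "Expected '[' at offset $pos in $Path" }
        $pos += 2                                                # '['
        $k = Read-PolString $b $pos; $pos = $k.Next + 2          # key, NUL, ';'
        $v = Read-PolString $b $pos; $pos = $v.Next + 2          # value, NUL, ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 6    # DWORD type, ';'
        $size = [BitConverter]::ToUInt32($b, $pos); $pos += 6    # DWORD size, ';'
        $data = New-Object byte[] $size
        [Array]::Copy($b, $pos, $data, 0, $size); $pos += $size + 2  # data, ']'

        $decoded = switch ($type) {
            4 { if ($size -ge 4) { [BitConverter]::ToUInt32($data, 0) } else { $null } }  # REG_DWORD
            { $_ -in 1, 2 } { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ / REG_EXPAND_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{
            Source    = $Path
            Key       = $k.Text
            ValueName = $v.Text
            Type      = $type
            Data      = $decoded
        }
    }
}

# Local computer policy; append domain GPO files as needed, e.g.
# "\\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Registry.pol" (placeholder).
$PolPaths = @("$env:windir\System32\GroupPolicy\Machine\Registry.pol")

foreach ($p in $PolPaths) {
    if (-not (Test-Path $p)) { Write-Output "No policy file at $p"; continue }
    $hits = Read-RegistryPol -Path $p | Where-Object {
        $_.ValueName -eq 'ForceDefenderPassiveMode' -or
        $_.Key -like '*Windows Advanced Threat Protection*'
    }
    if ($hits) { $hits | Format-Table Source, Key, ValueName, Type, Data -AutoSize }
    else       { Write-Output "No ForceDefenderPassiveMode entry in $p" }
}

# Live value currently in the registry (the policy hive Group Policy writes to).
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$live = Get-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue
if ($live) { Write-Output "Live ForceDefenderPassiveMode = $($live.ForceDefenderPassiveMode)" }
else       { Write-Output "ForceDefenderPassiveMode not present under $regPath" }

# Tamper protection can also reassert Defender settings independently of GPO.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Write-Output "Tamper protected: $($mp.IsTamperProtected); AM running mode: $($mp.AMRunningMode)"
} catch {
    Write-Output "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
```

Run it elevated on one of the affected servers. If the local Registry.pol contains the entry, the value is being re-applied by local computer policy rather than a domain GPO, and removing it there (or via LGPO tooling) is the fix; if it only appears in a SYSVOL Registry.pol, the GUID in that path names the domain GPO to inspect in GPMC. If neither file contains it but the live value still flips, look at tamper protection and at anything else that writes to the policy hive, such as management agents.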
I'm betting there's a forgotten GPO that was applied ages ago. The customer should double-check their policies. It often happens that older policies can sneak back up on you, especially if they're rarely revisited.
I checked GPMC Detect Now, and it shows all 9 DCs are in sync. So, that doesn't seem to be the issue.