Microsoft Defender Antivirus in Passive mode will stop running a process scan after a "Security Intelligence Update"

Message Center ID: MC1090687
Microsoft Defender XDR
Plan for Change
Major Change, Admin impact
August 2025

Summary

Starting with Platform Update 4.18.2507.x.x in late August 2025, Microsoft Defender Antivirus in Passive mode will no longer automatically run a process scan after a Security Intelligence Update. Organizations relying on this scan must enable it manually via Intune or Group Policy.

Details

We're updating how Microsoft Defender for Endpoint behaves when Microsoft Defender Antivirus is in Passive mode. Starting with Platform Update 4.18.2507.x.x (expected late August 2025), Defender Antivirus will no longer automatically run a process scan after a Security Intelligence Update.

[When this will happen:]

This change will roll out with Platform Update 4.18.2507.x.x, scheduled for release in the last two weeks of August 2025.

[How this affects your organization:]

If your organization uses Microsoft Defender Antivirus in Passive mode, this automatic scan will no longer occur after Security Intelligence Updates. In Passive mode, Defender Antivirus does not provide real-time protection, so the process scan that followed each signature update was one of the ways newly released signatures were applied to processes already running on a device. If your threat detection workflow relies on that scan, it will now depend on the policy setting described under "What you can do to prepare", on scheduled or on-demand scans, or on the Defender for Endpoint EDR sensor.

To identify devices running in Passive mode:

  • Use Advanced Hunting in Microsoft Defender for Endpoint Plan 2:

DeviceTvmInfoGathering
| where Timestamp > ago(3d)
// AdditionalFields.AvMode: 0 = Active, 1 = Passive, 4 = EDR Blocked
| extend AvModeTemp = AdditionalFields.AvMode
| extend AVMode = iif(tostring(AvModeTemp) == '0', 'Active', iif(tostring(AvModeTemp) == '1', 'Passive', iif(tostring(AvModeTemp) == '4', 'EDR Blocked', 'Unknown')))
// keep only the most recent record per device
| summarize arg_max(LastSeenTime, *) by DeviceId
| project DeviceName, OSPlatform, AVMode
// append: | where AVMode == 'Passive'   to list only Passive-mode devices

  • Or locally on a device using PowerShell (Run as Administrator):

# AMRunningMode reports "Normal" (active), "Passive Mode" or "EDR Block Mode"
Get-MpComputerStatus | Format-Table AMRunningMode

[What you can do to prepare:]

If you want to continue running a process scan after each Security Intelligence Update, you’ll need to explicitly enable this setting.

Using Intune:

  1. Go to Devices > Windows > Configuration > Create > New Policy
  2. Set Platform to Windows 10 and later, and Profile type to Settings catalog
  3. Click Create, enter a Name and Description, then click Next
  4. Click Add settings, search for Turn on scan after security intelligence update
  5. Select the setting under:
    • Administrative Templates > Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates
  6. Check the box and set it to Enabled
  7. Complete the remaining setup steps

Using Group Policy:

  1. Navigate to:
    • Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates
  2. Find Turn on scan after security intelligence update
  3. Set it to Enabled
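The following PowerShell script is an added example, not part of the Message Center notice or of Microsoft's documentation. It audits a local device (running mode, signature version, and whether the post-update scan policy is configured) and, for devices in Passive mode that have no policy configured, writes the policy value so the scan runs again. The registry mapping is an assumption taken from the WindowsDefender.admx template: the "Turn on scan after security intelligence update" policy is assumed to write the DWORD DisableScanOnUpdate under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates, with 0 meaning the scan is enabled and 1 meaning disabled. Verify that mapping against your own ADMX before relying on it. The function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the notice). Assumed ADMX mapping:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
#   DisableScanOnUpdate (DWORD): 0 = scan after update enabled, 1 = disabled
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
$ValueName = 'DisableScanOnUpdate'

function Get-DefenderScanAfterUpdateState {
    # Summarise AV running mode and the current state of the post-update scan policy.
    $status = Get-MpComputerStatus
    $value  = $null
    if (Test-Path $PolicyKey) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    $scanState = if ($null -eq $value) { 'Not configured (platform default)' }
                 elseif ($value -eq 0)  { 'Enabled' }
                 else                   { 'Disabled' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $status.AMRunningMode            # "Normal", "Passive Mode", "EDR Block Mode"
        AVSignatureVersion = $status.AntivirusSignatureVersion
        PolicyConfigured   = ($null -ne $value)
        ScanAfterUpdate    = $scanState
    }
}

function Enable-DefenderScanAfterUpdate {
    # Write the assumed policy value locally. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create policy key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 0 (scan after update enabled)')) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Usage: report first, then act only on Passive-mode devices with no policy set.
$state = Get-DefenderScanAfterUpdateState
$state | Format-List

if ($state.AMRunningMode -eq 'Passive Mode' -and -not $state.PolicyConfigured) {
    # Drop -WhatIf once you have confirmed the registry mapping on a test device.
    Enable-DefenderScanAfterUpdate -WhatIf
    Get-DefenderScanAfterUpdateState | Format-List
}
```

Values under HKLM\SOFTWARE\Policies are owned by Group Policy and Intune and are rewritten at the next policy refresh, so treat the local write as a lab check or as a way to confirm that the Intune or Group Policy setting actually landed on a device, not as the production delivery mechanism; the notice's Intune and Group Policy steps remain the supported path.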

Learn more:

  • Group Policy settings for scheduling scans after protection updates
  • Notes about protection states with Microsoft Defender for Endpoint + Microsoft Defender Antivirus in Passive mode

Change History

No change history available
