Windows 10 Enterprise (1709) Windows Defender is ignoring .gpo's for scheduled scans

  • Question

  • I set up a Defender scheduled scan using the .gpo settings and it never runs. I tried using the date and time in the /scan options and I also tried using the day and time under the Remediation full scan option. The scans never start. My goal is to set up a full scan to run once a week. I tried using Task Scheduler but the tasks keep failing with a 2147942402... return code. I am using mpcmdrun.exe with scan -scantype 2 as arguments. Please help. It should take 5 minutes to set up a weekly full scan in any antivirus program. This should not be this hard. Don't know what I am doing wrong. Thank you.
    • Edited by ddejac Tuesday, April 10, 2018 9:34 PM
    Tuesday, April 10, 2018 9:33 PM

All replies

  • Hi,

    Could you let us know the exact task content? Which GPO did you configure?

    Here I suggest you set the Windows Defender task on one test machine following these steps:

    1. Search for and open Schedule tasks.
    2. In the left pane, expand Task Scheduler Library > Microsoft > Windows, and then scroll down and double-click (or press) the Windows Defender folder.
    3. In the top center pane, double-click (or press twice) Windows Defender Scheduled Scan.
    4. In the Windows Defender Scheduled Scan Properties (Local Computer) window, select the Triggers tab, go to the bottom of the window, and then tap or click New.
    5. Specify how often you want scans to run and when you’d like them to start.

    If it fails, please post the full history information for analysis.

    Note: Wipe any private information before uploading any file here.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, April 11, 2018 3:04 AM
  • First scenario: I set the gpo values below to attempt to set up a weekly scheduled full scan on Wednesdays at 10:30 AM. Below are the gpo settings. I had these settings set and the full scan that I expect from these settings did not start at 630, which equals 10:30 AM, today, which is Wednesday. Or at least there are no events in the WD Operational event log that show that it started. However, according to the event log I did have a quick scan start at 10:31:08 and finish properly at 10:32:02, which doesn't correspond to what I have set below for daily quick scan.

    Randomize scheduled task times - Disabled

    Specify the day of week to run a scheduled full scan to complete remediation - Disabled

    Specify the day of week to run a scheduled scan - Enabled, set to Wednesday

    Specify the interval to run quick scans per day - Enabled, set to 24

    Specify the scan type to use for a scheduled scan - Enabled, set to Full system scan

    Specify the time for a daily quick scan - Enabled, set to 780 (which should equal 1pm)

    Specify the time of day to run a scheduled scan - Enabled, set to 630 (which should be 10:30 am)

    Start the scheduled scan only when computer is on but not in use - Disabled

    Should my full scan have run at 10:30 AM today (Wednesday) when the machine wasn't idle or am I missing something?  With the settings set above I am expecting the full scan on Wednesdays at 10:30AM and a daily quick scan once a day at 1pm.   The full scan didn't start at 10:30 am and a quick scan ran at 10:31 am.


    Second scenario.  I kept all of the gpo settings as set above, I then added a trigger to the Windows Defender Scheduled Scan as Karen_Hu suggested above.  I set it to a One Time run to start at 11:32 am, (idle system not required).  It is using the SYSTEM account and run with highest privileges is checked.

    The task history showed this:

    At 11:35:47  event 107 Task triggered on scheduler, 129 Created task Process, 100 Task started, 200 Action started, 201 Action completed, 102 Task completed. 

    In the Action Completed this was the message:

    Task Scheduler successfully completed task "\Microsoft\Windows\Windows Defender Scheduled Scan", instance "{262e7b08......}", action "C:\program files\windows defender\mpcmdrun.exe" with return code 2147942402.

    The task's Last Run Result shows: (0x2)

    This is what the mpcmdrun.log entry shows:
    MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScheduleJob -ScanTrigger 55
     Start Time: ‎Wed ‎Apr ‎11 ‎2018 11:35:47

    Starting RunCommandScan.
    RunCommandScan is using default scan type: 2.
    Scanning path as file: (null).
    Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16387, Timeout in days = 7)
    MpScan() started
    MpScan() was completed
    ERROR: MpScan(dwOptions=16387) Completion Failed 80508018
    MpCmdRun: End Time: ‎Wed ‎Apr ‎11 ‎2018 11:35:47

    Although it did look like the full scan started, it definitely didn't finish. The Event Viewer showed the full scan started, but no other events after that. Not even that it errored or stopped.


    One more observation I would like to add:

    This gpo - "Specify the day of week to run a scheduled scan" will not show that it saves any changes you make to it when editing the gpo. So on the screen after you save it, it still shows as "Not Configured". However, once you run the gpupdate /force and show the rsop, the changes are visible and the registry settings have been changed accordingly.

    • Edited by ddejac Wednesday, April 11, 2018 5:11 PM
    Wednesday, April 11, 2018 3:09 PM
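
    Added example (not part of the original posts): a PowerShell sketch that decodes the task return code and the minutes-after-midnight policy values quoted in the post above, then reads the scan policy values and the effective Defender preferences on the local machine. The function names are hypothetical, and the registry value names under the policy key are assumed from the Windows Defender administrative template rather than taken from the thread.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function ConvertFrom-TaskResult {
    param([int64]$Code)
    # An HRESULT packs a facility in bits 16-26 and an error code in bits 0-15.
    $facility = ($Code -shr 16) -band 0x7FF
    $low      = [int]($Code -band 0xFFFF)
    $text = if ($facility -eq 7) {
        # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error number.
        [System.ComponentModel.Win32Exception]::new($low).Message
    } else {
        'not a wrapped Win32 error; look it up by facility'
    }
    [pscustomobject]@{
        Hex = '0x{0:X8}' -f $Code; Facility = $facility; Win32Code = $low; Text = $text
    }
}

function ConvertFrom-PolicyMinutes {
    param([int]$Minutes)
    # The scheduled scan time policies store minutes after midnight.
    [timespan]::FromMinutes($Minutes).ToString('hh\:mm')
}

# Values quoted in the post above.
ConvertFrom-TaskResult 2147942402
ConvertFrom-PolicyMinutes 630
ConvertFrom-PolicyMinutes 780

# What Group Policy wrote on this machine (value names assumed from the
# Windows Defender ADMX "Scan" policies; day 0 = every day, 1 = Sunday).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
$days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never'
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p) {
    [pscustomobject]@{
        Day       = if ($null -ne $p.ScheduleDay)  { $days[$p.ScheduleDay] }
        Time      = if ($null -ne $p.ScheduleTime) { ConvertFrom-PolicyMinutes $p.ScheduleTime }
        ScanType  = switch ($p.ScanParameters) { 1 { 'Quick' } 2 { 'Full' } }
        QuickTime = if ($null -ne $p.ScheduleQuickScanTime) { ConvertFrom-PolicyMinutes $p.ScheduleQuickScanTime }
    }
}

# What the Defender service itself reports as its effective settings.
Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, ScanParameters,
    ScanScheduleQuickScanTime, RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled
```

    2147942402 is 0x80070002, a Win32 error 2 wrapped as an HRESULT, which is the same 0x2 shown in the task's Last Run Result. Comparing the registry output with Get-MpPreference shows whether the values that policy wrote are the ones Defender is using.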
  • Hi,

    For the first group policy part, I do not understand what you said. If it's possible, please collect your group policy report for analysis.

    To generate the gpreport to confirm it:

    1. Open Command Prompt (Admin).

    2. Type the following command

    gpresult /h c:\gpreport.html

    3. Go to C drive, open the gpreport.html to view. If you don't know how to read this report, just upload it to OneDrive and share the link here.

    Please Note: Wipe any privacy information before uploading any log file to public site.

    For the second part, if you just look at the task history, you will see the task start and end time:


    Friday, April 13, 2018 9:11 AM