# Windows Defender Running Job

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPGxOZ3JN1yZonO5U9tsd%2FReference%20-%20Windows%20Defender%20Running%20Job%20Guide.png?alt=media&#x26;token=3ecaaf23-a4d8-471f-992c-26ea66aa8654" alt=""><figcaption></figcaption></figure>

This guide shows a **job** that checks whether the Windows Defender Antivirus service (**WinDefend**) is running and, if not, starts it. The job is deployed to endpoints using a **JobUpdate** policy.

**Audience:** IT admins deploying Keeper Privilege Manager on Windows.

### What the Job Does <a href="#what-the-job-does" id="what-the-job-does"></a>

* **Checks** the status of the **WinDefend** service (Windows Defender Antivirus Service).
* **If the service is stopped,** starts it with `Start-Service -Name WinDefend`.
* **If the service is already running,** does nothing and exits successfully.
* **Runs** on a **schedule** (default: every 60 minutes) and on **Startup**, so Defender is periodically verified and restored if it was stopped.

The job uses a single PowerShell task in the **Service** context. The agent typically runs as LOCAL SYSTEM, which can start the WinDefend service.

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* Keeper Privilege Manager agent installed and running on **Windows**.
* PowerShell at `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`.
* Ability to create **JobUpdate** policies and run **Process Configuration Policies** (e.g. from Keeper Admin Console).

### Job Definition (full JSON) <a href="#job-definition-full-json" id="job-definition-full-json"></a>

Use this job JSON in a JobUpdate policy (**Extension.JobJson**) or save it as `Jobs/ensure-windows-defender-running.json` for file-based deployment.

```
{
  "id": "ensure-windows-defender-running",
  "name": "Ensure Windows Defender is running",
  "description": "Checks if the Windows Defender Antivirus service (WinDefend) is running; if not, starts it. Deploy via JobUpdate policy. Runs on schedule (default every 60 min) and on Startup.",
  "enabled": true,
  "asUser": false,
  "priority": 5,
  "schedule": {
    "intervalMinutes": 60
  },
  "events": [
    { "eventType": "Startup" }
  ],
  "parameters": [],
  "tasks": [
    {
      "id": "check-and-start-defender",
      "name": "Check Windows Defender service and start if stopped",
      "ExecutionType": "Service",
      "command": "powershell.exe",
      "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name WinDefend -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name WinDefend -ErrorAction Stop }; exit 0 }\"",
      "expectedExitCode": 0,
      "timeoutSeconds": 30,
      "continueOnFailure": false
    }
  ],
  "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
  "osFilter": { "windows": true, "linux": false, "macOS": false }
}
```

***

### Deploy the Job via JobUpdate Policy <a href="#deploy-the-job-via-jobupdate-policy" id="deploy-the-job-via-jobupdate-policy"></a>

1. **Create a JobUpdate policy** in your policy store or Keeper Admin Console with:
   * **PolicyType:** `JobUpdate`
   * **Status:** `enabled`
   * **Extension:**
     * **JobId:** `ensure-windows-defender-running`
     * **Action:** `Add`
     * **JobJson:** The full job object above (single line or formatted).
2. **Example policy structure:**

   ```
   {
     "PolicyId": "deploy-ensure-windows-defender-running",
     "PolicyName": "Deploy job: Ensure Windows Defender is running",
     "PolicyType": "JobUpdate",
     "Status": "enabled",
     "Extension": {
       "JobId": "ensure-windows-defender-running",
       "Action": "Add",
       "JobJson": {
         "id": "ensure-windows-defender-running",
         "name": "Ensure Windows Defender is running",
         "description": "Checks if the Windows Defender Antivirus service (WinDefend) is running; if not, starts it.",
         "enabled": true,
         "asUser": false,
         "priority": 5,
         "schedule": { "intervalMinutes": 60 },
         "events": [{ "eventType": "Startup" }],
         "parameters": [],
         "tasks": [
           {
             "id": "check-and-start-defender",
             "name": "Check Windows Defender service and start if stopped",
             "ExecutionType": "Service",
             "command": "powershell.exe",
             "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name WinDefend -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name WinDefend -ErrorAction Stop }; exit 0 }\"",
             "expectedExitCode": 0,
             "timeoutSeconds": 30,
             "continueOnFailure": false
           }
         ],
         "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
         "osFilter": { "windows": true, "linux": false, "macOS": false }
       }
     }
   }
   ```
3. **Assign the policy** to the desired Windows collections or machines.
4. **Run Process Configuration Policies** on the agents so they receive the job:
   * Rely on the normal schedule (e.g. after policy sync), or
   * Trigger manually: `POST https://127.0.0.1:6889/api/Jobs/process-configuration-policies/run` (Admin auth).
5. **Confirm the job is present:**\
   `GET https://127.0.0.1:6889/api/Jobs` — you should see `ensure-windows-defender-running`.

### When the Job Runs <a href="#when-the-job-runs" id="when-the-job-runs"></a>

* **Startup** — Runs once when the agent (or machine) starts.
* **Every 60 minutes** — Per `schedule.intervalMinutes`. Change `intervalMinutes` in the job JSON if you want a different interval.

No manual trigger is required unless you want to run it once on demand (e.g. `POST .../api/Jobs/ensure-windows-defender-running/run`).

### Verification <a href="#verification" id="verification"></a>

* **Service status (PowerShell):**

  ```
  Get-Service -Name WinDefend
  ```

  Status should be **Running** after the job has run (or after starting it manually for testing).
* **Agent logs:** Check for task `check-and-start-defender` and any PowerShell or service errors.
* **Run job once (optional):**

  ```
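  # -SkipCertificateCheck requires PowerShell 6 or later; Windows PowerShell 5.1 does not have this parameter.
  Invoke-RestMethod -Method Post -Uri "https://127.0.0.1:6889/api/Jobs/ensure-windows-defender-running/run" -SkipCertificateCheck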
  ```

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="206.6666259765625">Issue</th><th>What to check</th></tr></thead><tbody><tr><td>Job not on endpoint</td><td>JobUpdate policy assigned; Process Configuration Policies has run; <code>GET /api/Jobs</code> shows the job.</td></tr><tr><td>Exit code 1</td><td>WinDefend service may not exist (e.g. different SKU); check <code>Get-Service WinDefend</code> on the machine.</td></tr><tr><td>Access denied starting service</td><td>Agent must run as an account that can start services (e.g. LOCAL SYSTEM).</td></tr><tr><td>Start-Service fails (e.g. "Disabled" state)</td><td>The service must be set to <strong>Automatic</strong> or <strong>Manual</strong>; if it is <strong>Disabled</strong>, Start-Service will fail. Use <code>Set-Service -Name WinDefend -StartupType Automatic</code> (in an elevated prompt) or services.msc.</td></tr><tr><td>Different interval</td><td>Edit <strong>JobJson</strong> in the policy: change <code>schedule.intervalMinutes</code> (e.g. 30), then run Process Configuration Policies again (or use JobUpdate Action <strong>Update</strong> with the full revised job).</td></tr></tbody></table>
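The service-level rows of the table above can be checked in one pass with the script below, saved as a `.ps1` file and run from an elevated PowerShell prompt on the endpoint. This is an added example, not part of Keeper's job definition; exit codes 2 and 3 and the 20-second wait are assumptions of the example (the job task itself only uses 0 and 1).

```powershell
# Added example: diagnose why the check-and-start-defender task would fail here.
# Exit codes 2 and 3 are assumptions of this example; the job task uses only 0 and 1.
$ErrorActionPreference = 'Stop'
$name = 'WinDefend'

$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "$name service not found (the job task exits 1 in this case)."
    exit 1
}

# Win32_Service reports the startup mode (Auto, Manual, Disabled) and the logon account.
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
Write-Output "Status: $($svc.Status)  StartMode: $($cim.StartMode)  Account: $($cim.StartName)"

if ($cim.StartMode -eq 'Disabled') {
    Write-Output "Startup type is Disabled; Start-Service fails until it is Automatic or Manual."
    exit 2
}

if ($svc.Status -ne 'Running') {
    try {
        Start-Service -Name $name
        # Confirm the service control manager actually reports Running.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(20))
    }
    catch {
        # Typical causes: access denied, or the service stops again right after starting.
        Write-Output "Could not start ${name}: $($_.Exception.Message)"
        exit 3
    }
}

Write-Output "$name is running."
exit 0
```

Running it under the same account as the agent (e.g. LOCAL SYSTEM) shows whether an "Access denied" result comes from the account or from the service configuration.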

### Reference <a href="#reference" id="reference"></a>

* **Job id:** `ensure-windows-defender-running`
* **Job file (if not using policy):** `Jobs/ensure-windows-defender-running.json`
* **Service name:** `WinDefend` (Windows Defender Antivirus Service)
* **Platform:** Windows only.

For general job and policy details, see the Getting Started [Jobs & Applications](/keeperpam/endpoint-privilege-manager/setup/jobs-and-applications.md) page.


