Case of the Non-working MEMCM Agent

Recent work with a customer revealed a strange issue with Microsoft Endpoint Manager Configuration Manager.

When I started troubleshooting and tried simple things like restarting the ccmexec service, it refused to stop. After further investigation, we discovered the WinDefend service was stopped. For those of you reading who don’t already know, this is the Windows Defender service.

In the past this has not been a deal breaker. The ccmexec service has still started, but with warnings. A recent change has made WinDefend a required prerequisite during start and stop operations for ccmexec. This means that if the service is disabled, errors or a failure to start the service will occur.

If you are using a standard image, this is generally not an issue, as the service is set to automatic and will always be running. However, if you have been using a third-party antivirus/antimalware solution, you may have turned it off.

Note that even if you are running a third-party antivirus solution, disabling the service should not be needed, as any antivirus certified for Windows 10 will inform Windows Defender that it has been started and has taken over responsibilities. Defender will then turn off active scanning and inform you that another solution is being used.

Solution

With the root cause found, change the group policy for Windows Defender so that it enables the service instead of disabling it. Note that the GPO is “backwards”: setting it to Disabled will actually turn Defender back on.

You can also use MDM or any other solution to apply the same setting. The most common way would be to use PowerShell. Here is a short snippet that makes sure the service is set to automatic and then starts it.

Set-Service -Name WinDefend -StartupType Automatic
Start-Service -Name WinDefend

Please note, the service cannot be started and set to automatic if a GPO is disabling it.
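
The snippet above fails if a policy is still turning Defender off, so it helps to check for that first. The following is an added example, not part of the original post: it reports the state of both services, looks for a policy block, and only then applies the fix. It assumes the policy in question is the one that writes DisableAntiSpyware under the Windows Defender policy registry key, and that it is run from an elevated PowerShell session.

```powershell
# Added example: diagnose why WinDefend is not running before trying to fix it.
# Assumption: the GPO that disables Defender is the one that writes
# DisableAntiSpyware = 1 under the policy key below.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# 1. Is a policy turning Defender off?
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$blockedByPolicy = ($null -ne $policy) -and ($policy.DisableAntiSpyware -eq 1)

# 2. Current state of both services involved in the ccmexec start/stop problem.
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend' OR Name='CcmExec'" |
    Select-Object Name, StartMode, State
$services | Format-Table -AutoSize

if ($blockedByPolicy) {
    # Set-Service / Start-Service will not stick while the policy is applied.
    Write-Warning "DisableAntiSpyware = 1 under $policyKey. Correct the GPO or MDM setting, run 'gpupdate /force', then retry."
    return
}

$defender = $services | Where-Object Name -eq 'WinDefend'
if (-not $defender) {
    Write-Warning 'WinDefend service was not found on this machine.'
    return
}

# 3. No policy block found: apply the fix from the article, only where needed.
try {
    if ($defender.StartMode -ne 'Auto') {
        Set-Service -Name WinDefend -StartupType Automatic -ErrorAction Stop
    }
    if ($defender.State -ne 'Running') {
        Start-Service -Name WinDefend -ErrorAction Stop
    }
    # Show the result so it can be captured in a ticket or log.
    Get-Service -Name WinDefend, CcmExec -ErrorAction SilentlyContinue |
        Format-Table Name, StartType, Status -AutoSize
}
catch {
    Write-Warning "Could not change WinDefend: $($_.Exception.Message)"
}
```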