Real-Time Protection Status Monitor

Microsoft.WindowsDefender.ProtectedServer.RTPStatus.Monitor (UnitMonitor)

Monitors RTP changes

Knowledge Base article:

Summary

Windows Defender real-time protection is disabled.

Causes

The most common reason for this error is that a local administrator has disabled real-time protection. Other possible reasons are that malware or an internal failure caused real-time protection to switch off.

Resolutions

Enable real-time protection on the client using the Windows Defender UI or WMI/PowerShell commands.
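The following PowerShell, added here as an illustration and not part of the management pack, performs the resolution step above: it checks real-time protection on the local server, first rules out a policy override (a Group Policy value in the Windows Defender policy key silently wins over Set-MpPreference), then re-enables RTP and re-checks. It assumes the Defender PowerShell module is present and that the script is run elevated on the affected server.

```powershell
# Added example (not from the management pack): check and restore Windows Defender
# real-time protection as described under "Resolutions". Run elevated on the server.

function Test-RtpEnabled {
    # Get-MpComputerStatus reflects the live Defender state, which is what the
    # monitor alerts on (RealTimeProtectionEnabled = $false -> "Off" state).
    $status = Get-MpComputerStatus
    return [bool]$status.RealTimeProtectionEnabled
}

if (Test-RtpEnabled) {
    Write-Output "Real-time protection is already enabled on $env:COMPUTERNAME."
    return
}

# A policy-set DisableRealtimeMonitoring overrides the local preference, so
# Set-MpPreference would appear to succeed but change nothing. Surface that first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRealtimeMonitoring -eq 1) {
    Write-Warning "Real-time protection is disabled by policy (DisableRealtimeMonitoring=1). Correct the GPO instead of the client."
    return
}

# Local preference: turn real-time monitoring back on.
Set-MpPreference -DisableRealtimeMonitoring $false

# Defender applies the change asynchronously; wait briefly, then verify.
Start-Sleep -Seconds 5
if (Test-RtpEnabled) {
    Write-Output "Real-time protection re-enabled on $env:COMPUTERNAME."
} else {
    # Typical remaining causes: tamper protection, WinDefend service stopped, or a
    # third-party AV registered with Security Center that puts Defender in passive mode.
    Write-Warning "Real-time protection is still off. Check tamper protection, the WinDefend service and the Microsoft-Windows-Windows Defender/Operational event log."
}
```

Once RTP is back on, the monitor's state returns to "On" (healthy) and the alert auto-resolves, since AutoResolve is true for this monitor.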

Element properties:

Target: Microsoft.WindowsDefender.ProtectedServer
Parent Monitor: Microsoft.WindowsDefender.ProtectedServer.WindowsDefender.Aggregate.Monitor
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.WindowsDefender.SecurityVulnerability.RTPMonitorType
Remotable: True
Accessibility: Public
Alert Message:
  Windows Defender RTP Status Alert
  This alert will trigger when real-time protection (RTP) is turned off.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.WindowsDefender.ProtectedServer.RTPStatus.Monitor" Accessibility="Public" Enabled="true" Target="Microsoft.WindowsDefender.ProtectedServer" ParentMonitorID="Microsoft.WindowsDefender.ProtectedServer.WindowsDefender.Aggregate.Monitor" Remotable="true" Priority="Normal" TypeID="Microsoft.WindowsDefender.SecurityVulnerability.RTPMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="Microsoft.WindowsDefender.ProtectedServer.RTPStatus.Monitor.Alert">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Target/Property[Type="System!System.Entity"]/DisplayName$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="OnID" MonitorTypeStateID="On" HealthState="Success"/>
    <OperationalState ID="OffID" MonitorTypeStateID="Off" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <DelayTime>20</DelayTime>
  </Configuration>
</UnitMonitor>