Application Resilience policies for Microsoft Defender Antivirus
You can activate an Application Resilience policy for Microsoft Defender Antivirus to collect information about the functional status of Microsoft Defender Antivirus installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair the application.
Microsoft Defender Antivirus was formerly known as Windows Defender.

Application Resilience policies for Microsoft Defender Antivirus are supported on devices running:
- a supported version of the Windows operating system
-
PowerShell version 5.1 or higher
Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.
- any version of Microsoft Defender Antivirus

The following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant if all health checks, other than the version check, pass.
Component | Test performed | ||
---|---|---|---|
Services | Running | ||
|
P | ||
Settings | Enabled | ||
|
P | ||
Anti-spyware definition | |||
|
|||
Application name | |||
The application uses the following name:
|
1Only checked if Microsoft Defender Antivirus is in Active mode
2 Only checked if selected in the policy configuration
3 Only checked if Check if last Anti-spyware Signature update is within how many days? is selected in the policy configuration

You can configure an Application Resilience policy for Microsoft Defender Antivirus to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Microsoft Defender Antivirus if it's not functioning.
The Report, repair, and reinstall option isn't supported. Depending on the Absolute product licenses associated with your account, the Report and repair option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
Issue | Resolution |
---|---|
Repair | |
Real-time protection is disabled1 | The RAR component enables Real-time protection. |
The WinDefend (MsMpEng.exe) service isn't running | The RAR component restarts the service. |
Cloud-delivered protection is disabled2 | The RAR component enables Cloud-delivered protection. |
Automatic sample submission is disabled2 | The RAR component enables Automatic sample submission. |
Potentially unwanted applications (PUA) protection is disabled2 | The RAR component enables PUA protection. |
The Anti-spyware Signature definition hasn't been updated within the configured number of days3 | The RAR components updates the Anti-spyware Signature definition. |
1Only checked if Microsoft Defender Antivirus is in Active mode
2 Only checked if selected in the policy configuration
3 Only checked if Check if last Anti-spyware Signature update is within how many days? is selected in the policy configuration

Before you activate an Application Resilience policy you need to configure the platform version and these settings in addition to the settings in Configuring Application Resilience policies.
To configure the Microsoft Defender Antivirus platform version and specific settings:
-
Under Microsoft Defender Antivirus platform version, enter the platform version of Microsoft Defender Antivirus you expect to be running on your devices.
- The target platform version must be a sequence of digits separated by a period.
- You can use wild card "*" characters after the major version, for example, 4.*, 4.18.*, or 4.18.2003.*.
- [Optional] Select Check if last Anti-spyware Signature update is within how many days? and enter the maximum number of days allowed since the last update.
-
[Optional] Select the options that apply to your configuration:
- Cloud-delivered protection: if selected, the RAR component checks if Cloud-delivered protection is enabled
- Automatic sample submission: if selected, the RAR component checks if Automatic sample submission is enabled
- Tamper protection (report only): if selected, the RAR component checks if Tamper Protection is enabled
- Potentially unwanted applications (PUA) protection: if selected the RAR component checks if PUA protection is enabled