Forum Discussion

Dan Van Drunen
Brass Contributor
Jun 21, 2017

Disabling Windows Defender Security Center in Enterprise (1703)

Question around the Windows Defender Security Center in Enterprise (1703)

We have Symantec Endpoint Protection (14 MP1) in our environment, and after upgrading to 1703 it seems the Security Center is starting and enabled (appears in system tray). I created a registry DWORD via GPO preferences to prevent it from starting up, and have also disabled Defender via GPO. This seems to work nicely.

We all know that having multiple malware/anti-virus solutions running simultaneously is not a good thing. I would like to know what the implications of disabling Defender are, and also if my approach is best practice?


  • Hi,

    A few answers :-)

    Let's start with - we do NOT support any manual changes to the registry, so those changes are not documented and not supported.

    The GPO setting you set is supported, but all that does is disable Windows Defender Antivirus, which would have already been disabled as you are using Symantec Endpoint Protection. Windows 10 only allows you to run one antivirus with real-time protection at a time.

    We know it's a bit complicated, and we are working in the Fall Creators Update to make it better - but there are actually two things you see:

    1. Windows Defender Security Center (WDSC), which has an overview of a lot of built-in Windows safety features (AV, Firewall, Device performance). So it's relevant even if you use SEP for AV. We currently do not support disabling this UI, but we have heard this feedback and are working on this (though no commitment/timeframe).

    2. Windows Defender Antivirus. What you knew before simply as "Windows Defender". That, you can disable via GPO (you can read more: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus )

    Hope that helps,

    Amitai

    • Mattias Borg
      Brass Contributor

      Just a question because I'm interested:

      What's the reason for the choice of 3rd party AV?

      Customers I get into contact with to discuss client security usually provide the answer "we've always done that".

      Could be other reasons, like our sourcing partner requires us to use that, etc.

      I'm not in the discussion to argue about different solutions, I'm just interested in the reasons.

      AV/antimalware is just a small piece of client security and I would say it's almost dead. You need it, but it won't protect you that much.

      A common form of attack today is the fileless attack, and most AV solutions can't detect that, so there are other configurations to be done besides installing an AV.

      I usually recommend customers to go for what's included and configure the other security features in the operating system like UEFI + Secure Boot, Application Control, CFA, Credential Guard, ASR, Exploit Guard, etc.
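      The built-in features listed above can be audited rather than assumed. The PowerShell function below is an added example, not code from this thread or from Microsoft; it reads the Secure Boot, Device Guard (VBS, Credential Guard, HVCI, WDAC), Controlled Folder Access and ASR state from the documented Windows interfaces and returns one object per host. It assumes an elevated session on a Windows 10 client at 1709 or later (the CFA and ASR properties of Get-MpPreference do not exist on 1703, which is the build the thread discusses); the function name is ours.

```powershell
# Added example (not from the thread): audit the client hardening features
# Mattias lists so "go with what's included" can be verified on each host.
# Assumptions: elevated session, Windows 10 1709+ for the CFA/ASR properties;
# the function name Get-ClientHardeningPosture is ours.

function Get-ClientHardeningPosture {
    [CmdletBinding()]
    param()

    # UEFI + Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS
    # machines, so an exception is treated as "not UEFI / cannot confirm".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Virtualization-based security, Credential Guard, HVCI and WDAC, as
    # reported by the Device Guard WMI class.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   *CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $credGuard  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $hvci       = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    $wdacKernel = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { $null }
    $wdacUser   = if ($dg) { $dg.UsermodeCodeIntegrityPolicyEnforcementStatus } else { $null }

    # Controlled folder access and attack surface reduction rules live in the
    # Defender preference store. CFA: 0 = off, 1 = block, 2 = audit.
    # Each ASR rule id is paired by index with an action: 0 = off, 1 = block, 2 = audit.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    $cfa = if ($mp) { $mp.EnableControlledFolderAccess } else { $null }
    $asrRules = @()
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $asrRules += [pscustomobject]@{
                RuleId = $mp.AttackSurfaceReductionRules_Ids[$i]
                Action = $mp.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }

    # Exploit protection (Exploit Guard): the system-wide mitigations are
    # listed by Get-ProcessMitigation -System on 1709+; here we only record
    # whether that cmdlet is present, so the report stays honest on older builds.
    $exploitGuardCmdlet = [bool](Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SecureBootEnabled       = $secureBoot
        VbsRunning              = $vbsRunning
        CredentialGuardRunning  = $credGuard
        HvciRunning             = $hvci
        WdacKernelEnforcement   = $wdacKernel
        WdacUserModeEnforcement = $wdacUser
        ControlledFolderAccess  = $cfa
        AsrRulesConfigured      = $asrRules.Count
        AsrRulesBlocking        = @($asrRules | Where-Object Action -eq 1).Count
        ExploitGuardAvailable   = $exploitGuardCmdlet
    }
}

# Usage: run on one host, or wrap in Invoke-Command for a fleet-wide report.
Get-ClientHardeningPosture | Format-List
```

      A value of 0 for CFA, an empty ASR list, or VbsRunning set to false on hardware that supports it is the kind of gap the post above is pointing at: the AV engine may be running while the features that actually stop fileless and credential-theft techniques are still off.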



    • Stephen Hogan
      Iron Contributor

      With regards to WDSC, is there any info from Microsoft about trialling this?

      • Amitai Rottem
        Microsoft

        Windows Defender Security Center (WDSC) is built in to Windows 10 1703, no need to buy (or try :-) )

    • Stephen Hogan
      Iron Contributor

      A word of caution:

      In my previous employment, we used Symantec Endpoint Protection .cloud, and in my current employment, we use Sophos Central, which is also a cloud security product.

      In both institutions, I have seen examples in Windows 7 and Windows 10 environments where, even after installing these security suites, Windows Defender was not disabled outright.

      I would definitely perform a check after installing any security suite to ensure Windows Defender is definitely disabled.
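      The check described above, as an added example that is not part of this thread and not Microsoft's or any vendor's code: the function reads the Defender AV service and real-time state, the policy value that the documented "Turn off Windows Defender Antivirus" GPO writes, and every antivirus product registered with Security Center, then flags the case where Defender and a third-party engine both report real-time protection on. It assumes a Windows 10 client SKU (the root\SecurityCenter2 namespace is not present on Server), and the productState decoding is the widely used community interpretation of that bitfield rather than a documented API; the function name is ours.

```powershell
# Added example (not from the thread): confirm that Defender AV actually
# stepped aside after a third-party suite was installed.
# Assumptions: Windows 10 client SKU; function name Test-AntivirusHandoff is ours;
# productState decoding below is the common community interpretation, not documented.

function Test-AntivirusHandoff {
    [CmdletBinding()]
    param()

    # 1. Defender AV service and engine state. Get-MpComputerStatus can fail
    #    outright when the engine is fully passive, so a failure counts as "off".
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $defenderRtp = $false
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $defenderRtp = [bool]$mp.RealTimeProtectionEnabled
    } catch { }

    # 2. The documented GPO "Turn off Windows Defender Antivirus" writes this
    #    policy value; reading it back shows whether the GPO reached the host.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                               -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $policyOff = [bool]($policy -and $policy.DisableAntiSpyware -eq 1)

    # 3. Every AV product registered with Security Center. productState is a
    #    bitfield; formatted as six hex digits, the middle byte 10/11 is taken
    #    to mean real-time protection on, and the low byte 00 means up to date.
    $products = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Name     = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        })

    # Anything enabled that is not Defender itself (display name is
    # "Windows Defender" on 1703, "Microsoft Defender Antivirus" later).
    $thirdPartyActive = @($products | Where-Object {
        $_.Enabled -and $_.Name -notmatch 'Defender' }).Count -gt 0

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        DefenderServiceStatus    = if ($svc) { "$($svc.Status)" } else { 'not installed' }
        DefenderRealTimeOn       = $defenderRtp
        DefenderDisabledByPolicy = $policyOff
        RegisteredProducts       = $products
        ThirdPartyAvActive       = $thirdPartyActive
        # Two engines scanning in real time at once is the state to correct.
        Conflict                 = ($defenderRtp -and $thirdPartyActive)
    }
}

# Usage: run after the suite's first successful update; Conflict should be $false
# and RegisteredProducts should show exactly one enabled third-party entry.
Test-AntivirusHandoff | Format-List
```

      RegisteredProducts is kept as a list on purpose: a stale entry for an uninstalled product with Enabled set to false is harmless, but a second entry with Enabled set to true alongside Defender is the "battling it out" symptom the original poster saw in the tray.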

    • Dan Van Drunen
      Brass Contributor

      Thanks for your detailed response Amitai!

      So just to confirm, with SEP installed, and leaving WDSC enabled, there are no negative side effects? At first glance it looked like Windows Defender and SEP were battling it out for supremacy.

      Thanks for your quick response.

    • Stephen Hogan
      Iron Contributor

      If we are anything to go by, we have a mix of Win 7, 8.1, 10 clients, and 2012R2 and 2008R2 servers.

      We have disabled Windows Defender at GPO level for ALL devices, no exceptions.

      We have disabled downloading Windows Defender updates in WSUS.

      However, we continue to install MRT/MSRT through Windows Updates each month.

      We use Sophos Central Endpoint (with 'Intercept-X' for ransomware detection and elimination).

      This has been the setup for the past 3 months.

      Client base is approx. 60 nodes - no issues so far.


      • Dan Van Drunen
        Brass Contributor

        Let's not confuse Windows Defender and Windows Defender Security Center.

        This question is specific to the new Security Center included in 1703.
