Shutdown Defender for Endpoint on Server Quickly


My customer just asked a really good question that I don't know the answer to.  They have Defender for Endpoint managed by MECM (a.k.a. SCCM) on Windows Server 2012 R2, 2016 and 2019.  They have just asked me, if we think there is an issue with DfE blocking a server application, how do we stop DfE quickly to determine if it is the issue.

First thought use the security interface to stop DfE

  • 2012 R2 - No user interface
  • 2016 - No option to stop the service
  • 2019 - Option to turn off real time scanning, but it's blocked.

Second idea, stop the service

  • 2012 R2 - Service is blocked from stopping it.
  • 2016 - Stopping the service isn't blocked
  • 2019 - Service is blocked from stopping it.

The customer used a local group policy to block Defender, but there should be a better way to do this.  The only other thing I've thought of is to remove the computer from the collection that DfE is targeted to in MECM and then update the policy.  But I'm not sure how quickly this would work and what the side effects would be.


Does anyone else have any ideas?

8 Replies

I ran a few tests:


  1. Remove computers from the DfE collection.  Results, I can see the policy get evaluated, but nothing happens. I waited 15 minutes and no change.  Which begs the question, how do I remove DfE after it's been deployed.
  2. Changed the Antimalware Policy for the server's Real-Time protection to Allow users on client computers to configure Real-time protection.  This allowed me to turn off Real-Time from the Security settings on 2016 and 2019, which should be the thing that would most likely cause the server problems.  However, on WS 2012 R2 this is ineffective because of no interface.

So I have a partial solution for 2016 and 2019, and nothing for 2012 R2.  I considered the PowerShell command, but my understanding is that it doesn't work on 2012 R2.


Update, the command I was talking about is MPCmdRun.exe.

Thanks mas18, that's interesting, but unfortunately mostly useless. It doesn't work on WS 2012 R2 or 2016, which is the bulk of the installation. Also, waiting 15 minutes to connect is a problem for the customer. These servers in many cases control production equipment.

If you are using the unified onboarding method then the Defender command line interface is available for Windows 2012 R2. You can use most of the Defender commands to modify the Defender settings. Set-MpPreference can help with that. https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-...

Hi Bob_Panick,


This is a question I get from time to time when changes have been made to Dfe and afterward there seem to be problems with a software application. Most times, these problems are related to the ASR rules Controlled Folder Access and/or Block executable files from running unless they meet a prevalence, age, or trusted list criteria.


What I can share with you is the way I work with such questions:


  1. Check if any events are visible in the Windows Defender Event Viewer on the device related to the application. To access it, open Windows Event Viewer, and browse to Applications and Services Logs > Microsoft > Windows > Windows Defender
  2. Also through 'Advanced Hunting' queries from the Microsoft Defender Portal I check whether there are events related to the specified application.
  3. Checking of the Microsoft Defender Antimalware Protection Logs. (see for the steps: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?vie...)


If none of the above steps gives me anything, then most likely your problem is not related to Dfe. Because, if Dfe is actively blocking an application or action, it has a reason for that and it will likely be logged in the event viewer logs.


If a customer wants to make sure that Windows Defender is disabled for testing purposes, then I place the specified device in a separate group in the Azure AD and exclude this group from the specified policies (In MEM). After 2 hours of testing, you should know if Dfe is the problem or not.


In your case, if you are managing the policies through GPO, exclude your server from those policies and add the server to a temporary GPO with the Windows Defender disabled policy in it. After a gpupdate /force you can run rsop.msc to confirm that the right GPO is applied and Windows Defender is disabled. After 2 hours of testing, you should know if Dfe is the problem or not.


I hope this will help you in your troubleshooting process.


With Regards,

Martien van Dijk
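As an added example (not code from any post in this thread), here is a PowerShell script that carries out Martien's first step on Windows Server 2016/2019: it pulls events from the Defender Operational log that mention the application under test, labels the documented event IDs, and prints the current protection state so you can tell whether real-time protection, ASR or Controlled Folder Access is actually active. The application name and look-back window are placeholders to fill in; on 2012 R2 running SCEP this log does not exist.

```powershell
# Added example (not from the thread): list Defender Operational log events that mention
# a given application and show the current protection state. Assumes a Windows host with
# the Defender PowerShell module; $AppName and $LookBackHours are placeholders.
param(
    [string]$AppName = 'MyServerApp.exe',   # placeholder: name or path fragment of the app under test
    [int]$LookBackHours = 24
)

# Event IDs documented for the Microsoft-Windows-Windows Defender/Operational log
$EventMeaning = @{
    1116 = 'Malware detected'
    1117 = 'Action taken on detected item'
    1121 = 'ASR rule blocked (block mode)'
    1122 = 'ASR rule would have blocked (audit mode)'
    1123 = 'Controlled folder access blocked'
    1124 = 'Controlled folder access would have blocked (audit mode)'
    5007 = 'Defender configuration changed'
}

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    StartTime = (Get-Date).AddHours(-$LookBackHours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches the filter
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Keep events that name the application, plus configuration changes (5007), which
# explain why behaviour changed even when the application itself is not mentioned.
$hits = $events | Where-Object {
    $_.Message -like "*$AppName*" -or $_.Id -eq 5007
} | Select-Object TimeCreated, Id,
    @{ n = 'Meaning'; e = { if ($EventMeaning.ContainsKey($_.Id)) { $EventMeaning[$_.Id] } else { 'Other' } } },
    @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No Defender events mentioning '$AppName' in the last $LookBackHours hours."
}

# Current protection state: confirms whether real-time protection and the
# behaviour-monitoring / ASR / Controlled Folder Access features are active here.
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled,
    BehaviorMonitorEnabled, IoavProtectionEnabled, AntivirusSignatureLastUpdated
Get-MpPreference | Select-Object DisableRealtimeMonitoring, EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

If the ASR rule IDs listed by Get-MpPreference have a matching action of 1 (block) and the log shows 1121/1123 events naming the application, that is the exclusion or rule to adjust rather than the whole service.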


I'll admit checking the Defender console didn't even occur to me, thank you for that suggestion.

On Windows Server 2012 R2 you don't have the Defender event log entries since it's using SCEP. But that's a nice idea on 2016+.

DfE in this case is managed by MECM (a.k.a. SCCM), so excluding them in Azure AD isn't possible I don't believe. Removing them from the MECM collection didn't have any effect on turning off DfE.

@Bob_Panick, if using MEMCM (SCCM), you could create a new group policy that sets "Real-time protection" to disabled, to which you could then add the 'device collection' where the Windows Servers are. Make sure to force a machine policy refresh; that would take MDAV and SCEP out of the picture.