Forum Discussion
Shutdown Defender for Endpoint on Server Quickly
Hi Bob_Panick,
This is a question I get from time to time when changes have been made to Dfe and afterward there seem to be problems with a software application. Most times, these problems are related to the ASR rules Controlled Folder Access and/or Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
What I can share with you is the way I work with such questions:
- Check if any events are visible in the Windows Defender Event Viewer on the device related to the application. To access it, open Windows Event Viewer and browse to Applications and Services Logs > Microsoft > Windows > Windows Defender.
- Also, using 'Advanced Hunting' queries in the Microsoft Defender Portal, I check whether there are events related to the specified application.
- Check the Microsoft Defender Antimalware Protection Logs (see the steps at: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide).
If none of the above steps gives me anything, then most likely your problem is not related to Dfe, because if Dfe is actively blocking an application or action, it has a reason for that and it will likely be logged in the event viewer logs.
If a customer wants to make sure that Windows Defender is disabled for testing purposes, then I place the specified device in a separate group in Azure AD and exclude this group from the specified policies (in MEM). After 2 hours of testing, you should know if Dfe is the problem or not.
In your case, if you are managing the policies through GPO, exclude your server from those policies and add the server to a temporary GPO with a 'Windows Defender disabled' policy in it. After a gpupdate /force you can run rsop.msc to confirm that the right GPO is applied and Windows Defender is disabled. After 2 hours of testing, you should know if Dfe is the problem or not.
I hope this will help you in your troubleshooting process.
With Regards,
Martien van Dijk
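As an added example (not part of the original thread or any Microsoft script), the PowerShell below follows the first and last steps of the procedure above on a single server: it pulls the Defender ASR, Controlled Folder Access and detection events from the Windows Defender operational log that mention the application being troubleshot, then reports the current protection state so you can confirm, after gpupdate /force, that a temporary "Defender disabled" GPO really took effect before starting the test window. It assumes Windows Server 2016 or later with the Defender PowerShell module (the log does not exist on 2012 R2 with SCEP), an elevated prompt, and a hypothetical application name passed as $ProcessName. The event IDs are the documented Defender operational log IDs; the -Hours window is an assumed default.

```powershell
<#
  Added example, not from the thread. Lists Defender ASR / CFA / detection
  events that reference an application, then shows the current protection
  state. Assumes Server 2016+ and an elevated PowerShell prompt.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName,   # e.g. 'MyLineOfBusinessApp.exe' (hypothetical name)
    [int]$Hours = 24        # how far back to search (assumed default)
)

# Defender operational log event IDs (documented by Microsoft):
#   1121 ASR rule blocked                  1122 ASR rule hit in audit mode
#   1123 Controlled Folder Access blocked  1124 CFA hit in audit mode
#   1116 threat detected                   1117 action taken on threat
$eventIds = 1121, 1122, 1123, 1124, 1116, 1117
$logName  = 'Microsoft-Windows-Windows Defender/Operational'

$filter = @{
    LogName   = $logName
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-$Hours)
}
# Get-WinEvent errors when nothing matches; treat that as "no events"
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Keep only events whose message mentions the application under test
$hits = @($events | Where-Object { $_.Message -like "*$ProcessName*" })

Write-Host ("Defender events in last {0}h: {1} total, {2} mentioning '{3}'" -f
    $Hours, $events.Count, $hits.Count, $ProcessName)

$hits | Select-Object TimeCreated, Id,
    @{ Name = 'Type'; Expression = {
        switch ($_.Id) {
            1121 { 'ASR block' }
            1122 { 'ASR audit' }
            1123 { 'CFA block' }
            1124 { 'CFA audit' }
            default { 'Detection' }
        } } },
    @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Current protection state: run this after gpupdate /force to confirm the
# temporary "Defender disabled" GPO applied before starting the 2-hour test.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    ControlledFolderAccess    = $pref.EnableControlledFolderAccess  # 0 off, 1 block, 2 audit
    AsrRulesConfigured        = @($pref.AttackSurfaceReductionRules_Ids).Count
    AsrOnlyExclusions         = ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')
} | Format-List
```

If the first table shows an ASR block (1121) or CFA block (1123) naming the application, the log entry already tells you which rule fired, and a narrower fix than disabling Defender for the test is to add the application path to the ASR-only exclusions (Add-MpPreference -AttackSurfaceReductionOnlyExclusions); that is a general Defender option, not something the thread itself recommends. If the second listing still shows RealTimeProtectionEnabled as True after gpupdate /force, the temporary GPO has not applied and the 2-hour test would not be meaningful yet.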
On Windows Server 2012 R2 you don't have the Defender event log entries since it's using SCEP. But that's a nice idea on 2016+.
DfE in this case is managed by MECM (a.k.a. SCCM), so excluding them in Azure AD isn't possible I don't believe. Removing them from the MECM collection didn't have any effect on turning off DfE.
yongrheemsft (Microsoft), Jul 20, 2022:
Bob_Panick, if using MEMCM (SCCM), you could create a new group policy that sets "Real-time protection" to disabled, to which you could then add the 'device collection' where the Windows Servers are. Make sure to force a machine policy refresh; that would take MDAV and SCEP out of the picture.