Bob_Panick
Brass Contributor
Joined Dec 19, 2018
Recent Discussions
Re: Shutdown Defender for Endpoint on Server Quickly
I'll admit checking the Defender console didn't even occur to me, thank you for that suggestion. On Windows Server 2012 R2 you don't have the Defender event log entries since it's using SCEP. But that's a nice idea on 2016+. DfE in this case is managed by MECM (a.k.a. SCCM), so excluding them in Azure AD isn't possible, I don't believe. Removing them from the MECM collection didn't have any effect on turning off DfE.
5.8K Views, 0 likes, 1 Comment

Re: Shutdown Defender for Endpoint on Server Quickly
Thanks mas18, that's interesting, but unfortunately mostly useless. It doesn't work on WS 2012 R2 or 2016, which is the bulk of the installation. Also, waiting 15 minutes to connect is a problem for the customer. These servers in many cases control production equipment.
5.8K Views, 0 likes, 0 Comments

Re: Shutdown Defender for Endpoint on Server Quickly
I ran a few tests:

Remove computers from the DfE collection. Results: I can see the policy get evaluated, but nothing happens. I waited 15 minutes and no change. Which begs the question, how do I remove DfE after it's been deployed?

Changed the Antimalware Policy for the server's Real-Time protection to "Allow users on client computers to configure Real-time protection". This allowed me to turn off Real-Time from the Security settings on 2016 and 2019, which should be the thing that would most likely cause the server problems. However, on WS 2012 R2 this is ineffective because of no interface.

So I have a partial solution for 2016 and 2019, and nothing for 2012 R2. I considered the PowerShell command, but my understanding is that it doesn't work on 2012 R2.
5.8K Views, 0 likes, 2 Comments

Shutdown Defender for Endpoint on Server Quickly
My customer just asked a really good question that I don't know the answer to. They have Defender for Endpoint managed by MECM (a.k.a. SCCM) on Windows Server 2012 R2, 2016 and 2019. They have just asked me, if we think there is an issue with DfE blocking a server application, how do we stop DfE quickly to determine if it is the issue?

First thought: use the security interface to stop DfE
2012 R2 - No user interface
2016 - No option to stop the service
2019 - Option to turn off real time scanning, but it's blocked.

Second idea: stop the service
2012 R2 - Service is blocked from stopping it.
2016 - Stopping the service isn't blocked
2019 - Service is blocked from stopping it.

The customer used a local group policy to block Defender, but there should be a better way to do this. The only other thing I've thought of is to remove the computer from the collection that DfE is targeted to in MECM and then update the policy. But I'm not sure how quickly this would work and what the side effects would be. Does anyone else have any ideas?
6.5K Views, 0 likes, 8 Comments