Windows Defender AV always Active Mode Server 2016

%3CLINGO-SUB%20id%3D%22lingo-sub-165652%22%20slang%3D%22en-US%22%3EWindows%20Defender%20AV%20always%20Active%20Mode%20Server%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-165652%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20I%20know%20this%20is%20the%20Windows%2010%20security%20community%2C%20but%20couldn't%20spot%20a%20relevant%20Server%202016%20community%2C%20and%20this%20is%20specifically%20Defender%20AV%20and%20Defender%20ATP%20related.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEssentially%20i%20would%20like%20to%20understand%20how%20the%20decision%2C%20as%20outlined%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fwindows-defender-antivirus-compatibility%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fwindows-defender-antivirus-compatibility%3C%2FA%3E%3C%2FP%3E%0A%3CP%3Ethat%20Defender%20AV%20will%20remain%20in%20Active%20mode%20on%20Server%202016%2C%20even%20if%20enrolled%20in%20ATP%2C%20and%20that%20if%20third%20party%20AV%20is%20installed%20you%20should%20completely%20remove%20Defender%20AV%2C%20was%20made%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20seems%20to%20be%20counter-intuitive%2C%20completely%20against%20the%20point%20of%20Defender%20ATP%20and%20the%20entire%20point%20of%20the%20platform%2C%20especially%20where%20Servers%20are%20concerned%2C%20unless%20i'm%20really%20missing%20something%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHaving%20Defender%20AV%20in%20either%20passive%20mode%20or%20active%20disabled%20mode%20on%20Servers%20with%20third%20party%20AV%20makes%20complete%20sense%2C%20if%20the%20third%20party%20AV%20is%20unable%20to%20perform%20its%20function%2C%20Defender%20AV%20steps%20in%2C%20if%20ATP%20requires%20protection%20intervention%20on%20the%20Server%2C%20Defender%20AV%20steps%20in.%20This%20approach%20loses%20all%20that%20functionality%2C%20with%2C%20as%20afar%20as%20i%20can%20tell%2C%20absolutely%20no%20benefits.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebeyond%20this%20insanity%20above%2C%20it%20also%20turns%20out%20that%20you%20cannot%20get%20the%20WindowsUpdateLog%20without%20Defender%20AV%20feature%20installed%20(yes%20you%20can%20copy%20the%20dll%20over%20but%20come%20on%2C%20seriously%3F!)%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBeyond%20blinkered%20%22MS%20AV%20is%20rubbish%22%20rhetoric%20which%20just%20shows%20an%20inability%20to%20understand%20the%20current%20protection%20environment%2C%20there%20is%20no%20good%20reason%20to%20not%20have%20Defender%20installed%20on%20Windows%2010%20or%20Windows%20Server%202016%2C%20the%20current%20advice%20and%20behaviour%20of%20the%20AV%20client%20only%20helps%20to%20drive%20ignorance%20and%20potentially%20expose%20systems%20to%20more%20risk%2C%20along%20with%20reducing%20the%20functionality%20and%20value%20of%20Defender%20ATP.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20raised%20a%20uservoice%20request%20to%20change%20this%20behaviour%20for%20anyone%20that%20agrees%20this%20is%20nuts%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwindowsserver.uservoice.com%2Fforums%2F295065-security-and-assurance%2Fsuggestions%2F33464311-defender-av-should-be-in-passive-mode-when-enrolle%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwindowsserver.uservoice.com%2Fforums%2F295065-security-and-assurance%2Fsuggestions%2F33464311-defender-av-should-be-in-passive-mode-when-enrolle%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167146%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20AV%20always%20Active%20Mode%20Server%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167146%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20just%20speculation%2C%20but%20the%20reason%20for%20this%20is%20likely%20because%20of%20the%20way%20WDATP%20is%20integrated%20in%20Windows%2010%20compared%20to%20Servers.%3C%2FP%3E%0A%3CP%3EIn%20Windows%2010%2C%20WDATP%20is%20built-in%20to%20the%20operating%20system%20while%20in%20Windows%20Server%20they've%20patched%20the%20AV%20agent%20to%20provide%20the%20functionality%20for%20WDATP.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKarim%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi, I know this is the Windows 10 security community, but couldn't spot a relevant Server 2016 community, and this is specifically Defender AV and Defender ATP related.

 

Essentially i would like to understand how the decision, as outlined here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windo...

that Defender AV will remain in Active mode on Server 2016, even if enrolled in ATP, and that if third party AV is installed you should completely remove Defender AV, was made?

 

This seems to be counter-intuitive, completely against the point of Defender ATP and the entire point of the platform, especially where Servers are concerned, unless i'm really missing something?

 

Having Defender AV in either passive mode or active disabled mode on Servers with third party AV makes complete sense, if the third party AV is unable to perform its function, Defender AV steps in, if ATP requires protection intervention on the Server, Defender AV steps in. This approach loses all that functionality, with, as afar as i can tell, absolutely no benefits.

 

beyond this insanity above, it also turns out that you cannot get the WindowsUpdateLog without Defender AV feature installed (yes you can copy the dll over but come on, seriously?!) 

 

Beyond blinkered "MS AV is rubbish" rhetoric which just shows an inability to understand the current protection environment, there is no good reason to not have Defender installed on Windows 10 or Windows Server 2016, the current advice and behaviour of the AV client only helps to drive ignorance and potentially expose systems to more risk, along with reducing the functionality and value of Defender ATP.

 

I have raised a uservoice request to change this behaviour for anyone that agrees this is nuts: https://windowsserver.uservoice.com/forums/295065-security-and-assurance/suggestions/33464311-defend...

1 Reply

This is just speculation, but the reason for this is likely because of the way WDATP is integrated in Windows 10 compared to Servers.

In Windows 10, WDATP is built-in to the operating system while in Windows Server they've patched the AV agent to provide the functionality for WDATP. 

 

Karim