If we are anything to go by, we have a mix of Win 7, 8.1, 10 clients, and 2012R2 and 2008R2 servers.

We have disabled Windows Defender at GPO level for ALL devices, no exceptions.

We have disabled downloading Windows Defender updates in WSUS.

However, we continue to install MRT/MSRT through Windows Updates each month.

We use Sophos Central Endpoint (with 'Intercept-X' for ransomware detection and elimination).

This has been the set up for the past 3 months.

Client base is approx 60 nodes - no issues so far.

Let's not confuse Windows Defender, and Windows Defender Security Center.

This question is specific to the new Security Center included in 1703.

Thanks for your detailed response Amitai!

So just to confirm, with SEP installed, and leaving WDSC enabled, there are no negative side effects? At first glance it looked like Windows Defender and SEP were battling it out for supremacy.

Thanks for your quick response.

A word of caution:

In my previous employment, we used Symantec Endpoint Protection .cloud, and in my current employment, we use Sophos Central, which is also a cloud security product.

In both institutions, I have seen examples where for Windows 7 and Windows 10 environments, that there are occasions where even by installing these security suites, they do not disable Windows Defender outright.

I would definitely perform a check after installing any security suite to ensure Windows Defender is definitely disabled.

Absolutely - they are different features. Please note that disabling the Windows Security Center service via regkey edits will *not* disable Windows Defender AV or the Windows Defender Security Center. The Windows Defender Security Center just presents a number of security features in a single place - disabling any one of those features individually will not disable the Windows Defender Security Center. You cannot disable the Windows Defender Security Center.

See this doc page for more info about how the Windows Defender Security Center works: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-security-center/windows-...

And this gives an overview of how to use Windows Defender Security Center to configure Windows Defender AV (directly on individual endpoints): https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defend...

Windows Defender Security Center (WDSC) is built-in to Windows 10 1703, no need to buy (or try :) )

No doubt so that Microsoft can ensure their crap Windows Defender will run no matter what AV software you have installed.  I just got the 1709 version today and now I have yet another two icons for Windows services that I'll never use. I don't need Windows Defender at all and now I can't even opt out of it.

Just a question because I'm interrested:

What's the reason for the choice of 3rd party AV?

Customers I get in to contact with to discuss client security usually provide the answer "we've always done that".

Could be other reasons like our sourcing partner require us to use that etc.

I'm not in the discussion to argue about different solutions, I'm just interrested in the reasons.

AV/antimalware is just a small piece of the client security and I would say it's almost dead. You need it, but it won't protect you that much.

A common way of attacks today are fileless attacks and most AV solutions can't detect that so there are other configurations to be done besides installing an AV.

I usually recommend customers to go for what's included and configure the other security features in the operatingsystem like UEFI + Secure boot, application Control, CFA, credential guard, ASR, Exploit guard etc.