SOLVED

Disabling Windows Defender Security Center in Enterprise (1703)

Brass Contributor

Question around the Windows Defender Security Center in Enterprise (1703)

 

We have Symantec Endpoint Protection (14 MP1) in our environment, and after upgrading to 1703 it seems the Security Center is starting and enabled (appears in system tray). I created a registry DWORD via GPO preferences to prevent it from starting up, and have also Disabled Defender via GPO. This seems to work nicely.

 

We all know, that having multiple malware/anti-virus solutions running simultaneously is not a good thing. I would like to know what the implications of disabling Defender are, and also if my approach is best practice?

 

17 Replies

We are in the exact scenario. I'm anxious to hear the answer!

If we are anything to go by, we have a mix of Win 7, 8.1, 10 clients, and 2012R2 and 2008R2 servers.

 

We have disabled Windows Defender at GPO level for ALL devices, no exceptions.

 

We have disabled downloading Windows Defender updates in WSUS.

 

However, we continue to install MRT/MSRT through Windows Updates each month.

 

We use Sophos Central Endpoint (with 'Intercept-X' for ransomware detection and elimination).

 

This has been the set up for the past 3 months.

 

Client base is approx 60 nodes - no issues so far.

 

 

To add, this article may be of interest:

Windows 10 Build 14352 lets Windows Insiders run two antivirus programs on their PC http://www.pcworld.com/article/3075857/windows/windows-10-build-14352-lets-windows-insiders-run-two-...

Let's not confuse Windows Defender, and Windows Defender Security Center.

 

This question is specific to the new Security Center included in 1703.

best response confirmed by Dan Van Drunen (Brass Contributor)
Solution

Hi,

 

A few answers 🙂

Let's start with - we do NOT support any manual changes to the registry, so those changes are not documented and not supported. 

 

The GPO setting you set is supported, but all that does is disable Windows Defender antivirus, which would have already been disabled as you are using Symanten Endpoint Protection. Windows 10 only allows you to run 1 antivirus in real time protection at a time.

 

We know it's a bit complicated, and we are working in the Fall's Creators Update to make it better - but there are actually two things you see:

1. Windows Defender Security Center (WDSC) which has an overview of a lot of built-in Windows safety features (AV, Firewall, Device performance). So it's relevant even if you use SEP for AV. We currently do not support disabling this UI, but we have heard this feedback and are working on this (though no commitment/timeframe).

 

2. Windows Defender Antivirus. What you knew before simply as "Windows Defender". That, you can disable via GPO ( You can read more: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/prevent-end-us... )

 

Hope that helps,

Amitai

Not exactly. That is a consumer feature (not relevant for most businesses) that runs Windows Defender Antivirus periodically in the background to find prevalent issues. This is not running two antiviruses at the same time as real time protection.
BTW - that was already released in official Windows release, no need for Insider build 🙂

Thanks for your detailed response Amitai!

 

So just to confirm, with SEP installed, and leaving WDSC enabled, there are no negative side effects? At first glance it looked like Windows Defender and SEP were battling it out for supremacy.

 

Thanks for your quick response.

A word of caution:

 

In my previous employment, we used Symantec Endpoint Protection .cloud, and in my current employment, we use Sophos Central, which is also a cloud security product.

 

In both institutions, I have seen examples where for Windows 7 and Windows 10 environments, that there are occasions where even by installing these security suites, they do not disable Windows Defender outright.

 

I would definitely perform a check after installing any security suite to ensure Windows Defender is definitely disabled.

Absolutely - they are different features. Please note that disabling the Windows Security Center service via regkey edits will *not* disable Windows Defender AV or the Windows Defender Security Center. The Windows Defender Security Center just presents a number of security features in a single place - disabling any one of those features individually will not disable the Windows Defender Security Center. You cannot disable the Windows Defender Security Center.

 

See this doc page for more info about how the Windows Defender Security Center works: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-security-center/windows-...

 

And this gives an overview of how to use Windows Defender Security Center to configure Windows Defender AV (directly on individual endpoints): https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defend...

Are you confusing this with the Malicious Software Removal Tool, MSRT a.k.a. mrt.exe, at Windows Update time?
With regards to WDSC, is there any info from Microsoft about trialling this?
Thanks for those references Iaan.

Windows Defender Security Center (WDSC) is built-in to Windows 10 1703, no need to buy (or try 🙂 )

 

Stephen - MSRT is something totally different than what we've been discussing. Happy to answer any questions regarding it though. Open a new thread so we don't spam here.

No doubt so that Microsoft can ensure their crap Windows Defender will run no matter what AV software you have installed.  I just got the 1709 version today and now I have yet another two icons for Windows services that I'll never use. I don't need Windows Defender at all and now I can't even opt out of it.


So, what registry changes will prevent this nuisance icon from appearing?

Just a question because I'm interrested:

What's the reason for the choice of 3rd party AV?

Customers I get in to contact with to discuss client security usually provide the answer "we've always done that".

Could be other reasons like our sourcing partner require us to use that etc.

 

I'm not in the discussion to argue about different solutions, I'm just interrested in the reasons.

 

 

AV/antimalware is just a small piece of the client security and I would say it's almost dead. You need it, but it won't protect you that much.

 

A common way of attacks today are fileless attacks and most AV solutions can't detect that so there are other configurations to be done besides installing an AV.

 

I usually recommend customers to go for what's included and configure the other security features in the operatingsystem like UEFI + Secure boot, application Control, CFA, credential guard, ASR, Exploit guard etc.

 

 

 

 

 

1 best response

Accepted Solutions
best response confirmed by Dan Van Drunen (Brass Contributor)
Solution

Hi,

 

A few answers 🙂

Let's start with - we do NOT support any manual changes to the registry, so those changes are not documented and not supported. 

 

The GPO setting you set is supported, but all that does is disable Windows Defender antivirus, which would have already been disabled as you are using Symanten Endpoint Protection. Windows 10 only allows you to run 1 antivirus in real time protection at a time.

 

We know it's a bit complicated, and we are working in the Fall's Creators Update to make it better - but there are actually two things you see:

1. Windows Defender Security Center (WDSC) which has an overview of a lot of built-in Windows safety features (AV, Firewall, Device performance). So it's relevant even if you use SEP for AV. We currently do not support disabling this UI, but we have heard this feedback and are working on this (though no commitment/timeframe).

 

2. Windows Defender Antivirus. What you knew before simply as "Windows Defender". That, you can disable via GPO ( You can read more: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/prevent-end-us... )

 

Hope that helps,

Amitai

View solution in original post