Jun 21 2017 08:15 AM
Question around the Windows Defender Security Center in Enterprise (1703)
We have Symantec Endpoint Protection (14 MP1) in our environment, and after upgrading to 1703 it seems the Security Center is starting and enabled (appears in system tray). I created a registry DWORD via GPO preferences to prevent it from starting up, and have also Disabled Defender via GPO. This seems to work nicely.
We all know that having multiple malware/anti-virus solutions running simultaneously is not a good thing. I would like to know what the implications of disabling Defender are, and also if my approach is best practice?
Jun 21 2017 08:22 AM
If we are anything to go by, we have a mix of Win 7, 8.1, 10 clients, and 2012R2 and 2008R2 servers.
We have disabled Windows Defender at GPO level for ALL devices, no exceptions.
We have disabled downloading Windows Defender updates in WSUS.
However, we continue to install MRT/MSRT through Windows Updates each month.
We use Sophos Central Endpoint (with 'Intercept-X' for ransomware detection and elimination).
This has been the set up for the past 3 months.
Client base is approx 60 nodes - no issues so far.
Jun 21 2017 08:23 AM
Jun 21 2017 08:27 AM
Let's not confuse Windows Defender, and Windows Defender Security Center.
This question is specific to the new Security Center included in 1703.
Jun 21 2017 08:27 AM - Solution
A few answers :)
Let's start with - we do NOT support any manual changes to the registry, so those changes are not documented and not supported.
The GPO setting you set is supported, but all that does is disable Windows Defender antivirus, which would have already been disabled as you are using Symantec Endpoint Protection. Windows 10 only allows you to run 1 antivirus with real-time protection at a time.
We know it's a bit complicated, and we are working in the Fall Creators Update to make it better - but there are actually two things you see:
1. Windows Defender Security Center (WDSC) which has an overview of a lot of built-in Windows safety features (AV, Firewall, Device performance). So it's relevant even if you use SEP for AV. We currently do not support disabling this UI, but we have heard this feedback and are working on this (though no commitment/timeframe).
2. Windows Defender Antivirus. What you knew before simply as "Windows Defender". That, you can disable via GPO ( You can read more: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/prevent-end-us... )
Hope that helps,
Jun 21 2017 08:30 AM
Jun 21 2017 08:31 AM
Thanks for your detailed response Amitai!
So just to confirm, with SEP installed, and leaving WDSC enabled, there are no negative side effects? At first glance it looked like Windows Defender and SEP were battling it out for supremacy.
Thanks for your quick response.
Jun 21 2017 08:33 AM
A word of caution:
In my previous employment, we used Symantec Endpoint Protection .cloud, and in my current employment, we use Sophos Central, which is also a cloud security product.
In both institutions, I have seen examples in Windows 7 and Windows 10 environments where, even after installing these security suites, they do not disable Windows Defender outright.
I would definitely perform a check after installing any security suite to ensure Windows Defender is definitely disabled.
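One way to do that check from PowerShell, as an added example that is not from the thread or from any of the vendors mentioned. It assumes Windows 10 with the built-in Defender module and an elevated session; the decoding of the undocumented productState field is the commonly used one and is an assumption.

```powershell
# Added example (not from the thread): verify that Windows Defender AV is actually
# inactive after a third-party AV suite (e.g. SEP or Sophos) has been installed.
# Assumes Windows 10 with the built-in Defender PowerShell module and an elevated shell.

function Get-AvCoexistenceReport {
    $report = [ordered]@{}

    # 1. Products registered with Security Center (the same data WDSC presents).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    $report.RegisteredProducts = foreach ($p in $products) {
        # productState is undocumented; the widely used decoding (assumption) is:
        # middle byte 0x10/0x11 = real-time protection enabled, low byte 0x00 = definitions up to date.
        $hex = '{0:x6}' -f [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = $hex.Substring(2, 2) -in '10', '11'
            UpToDate = $hex.Substring(4, 2) -eq '00'
        }
    }

    # 2. Defender AV's own view of itself.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $report.DefenderAntivirusEnabled = $mp.AntivirusEnabled
        $report.DefenderRealTimeEnabled  = $mp.RealTimeProtectionEnabled
        # AMRunningMode only exists on newer builds; it reads "Passive Mode" when a 3rd-party AV owns real-time protection.
        if ($mp.PSObject.Properties['AMRunningMode']) { $report.DefenderRunningMode = $mp.AMRunningMode }
    }

    # 3. Service state and the policy value written by the "Turn off Windows Defender Antivirus" GPO setting (read-only).
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report.WinDefendService = if ($svc) { $svc.Status.ToString() } else { 'not present' }
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $report.PolicyDisableAntiSpyware = if ($pol) { [bool]$pol.DisableAntiSpyware } else { $false }

    # The situation the thread describes: more than one product claiming real-time protection at once.
    $activeCount = @($report.RegisteredProducts | Where-Object Enabled).Count
    $report.MultipleActiveAv = $activeCount -gt 1
    return [pscustomobject]$report
}

Get-AvCoexistenceReport | Format-List
```

MultipleActiveAv being $true, or DefenderRealTimeEnabled being $true alongside an enabled third-party product, is the condition worth investigating before relying on the third-party suite alone.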
Jun 21 2017 08:34 AM
Absolutely - they are different features. Please note that disabling the Windows Security Center service via regkey edits will *not* disable Windows Defender AV or the Windows Defender Security Center. The Windows Defender Security Center just presents a number of security features in a single place - disabling any one of those features individually will not disable the Windows Defender Security Center. You cannot disable the Windows Defender Security Center.
See this doc page for more info about how the Windows Defender Security Center works: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-security-center/windows-...
And this gives an overview of how to use Windows Defender Security Center to configure Windows Defender AV (directly on individual endpoints): https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defend...
Jun 21 2017 08:35 AM
Jun 21 2017 08:36 AM
Jun 21 2017 08:55 AM
Windows Defender Security Center (WDSC) is built-in to Windows 10 1703, no need to buy (or try :) )
Jun 21 2017 08:57 AM
Dec 06 2017 03:18 PM
No doubt so that Microsoft can ensure their crap Windows Defender will run no matter what AV software you have installed. I just got the 1709 version today and now I have yet another two icons for Windows services that I'll never use. I don't need Windows Defender at all and now I can't even opt out of it.
Dec 28 2017 10:56 AM
So, what registry changes will prevent this nuisance icon from appearing?
Jul 05 2018 01:40 AM - edited Jul 06 2018 01:30 AM
Just a question because I'm interested:
What's the reason for the choice of 3rd party AV?
Customers I get into contact with to discuss client security usually provide the answer "we've always done that".
Could be other reasons, like our sourcing partner requires us to use that, etc.
I'm not in the discussion to argue about different solutions, I'm just interested in the reasons.
AV/antimalware is just a small piece of the client security and I would say it's almost dead. You need it, but it won't protect you that much.
A common form of attack today is the fileless attack, and most AV solutions can't detect it, so there are other configurations to be done besides installing an AV.
I usually recommend customers to go for what's included and configure the other security features in the operating system, like UEFI + Secure Boot, Application Control, CFA, Credential Guard, ASR, Exploit Guard, etc.