Windows Defender status after you install/uninstall Endpoint Security
Technical Articles ID: KB88214
Last Modified: 2023-10-31 15:08:40 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.x
Microsoft Windows 11, 10, 8.1, 7
Microsoft Windows Server 2022, 2019, 2016, 2012, 2008 R2
Summary
ENS takes different actions on Windows Defender depending on the operating system.
ENS honors the Windows antimalware agreement to not uninstall Windows Defender. ENS integrates with Windows Action Center (WAC). When WAC sees that ENS Threat Prevention is installed, it disables Windows Defender. On an ENS uninstall, Windows Defender is re-enabled.
NOTES:
- Windows Defender can report as enabled at the same time as ENS if the Windows Security Center service takes too long to load. To correct the issue, the ENS 10.6.1/10.7.0 July 2020 Update and later give the Windows Security Center service more time to load before ENS tries to register with it.
- WAC enables Windows Defender if the criteria below are met:
  - An ENS on-access scan is disabled.
  - ENS content is more than three days out-of-date.
If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of ENS. When you perform a major upgrade (for example, ENS 10.6.x to 10.7.x), ENS uninstalls the old ENS version. ENS then installs the new ENS version. The uninstall of ENS triggers the action to reinstall Windows Defender.
To verify whether Windows Defender is disabled on Windows 10 or 11 after you install ENS, perform the steps below:
1. Open the Control Panel and verify the status of Windows Defender.
2. Verify the status of the Windows Defender services:
   a. Press Ctrl+Alt+Del, and then select Task Manager.
   b. Click the Services tab.
   c. Verify the status of the following services:
      - Windows Defender Antivirus Network Inspection Service
      - Windows Defender Antivirus Service
The Control Panel must show that Windows Defender is disabled, and the Windows Defender services must be stopped. If the Windows Defender services are stopped but the Control Panel shows that Windows Defender is enabled, it's a Windows system issue.
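The same check can be scripted for use across many endpoints. The following PowerShell is an added example, not part of the original article or Trellix tooling; it assumes that WinDefend and WdNisSvc are the short names of the two services listed above, and it goes beyond the Task Manager check by also reading the running mode that Defender itself reports through Get-MpComputerStatus.

```powershell
# Added example: check the two Defender services and Defender's reported mode.
# Run in an elevated PowerShell session on the endpoint.

# Assumption: short service names for the two services named in the steps above.
#   WinDefend = Windows Defender Antivirus Service
#   WdNisSvc  = Windows Defender Antivirus Network Inspection Service
$serviceNames = 'WinDefend', 'WdNisSvc'

$services = foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name   = $name
        Status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    }
}

# Get-MpComputerStatus fails when the Defender service is stopped or the
# feature is removed, so an error here is treated as "not running".
try {
    $mp   = Get-MpComputerStatus -ErrorAction Stop
    $mode = $mp.AMRunningMode
    $rtp  = [bool]$mp.RealTimeProtectionEnabled
} catch {
    $mode = 'Not running'
    $rtp  = $false
}

$running = @($services | Where-Object Status -eq 'Running')

$verdict = if ($running.Count -eq 0 -and -not $rtp) {
    'Defender services stopped: matches the disabled state expected with ENS installed'
} elseif ($mode -match 'Passive') {
    'Defender in passive mode: expected only on MDE-onboarded servers'
} else {
    'Defender appears active: check the ENS on-access scan and ENS content age'
}

# Emit the per-service status, then a one-line summary.
$services
[pscustomobject]@{
    RunningMode        = $mode
    RealTimeProtection = $rtp
    Verdict            = $verdict
}
```

If the script reports the services as stopped while the Control Panel still shows Windows Defender as enabled, that is the Windows system issue described above.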
ENS disables Windows Defender. On an ENS uninstall, Windows Defender is re-enabled.
Based on the Microsoft Defender for Endpoint (MDE) state, ENS either disables Windows Defender or moves Windows Defender to passive mode. On an ENS uninstall, Windows Defender is re-enabled.
| MDE state | Windows Server version | Windows Defender state |
|---|---|---|
| MDE onboarded | Windows Server version 1803 (or later), Windows Server 2022, Windows Server 2019 | Passive mode |
| MDE onboarded | Windows Server 2016 | Disabled |
| MDE not onboarded | Windows Server version 1803 (or later), Windows Server 2022, Windows Server 2019, Windows Server 2016 | Disabled |
Mode descriptions:
| Mode | Description |
|---|---|
| Active mode | In this mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app. |
| Passive mode | In this mode, Microsoft Defender Antivirus isn't used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats aren't remediated by Microsoft Defender Antivirus. NOTE: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. For details, see the requirements. |
| Disabled or uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus isn't used. Files aren't scanned, and threats aren't remediated. NOTE: The distinction between 'disabled' and 'uninstalled' is whether the Microsoft Defender Antivirus feature is still installed; when it is only disabled, it can be reactivated faster. Microsoft Server operating systems no longer provide an API for third-party antivirus solutions. Therefore, if the server is not MDE onboarded, Windows Security Virus & Threat Protection may show that actions are needed until Defender is uninstalled, which removes the Virus & Threat Protection settings. |
ENS uninstalls Windows Defender according to Microsoft Windows Defender guidelines. You must reboot the server to fully uninstall Windows Defender. On an ENS uninstall, Windows Defender is reinstalled.
NOTE: When you perform a major upgrade of ENS (for example, ENS 10.6.x to 10.7.x), ENS uninstalls the old ENS version. ENS then installs the new ENS version. The uninstall of ENS triggers the action to reinstall Windows Defender. The subsequent ENS installation triggers an uninstall of Windows Defender.
Related Information
For more information, see the following Microsoft documentation: