ENS and VSE take different actions on Windows Defender depending on the operating system.
Windows Server 2008 R2,
Server 2012,
Windows 7,
and Windows 8.1:
ENS and VSE disable Windows Defender. On an ENS or VSE uninstall, Windows Defender is re-enabled.
Windows Server 2016 and Windows Server 2019:
ENS and VSE uninstall Windows Defender according to Microsoft guidelines:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016. You must reboot the server to fully uninstall Windows Defender. On ENS or VSE uninstall, Windows Defender is reinstalled.
NOTE: When you perform a major upgrade of ENS or VSE, for example, from ENS 10.6.x to 10.7.x, ENS and VSE uninstall the old ENS or VSE version. They then install the new ENS or VSE version. The uninstall of ENS or VSE triggers the action to reinstall Windows Defender. The subsequent ENS or VSE installation triggers an uninstall of Windows Defender.
Windows 10:
ENS and VSE honor the Windows antimalware agreement to not uninstall Windows Defender. ENS and VSE integrate with Windows Action Center (WAC). When WAC sees that ENS Threat Prevention or VSE is installed, it disables Windows Defender.
NOTES:
- Windows Defender can report as enabled at the same time as ENS if the Windows Security Center service takes too long to load. To correct the issue, ENS 10.6.1/10.7.0 July 2020 Update and later allows Windows Security Center more time to load before it tries to register with Windows Security Center.
- WAC enables Windows Defender if an ENS or VSE on-access scan is disabled, or if ENS or VSE content is more than three days out of date.
- If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of ENS or VSE. When you perform a major upgrade of ENS or VSE, for example, from ENS 10.6.x to 10.7.x, ENS and VSE uninstall the old ENS or VSE version. It then installs the new ENS or VSE version. The uninstall of ENS or VSE triggers the action to reinstall Windows Defender.
To verify whether Windows Defender is disabled on Windows 10 after you install ENS Threat Prevention or VSE:
- Open the Control Panel and verify the status of Windows Defender.
- Verify the status of the Windows Defender services:
- Press Ctrl+Alt+Del, and then select Task Manager.
- Click the Services tab.
- Verify the status of the following services:
Windows Defender Antivirus Network Inspection Service
Windows Defender Antivirus Service
The Control Panel must show that Windows Defender is disabled and the Windows Defender services as stopped. If the Windows Defender services are stopped, but the Control Panel shows that Windows Defender is enabled, it is a system issue.