ENS takes different actions on Windows Defender depending on the operating system.
Windows Server 2008 R2,
Server 2012,
Windows 7,
and Windows 8.1:
ENS disables Windows Defender. On ENS uninstall, Windows Defender is re-enabled.
Windows Server 2016 and Windows Server 2019:
ENS uninstalls Windows Defender per Microsoft guidelines:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016. You must reboot the server to fully uninstall Windows Defender. On ENS uninstall, Windows Defender is reinstalled.
NOTE: When you perform a major upgrade of ENS, for example, from 10.6.x to 10.7.x, ENS uninstalls the old ENS version and then installs the new ENS version. The uninstall of ENS triggers the action to reinstall Windows Defender. The subsequent ENS installation triggers an uninstall of Windows Defender.
Windows 10:
ENS honors the Windows antimalware agreement to not uninstall Windows Defender. ENS integrates with Windows Action Center (WAC). When WAC sees that ENS Threat Prevention is installed, it disables Windows Defender.
NOTES:
- WAC enables Windows Defender if ENS on-access scan is disabled or ENS content is more than three days out of date.
- If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of ENS. When you perform a major upgrade of ENS, for example, from 10.6.x to 10.7.x, ENS uninstalls the old ENS version and then installs the new ENS version. The uninstall of ENS triggers the action to reinstall Windows Defender.
To check whether Windows Defender is disabled on Windows 10 after installing ENS Threat Prevention:
- Open the Control Panel and check the status of Windows Defender.
- Check the status of the Windows Defender services:
- Press Ctrl+Alt+Del, and then select Task Manager.
- Click the Services tab.
- Check the status of the following services:
Windows Defender Network Inspection Service
Windows Defender Service
The Control Panel should show that Windows Defender is disabled and the Windows Defender services should be stopped. If the Windows Defender services are stopped, but the Control Panel shows that Windows Defender is enabled, it is a system issue.
