Windows Defender status after you install/uninstall ENS/VSE

Windows 10

ENS and VSE honor the Windows antimalware agreement to not uninstall Windows Defender. ENS and VSE integrate with Windows Action Center (WAC). When WAC sees that ENS Threat Prevention or VSE is installed, it disables Windows Defender. On an ENS or VSE uninstall, Windows Defender is re-enabled.

NOTES:

Windows Defender can report as enabled at the same time as ENS if the Windows Security Center service takes too long to load. To correct the issue, ENS 10.6.1/10.7.0 July 2020 Update and later allow Windows Security Center more time to load before it tries to register with Windows Security Center.
WAC enables Windows Defender if the criteria below are met:
- An ENS or VSE on-access scan is disabled.
- ENS or VSE content is more than three days out of date.
If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of ENS/VSE. When you perform a major upgrade (for example, ENS 10.6.x to 10.7.x), ENS or VSE uninstalls the old ENS or VSE version. ENS or VSE then installs the new ENS/VSE version. The uninstall of ENS or VSE triggers the action to reinstall Windows Defender.

To verify whether Windows Defender is disabled on Windows 10 after you install ENS or VSE, perform the steps below:

Open the Control Panel and verify the status of Windows Defender.
Verify the status of the Windows Defender services:
1. Press Ctrl+Alt+Del, and then select Task Manager.
2. Click the Services tab.
3. Verify the status of the following services:
  
  Windows Defender Antivirus Network Inspection Service
  Windows Defender Antivirus Service

The Control Panel must show that Windows Defender is disabled and the Windows Defender services are stopped. It's a Windows system issue when the Windows Defender services are stopped, but the Control Panel shows that Windows Defender is enabled.

Windows Server 2008 R2/2012 and Windows 7/8.1

ENS and VSE disable Windows Defender. On an ENS or VSE uninstall, Windows Defender is re-enabled.

Windows Server 2016/2019/2022 and Windows Server version 1803 (or later) with ENS 10.6.1/10.7.0 September 2021 Update (and later)

Based on the Microsoft Defender for Endpoint (MDE) state, ENS either disables Windows Defender or moves Windows Defender to passive mode. On an ENS uninstall, Windows Defender is re-enabled.

MDE state	Windows Server version	Windows Defender state
MDE onboarded	Windows Server version 1803 (or later) Windows Server 2022 Windows Server 2019	Passive mode
MDE onboarded	Windows Server 2016	Disabled
MDE not onboarded	Windows Server version 1803 (or later) Windows Server 2022 Windows Server 2019 Windows Server 2016	Disabled

Windows Server 2016/2019/2022 with VSE and ENS 10.6.1/10.7.0 June 2021 Update (and earlier)

ENS and VSE uninstall Windows Defender according to Microsoft Windows Defender guidelines. You must reboot the server to fully uninstall Windows Defender. On an ENS or VSE uninstall, Windows Defender is reinstalled.

NOTE: When you perform a major upgrade of ENS or VSE (for example, ENS 10.6.x to 10.7.x), ENS or VSE uninstalls the old ENS or VSE version. ENS or VSE then installs the new ENS or VSE version. The uninstall of ENS or VSE triggers the action to reinstall Windows Defender. The subsequent ENS or VSE installation triggers an uninstall of Windows Defender.

Knowledge Center

Windows Defender status after you install/uninstall ENS/VSE

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Windows Defender status after you install/uninstall ENS/VSE

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title