Endpoint Protection 14.0 client does not disable Windows Defender on Windows Server 2016

Article ID: 164357

Products

Endpoint Protection

Issue/Introduction

After installing the SEP (Symantec Endpoint Protection) 14.0 client on Windows Server 2016, Windows Defender is still turned on and may interfere with SEP's ability to protect the system.

Cause

Windows Server 2016 does not offer the Security Center that SEP has historically used to properly disable Windows Defender. For this reason, SEP 14.0 disables Windows Defender by creating the following registry value (32-bit REG_DWORD) and setting it to "1":

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

The registry value can be added via Microsoft regedit.exe or by running the following command as an administrator:

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

For reasons unknown at this time, the above value does not always persist, and Windows Defender may be turned on again.

Symantec will update this document if additional information becomes available.
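
Because the value may not persist, it is worth checking on a schedule that it is still present with the expected type and data. The following PowerShell audit script is an added example, not Symantec or Microsoft code; the function name Test-DefenderPolicyState is hypothetical, and the script assumes the Defender service is named WinDefend and that the Defender module's Get-MpComputerStatus cmdlet is available on the host.

```powershell
# Added example: audit whether the DisableAntiSpyware policy value from this
# article is still in place. Run from an elevated PowerShell session.
function Test-DefenderPolicyState {
    [CmdletBinding()]
    param(
        # Key path and value name are the ones given in this article.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        [string]$ValueName = 'DisableAntiSpyware'
    )

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        CheckedAt        = Get-Date
        ValuePresent     = $false
        ValueKind        = $null
        ValueData        = $null
        PolicyAsExpected = $false
        DefenderService  = 'NotFound'
        RealTimeEnabled  = $null
    }

    # Read the value together with its registry type; the article specifies REG_DWORD = 1.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $result.ValuePresent     = $true
        $result.ValueKind        = $key.GetValueKind($ValueName).ToString()
        $result.ValueData        = $key.GetValue($ValueName)
        $result.PolicyAsExpected = ($result.ValueKind -eq 'DWord' -and $result.ValueData -eq 1)
    }

    # Assumption: WinDefend is the Windows Defender service name on this host.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if ($svc) { $result.DefenderService = $svc.Status.ToString() }

    # Get-MpComputerStatus can fail when Defender is switched off; record that instead of throwing.
    try {
        $result.RealTimeEnabled = (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
    } catch {
        $result.RealTimeEnabled = 'Unavailable'
    }

    [pscustomobject]$result
}

$state = Test-DefenderPolicyState
$state | Format-List
# A non-zero exit code lets a scheduled task or monitoring agent flag the drift.
if (-not $state.PolicyAsExpected -or $state.DefenderService -eq 'Running') { exit 1 }
```

Save it as a .ps1 file and run it from a scheduled task; if dot-sourced in an interactive console, the final exit statement closes the session.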

Environment

SEP 14.0 or later installed on Windows Server 2016.

Resolution

Please disable Windows Defender manually, either by making the registry changes described above or by managing Windows Defender via a GPO. For more information, please see the following Microsoft documents:

Configure Windows Defender in Windows 10
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10

Defender Cmdlets
https://technet.microsoft.com/en-us/library/dn433280.aspx