When attempting to enable Windows Defender in passive mode, Symantec Endpoint Protection (SEP) disables it after the group policy updates.
Release :SEP 14.x
By default, SEP will disable Defender to avoid conflict. It does this via local group policy. The SepWscSvc service registers SEP with the Windows Security Center (WSC) and is also responsible for disabling Windows Defender.
To prevent SEP from disabling Windows Defender, enable it via Domain Group Policy. Domain GPOs will take precedence over local GPOs and prevent SEP from disabling Defender.