Just to keep the post updated, This case is being handled by Support and I am having a close watch over this. I will keep this updated once we receive an update on the troubleshooting from the ticket. Thank you @kylekat for taking your time and effort in creating a Service Request with us and uploading data as requested for troubleshooting.
This is definitely not a cosmetic issue... Windows Security is running scans and functioning in addition to ENS... This includes the decrease in performance of running multiple anti-virus solutions.
However, I have noticed that Windows Security seems to crash frequently now, with the "Virus & Threat Protection" "tile" in Windows Security indicating "Threat service has stopped. Restart it now." (which then causes windows to notify about NO antivirus because it thinks ALL are turned off...)
Furthermore, one thing support had me do was run
get-wmiobject -namespace "root\securitycenter2" -class "antivirusproduct"
It reveals that "Windows Defender" is registered once, and "McAfee Endpoint Security" is registered twice, with conflicting information.
IMHO, development should release a patch that uninstalls the errant duplicate provider (or removes all "McAfee Endpoint Security" and re-registers one), which I'm sure they know how to do because they do it during an uninstallation...
I am facing a similar problem (duplicate A/V entries in WMI) with ESET Internet Security (see https://stackoverflow.com/questions/58805468/why-does-wmi-show-duplicate-entries-for-the-same-a-v-pr...). Could this be a Windows problem, are ESET and McAfee both doing it wrong or shouldn't we be using WMI to query the A/V providers anymore?
Getting the same issue here too... We're only just transitioning from VSE to ENS & doesn't appear to affect everyone.
There are a few important things to note here:
1. If you are using windows 1809 and any ENS version lower than May Update, then this was a known issue and you need to upgrade ENS to at least May Update (KB91428)
2. If you have the July Repost, Windows 1903 and the notification is intermittent then please raise a new service request and quote KB91830. Support will then ask you for a specific set of data which will need to be supplied for an escalation to engineering.
So far I've seen this on 2 systems running 1809, though haven't manually checked all systems we've deployed to (around 60, mixed of 1607, 1809, server 2012/2016).
Should be the latest releases of ENS as was deployed with McAfee consultant just last week. Will load up a SR tomorrow when back in the office.
As I said a few posts ago:
"If you have the July Repost, Windows 1903 and the notification is intermittent then please raise a new service request and quote KB91830. Support will then ask you for a specific set of data which will need to be supplied for an escalation to engineering."
We have now seen a few escalations to engineering and so the issue is already being worked on but it would be great to get your SR to engineering as well so that you can be easily informed about the fix and that way you would be considered for POC testing if we get one for this issue. If you can't/ don't want to supply the data then I suggest you subscribe to KB91830 which we will be updating as soon as we have any further information.
@SteveWilkinsondid you find a good way to determine those who were experiencing the issue? I dont' fancy manually checking every client we've upgraded...
@chealey I've loaded up my SR 4-20292464771. MER has been submitted & arranging a remote session for support to collect more data. Have tried a full uninstall of ENS, reboot, re-install ENS (at this point it reports normally), then after a reboot its back to ENS being reported as off & defender is enabled. From that point on we can temporarily 'fix' it by using the 'turn on' button in Security Providers window (usually need to press it twice); but the problem returns after a reboot.
So far i've only done this testing on my laptop. 3 of the others around me i've checked aren't having the issue so far. 1 other has has the issue originally after the upgrade, however I feel like they may not have rebooted.