@jmcg, Windows Defender (and Windows Security Center) correctly detect that McAfee ENS is installed and running (so we assume Windows Defender is not running), however, Windows Defender still catches EICAR?
@jmcg, please run task manager, then in the services tab, take a screenshot of the "Windows Defender Antivirus Service" indicating if it's running or not and post it, here's what mine looks like:
Also, please run "Windows Security Center" by left clicking the Windows "shield" from your system tray. When you see this screen:
Please click the tile circled in red. Don't click "dismiss" or "Turn on" / "Turn off" if you happen to see those buttons or links, just the white space of the tile. Then post a screenshot similar to the following (here's mine):
Finally, click the "Manage providers" link in the right margin and post a screenshot similar to the following:
As you can see, in my examples, Windows Security Center (WSC) and Windows Defender Antivirus (WDA) do not properly detect McAfee ENS as running and therefore, WDA is also running.
However, you indicated that your WSC does properly detect McAfee ENS, so these screenshots could be helpful.
@billmoller, your screenshots match my environment; however, the EICAR test download was trapped by ENS and not Defender.
Ok, this is really strange, I have rebooted and now, this is fixed.
But here is the screen of events to show you the weird behavior.
16h08 - Booting PC.
16h08 - McShield, running with AMCORE 3868...
16h10 - McAfee Endpoint Security is running.
16h11 - Windows Defender is running.
16h21 - testing AV with EICAR test file, detected by Windows Defender.
16h21 - Testing Memory exploit to test McAfee Exploit Prevention, to confirm McAfee is still running.
17h45 - Rebooted device, Windows Defender has been turned off.
Showing correctly managed by McAfee Endpoint Security.
@jmcg, is your AMCORE version still the same and/or if you check your agent logs, did your ENS perform an update?
AMCore version has changed to 3869.
It had performed an update. I will investigate more later to see if this issue was related to the update.
I have a sneaking suspicion that the update to AMCORE 3869 "fixed" your issue (set the right productState)...
A good test would be checking 5 minutes after a reboot (within ~3 minutes is when mine notoriously gets the incorrect productState).
This whole thing is so annoying.
I have 2 laptops on my desk right now, both have the October Update, both have the current AMCore 3869, only the one with Debug Logging enabled reports properly and shows the correct state.
On the laptop that is NOT reporting properly, all the McAfee services show as running except the Firewall Core Service, and all of the Windows Defender services show as running except the Advanced Threat Protection Service.
On the laptop that IS reporting properly, the McAfee services are as above, but all of the Defender services are stopped EXCEPT the firewall.
Mine just updated to 3869 too and the Security Provider is showing McAfee running correctly. I don't know what it said before the update ran however. I'll be checking later today to see if it has switched back to "Off".
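The productState check discussed in this thread can be scripted. The following is an added example, not code from any poster or from McAfee: it reads the antivirus providers registered with Windows Security Center alongside the Defender service state, sampling several times after a reboot. The function names, the sample count and interval, and the productState byte meanings are assumptions (the layout is not documented by Microsoft; this uses the commonly cited community interpretation).

```powershell
# Added example. Assumption: productState is decoded using the community
# interpretation (middle byte = real-time state, low byte = signature state).
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][long]$ProductState)

    $stateByte = ($ProductState -shr 8) -band 0xFF   # real-time protection byte
    $sigByte   = $ProductState -band 0xFF            # signature status byte

    $realTime = switch ($stateByte) {
        0x10    { 'On' }
        0x11    { 'On' }
        0x00    { 'Off' }
        0x01    { 'Snoozed or expired' }
        default { 'Unknown' }
    }
    $signatures = switch ($sigByte) {
        0x00    { 'Up to date' }
        0x10    { 'Out of date' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Raw        = '0x{0:X6}' -f $ProductState
        RealTime   = $realTime
        Signatures = $signatures
    }
}

function Get-AvProviderState {
    # WinDefend is the service behind "Windows Defender Antivirus Service".
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $decoded = ConvertFrom-ProductState -ProductState $_.productState
            [pscustomobject]@{
                Checked    = Get-Date -Format 'HH:mm:ss'
                Provider   = $_.displayName
                Raw        = $decoded.Raw
                RealTime   = $decoded.RealTime
                Signatures = $decoded.Signatures
                WinDefend  = if ($defender) { $defender.Status } else { 'Not found' }
            }
        }
}

# Sample once a minute for six minutes after logon (hypothetical interval and count),
# to catch a provider whose registered state changes shortly after boot.
1..6 | ForEach-Object {
    Get-AvProviderState
    Start-Sleep -Seconds 60
} | Format-Table -AutoSize
```

A row where the third-party provider decodes as "Off" while WinDefend is "Running" matches the mismatch described in the posts above; keep the raw value in any report, since the decoding is an interpretation.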