ThreatPrevention seems however to be in active state when I run EICAR tests. So I will not downgrade 10.7 workstations just yet but wont release it on another customer either.
Defender does not take over in our case and I confirmed that through services. Its WSC that is the issue.