Please refer to the ENS FAQs:
Why does Endpoint Security reinstall Windows Defender during an upgrade?
To ensure continued protection, Endpoint Security reinstalls Windows Defender if it is not present on the system and if Endpoint Security is uninstalled. When you perform a major upgrade of Endpoint Security, for example, from 10.5.x to 10.6.x, Endpoint Security uninstalls 10.5.x and then installs 10.6.x. The uninstall of Endpoint Security triggers the action to reinstall Windows Defender if it is not present on the system. During the Endpoint Security install, Windows Defender is disabled, but not uninstalled. If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of Endpoint Security.
The additional challenge with Win Server 2016 is that we cannot disable Windows Defender on these machines. This is noted in the supported platforms KB - KB82761:
2 ENS does not disable Windows Defender on Windows Server 2016. This fact could lead to performance issues, but this possibility has not been confirmed. The best practice is to run a single real-time anti-virus solution. For updates to this issue and for instructions to manually disable Windows Defender using PowerShell, see known issue 1149046 in KB82450.
thx chealey for your quick reply
But I know this and had read this before in the community & knowledge base - it's a generic answer and doesn't help us further.
ENS should (in theory) deactivate Windows Defender during the install process.
And even during a major upgrade - as this is in fact an uninstall & install.
BUT in practice it shows up that Windows Defender is activated and running.
So something went wrong at the install - unfortunately the install process doesn't report back this "failure". So you might end up with a big surprise after the next server reboot. Running two malware engines ...
I need to repeat my question ...
Can someone describe in detail what happens when a Windows 2016 server gets an upgrade from 10.5.4 to 10.6.1?
What does the McAfee upgrade (uninstall & install) process trigger?
Which features get enabled on a Windows Server 2016?
Is there a best practice from McAfee on how to deal with Windows Defender?
Can the success or failure of the ENS installation be seen in detail in some log files?
Looking forward to reading more details.
Yes, ENS should and does deactivate Windows Defender during the install process. Except on Windows 2016 Servers.
During a major update, what happens is the ENS installation of the older version is removed and the new version is freshly installed. This in turn causes Windows Defender to be reactivated, or reinstalled if removed, and upon the installation sequence of the new version, it's disabled again (unless it's a 2016 Server). The feature which gets enabled is the Windows Defender Feature. The best practice on how to deal with Windows Defender on a Windows 2016 Server is mentioned in my previous response (see the last part regarding the PowerShell script). The success/failure of the ENS installation can be seen in the Windows Event Log or in the ENS installation logs, which can be found in C:\Windows\Temp\McAfeeLogs (if deployed via ePO) or %temp%/Mcafeelogs (if deployed locally). You may have also chosen to redirect those logs.
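A read-only check for the situation discussed above (Defender active next to ENS on Windows Server 2016 after an upgrade), as an added example that is not part of the original replies and is not the PowerShell script from KB82450. The function names are hypothetical; it assumes an elevated PowerShell 5.1 session on the server and uses the two log folders named in the reply above.

```powershell
# Added example: read-only, changes nothing on the system.
# Assumption: Windows Server 2016, elevated PowerShell 5.1 session.

function Get-DefenderState {
    # Windows feature state (Installed / Available / Removed)
    $features = Get-WindowsFeature -Name 'Windows-Defender*' |
        Select-Object Name, InstallState

    # The service is absent when the feature has been removed
    $service = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue

    # Engine state; the cmdlet fails when Defender is not installed or not running
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Features        = ($features | ForEach-Object { "$($_.Name)=$($_.InstallState)" }) -join '; '
        ServiceStatus   = if ($service) { $service.Status } else { 'NotPresent' }
        ServiceStartup  = if ($service) { $service.StartType } else { 'NotPresent' }
        RealTimeEnabled = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }
    }
}

function Get-RecentEnsInstallLogs {
    param([int]$Hours = 24)
    # Log folders named in the reply above (ePO deployment and local install)
    $paths = 'C:\Windows\Temp\McAfeeLogs', (Join-Path $env:TEMP 'McAfeeLogs')
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $paths -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

$state = Get-DefenderState
$state | Format-List
if ($state.RealTimeEnabled -or $state.ServiceStatus -eq 'Running') {
    Write-Warning 'Windows Defender is active alongside ENS; review the install logs listed below.'
}
Get-RecentEnsInstallLogs | Format-Table -AutoSize
```

Running it once before the ENS deployment and once after the next reboot gives two snapshots to compare, which shows whether the feature state changed during the upgrade.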
thx chealey for the additional info.
We will test on our Windows 2016 servers once more how it comes to this situation - running two scan engines at the same time. As I still don't fully understand what McAfee is doing during the uninstall process on a Windows 2016 server, we need to do further tests.
If I have a Windows 2016 server - Windows Defender Feature is NOT enabled - no Defender services are running or at least stopped and startup type is disabled. And if I install ENS 10.5.4 and later on uninstall this version - will this change anything on my Windows Defender settings?
@User72219051 McAfee does not modify any Windows Defender settings nor are we the ones who actively disable Windows Defender once installed, as is agreed between us and Microsoft.
Beginning with Windows 10, version 1703, Microsoft introduced a new Windows Defender Security Center application that brings together common Windows security features in one application. With this release, Microsoft increased the scope of the application to also show information from third-party anti-virus and firewall applications.
So, the Windows Security Center is able to detect when another AV software, like McAfee, is running, and will auto-self-disable in deference to McAfee being present. This occurs automatically through Windows Action Center's integration with Microsoft WMI database service status information without the need for McAfee to send any signals to disable ENS. For additional information see KB89921.
If you need assistance confirming the status of Windows Defender as disabled after installing ENS, you can review KB88214.
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Hello Jess Arman .. thx for the feedback.
In your feedback you mention only Windows 10 - is the whole topic also valid for Windows Server 2016 ? I'm talking only about Windows Server 2016. So I need a solution for Server 2016.
I set up a fresh Windows 2016 server and deactivated every Defender Feature - no Defender Service running at all. And not even a Defender Service with startup type "manual". After that I installed MA Agent 5.6.0 and ENS 10.5.4. Still nothing changed at Windows Defender. Later on I initiated an ENS 10.6.1 deployment from our ePO. And surprise, surprise, the Windows Feature Defender is now activated and running 😞
Can you explain WHY this happens? .. it definitely looks like McAfee triggers/initiates this change on a Windows Feature ...
Looking forward to hearing from you.