Issue:
I've installed Server Security or Email and Server Security or Elements Endpoint Protection on a Windows Server 2016/2019/2022 server, but Windows Defender real-time protection is still on. Should I deactivate it when I'm using the WithSecure product?
Resolution:
Yes, Windows Defender should be deactivated when using Email and Server Security or Elements Endpoint Protection. Multiple Anti-Virus products running at the same time may cause conflicts.
On Windows Server 2016/2019/2022, Windows Defender will not enter passive or disabled mode automatically if you install a third-party antivirus.
If you're using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode manually. Please find more details here. Microsoft Defender Antivirus on Windows Server
Microsoft's general recommendation is to uninstall the Defender on the server installations.
Passive mode is something controlled by Windows, so it could be changed by Windows and we don't control it.
After installing a third-party antivirus you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.
If you are using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Value: 1
In case of uninstalling Windows Defender, you can use this Powershell command:
Uninstall-WindowsFeature -Name Windows-Defender
It will require a restart and after that, Windows Security will not be visible with Antivirus at all but WithSecure still functions.
MsMpEng.exe will also not be running anymore
Article no: 000002236