Share via

Completely remove Windows Defender

Joe IT 21 Reputation points
2020-11-13T18:45:54.667+00:00

I've removed Windows Defender from Server 2016, since it is turned off by Symantec and it was causing extended patching restart times. Problem is, it is showing removed in Server Manager and with PowerShell, but there are still a lot of files in the file system and registry entries, which Rapid 7 is showing the system is vulnerable. When I try to manually delete the files and registry keys, they are currently locked by System. Which process is locking the ability to delete files that shouldn't even be present. And since the app is removed, as you can tell, the version left behind is not getting updated, and therefore shows lots of vulnerabilities.
C:\Program Files\Windows Defender\Platform\4.18.1904.1-0 (all files were removed from the root Defender folder here, just Platform remains)
C:\ProgramData\Microsoft\Windows Defender
HKLM\SOFTWARE\Microsoft\Windows Defender\ (all registry keys appear to be left after the removal. Rapid 7 is seeing InstallLocation REG_SZ key with the path to ProgramData)

I know the program is removed, and therefore, my systems are not susceptible to the vulnerabilities Rapid 7 are showing, but I'm concerned that I cannot completely remove these files and keys. Any pointers would be appreciated.

Thanks,
Joe

Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Joe IT 21 Reputation points
    2020-11-18T23:54:39.977+00:00

    That doesn't answer my question. First off, this is Server 2016 1607. Second, Security / Windows Defender shows the app has been installed from the server, which is good. However, C:\ProgramData\Microsoft\Windows Defender\ exists, as well as HKLM\Software\Microsoft\Windows Defender and all of it's subkeys still exist. Under C:\ProgramData\Microsoft\Windows Defender\, Platform contains two old versions of Defender. These are detected as vulnerability.

    I guess the best I can do is, after removal of the "feature", I have to manually delete C:\ProgramData\Microsoft\Windows Defender\platform and HKLM\Softwware\Microsoft\Windows Defender\ InstallLocation & BackupLocation keys. Everything else cannot be deleted as they are locked by System.

    Was this answer helpful?

  2. Joe IT 21 Reputation points
    2020-11-17T16:52:00.957+00:00

    Thanks for the responses, but I'm not seeing any instruction???

    Thanks,
    Joe

    Was this answer helpful?

  3. Jenny Feng 14,291 Reputation points
    2020-11-16T03:02:03.463+00:00

    @Joe IT
    Hi,

    You can't uninstall the Windows Security app, you can just disable the interface with these instructions.

    Hope above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

    0 comments
  4. Anonymous
    2020-11-13T18:49:58.523+00:00

    Which process is locking the ability to delete files

    This tool may help to that end.

    --please don't forget to Accept as answer if the reply is helpful--

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.