Completely remove Windows Defender

Joe IT 21 Reputation points
2020-11-13T18:45:54.667+00:00

I've removed Windows Defender from Server 2016, since it is turned off by Symantec and it was causing extended patching restart times. The problem is, it is showing as removed in Server Manager and with PowerShell, but there are still a lot of files in the file system and registry entries, which Rapid7 is flagging as leaving the system vulnerable. When I try to manually delete the files and registry keys, they are currently locked by System. Which process is locking the ability to delete files that shouldn't even be present? And since the app is removed, as you can tell, the version left behind is not getting updated, and therefore shows lots of vulnerabilities.
C:\Program Files\Windows Defender\Platform\4.18.1904.1-0 (all files were removed from the root Defender folder here, just Platform remains)
C:\ProgramData\Microsoft\Windows Defender
HKLM\SOFTWARE\Microsoft\Windows Defender\ (all registry keys appear to be left after the removal. Rapid7 is seeing the InstallLocation REG_SZ value with the path to ProgramData)

I know the program is removed, and therefore my systems are not susceptible to the vulnerabilities Rapid7 is showing, but I'm concerned that I cannot completely remove these files and keys. Any pointers would be appreciated.

Thanks,
Joe

Tags: Windows Server 2016, Windows Server Security

4 answers

  1. Anonymous
    2020-11-13T18:49:58.523+00:00

    "Which process is locking the ability to delete files"

    This tool may help to that end.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Jenny Feng 14,066 Reputation points
    2020-11-16T03:02:03.463+00:00

    @Joe IT
    Hi,

    You can't uninstall the Windows Security app, you can just disable the interface with these instructions.

    Hope the above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  3. Joe IT 21 Reputation points
    2020-11-17T16:52:00.957+00:00

    Thanks for the responses, but I'm not seeing any instructions?

    Thanks,
    Joe


  4. Joe IT 21 Reputation points
    2020-11-18T23:54:39.977+00:00

    That doesn't answer my question. First off, this is Server 2016 1607. Second, Security / Windows Defender shows the app has been installed from the server, which is good. However, C:\ProgramData\Microsoft\Windows Defender\ exists, as well as HKLM\Software\Microsoft\Windows Defender and all of its subkeys still exist. Under C:\ProgramData\Microsoft\Windows Defender\, Platform contains two old versions of Defender. These are detected as a vulnerability.

    I guess the best I can do is, after removal of the "feature", manually delete C:\ProgramData\Microsoft\Windows Defender\Platform and the HKLM\Software\Microsoft\Windows Defender\ InstallLocation & BackupLocation values. Everything else cannot be deleted as it is locked by System.
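The thread never gets a concrete answer to "what is still holding these files", so here is an added PowerShell audit script (not from the original post or from Microsoft) that gathers the facts a practitioner would want before deleting anything by hand on Server 2016: the install state of the Defender feature, which Platform engine versions are still on disk and who owns those directories, the InstallLocation/BackupLocation registry values the scanner reads, and whether the Defender user-mode services and the WdFilter/WdBoot minifilter drivers are still registered or loaded, since a Defender component that is still running or still filtering the file system is the usual reason System keeps the leftovers open. The paths and key names are the ones quoted in the question; the feature and service names are the standard Defender ones and are assumed to be present on this build. The script only reports; it does not delete files or registry values.

```powershell
# Added example: inventory what Windows Defender left behind on Server 2016
# after the feature was removed. Read-only; run from an elevated prompt.
#Requires -RunAsAdministrator

# Feature names as exposed by the ServerManager module on Server 2016 (assumed).
$featureNames = 'Windows-Defender-Features', 'Windows-Defender', 'Windows-Defender-Gui'

# Locations quoted in the question.
$roots  = 'C:\Program Files\Windows Defender', 'C:\ProgramData\Microsoft\Windows Defender'
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

# Well-known Defender services (user mode) and drivers (kernel mode).
$userServices = 'WinDefend', 'WdNisSvc', 'Sense'
$drivers      = 'WdFilter', 'WdBoot', 'WdNisDrv'

Write-Host '== Feature install state =='
Import-Module ServerManager -ErrorAction SilentlyContinue
Get-WindowsFeature -Name $featureNames -ErrorAction SilentlyContinue |
    Select-Object Name, InstallState | Format-Table -AutoSize

Write-Host '== Leftover Platform engine folders and their owners =='
foreach ($root in $roots) {
    $platform = Join-Path $root 'Platform'
    if (-not (Test-Path $platform)) { Write-Host "$platform : not present"; continue }
    Get-ChildItem -Path $platform -Directory | ForEach-Object {
        $exe = Join-Path $_.FullName 'MsMpEng.exe'
        [pscustomobject]@{
            Path          = $_.FullName
            Owner         = (Get-Acl -Path $_.FullName).Owner   # TrustedInstaller is typical
            EngineVersion = if (Test-Path $exe) { (Get-Item $exe).VersionInfo.ProductVersion }
                            else { '(no MsMpEng.exe)' }
        }
    } | Format-Table -AutoSize
}

Write-Host '== Registry values a vulnerability scanner is likely to read =='
if (Test-Path $regKey) {
    Get-ItemProperty -Path $regKey |
        Select-Object InstallLocation, BackupLocation, ProductVersion | Format-List
    Get-ChildItem -Path $regKey -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName | Sort-Object -Unique |
        ForEach-Object { "  subkey: $_" }
} else {
    Write-Host "$regKey : not present"
}

Write-Host '== Defender services still registered =='
foreach ($name in $userServices) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc) { '{0,-10} state={1,-8} start={2,-6} {3}' -f $name, $svc.State, $svc.StartMode, $svc.PathName }
    else      { '{0,-10} not registered' -f $name }
}

Write-Host '== Defender drivers still registered / loaded as minifilters =='
# fltmc.exe lists the minifilters currently attached to the file system;
# a loaded WdFilter is exactly what would keep these files pinned by System.
$loadedFilters = & fltmc.exe filters 2>$null
foreach ($name in $drivers) {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    $loaded = if ($loadedFilters -match "^\s*$name\b") { 'LOADED' } else { 'not loaded' }
    if ($drv) { '{0,-10} state={1,-8} start={2,-6} minifilter={3}' -f $name, $drv.State, $drv.StartMode, $loaded }
    else      { '{0,-10} not registered          minifilter={1}' -f $name, $loaded }
}
```

If the services section shows WinDefend or the minifilter section shows WdFilter as running or loaded after the feature reports "Removed", that is the component to address (and to reboot after) before expecting the Platform folders to be deletable; if everything is gone and only TrustedInstaller-owned directories remain, the block is an ACL issue rather than an open handle, which the owner column makes visible. Either way, the InstallLocation and BackupLocation values are what the scanner is keying on, so confirm them here before and after any manual cleanup.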

