Windows Server 2016 Standard and Windows Defender

I am having problems with a new Windows Server 2016 VM.  This server is a print/internal web server.  I have Webroot installed on this computer and I also noticed Windows Defender is also active as well.  I have noticed several things that are odd.  For instance, I have a hosted app on this machine that will launch but immediately closes after entering the username and password.  However, on the same machine I installed Firefox and it works fine.  The software provider for this app indicates a 405 error is occurring with IE.  I have the app defined as a trusted site too.  So for now I am using Firefox to log on to the app.

We also use Quorum OnQ to back up our hosts.  Since this server has 1.5 million files it took a little while for the initial backup, which is normal.  However, performing following backups takes 5 to 6 hours because it has to scan each file to see if changes were made to back them up or not.  So, I enabled QFiltering for this server since this feature will build a database of all the files so that it does not need to scan all files.  Once I enabled QFilter, Windows will not allow the QFilter service to start (Event ID 7000, Service Control Manager with error:  Windows cannot verify the digital signature of this file...).  Also, the QFilter service uses SquirtCopy.

So in order to get a backup of this critical server, I disabled QFilter and the backup ran last night.  It took about 6 hours to complete.  Early this morning around 5:40am I remotely checked to see if the backup completed.  It completed, but the server was responding sluggishly.  While I was in the event viewer and using Windows Explorer to view a couple of other files, the server crashed.  It was not responsive and displayed a black screen.  The event viewer did not have any errors for this bad shutdown.  I had to shut down the VM and bring it back up again.  It's been running since then.  I disabled backups for now.

I am thinking Windows Defender is blocking apps, etc.  I want to disable it, but cannot seem to do it.  I tried to remove the role via the wizard, and the check boxes for Windows Defender are all grayed out.  First, I just wanted to disable it, but it won't disable and automatically enables itself after disabling.  So now I am trying to remove it altogether but can't since I cannot uncheck it to remove it.

This server is now in production, so I need to be real careful, etc.  Any ideas?
cmp119IT ManagerAsked:

You can use GPOs to disable it: computer config - administrative templates - windows components - windows defender.
cmp119IT ManagerAuthor Commented:
Can I do this from the server itself using Local Security Policy?  The reason why I ask is because I do not see computer config, etc within Local Security Policy.
You do have computer configuration as one of the 2 top branches in local gpedit.msc - please look again.

cmp119IT ManagerAuthor Commented:
I totally forgot about gpedit.msc.  So I see the branches now, and I notice within Computer Config\Windows Components\Windows Defender, I can see a setting "Turn Off Windows Defender".  Is this the only setting I need to enable to disable Windows Defender, or are there other settings that need to be changed as well?  Also, once disabled within Group Policy, I presume a server reboot will be necessary for the change to take effect, won't it?  It probably does, just thought I'd ask to confirm so.  Thanks.
That's the only setting. A simple gpupdate afterwards will make it active, no reboot needed.
cmp119IT ManagerAuthor Commented:
I see a bunch of settings within Real-time Protection like "Turn off real-time protection", "Turn off behavior monitoring", etc.  I just want to know if the setting "Turn off Windows Defender" will also disable everything else or not.
As I said, that ("Turn Off Windows Defender") is the only setting you need.

cmp119IT ManagerAuthor Commented:
Okay I did this.  I noticed the WinDefend service is stopped without the need of a server reboot.
Hello ThereSystem AdministratorCommented:
Here is a hint how to disable Defender using PowerShell. You can enable or disable the interface by using the Add Roles and Features Wizard or PowerShell cmdlets. The following cmdlet will disable the interface:

Uninstall-WindowsFeature -Name Windows-Server-Antimalware

Also you might try this (MS Technet):
Open group policy editor by running gpedit.msc
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender
In the right pane, enable the policy “Turn off Windows Defender”
Disable the policy “Allow antimalware service to remain running always”
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender > Real-time Protection
Configure the policy “Turn off real-time protection” as Enabled
Disable the policy “Turn on scan after signature update”  under Computer Configuration > Administrative Templates > Windows Components > Windows Defender > Signature Updates
cmp119IT ManagerAuthor Commented:
I saw an article about enabling/disabling Defender via PowerShell.  I felt that simply just took care of the interface itself and did not completely disable it.  I went over the gpedit settings mentioned above, and I noticed it was recommended to disable "Allow antimalware service to remain running always".  It appears by default it's set to "Not Configured".  The explanation for this policy states if it's "Not Configured" or "Disabled" the antimalware service will be stopped when both antivirus and antispyware definitions are disabled...  I went ahead and disabled it anyway.  Just thought I'd mention it.
cmp119IT ManagerAuthor Commented:
I discovered the problem was not with Windows Defender or Webroot antivirus software and it was having "Secure Boot" enabled on the VM itself.  After disabling this option everything started working as far as Quorum's QFilter process.  So now I wanted to re-enable Windows Defender by resetting the above-mentioned group policy settings back to the way they were (not configured).  I even rebooted the server, and the "Windows Defender Service" is still not running.  The start type for this service is set to manual, and I cannot change it or start the service since "Startup Type" is grayed out, and if I try and start the service I get:

Windows could not start the Windows Defender Service on Local Computer.  Error 577:  Windows cannot verify the digital signature for this file.  A recent hardware or software change might have installed a file that is signed incorrectly or damaged,...
cmp119IT ManagerAuthor Commented:
Please disregard my previous post about not being able to set Windows Defender back to a running state.  After writing the above post I checked the status of Windows Defender and it was running.  It must have taken a bit for it to start on its own, so it is running now.
cmp119IT ManagerAuthor Commented:
Thank you for your assistance.  Everything appears to be working fine now.
cmp119IT ManagerAuthor Commented:
I may have spoken too soon.  As you can see below, Windows Defender is still not running.  As mentioned above, when I try and start the service, I get a 577 error.  A server reboot made no difference.  Not sure why it's not working.  I simply reset the modified GPO settings back to their defaults.

Did you try "start now"?
cmp119IT ManagerAuthor Commented:
That worked!!!  Thanks...
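
A read-only check for the situation this thread ends on, confirming that Defender is actually protecting the server again after the policy was reverted (added example, not code from any poster in the thread). The registry value names are assumptions about what the three policies discussed above write under the Defender policy key; the feature and service names are the ones given in the thread.

```powershell
# Added example: read-only check of Windows Defender state (changes nothing).
# Registry value names below are assumed to be what the Defender policies
# from the thread write; confirm them on your build before relying on them.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'Not Configured' } else { $item.$Name }
}

# Policies discussed in the thread and any values they left behind.
$policy = [ordered]@{
    TurnOffDefender  = Get-PolicyValue $policyRoot 'DisableAntiSpyware'
    ServiceKeepAlive = Get-PolicyValue $policyRoot 'ServiceKeepAlive'
    TurnOffRealTime  = Get-PolicyValue "$policyRoot\Real-Time Protection" 'DisableRealtimeMonitoring'
}
$leftovers = $policy.GetEnumerator() |
    Where-Object { 'Not Configured' -ne $_.Value } |
    ForEach-Object { "$($_.Key)=$($_.Value)" }

# Feature and service state.
$feature = Get-WindowsFeature -Name 'Windows-Server-Antimalware'
$service = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue

# Get-MpComputerStatus errors out while the service is stopped: treat as "off".
try {
    $mp       = Get-MpComputerStatus -ErrorAction Stop
    $avOn     = [bool]$mp.AntivirusEnabled
    $realTime = [bool]$mp.RealTimeProtectionEnabled
} catch {
    $avOn = $false; $realTime = $false
}

$result = [pscustomobject]@{
    FeatureState       = $feature.InstallState
    ServiceStatus      = if ($service) { $service.Status } else { 'Missing' }
    ServiceStartType   = if ($service) { $service.StartType } else { 'Missing' }
    PolicyLeftovers    = if ($leftovers) { $leftovers -join ', ' } else { 'None' }
    AntivirusEnabled   = $avOn
    RealTimeProtection = $realTime
    # Protected only when the service runs and both engine flags are on.
    Protected          = ($service.Status -eq 'Running') -and $avOn -and $realTime
}
$result | Format-List
```

Run it from an elevated PowerShell prompt after `gpupdate`; a `Protected` value of False with `PolicyLeftovers` of None matches the state described above, where the policy is back to Not Configured but the service has not been started yet.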