By design, once Apex One is installed and registered in the Windows Security Center (WSC), WSC will disable Windows Defender to avoid possible conflicts. In certain circumstances, this mechanism may not work as expected.
When the Apex One agent detects this exception, it tries to disable Windows Defender by directly modifying registry keys and prompts the user to restart the system.
However, if the Tamper Protection setting is on, you won't be able to turn off the Windows Defender Antivirus service by using the registry keys.
As a result, the restart message shows up again after the reboot.
To prevent the persistent reboot message, Trend Micro will make the following modifications:
- Remove the registry update and restart message flow.
- Add Windows Defender to the exception list to minimize potential compatibility issues.
For both Apex One as a Service and Apex One On-premise
If for some reason Windows Defender does not disable itself and is causing compatibility issues, please do the following:
- Collect WSC diagnostic logs. Refer to the article: How to enable diagnostic logging for Windows Security Center.
- Reproduce the issue.
- Collect the trace file generated in "%SystemRoot%\System32\LogFiles\WMI\WscTrace.etl" (default location).
- Check the registry status:
[SOFTWARE/TrendMicro/PC-cillinNTCorp/CurrentVersion/Volatile] > NeedRebootForWD = 1
- Submit a case to Trend Micro Technical Support.
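The checks in the steps above can be gathered in one read-only pass before opening the case. The following PowerShell is an added example, not a Trend Micro tool. It assumes the registry key sits under HKLM (the article does not name the hive) and therefore checks both the native and WOW6432Node views.

```powershell
# Added example: read-only triage of the state described in this article.
# Run in an elevated PowerShell session on the affected endpoint.

# Assumption: the key is under HKLM; the article gives only the SOFTWARE-relative path.
$subKey     = 'TrendMicro\PC-cillinNTCorp\CurrentVersion\Volatile'
$candidates = @("HKLM:\SOFTWARE\$subKey", "HKLM:\SOFTWARE\WOW6432Node\$subKey")

$needReboot = $null
foreach ($path in $candidates) {
    $item = Get-ItemProperty -Path $path -Name 'NeedRebootForWD' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $needReboot = $item.NeedRebootForWD; break }
}

# Defender state and Tamper Protection, if the Defender module is available.
$mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus -ErrorAction SilentlyContinue
}

# Antivirus products registered with WSC (the namespace exists on client editions only).
$wsc = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
       -ErrorAction SilentlyContinue

# Default WSC trace location named in the steps above.
$trace = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\WscTrace.etl'

[pscustomobject]@{
    NeedRebootForWD       = if ($null -ne $needReboot) { $needReboot } else { 'not present' }
    TamperProtected       = $mp.IsTamperProtected
    DefenderAVEnabled     = $mp.AntivirusEnabled
    DefenderRunningMode   = $mp.AMRunningMode
    WscRegisteredProducts = ($wsc.displayName -join '; ')
    WscTracePresent       = Test-Path -LiteralPath $trace
} | Format-List
```

NeedRebootForWD = 1 together with TamperProtected = True matches the condition described at the top of this article; include the output with the WscTrace.etl file in the support case.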
For Apex One On-premise
Until the On-premise fix is available, customers may also opt to disable Tamper Protection so that Windows Defender can be disabled, avoiding compatibility issues and/or the persistent reboot message.
Refer to the Microsoft knowledge base for detailed instructions: