Disabling Windows Defender Tamper Protection is a temporary workaround. For the product solution, refer to the following for availability:
- Apex One as a Service: Deployed as part of the March 2020 Update
- Apex One: Hot Fix Build 2161 or higher
- OfficeScan XG SP1: Hot Fix Build 5509 or higher
- OfficeScan XG: Hot Fix Build 1994 or higher
Please contact Trend Micro Technical Support to get a copy of a hot fix.
All machines that have been upgraded to Windows 10 1903 (a.k.a. Windows 10 October 2019 Update) report the message "Restart your computer to finish installing an update". Even after multiple reboots, the message remains.
Before anything else, check the Tamper Protection setting on the affected Windows 10 1903 machines. If it is enabled, the issue can occur. For additional information, refer to the following article: Prevent changes to security settings with Tamper Protection.
By design, once Apex One is installed and registered in the Windows Security Center (WSC), WSC will disable Windows Defender to avoid possible conflicts. In certain circumstances, this mechanism may not work as expected.
When the Apex One agent detects this exception, it tries to disable Windows Defender by directly modifying registry keys and then displays a system restart message.
However, if the Tamper Protection setting is on, you won't be able to turn off the Windows Defender Antivirus service by using the registry keys.
So the restart message shows up again after reboot.
To prevent the persistent reboot message, Trend Micro will perform the following modifications:
- Remove the registry update and restart message flow.
- Add Windows Defender to the exception list to minimize potential compatibility issues.
For both Apex One as a Service and Apex One On-premise
If for some reason Windows Defender does not disable itself and is causing compatibility issues, please do the following:
- Collect WSC diagnostic logs, refer to the article: How to enable diagnostic logging for Windows Security Center.
- Reproduce the issue.
- Collect the trace file generated in "%SystemRoot%\System32\LogFiles\WMI\WscTrace.etl" (default location).
- Check the registry status:
  [SOFTWARE/TrendMicro/PC-cillinNTCorp/CurrentVersion/Volatile] > NeedRebootForWD = 1
- Submit a case to Trend Micro Technical Support.
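The checks above can be gathered in one pass before opening the case. The following PowerShell is an added example, not Trend Micro or Microsoft code; it assumes an elevated session and that the Volatile key sits under HKLM (the article does not name the hive), so both the native and WOW6432Node views are read.

```powershell
# Added triage example (not vendor code). Run in an elevated PowerShell session.
$report = [ordered]@{}

# 1. Tamper Protection and Defender state, read from the built-in Defender module.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report.TamperProtection  = $mp.IsTamperProtected
    $report.DefenderAvEnabled = $mp.AntivirusEnabled
    $report.DefenderService   = $mp.AMServiceEnabled
} catch {
    # The cmdlet may fail when the Defender service is not running.
    $report.TamperProtection = 'unknown (Get-MpComputerStatus failed)'
}

# 2. Agent reboot flag from the article.
#    ASSUMPTION: the key is under HKLM; both registry views are checked.
$sub = 'TrendMicro\PC-cillinNTCorp\CurrentVersion\Volatile'
$report.NeedRebootForWD = 'not set'
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $key  = Join-Path $root $sub
    $item = Get-ItemProperty -Path $key -Name NeedRebootForWD -ErrorAction SilentlyContinue
    if ($null -ne $item) { $report.NeedRebootForWD = "$($item.NeedRebootForWD) ($key)" }
}

# 3. WSC trace file at the default location named in the article.
$etl = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\WscTrace.etl'
$report.WscTracePresent = Test-Path -LiteralPath $etl

# 4. Summarize: flag set while Tamper Protection is on is the condition
#    the article associates with the restart message that does not clear.
$flagSet = $report.NeedRebootForWD -like '1 *'
$report.Assessment = if ($flagSet -and $report.TamperProtection -eq $true) {
    'Reboot flag set and Tamper Protection on: matches the persistent restart message condition'
} elseif ($flagSet) {
    'Reboot flag set; Tamper Protection not confirmed on'
} else {
    'Reboot flag not set'
}

[pscustomobject]$report | Format-List
```

The output can be attached to the support case together with WscTrace.etl.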
For Apex One On-premise
Prior to availability of the On-premise fix, customers may also opt to disable Tamper Protection so that Windows Defender can be disabled, avoiding compatibility issues and/or the persistent reboot message.
Refer to the Microsoft knowledge base for detailed instructions: