Antivirus protection during Windows initial setup and S mode

Hello

1.
If Microsoft Defender Antivirus is the selected antivirus:
When running the Windows initial setup, selecting language, creating a profile etc.
Is the system protected by Microsoft Defender Antivirus and all its security features?

2.
If McAfee LiveSafe is the selected antivirus:
When running the Windows initial setup, selecting language, creating a profile etc.
Is the system protected by McAfee LiveSafe and all its security features?

3.
If Microsoft Defender Antivirus is the selected antivirus:
If Windows S mode is turned on.
Are all the security features Microsoft Defender Antivirus has still activated?
Or are some of its security features deactivated, and will be activated if Windows S mode is disabled?

4.
If McAfee LiveSafe is the selected antivirus:
If Windows S mode is turned on.
Are all the security features McAfee LiveSafe has still activated?
Or are some of its security features deactivated, and will be activated if Windows S mode is disabled?

Thank you

The operating system is install at this point, so which ever endpoint protection software is preloaded from the manufacturer or defender if none will be running on the system in it's default configuration.

I think programs aren't run until after Windows is installed followed by the programs getting installed and set up for the User.

S Mode is a feature and limits some things in Windows such as where one can get new programs from. I've had only one Notebook with S Mode [it was cheap and included a year of Microsoft 365] and I disabled it, no issues with Win11 on it.

Microsoft Security/Windows Defender sets up during the install of Windows then McAfee takes over when it installs.

EPP runs as system so it should already be functional

S mode has nothing to do with your security software. It's a limited execution mode designed to prevent all users from installing software apps which aren't available on the MS Store, and forbids running a number of commands or tools which can update your Windows environment.

A side effect of having S mode is you can't always switch to a different security product, after installation.

For example, Store doesn't have McAfee LiveSafe. If it wasn't pre-installed from the factory as a bundled app, you couldn't decide to install it in place of Defender. But otherwise, have McAfee pre-installed on a PC would behave the same whether it's running in S mode or not.

neemobeer said:

EPP runs as system so it should already be functional

Click to expand...

So 1. and 2.
Yes
?

Berton said:

I think programs aren't run until after Windows is installed followed by the programs getting installed and set up for the User.

Microsoft Security/Windows Defender sets up during the install of Windows then McAfee takes over when it installs.

Click to expand...

So 1.
Yes.

And then McAfee LiveSafe takes over and replaces Microsoft Dender, if McAfee LiveSafe installs - but when would McAfee LiveSafe install?

garlin said:

But otherwise, have McAfee pre-installed on a PC would behave the same whether it's running in S mode or not.

Click to expand...

4.
Yes

But what about:
3.
If Microsoft Defender Antivirus is the selected antivirus:
If Windows S mode is turned on.
Are all the security features Microsoft Defender Antivirus has still activated?
Or are some of its security features deactivated, and will be activated if Windows S mode is disabled?

S mode is a Windows policy restriction to prevent the user from running apps. It has no effect on your AV product's operation. Defender and any certified 3rd-party AV solution that co-exists with Defender aren't you, they run at the system-privilege level. They provide a trusted UI interface if you have to interact with them, to change settings or to disable the security service.

This is entirely separate and outside of the S mode policy.

Turning S mode on and off doesn't impact your AV.
Installing 3rd-party AV or disabling/removing it doesn't impact S mode.

MS has strict rules for PC manufacturers if they expect to get Windows licenses. They can decide whether to ship a entry-level PC with S activated or not, and whether to bundle a 3rd-party AV. But neither decision will negatively impact Windows security.

S isn't really designed to be a security feature, but has a side effect of limiting you to running apps from the MS Store. Since anyone can visit the Store and download the "app" to disable S mode, it's not a permanent policy. Therefore it makes no sense to link it with Defender.

garlin said:

S mode is a Windows policy restriction to prevent the user from running apps. It has no effect on your AV product's operation. Defender and any certified 3rd-party AV solution that co-exists with Defender aren't you, they run at the system-privilege level. They provide a trusted UI interface if you have to interact with them, to change settings

Click to expand...

Thank you for your great reply.

You answered 3. and 4. perfectly.

Can you try and answer 1. and 2. aswell?

Users will encounter a new Windows install in one of two scenarios: They installed Windows by themselves, or powered up a pre-made system purchased from a PC manufacturer or systems integrator.

1. When you perform a clean install, Defender cannot be applied (or enabled) until Windows is ready. A normal install takes several stages, including multiple reboots. Sometime after the first reboot, Defender is being configured to run.

There is no explicit AV protection before this step, but that's fine. The only processes running are Windows installing itself, and you're not allowed to run anything until the Out of Box Experience appears for first time. Windows Firewall is already blocking incoming network requests.

By the time you're asking to create a new user, Defender is fully active but running an outdated engine (platform) and signature definitions. After a short time, Windows Update will download and refresh Defender. If you want to maintain the highest level of security, DON'T DO ANYTHING on a new system until after you run Windows Update.

Allow WU to update Defender, and then start customizing your PC by installing other software.

2. When you purchase a pre-made system, the OEM has shortened the install process so everything's already installed. All you need to do is power on the system, and be greeted by the Out of Box Experience. Third-party AV products may be pre-installed as part of the OEM's prep process.

The advice is similar, DON'T DO ANYTHING until you run the 3rd-party AV and confirm it's finished updating itself.


By far the biggest threat to system security is you, the end-user. When you allow Defender or the 3rd-party product enough time to self-update before installing new software, you will get the maximum benefit that security product can provide.

garlin said:

2. When you purchase a pre-made system, the OEM has shortened the install process so everything's already installed. All you need to do is power on the system, and be greeted by the Out of Box Experience.

Click to expand...

I did not install Windows myself and was greeted by the OOBE - selecting language etc.

During the OOBE, when are Defender turned on?
Because at one step during the OOBE setup, i connected to my phone wifi network - to get internet connection

garlin said:

Third-party AV products may be pre-installed as part of the OEM's prep process.

Click to expand...

Does this conflict with Windows S?
The laptop has Windows S function turned on from the start

And if for example McAfee LiveSafe was pre-installed as part of the OEM's prep process - During the OOBE, when are McAfee LiveSafe turned on?

garlin said:

The advice is similar, DON'T DO ANYTHING until you run the 3rd-party AV and confirm it's finished updating itself.

Click to expand...

What about MS Defender? Is that not the selected AV / main AV?

Thank you

Re-read my responses. When you boot and the first screen is OOBE, someone has already finished installing Windows for you. Defender is running since Windows is fully installed. The version on your PC may have outdated security signatures, but that doesn't mean it's not protecting you.

The first instance you connect to a network that has Internet access, Windows Update will try to download the most current Defender.

Same applies to 3rd-party AV that comes pre-bundled on a PC.

Every question I read from you sounds like you constantly doubt things. I can't help you with that. Either accept what a knowledgeable person tells you, or re-install Windows yourself from a clean ISO so you know what's going with the PC.

garlin said:

Same applies to 3rd-party AV that comes pre-bundled on a PC.

Click to expand...

So if McAfee LiveSafe was installed as part of the pre-bundle:
It would have the most recent security signatures from when it was installed?
It would be active during OOBE?

Would Windows S hinder McAfee LiveSafe from working completely correct?
Or only hinder its installation?

garlin said:

DON'T DO ANYTHING until you run the 3rd-party AV and confirm it's finished updating itself.

Click to expand...

"DON'T DO ANYTHING" - as in what?

I had internet connection for a couple of minutes before MS Defender or McAfee LiveSafe could get the latest signature security update.
But I assume they came with recent security signatures - so I assume its safe / okay?

garlin said:

Every question I read from you sounds like you constantly doubt things. I can't help you with that. Either accept what a knowledgeable person

Click to expand...

I just wants to make sure, that I completely understand it.

I appreciate your help, thank you.