Replacement of Trellix (McAfee) Endpoint Security with Microsoft Defender for Endpoint
Beginning on Wednesday 9 October 2024, Information Services will start to replace the legacy Trellix (formerly McAfee) Endpoint Security and Agent products on managed staff devices with Microsoft Defender for Endpoint.
It is anticipated that this work will be fully complete by 19 December 2024, though we may proceed more slowly if any problems are encountered.
The replacement will be done in several stages, with increasing numbers of managed staff devices having the Trellix software removed automatically by Information Services at each stage until all managed staff devices are exclusively using Microsoft Defender for Endpoint.
As members of staff are not required to do anything in order to enable this replacement to happen, this information is being provided mainly to explain some of the differences that may be noticeable during and after the replacement.
What will happen on my managed device during the replacement?
During the replacement all Trellix products will be uninstalled automatically in the background. As soon as this happens, the Microsoft Defender for Endpoint software already present on your managed device will become active and take over protecting your device. It is possible that you may see a temporary warning from Trellix as it is being uninstalled.
If this warning appears, no action is required and you do not need to report it to Information Services.
Can I continue using my managed device as normal during the replacement?
Yes, you can continue using your managed device normally while the Trellix products are being removed, though you may notice that it runs more slowly while this is happening. Once the replacement is complete, your device should return to running at normal speed.
Can I schedule the replacement for a specific time or ask for it to be postponed?
No. Due to the low impact of the replacement on normal use of managed devices, Information Services is not going to be offering this capability.
Will I notice anything different on my managed device following the replacement?
After the replacement, you will no longer see any Trellix or McAfee items in the Start Menu, and the Trellix Agent icon previously visible next to the date and time will disappear.
Will Microsoft Defender for Endpoint operate differently to Trellix Endpoint Security?
Microsoft Defender for Endpoint is a more capable and effective endpoint security solution than Trellix Endpoint Security, and Information Services will therefore be taking full advantage of its advanced capabilities over time.
At its introduction, Defender will be configured according to best practices, and you may therefore notice that certain actions (e.g. downloading certain files from the internet or running certain applications) may trigger a warning or be blocked outright. Since staff use of managed devices is very diverse across our Schools and Services, we are unable to advise on exactly what differences you may notice or the impact they may have on your work, but if anything does affect your work you should contact Information Services so that we can investigate.
Additionally, many of Defender’s advanced detection capabilities are being introduced initially in audit-only mode, so that Information Services can assess their likely impact before fully activating them. While this should mean that many of these features will be enabled with no user-visible impact, please look out for further messages from Information Services about this work in case any particular changes are known to have user-visible impact.
What happens if Microsoft Defender for Endpoint detects suspicious or malicious activity on my managed device?
If suspicious or malicious activity is detected on your managed device at any point in the future, you may receive a notification of this from Microsoft Defender or Windows Security, rather than from Trellix Endpoint Security as would have been the case prior to the replacement.
You may also be contacted by a member of Information Services staff, who will be monitoring the activity of Defender across the University’s managed device estate and will be taking action as necessary to ensure that systems are protected from threats. Your cooperation with their guidance and requests is appreciated.
Who should I contact if I have any questions or concerns about this work?