To switch from Norton to Microsoft Defender, follow the same high-level migration pattern used when moving from a non-Microsoft antivirus to Microsoft Defender for Endpoint. The key steps are:
- Keep Norton active initially
  - Start with Norton still installed and running in active protection mode so devices remain protected during the transition.
- Enable or reinstall Microsoft Defender Antivirus
  - On Windows devices, ensure Microsoft Defender Antivirus is present and enabled.
  - If it was disabled or removed when Norton was installed, follow the guidance in the Setup phase to reinstall/enable Microsoft Defender Antivirus so it can run alongside a non-Microsoft AV in passive mode.
  - On client devices, confirm Defender is enabled via the Windows Security app:
    - Open Windows Security from Start.
    - Select Virus & threat protection.
    - Select Virus & threat protection settings.
    - Turn Real-time protection to On (Defender will automatically disable itself again if Norton is still the primary AV, but this confirms it is available and working).
- Configure Defender (if using Microsoft Defender for Endpoint)
  - If using Defender for Endpoint Plan 1 or Plan 2, configure its capabilities and policies while Norton is still active, as described in the migration Setup phase (device groups, exclusions, etc.).
  - Add mutual exclusions between Norton and Defender to avoid performance or conflict issues, following the guidance for adding Defender to the exclusion list of the existing solution and vice versa.
- Onboard devices (if using Defender for Endpoint)
  - Onboard devices to Defender for Endpoint and verify:
    - Detection tests succeed.
    - Microsoft Defender Antivirus is running in passive mode while Norton is still installed.
    - Defender AV is receiving security intelligence and product updates.
- Uninstall Norton
  - Once Defender is installed, updated, and (if applicable) Defender for Endpoint onboarding is verified, uninstall Norton from the device.
  - After Norton is removed, Microsoft Defender Antivirus automatically switches from passive mode to active mode in most cases and becomes the primary antivirus.
  - If Defender appears stuck in passive mode after uninstalling Norton, use the troubleshooting guidance for “Microsoft Defender Antivirus seems to be stuck in passive mode.”
- Verify Defender is protecting the device
  - On standalone Windows devices, confirm in Windows Security → Virus & threat protection that Microsoft Defender Antivirus is active and reporting no issues.
  - If using Defender for Endpoint, verify protection status in the Microsoft Defender portal under Endpoints → Device inventory.
If Norton does not uninstall cleanly or blocks Defender from becoming active, contact Norton’s support for removal assistance, then re-check that Defender is enabled and up to date.
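The passive-mode, update, and active-mode checks in the steps above can also be read from PowerShell on the device. The script below is an added example, not part of the original guidance; it uses the built-in `Get-MpComputerStatus` and `Get-CimInstance` cmdlets. The `-Phase` parameter, the 3-day signature threshold, and the check names are assumptions made for illustration, and the `BeforeUninstall` check assumes the device is onboarded to Defender for Endpoint so that Defender runs in passive mode.

```powershell
# Added example: reads Defender Antivirus state for the two checkpoints in the steps above.
param(
    # 'BeforeUninstall' = Norton still installed; 'AfterUninstall' = Norton removed.
    [ValidateSet('BeforeUninstall', 'AfterUninstall')]
    [string]$Phase = 'BeforeUninstall',

    # Assumed freshness threshold in days; adjust to your update policy.
    [int]$MaxSignatureAgeDays = 3
)

$status = Get-MpComputerStatus

# root/SecurityCenter2 exists on Windows client editions only; on Server this stays empty.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$registeredAv = @($products | Select-Object -ExpandProperty displayName)

$checks = [ordered]@{
    'Defender service enabled' = $status.AMServiceEnabled
    'Signatures are recent'    = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
}

if ($Phase -eq 'BeforeUninstall') {
    # While Norton is the primary AV, Defender should be present but passive.
    $checks['Running in passive mode'] = $status.AMRunningMode -like '*Passive*'
}
else {
    # After removal, Defender should be active with real-time protection on.
    $checks['Running in active (Normal) mode'] = $status.AMRunningMode -eq 'Normal'
    $checks['Real-time protection on']         = $status.RealTimeProtectionEnabled
    $checks['Antivirus engine enabled']        = $status.AntivirusEnabled
}

"Phase: $Phase"
"AMRunningMode: $($status.AMRunningMode)"
"Signatures: $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated)"
"Registered antivirus products: $($registeredAv -join ', ')"

$failed = 0
foreach ($name in $checks.Keys) {
    $pass = [bool]$checks[$name]
    if (-not $pass) { $failed++ }
    '{0,-34} {1}' -f $name, $(if ($pass) { 'PASS' } else { 'FAIL' })
}

# A non-zero exit code lets a deployment tool gate the Norton uninstall on this result.
exit $failed
```

Save it as a script file and run it once with `-Phase BeforeUninstall` before removing Norton and again with `-Phase AfterUninstall` afterwards; Norton should no longer appear in the registered product list on the second run.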