When you publish the image, C:\Windows\System32\drivers\mssecflt.sys and -C:\Windows\System32\drivers\mssecwfp.sys are missing from the published image.

Using the Compositing Engine (CE) means the packaging machine is booted into a native NTFS environment.  The layers are pulled and the Composited image is created there.  Using CE is far superior and is the recommended way to create\edit layers and publish images.  CE does not have this issue with Defender files.

Problem Cause

Building the Composited image on the ELM is using NTFS emulation.  This can cause a number of problems and is therefore not recommended.  This specific issue seems to be related to the way the Compositing process on the ELM handles Always On Boot (AOB) files.  What AOB files are is beyond the scope of this article.  This issue does not occur with using the Compositing Engine feature which is the recommended method.