Cortex XDR and Microsoft Defender Coexistence and Performance


L0 Member

Hello Cortex XDR Community,


We were recently asked to have official guidance regarding the coexistence of Cortex XDR Agent and Microsoft Defender on Windows endpoints.

My questions to the community and experts are:

- Is the coexistence of Cortex XDR and Microsoft Defender Antivirus officially supported?

- Is the coexistence of Cortex XDR and Microsoft Defender for Endpoint (MDE) supported?

- When Cortex XDR is installed, does it automatically disable Microsoft Defender Antivirus, or can both solutions remain active simultaneously?


- Are there any known limitations, performance impacts, or best practices when running both products on the same endpoint?


- Is there any official documentation or configuration guide describing the recommended deployment model for organizations using both Cortex XDR and Microsoft Defender technologies?

Thank you

1 REPLY

L4 Transporter

Hi @omonroy502642

 

Yes, Cortex XDR Agent can coexist with Microsoft security solutions, but the supported deployment depends on which Microsoft component you're referring to.

 

  • Cortex XDR + Microsoft Defender Antivirus (MDAV): Coexistence is supported. Organizations can run both products together, although it is recommended to properly configure mutual exclusions to avoid unnecessary performance impact or scanning conflicts. Whether Microsoft Defender Antivirus remains active also depends on Windows Security settings (for example, passive mode) and your organization's security policy.
  • Cortex XDR + Microsoft Defender for Endpoint (MDE): This is a common and supported deployment. Cortex XDR provides EDR/XDR capabilities while MDE can continue providing Microsoft's endpoint protection and telemetry. Many organizations use both platforms together for layered security or during migration projects.
  • Does Cortex XDR disable Microsoft Defender Antivirus?
    No. Installing the Cortex XDR Agent does not automatically disable Microsoft Defender Antivirus. Defender's operating mode (Active, Passive, or Disabled) is determined by Microsoft Windows policies, Microsoft Defender for Endpoint onboarding, and any third-party antivirus registration with Windows Security Center—not solely by the Cortex XDR installation.
  • Best practices:
    • Configure recommended AV and EDR exclusions on both products.
    • Ensure only one product is performing primary real-time AV scanning if your security policy requires it.
    • Keep both products on supported versions.
    • Validate performance and policy behavior in a pilot group before broad deployment.
  • Official documentation:
    Palo Alto Networks provides interoperability and deployment guidance in the Cortex XDR documentation, while Microsoft documents Microsoft Defender Antivirus passive mode, Windows Security Center registration, and Defender for Endpoint coexistence scenarios. It's recommended to follow guidance from both vendors when deploying the solutions together.

If you're planning to use Cortex XDR as the primary EDR while retaining Microsoft Defender technologies, reviewing the latest Cortex XDR Administrator's Guide and Microsoft's Defender Antivirus passive mode documentation is recommended, as deployment behavior can vary depending on the Windows version and security configuration. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Compatibility-Matrix/Cortex-XDR-age...

 

Best regards,
Vinothkumar.C.
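
The reply above says Defender's operating mode and the exclusion configuration should be validated in a pilot group. The following PowerShell is an added example, not part of the original posts or either vendor's documentation; it reports the values to check on a pilot endpoint. The function name `Get-DefenderCoexistenceReport` and the exclusion path are hypothetical placeholders, and the script assumes an elevated session on a Windows client with the built-in Defender module.

```powershell
# Added example: summarize Microsoft Defender Antivirus state on a pilot endpoint
# where a second endpoint agent is installed. Run elevated; non-admin sessions
# may not be able to read the configured exclusion list.
function Get-DefenderCoexistenceReport {
    param(
        # Placeholder: replace with the paths your vendor guidance tells you to exclude.
        [string[]]$ExpectedExclusions = @('<VENDOR-DOCUMENTED-PATH>')
    )

    $status = Get-MpComputerStatus   # Defender module cmdlet: engine and mode state
    $prefs  = Get-MpPreference       # Defender module cmdlet: configured preferences

    # Products registered with Windows Security Center. This WMI namespace
    # exists on client editions only, so the result is empty on Windows Server.
    $registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
            -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName)

    # Expected exclusions that are not present in Defender's path exclusions.
    $configured = @($prefs.ExclusionPath)
    $missing    = @($ExpectedExclusions | Where-Object { $_ -notin $configured })

    # Defender is the active real-time scanner only when it runs in Normal mode
    # with real-time protection on; Passive Mode means another product is primary.
    $defenderActive = ($status.AMRunningMode -eq 'Normal') -and
                      $status.RealTimeProtectionEnabled

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DefenderRunningMode   = $status.AMRunningMode
        AntivirusEnabled      = $status.AntivirusEnabled
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        DefenderIsActiveAv    = $defenderActive
        RegisteredAvProducts  = $registered -join '; '
        MissingPathExclusions = $missing -join '; '
    }
}

# Print the report for the local endpoint.
Get-DefenderCoexistenceReport | Format-List
```

Collecting this output from each pilot machine before and after the agent rollout shows whether Defender changed mode and whether the expected exclusions actually reached the endpoint.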