01-20-2023 11:56 AM
Hello dear community,
What is your experience with running MsMpEng.exe on Windows Server OS while using Cortex XDR?
In my case the Windows clients don't run MsMpEng.exe while Cortex XDR is running, but the servers do.
What is the difference here, and what should I do to solve this "problem"? Is it a problem? Is this by design?
BR
Rob
01-24-2023 08:32 AM
Hi @RFeyertag,
This is by design on Windows Server operating systems: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...
See the relevant excerpt from the Agent Settings documentation below:
(Windows only) Configure Windows Security Center Integration.
The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases:
Enabled—The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.
01-24-2023 11:43 AM
Thank you Timurphy!
I have forwarded it internally to get a GPO running to deactivate Defender.
BR
Rob
01-25-2023 08:01 AM
Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn
We have seen the same behavior; there are a lot of switches.
02-16-2023 04:27 PM
Has anyone here been able to get Cortex XDR to show up as the AV security provider on Windows servers?
Works fine on Windows workstations.
02-22-2023 12:36 PM
Doesn't work that way on servers. That's a Microsoft thing.
07-05-2023 01:54 PM
Thanks for this!
Do they say or explain why (the integration is unavailable on Windows Servers)?
Is it a limitation of Windows Servers - or Cortex XDR - or of something in-between?
(Having this integration would save us a lot of time - else we'd have to figure out some sort of an automated process checking each and every Windows Server instance to see if XDR is running and if so, disable Defender.)
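
The per-server check described in the post above could look like the following. This is an added example, not part of the original thread and not Palo Alto Networks code. It assumes the Cortex XDR agent service is named `cyserver` (verify on one of your own endpoints) and that the host is Windows Server 2016 or later, where Defender is the `Windows-Defender` feature.

```powershell
# Added example. Assumption: the Cortex XDR agent service is named 'cyserver';
# confirm with Get-Service on an endpoint where the agent is installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$XdrServiceName = 'cyserver',  # assumed service name
    [switch]$Remove                        # without this switch: report only
)

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1

$xdr        = Get-Service -Name $XdrServiceName -ErrorAction SilentlyContinue
$xdrRunning = ($null -ne $xdr) -and ($xdr.Status -eq 'Running')

# WinDefend is the service that hosts MsMpEng.exe
$defSvc     = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$defRunning = ($null -ne $defSvc) -and ($defSvc.Status -eq 'Running')

# Get-WindowsFeature only exists on Server SKUs (ServerManager module)
$feature = $null
if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
}
$featureInstalled = ($null -ne $feature) -and $feature.Installed

$result = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OS                = $os.Caption
    IsServer          = $isServer
    XdrRunning        = $xdrRunning
    DefenderRunning   = $defRunning
    DefenderInstalled = $featureInstalled
    Action            = 'None'
}

# Act only when the XDR agent is confirmed running, so a server is never
# left without any AV engine.
if ($isServer -and $xdrRunning -and $featureInstalled) {
    $result.Action = 'RemovalCandidate'
    if ($Remove -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Uninstall Windows-Defender feature')) {
        $r = Uninstall-WindowsFeature -Name Windows-Defender
        $result.Action = "Removed (RestartNeeded: $($r.RestartNeeded))"
    }
}
$result
```

Run without `-Remove` first to inventory which servers have both engines active; `-Remove -WhatIf` shows what would be uninstalled without changing anything.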