Cortex XDR Pro - Server installations - still running Windows Defender (not Firewall)


L4 Transporter

Hello dear community, 

 

What is your experience with running MsMpEng.exe on Windows Server OS, while using Cortex XDR?

In my case the Windows clients don't run MsMpEng.exe while Cortex XDR is running, but the servers do.

What is the difference here and what should I do to solve this "problem"? Is it a problem? Is this by design?

 

BR

 

Rob

1 accepted solution

Accepted Solutions

L3 Networker

Hi @RFeyertag,

 

This is by design on Windows Server operating systems: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...

 

See the relevant excerpt from the Agent Settings documentation below:

 

(Windows only) Configure Windows Security Center Integration.

The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases:

  • Enabled—The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.

     


Thank you Timurphy!

I have forwarded it internally to get a GPO running to deactivate the Defender.

 

BR

 

Rob

Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn

We have seen the same behavior; there are a lot of switches. 

L3 Networker

Has anyone here been able to get Cortex XDR to show up as the AV security provider on Windows servers?
Works fine on Windows workstations

 


 

L3 Networker

Doesn't work that way on Servers. That's a Microsoft thing.

Thanks for this!

Do they say or explain why (the integration is unavailable on Windows Servers)?

Is it a limitation of Windows Servers - or Cortex XDR - or of something in-between?

(Having this integration would save us a lot of time - else we'd have to figure out some sort of an automated process checking each and every Windows Server instance to see if XDR is running and if so, disable Defender.)
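
An audit-only version of the per-server check described in the post above, added here as an example (it is not from any poster in this thread or from Palo Alto Networks). It assumes the Cortex XDR agent's Windows service is named `cyserver`; confirm the name in your environment and pass a different `-XdrServiceName` if it differs. It changes nothing on the host and only reports servers where the agent and `MsMpEng.exe` are running side by side.

```powershell
# Added example: reports state only, makes no changes to the host.
# Assumption: the Cortex XDR agent service is named 'cyserver'.
param(
    [string]$XdrServiceName = 'cyserver'
)

# Win32_OperatingSystem.ProductType:
#   1 = workstation, 2 = domain controller, 3 = member or standalone server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1

# Is the Cortex XDR agent service present and running?
$xdr = Get-Service -Name $XdrServiceName -ErrorAction SilentlyContinue
$xdrRunning = ($null -ne $xdr) -and ($xdr.Status -eq 'Running')

# Is the Defender engine process from the thread (MsMpEng.exe) running?
$engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
$defenderRunning = $null -ne $engine

# Get-MpComputerStatus ships with the Defender module; it is missing or
# returns nothing once the Defender feature has been removed from a server.
$mp = $null
if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
}

# One object per host, so results from many servers can be collected,
# filtered on NeedsReview and exported.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OS                 = $os.Caption
    IsServer           = $isServer
    XdrAgentRunning    = $xdrRunning
    MsMpEngRunning     = $defenderRunning
    # AMRunningMode is not populated on older Defender platform versions
    DefenderMode       = if ($mp) { $mp.AMRunningMode } else { $null }
    RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
    # True when a server runs both products, the case the documentation
    # excerpt above says to resolve by disabling or removing Defender
    NeedsReview        = $isServer -and $xdrRunning -and $defenderRunning
}
```

Saved as a script, it can be run against a list of servers with `Invoke-Command -ComputerName ... -FilePath ...` and the output filtered on `NeedsReview`.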
