Cortex XDR Pro - Server installations - still running Windows Defender (not Firewall)


L3 Networker

Hello dear community, 

 

What is your experience with running MsMpEng.exe on Windows Server OS, while using Cortex XDR?

In my case the Windows clients don't run MsMpEng.exe while Cortex XDR is running, but the servers do.

What is the difference here, and what should I do to solve this "problem"? Is it a problem? Is this by design?

 

BR

 

Rob

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker

Hi @RFeyertag,

 

This is by design on Windows Server operating systems: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-A...

 

See the relevant excerpt from the Agent Settings documentation below:

 

(Windows only) Configure Windows Security Center Integration.

The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases:

  • Enabled—The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.

     

View solution in original post
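A read-only check for the situation described in the answer above, added here as an example (it is not from the thread or from Palo Alto Networks documentation). It reports whether Defender's engine is still running next to the agent on a server OS; the agent service name `cyserver` is an assumption, so adjust it to your deployment.

```powershell
# Read-only audit: reports whether Microsoft Defender Antivirus is still
# active next to the Cortex XDR agent on this host. It changes nothing.
param(
    # Assumption: Windows service name of the Cortex XDR agent.
    [string]$AgentServiceName = 'cyserver'
)

function Get-DefenderCoexistenceState {
    param([string]$AgentServiceName)

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = DC, 3 = server

    $agent    = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $defender = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $engine   = Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue

    # Get-MpComputerStatus is unavailable once the Defender feature is removed,
    # and fails when the service is stopped; treat both as "no status".
    $mp = $null
    if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }
    }

    $agentRunning    = [bool]($agent -and $agent.Status -eq 'Running')
    $defenderRunning = [bool]($engine -or ($defender -and $defender.Status -eq 'Running'))

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OS                 = $os.Caption
        IsServer           = $isServer
        AgentRunning       = $agentRunning
        DefenderRunning    = $defenderRunning
        DefenderMode       = if ($mp) { $mp.AMRunningMode } else { 'n/a' }
        RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }
        # The case from this thread: server OS with both products running.
        NeedsReview        = $isServer -and $agentRunning -and $defenderRunning
    }
}

Get-DefenderCoexistenceState -AgentServiceName $AgentServiceName | Format-List
```

Hosts that report `NeedsReview : True` are the servers the documentation excerpt refers to.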

3 REPLIES 3

Thank you Timurphy!

I have forwarded it internally to get a GPO running to deactivate Defender.

 

BR

 

Rob

Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn

We have seen the same behavior; there are a lot of switches. 
