Windows Server: no integration for 3rd party "providers" in "security center"?

Anonymous
2023-07-05T21:59:00+00:00

We're seeing Windows Defender and Palo Alto Cortex XDR fighting for resources on a number of our Windows Server instances...

...and noticed that "Cortex XDR" is not listed as a "provider" in Windows Security Center despite having been installed.

Palo Alto docs say this:

The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.

Would anyone know

  1. Why I can't access "providers" under "security providers" in Windows Server 2019?
  2. Why doesn't (or can't) Palo Alto shut down or disable Windows Defender on Windows Server versions after installing Cortex XDR?
  3. What is the best way to automate the process of disabling Windows Defender on Windows Server instances where Cortex XDR is actively protecting the system?

Thanks!

P.S. Non-server Windows editions are unaffected: managing security providers is an option in "security center", for Windows Defender and Cortex XDR, with Windows Defender disabled ("passive") after Cortex XDR installation.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


5 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. Anonymous
    2023-07-06T00:50:56+00:00

    I'm sure you'll eventually get a clear answer at the Q&A Forums, but the thread where I found the same excerpt you did regarding why Windows Defender Antivirus on servers operates differently than the commercial Windows Defender for Endpoint Plans seems to describe the reason in the following section quite clearly.

    Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn

    That same document describes how to uninstall Microsoft Defender Antivirus (or Windows Defender Antivirus for Windows 2016) using a PowerShell cmdlet in the dialog box immediately preceding that section referenced above.

    This seems confusing only because of the similar naming, while that document details the specific differences for the standalone Defender and Endpoint versions, as well as how they operate differently relating to passive mode, which is what you're trying to manage.

    Rob

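The following script is an added example (not from the original thread, Microsoft or Palo Alto Networks) that puts together what the question's item 3 asks for and the PowerShell cmdlet route Rob points to in the Microsoft Learn compatibility article. It reports how Microsoft Defender Antivirus is actually running next to a third-party agent on a Windows Server host, checks whether the `root\SecurityCenter2` WMI namespace behind the "security providers" page exists (it is normally absent on Server SKUs, which is why there is nothing to manage in the UI), and only when `-Remove` is passed, and only if the third-party agent service is running, uninstalls the `Windows-Defender` feature. The service name `cyserver` is an assumption used as a placeholder for the Cortex XDR agent; replace it with whatever the installed agent actually registers. The `ForceDefenderPassiveMode` policy value is read only, since it is honoured only on hosts onboarded to Defender for Endpoint.

```powershell
<#
  Added example, not code from the original thread, Microsoft or Palo Alto Networks.
  Reports the Microsoft Defender Antivirus state on a Windows Server host that also
  runs a third-party AV agent and, only with -Remove, uninstalls the Windows-Defender
  feature via the cmdlet route described in the Microsoft Learn compatibility article.
  Supports -WhatIf / -Confirm so a dry run across the farm costs nothing.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: 'cyserver' is a placeholder for the third-party agent's service name.
    [string]$ThirdPartyService = 'cyserver',
    [switch]$Remove
)

function Get-DefenderState {
    param([string]$AgentService)

    $state = [ordered]@{
        ComputerName             = $env:COMPUTERNAME
        SecurityCenterNamespace  = $false
        ThirdPartyAgentRunning   = $false
        DefenderFeatureInstalled = $false
        AMRunningMode            = 'n/a'
        RealTimeProtection       = $null
        ForceDefenderPassiveMode = $null
    }

    # root\SecurityCenter2 is the WMI namespace the "security providers" page is built on.
    # On Windows Server it is normally missing, so no provider list can be shown or managed.
    $state.SecurityCenterNamespace = [bool](
        Get-CimInstance -Namespace root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        Where-Object Name -eq 'SecurityCenter2')

    $svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    $state.ThirdPartyAgentRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Get-WindowsFeature comes from the ServerManager module present on Server SKUs.
    $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
    if ($feature) { $state.DefenderFeatureInstalled = [bool]$feature.Installed }

    if ($state.DefenderFeatureInstalled) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($mp) {
            # AMRunningMode reads e.g. 'Normal', 'Passive Mode' or 'EDR Block Mode'.
            $state.AMRunningMode      = $mp.AMRunningMode
            $state.RealTimeProtection = $mp.RealTimeProtectionEnabled
        }
    }

    # Passive mode on Server is driven by this policy value and is only honoured when the
    # host is onboarded to Defender for Endpoint; read it so the report explains 'Normal'.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $state.ForceDefenderPassiveMode = (Get-ItemProperty -Path $key -Name ForceDefenderPassiveMode `
        -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    [pscustomobject]$state
}

$state = Get-DefenderState -AgentService $ThirdPartyService

if ($Remove) {
    # Guard rails: never leave the host without a running AV engine.
    if (-not $state.ThirdPartyAgentRunning) {
        Write-Warning "Service '$ThirdPartyService' is not running on $($state.ComputerName); refusing to remove Microsoft Defender Antivirus."
    }
    elseif (-not $state.DefenderFeatureInstalled) {
        Write-Verbose "Windows-Defender feature already absent on $($state.ComputerName); nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess($state.ComputerName, 'Uninstall-WindowsFeature -Name Windows-Defender')) {
        $op = Uninstall-WindowsFeature -Name Windows-Defender
        if ($op.RestartNeeded -ne 'No') {
            Write-Warning "$($state.ComputerName): a restart is required to complete the removal."
        }
    }
}

$state
```

Run it once without `-Remove` to get the per-host report (the `AMRunningMode` value is the fact the GUI cannot show you on Server), then with `-Remove -WhatIf` to see what would be uninstalled. To fan the report out, `Invoke-Command -ComputerName (Get-Content .\servers.txt) -FilePath .\Defender-vs-ThirdPartyAV.ps1 -ArgumentList 'cyserver'` works with no central management platform beyond WinRM; for the removal step, copy the script to the hosts and call it inside an `Invoke-Command -ScriptBlock` with `-Remove`, keeping `-WhatIf` until the dry run output looks right.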
  4. Anonymous
    2023-07-06T16:04:53+00:00

    Thanks Rob - I am now more confused than before (if that's possible) 🙂 - the article doesn't seem to offer any obvious solutions or workarounds for my case - which can't be too obscure:

    1. A 3rd party antimalware product installed across an org's server farm, and:
    2. No option to set Defender into appropriate mode automatically.
    3. No option to navigate to "security providers" in "Windows Security" applet
    4. No option to set Defender into appropriate mode from a central management point as the servers don't seem to be onboarded into any sort of a central management platform.

    ... where the question remains: how do server admins navigate this? What are the best practices?

  5. Anonymous
    2023-07-06T19:09:53+00:00

    Yes Alex. I found it confusing as well that you must apparently have one of the Windows Defender for Endpoint plans in place in order to be able to properly manage the server version of Windows Defender Antivirus, since that typically runs as a standalone product on Windows client operating systems and as you've already mentioned, can be disabled by a valid 3rd-party security product via the Security center.

    Someone on the Q&A forums may have a better grasp on the reasons behind this, but from what I can determine, it appears that only by manually uninstalling the standalone Microsoft/Windows Defender Antivirus completely using the PowerShell cmdlet mentioned is it possible to avoid the conflict you're experiencing.

    My guess would be that this is similar to another situation I saw recently where the use of Intune was required in order to allow full management of the local PIN authentication method, which meant that only an obscure registry setting or similar was available as a workaround when Intune was unavailable. In other words, Microsoft never considered the need for the remote management of multiple servers containing the standalone Windows Defender Antivirus product and only provided it as an optional AV product for individuals using Windows Server in standalone or small business environments where manual uninstall wouldn't be a significant issue. Of course, this is just speculation on my part, but seems to fit the scenario.

    Rob
