Share via

Is the Windows Defender Firewall Service Always Necessary to Stay Running?

StudentAdmin 65 Reputation points
2024-10-26T22:15:38.8766667+00:00

Hello,

In my current collegiate studies, we are doing labs where Trellix is installed on Windows 10 as a third-party AV and Firewall provider. When Trellix is running, the Windows Defender Firewall shows disabled in Windows Security. However, the service is still running (Get-Service). Windows Defender Firewall with Advanced Security also displays that the Windows Defender Firewall is on. I tried to then stop the Defender Firewall Service (mpssvc) to see if the service is required, but I am unable to stop it even in an Administrative PowerShell session (Stop-Service -Name MpsSvc -Force) and there are no running dependent services.

I then installed McAfee AV on a personal machine and ran into the same problem of being unable to stop the service.

For additional context, the Defender Antivirus Service (WinDefend) is stopped. So, it appears only the Defender Firewall Service cannot be stopped when using a third-party AV/FW. Can anyone confirm this to be the case, preferably with a reference to Windows documentation? I cannot find anything that explicitly says this.

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,776 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,364 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,937 questions
0 comments
Accepted answer
  1. Marcin Policht 26,465 Reputation points MVP
    2024-10-27T00:13:53.22+00:00

    Your observations align with known behavior in Windows when third-party security software, like Trellix, takes over firewall management. When such software is installed, the Windows Defender Firewall interface in Windows Security may display as disabled, but the Windows Defender Firewall Service (mpssvc) remains active and cannot be stopped manually, even with administrative privileges.

    This design ensures the Windows Filtering Platform (WFP) continues to function. The WFP underpins not only the firewall but also networking and security policies in Windows. Even when third-party firewalls are in use, the WFP requires the mpssvc service to remain operational to manage network traffic filtering effectively.

    Microsoft documentation suggests that stopping the Defender Firewall service is not supported because it can lead to inconsistent or unsupported configurations. This behavior is not an oversight but an intentional design to maintain a secure networking environment, ensuring that essential traffic filtering functions remain intact regardless of whether a third-party firewall is active.

    For reference, similar limitations are noted regarding stealth mode and other features that rely on the Windows Firewall Service. Disabling the service or trying to override its behavior without using supported management tools is discouraged due to potential security risks and instability.

    More at https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/networking-mpssvc-svc

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-stealth-mode

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.