Citrix and Microsoft Windows Defender Disconcert

Microsoft Windows Defender definition 1.321.1319.0 (KB2267602) detected HighAvailabilityService.exe and BrokerService.exe as a Trojan and quarantined both executables. This clash between Citrix and Microsoft Windows Defender caused a lot of trouble. Both Microsoft and Citrix acted swiftly: Citrix published workarounds and Microsoft released the updated definition 1.321.1341.0 to correct the false positive.

Update – Part 2 (Microsoft Defender for Citrix Virtual Apps and Desktops) is available at MyCUGC.

Citrix deployments where the antivirus exclusions for Citrix components had been added to Windows Defender, as described here, were not affected.

CVAD Delivery Controllers Exclusions
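The two binaries named in this post are the only ones the page identifies, so the following added example (not Citrix's or Microsoft's code, and not Citrix's complete exclusion list, which is longer) shows only the mechanics: locating those two Delivery Controller executables from the registered services, adding both a path and a process exclusion in Windows Defender, and reading the result back. It assumes it is run elevated on a Delivery Controller.

```powershell
# Added example: scope Windows Defender exclusions to the two Delivery Controller
# binaries named in this post. Citrix's published exclusion list is longer; this
# only demonstrates the mechanics. Run elevated on the Delivery Controller.
#Requires -RunAsAdministrator

# The executable names come from the post; their install paths are discovered from
# the registered services instead of being hard-coded, so no path is assumed here.
$targets = 'BrokerService.exe', 'HighAvailabilityService.exe'
$pattern = ($targets | ForEach-Object { [regex]::Escape($_) }) -join '|'

$binaries = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments: "C:\...\x.exe" -arg
        if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
    } |
    Sort-Object -Unique

if (-not $binaries) {
    throw "No service binary matching $($targets -join ', ') found; is this a Delivery Controller?"
}

foreach ($exe in $binaries) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Service points at a missing file: $exe"
        continue
    }
    # Path exclusion: keeps the binary itself from being scanned and quarantined,
    # which is what the faulty definition did to these two files.
    Add-MpPreference -ExclusionPath $exe
    # Process exclusion: keeps files *opened by* the running process from being
    # scanned. It does not exclude the process image itself, hence both are set.
    Add-MpPreference -ExclusionProcess $exe
}

# Verify. Every exclusion is a coverage hole, so keep the list exact and auditable.
$pref = Get-MpPreference
$pref.ExclusionPath    | Where-Object { $_ -match $pattern }
$pref.ExclusionProcess | Where-Object { $_ -match $pattern }
```

Exclusions are scoped to the exact file rather than the whole Citrix folder on purpose: a directory exclusion would also hide anything an attacker drops into that directory. Remember that if a third-party product is the primary antivirus, the same exclusions have to exist there too; Defender and the third-party product do not share configuration.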

The Citrix environments that were impacted fall into three categories:

  1. Antivirus exclusions for Citrix components were not applied in Microsoft Windows Defender.
  2. Exclusions were applied in a third-party antivirus solution, but Windows Defender was not disabled.
  3. Exclusions were applied in a third-party antivirus solution, Windows Defender was left in Active or Passive mode, and the exclusions were not applied in Windows Defender.

Citrix and Microsoft Windows Defender

Chances are that your Citrix servers (Windows Server 2016 and 2019) are running Microsoft Windows Defender without you knowing it. The easiest way to find out is through Server Manager, under Roles and Features.


Or open services.msc, scroll down and look for the Windows Defender services.

Windows Defender Services

Or open PowerShell and run Get-MpComputerStatus. It returns the antivirus status object when Defender is installed and its service is running; if the Windows Defender feature has been removed, the cmdlet is not available at all.

Or run Get-Service -Name WinDefend, which shows whether the Windows Defender Antivirus Service exists and is running.

Go to Settings > Update & Security > Windows Security and click Virus & threat protection. If that page shows Defender's protection status, that is another proof that Microsoft Windows Defender is in use. The old Windows Defender GUI is gone: in Windows 10, version 1703 and later, the Windows Defender app is part of Windows Security. See the comparison of the new and old Defender app in the Microsoft Docs.
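The feature, service and Get-MpComputerStatus checks above can be combined into one script. This is an added example, not code from the post; it assumes a Windows Server 2016 or 2019 host where the ServerManager module is available, and it reads the Defender status only while the WinDefend service is running, because the cmdlet fails otherwise.

```powershell
# Added example: one-shot check of whether Microsoft Defender Antivirus is present
# and actually protecting a Windows Server 2016/2019 host.

function Get-DefenderPosture {
    $feature = Get-WindowsFeature -Name Windows-Defender       # antivirus feature
    $gui     = Get-WindowsFeature -Name Windows-Defender-GUI   # optional GUI feature
    $svc     = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    $status = $null
    if ($svc -and $svc.Status -eq 'Running') {
        # Only answers while the service runs; otherwise the cmdlet throws.
        $status = Get-MpComputerStatus
    }

    [pscustomobject]@{
        FeatureInstalled   = $feature.Installed
        GuiInstalled       = $gui.Installed
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotPresent' }
        # AMRunningMode ('Normal' = Active, 'Passive Mode', ...) is only reported by
        # newer Defender platform versions; it stays empty on older builds.
        RunningMode        = $status.AMRunningMode
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

$posture = Get-DefenderPosture
$posture | Format-List

# A server that also runs a third-party antivirus and still shows real-time
# protection here is exactly the situation described in categories 2 and 3.
if ($posture.FeatureInstalled -and $posture.RealTimeProtection) {
    Write-Host 'Defender is installed AND scanning in real time on this server.'
}
```

Run it across the Delivery Controllers with Invoke-Command to get one table for the whole site; the FeatureInstalled and RealTimeProtection columns are the ones that decide whether the Citrix exclusions must also exist in Defender.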

On Windows Server 2016 and 2019, the functionality, configuration and management of Microsoft Defender Antivirus are largely the same as on Windows 10.

Microsoft Defender can be managed entirely through PowerShell, which is why the Defender GUI is not installed by default on every SKU of Server 2016 and 2019. According to MVP Prajwal Desai, “If you install the Server 2016 OS from updated ISO copy from MSDN or VLSC, the feature (GUI) is enabled by default”. In the same article, he explains how to install the Defender GUI using Server Manager and PowerShell.

To determine the version of Windows Defender, skip to How to check Windows Defender Antivirus version.


You may get the error “You’ll need a new app to open this windowsdefender” after clicking Virus & threat protection. Skip to the resolution.


So why is Microsoft Windows Defender enabled?

Either you are using Windows Defender Antivirus as a standalone component or as part of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), or you forgot to disable it after installing a non-Microsoft antivirus solution.

By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. Even after you install a third-party antivirus product on Windows Server 2016 or 2019, Microsoft Defender Antivirus is not disabled automatically (it remains in Active mode), which is the opposite of how Windows 10 behaves.

  • Consider disabling it (Disabled mode) if your virus, malware and spyware protection needs are met by a third-party antivirus solution. See how to manually disable Microsoft Defender on Windows Server 2016 and 2019 below.
  • If your devices are enrolled in Microsoft Defender ATP, you can choose to keep using Microsoft Defender Antivirus (Active mode). Alternatively, run it alongside your third-party antivirus product (Passive mode). For a better decision, visit the Antivirus Compatibility page from Microsoft.

How to disable Microsoft Defender

You can disable Microsoft Windows Defender through either Server Manager or PowerShell. Both routes remove the Windows Defender feature rather than toggling a setting, so confirm that your third-party antivirus is installed and active first.

Open Server Manager and deselect Windows Defender Features; you will be prompted to remove the GUI for Windows Defender option as well.

Alternatively, open PowerShell and run Uninstall-WindowsFeature -Name Windows-Defender.

Reboot the server and you are done.


This is how Windows Security/Windows Defender Antivirus looks after uninstallation:

Windows Security with Windows Defender disabled

You’ll need a new app to open this windowsdefender

Courtesy – Microsoft Technet thread.

Open PowerShell and execute below command:

Add-AppxPackage -Register -DisableDevelopmentMode "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppXManifest.xml"

How to check Windows Defender Antivirus version

  1. Go to Settings > Update & Security > Windows Security and click the Settings gear icon in the lower-left corner.
  2. Click About.
  3. The version shown there is the Defender Antivirus version.
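The same numbers the About page shows are available from Get-MpComputerStatus, which also makes it possible to compare the installed definition against the two versions this post names: 1.321.1319.0, which caused the false positive, and 1.321.1341.0, which corrected it. The following is an added example, not code from the post; it assumes the Defender service is running and that the host can reach its configured definition update source when Update-MpSignature is called.

```powershell
# Added example: report the Defender client, engine and definition versions and
# compare the definition against the faulty (1.321.1319.0) and corrected
# (1.321.1341.0) releases named in this post.

$badDefinition   = [version]'1.321.1319.0'
$fixedDefinition = [version]'1.321.1341.0'

function Test-DefenderDefinition {
    $s = Get-MpComputerStatus
    # Same values as Windows Security > Settings > About, without the GUI.
    $installed = [version]$s.AntivirusSignatureVersion
    [pscustomobject]@{
        ClientVersion     = $s.AMProductVersion
        EngineVersion     = $s.AMEngineVersion
        DefinitionVersion = $installed
        DefinitionUpdated = $s.AntivirusSignatureLastUpdated
        OnBadDefinition   = ($installed -eq $badDefinition)
        # Every definition from 1.321.1341.0 onward carries Microsoft's correction.
        HasFix            = ($installed -ge $fixedDefinition)
    }
}

$report = Test-DefenderDefinition
$report | Format-List

if ($report.OnBadDefinition) {
    Write-Warning "Definition $($report.DefinitionVersion) is the one that quarantined BrokerService.exe and HighAvailabilityService.exe."
    Update-MpSignature                # pull the latest definitions from the configured source
    $report = Test-DefenderDefinition # re-read after the update
    $report | Format-List
}
elseif (-not $report.HasFix) {
    Write-Warning "Definition $($report.DefinitionVersion) is older than the corrected release; update before relying on it."
}

# Anything Defender has already quarantined is listed here; review it before restoring.
Get-MpThreatDetection | Select-Object -Property InitialDetectionTime, ThreatID, Resources
```

Updating the definition stops further detections but does not put files back: executables that were already quarantined still have to be restored, which is what the Citrix workarounds covered.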

Missing scan with Microsoft Defender option in Context Menu

Scan with Microsoft Defender not available in Context menu

On my server, I had no Scan with Windows Defender... option in the context menu. I also did not see any extension for Microsoft Defender in ShellExView; however, Windows Defender Firewall was there.

Windows defender Firewall ShellExView

Then I googled and found the solution by MVP Kapil Arya. Even after making the registry modifications suggested in that article, Scan with Windows Defender did not show up in the context menu, but at least a blank extension with the correct icon appeared. That is because shellext.dll was missing from C:\Program Files\Windows Defender\. Opening the properties of that blank extension in ShellExView confirms this; see the missing File parameter in the image below.

Scan with Microsoft Defender ShellExview

Then I copied shellext.dll over from a working server. The extension name now shows up, as do the other properties.

Scan with Microsoft Defender ShellExview 1

And finally, I have “scan with Microsoft Defender” in the context menu.

Scan with Microsoft Defender in Context menu
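Copying a DLL from another host into C:\Program Files\Windows Defender\ deserves a check before it lands, because that directory is loaded by the antivirus itself. The following added example (not part of the post) verifies that the donor file carries a valid Microsoft Authenticode signature, copies it, and confirms the copy matches the source by SHA-256. The UNC path to the donor server is an assumption; adjust it to your environment.

```powershell
# Added example: vet a shellext.dll copied from another server before installing
# it into the Defender program folder. Paths are assumptions for illustration.

$sourceCopy = '\\WORKING-SERVER\C$\Program Files\Windows Defender\shellext.dll'  # assumed donor host
$target     = 'C:\Program Files\Windows Defender\shellext.dll'

function Install-VerifiedShellExt {
    param([string]$Source, [string]$Destination)

    $sig = Get-AuthenticodeSignature -FilePath $Source
    # 'Valid' means the signature chains to a trusted root and the file is unmodified.
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install: signature status is '$($sig.Status)'"
    }
    $signer = $sig.SignerCertificate.Subject
    if ($signer -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to install: signed by '$signer', not Microsoft"
    }

    Copy-Item -LiteralPath $Source -Destination $Destination

    # Independent hash comparison catches a truncated or altered copy.
    $srcHash = (Get-FileHash -LiteralPath $Source      -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Remove-Item -LiteralPath $Destination
        throw 'Hash mismatch after copy; destination removed'
    }

    [pscustomobject]@{
        Path        = $Destination
        Signer      = $signer
        FileVersion = (Get-Item -LiteralPath $Destination).VersionInfo.FileVersion
        SHA256      = $dstHash
    }
}

Install-VerifiedShellExt -Source $sourceCopy -Destination $target
```

Take the donor file from a server on the same OS build and Defender platform version, and keep the recorded hash and signer with your change notes so the file can be re-verified later.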

Microsoft Windows Defender and System Center Endpoint Protection (SCEP)

From the Endpoint Protection Overview: “Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For these operating systems, a management client for Windows Defender is installed when the Configuration Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the Configuration Manager client.”

In short, you do not have to install the SCEP client if Windows Defender is enabled, and if you have already installed the System Center Endpoint Protection client, you do not have to uninstall Windows Defender.

See this interesting thread on Reddit.

Here is an example of Windows Server 2019 where both SCEP and Windows Defender are functional:

Microsoft Defender and Endpoint Protection

With both the SCEP client and Windows Defender installed, a new folder named Managed Defender is created in C:\Program Files alongside the Windows Defender folder. Source of information: Kevin Proctor.

Managed Defender and Windows Defender folders
Managed Defender Folder
