Citrix and Microsoft Windows Defender Disconcert

Last Updated on June 8, 2022

We all know that Microsoft Windows Defender virus definition Definition 1.321.1319.0 (KB2267602) detected HighAvailabilityService.exe and BrokerService.exe as Trojan and quarantined both processes. This Citrix and Microsoft Windows Defender amalgamation caused a lot of  trouble. Both Microsoft and Citrix acted swiftly. Citrix came up with workarounds and Microsoft released an updated Antivirus Definition 1.321.1341.0 to address this issue.

Update – Part 2 (Microsoft Defender for Citrix Virtual Apps and Desktops) is available at MyCUGC.

Citrix deployments where antivirus exclusions were added, as described here, had no impact.

Citrix environments that got impacted can be divided into three categories:

1. Where antivirus exclusion for Citrix components were not applied in Microsoft Windows Defender.
2. Where exclusions were applied in a third-party anti-virus solution but windows defender was not disabled.
3. Where exclusions were applied in a third-party anti-virus solution, windows defender was left in Active or Passive mode and exclusions were not applied in windows defender.

Citrix and Microsoft Windows Defender

Chances are that on Citrix Servers (Windows Server 2016 and 2019), you are running Microsoft Windows Defender unknowingly. The best way to find that out is through Server Manager.

Or open Service.msc, scroll down and look for Window Defender services.

Or open powershell and execute Get-MpComputerStatus.

Or Get-Service –Name Windefend.

Go to Settings > Update & Security > Windows Security and click on Virus & threat protection. That’s another proof that Microsoft Windows Defender is in use. Old Windows Defender GUI is gone. In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. See the comparison of the new and old Defender app at Microsoft Doc.

On Windows server 2016 and 2019, functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10.

Microsoft Defender can be managed through PowerShell that’s why Defender GUI (user interface) is not enabled by default on all SKUs of Server 2016 and 2019. According to MVP Prajwal Desai, “If you install the Server 2016 OS from updated ISO copy from MSDN or VLSC, the feature (GUI) is enabled by default”. In the same article, he further explains how to install Defender GUI using Server Manager and PowerShell.

To determine the version of Windows Defender, skip to How to check Windows Defender Antivirus version.

You may end up getting “You’ll need a new app to open this windowdefender” after clicking on Virus & threat protection. Skip to the resolution.

So why Microsoft Windows Defender is enabled?

Either you using Windows Defender Antivirus as a standalone component or as a part of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or you forgot to disable it after installing non-Microsoft antivirus solution.

By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. Even if you have installed a third party antivirus product on windows server 2016 and 2019, Microsoft Defender Antivirus will not be disabled automatically (it remains in Active Mode), which is totally opposite of windows 10.

• Consider disabling it (Automatic Disabled Mode) if your virus, malware and spyware protection needs are fulfilled by third-party antivirus solution. See, how to manually disable Microsoft Defender on Windows server 2016 and 2019.
• If your devices are enrolled in Microsoft Defender ATP then you can choose to keep using Microsoft Defender Antivirus (Active Mode). Alternatively, use it together with your third-party antivirus product (Passive Mode). For a better decision-making, visit Antivirus Compatibility page from Microsoft.

How to disable Microsoft Defender

You can disable Microsoft Windows Defender through either Server Manager or PowerShell.

Open Server Manager and unselect Windows Defender Features, you will be prompted to remove the interface option GUI for Windows Defender.

Alternatively, open PowerShell and execute Uninstall-WindowsFeature -Name Windows-Defender.

Reboot the server and you are done.

This is how Windows Security/Windows Defender Antivirus looks after uninstallation:

You’ll need a new app to open this windowdefender

Courtesy – Microsoft Technet thread.

Open PowerShell and execute below command:

Add-AppxPackage -Register -DisableDevelopmentMode "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppXManifest.xml"

How to check Windows Defender Antivirus version

1. Go to Settings > Update & Security > Windows Security. Click on Settings gear icon in the lower left corner.

2. Click on About.

3. That’s the Defender Antivirus version.

Missing scan with Microsoft Defender option in Context Menu

On my server, I had no option to scan with Windows Defender.. in the context menu. I also did not see any extension for Microsoft Defender in ShellExview, however, Windows Defender Firewall was available.

Then I googled and found the solution by MVP Kapil Arya. Even after doing the registry modifications suggested in that article, scan with windows defender did not show up in Context menu but at least a blank extension with correct icon showed up. That’s because shellext.dll was missing from C:\Program Files\Windows Defender\. Opening the properties of that blank extension in ShellExView confirms this. See Missing File parameter in below image

Then I copied over the Shellext.dll from a working server. Extension name shows up as well as other properties.

And finally, I have “scan with Microsoft Defender” in the context menu.

Microsoft Windows Defender and System Center Endpoint Protection (SCEP)

From Endpoint Protection Overview – Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For these operating systems, a management client for Windows Defender is installed when the Configuration Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the Configuration Manager client.

In short, you don’t have to install SCEP client if Windows Defender is enabled and if you have already installed System Center Endpoint Protection client then you don’t have to uninstall Windows Defender.

See this interesting thread on Reddit.

Here is an example of Windows Server 2019 where both SCEP and Windows Defender are functional:

With both SCEP client and Windows defender installed, a new folder, along with Windows Defender by the name Managed Defender is created at C:\Program Files. Source of information – Kevin Proctor

Recommended Reading

• Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
• Microsoft Defender Antivirus on Windows Server 2016 and 2019
• Windows Defender Automatic Exclusions
• Windows Defender exclusions for scheduled scans, on-demand scans, and real-time scan
• Windows Defender exclusions for on-access scan
• Windows Defender Feature Installation failed
• Citrix Endpoint Security and Antivirus Best Practices