
Malware Detection Breaks Citrix

Jeff Silverman


We are encountering issues at multiple clients where Microsoft Defender is detecting the Citrix Broker and Citrix High Availability services as malware and quarantining them, which takes down brokering on the affected Delivery Controllers and thus breaks Citrix. We believe these are false positives. As a best practice, those processes should be excluded from malware scanning, together with the many other Citrix components listed in the Citrix exclusion article referenced here.

Our recommendation at this time is to ensure that the recommended exclusions are in place, in particular those applicable to Delivery Controllers. Once the exclusions are in place, affected clients should release the Citrix Broker and High Availability services from quarantine, confirm that the restored binaries still carry a valid Citrix Authenticode signature before trusting them, update the service configuration to log on as NETWORK SERVICE, and reboot the Delivery Controllers.

Defender exclusions can be applied centrally via SCCM or Group Policy, manually on each server, or via PowerShell. Whichever route you use, verify the result on the server with Get-MpPreference rather than assuming the policy applied. We're working on a PowerShell script for this purpose. If you are interested in assistance, please reach out to our team.
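The following is an added example of the remediation steps above as a PowerShell script run on a Delivery Controller; it is not the script the post refers to and not code from Citrix. The Citrix service names (CitrixBrokerService, CitrixHighAvailabilityService) and the install paths under Program Files\Citrix\Broker\Service are assumptions that should be checked against Get-Service and the Citrix exclusion article before use, and the exclusion list should be extended with the other entries that article gives for Delivery Controllers.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's script or Citrix code.
# Applies Defender process exclusions, restores the quarantined Citrix
# services, checks their signatures, resets the service logon account,
# and reboots. Run on each Delivery Controller as an administrator.

$citrixRoot = Join-Path $env:ProgramFiles 'Citrix'

# ASSUMED paths of the two quarantined binaries; verify on your controllers
# and add the remaining Delivery Controller entries from Citrix's article.
$processExclusions = @(
    (Join-Path $citrixRoot 'Broker\Service\BrokerService.exe'),
    (Join-Path $citrixRoot 'Broker\Service\HighAvailabilityService.exe')
)

# ASSUMED Windows service names for the Broker and High Availability services.
$services = @('CitrixBrokerService', 'CitrixHighAvailabilityService')

# 1. Exclusions first, so Defender does not re-quarantine the restored files.
#    Add-MpPreference appends to the existing exclusion list.
Add-MpPreference -ExclusionProcess $processExclusions

# Verify what is actually excluded now (policy and local settings merge here).
$pref = Get-MpPreference
Write-Host 'Excluded processes:'
$pref.ExclusionProcess | ForEach-Object { Write-Host "  $_" }

# 2. Release the services from quarantine. Defender has no cmdlet for this;
#    MpCmdRun.exe -Restore lists and restores quarantined items by original path.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Restore -ListAll
foreach ($exe in $processExclusions) {
    & $mpCmdRun -Restore -FilePath $exe
}

# 3. Check the false-positive assumption: each restored binary must carry a
#    valid Authenticode signature with Citrix as the signer. Stop otherwise.
foreach ($exe in $processExclusions) {
    if (-not (Test-Path $exe)) {
        throw "$exe is still missing after restore; check the quarantine listing above."
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Citrix') {
        throw "Unexpected signature on $exe (status $($sig.Status)); do not re-enable the service."
    }
}

# 4. Set each service to log on as NETWORK SERVICE and to start automatically.
#    sc.exe requires the space after 'obj='; PowerShell passes it through as-is.
foreach ($svc in $services) {
    sc.exe config $svc obj= 'NT AUTHORITY\NetworkService'
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $svc" }
    Set-Service -Name $svc -StartupType Automatic
}

# 5. Reboot so the services come back up under the new configuration.
Restart-Computer -Force
```

If exclusions are pushed by Group Policy or SCCM, the local Add-MpPreference call can be dropped, but the Get-MpPreference check should stay: it shows the merged result of policy and local settings, which is what Defender actually enforces on that server.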

Updated to include workarounds from Citrix.

Security Operations Center