cPanel's auto-ssl feature places a random file name with a .txt extension in the webroot of the domains it is validating. The prevent information disclosure tweak in Defender stops txt files from being viewed in the webroot.
The auto-ssl log entry looks like this:
WARN The domain “redacted” failed domain control validation: The system queried for a temporary file at “<a href="http://redacted/2ECBADE46934FE927D361915199E5FDC.txt">http://redacted/2ECBADE46934FE927D361915199E5FDC.txt</a>”, but the web server responded with the following error: 404 (Not Found). A <abbr title="Domain Name System">DNS</abbr> or web server misconfiguration may exist.
Removing this tweak allows the verification to complete.