SCCM - Managing Defender questions

Question

Hi,

we are migrating from Symantec to Defender and i have some test computers to try migration and configure settings. SCCM/MECM 2010.

I created a new Antimalware Policy and deployed it to my test collection and deployment works. Configured this:

Enable real-time protection == yesAllow users on client computers to configure real-time protection settings == no

but if i check the security center in Windows 10 i can still switch off "real time protection" with admin rights. Only if i create a gpo with defender and combine it no one is able to disable real time protection (its greyed out "managed by your organization").

Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it but on some devices we have users who have admin rights and really need them but i want to prevent them to be able to lower security.

Other point, may some problem, i also configured this:

Cloud protection service membership type == Do not join CPSallow users to modify cloud protection service settings == noEnable auto file submission to help Microsoft determinewhether certain detected items are Malicious == noAllow users to modify auto sample file submission settings == no

but i still see it as activated:

I read that a combination managing Defender with SCCM and GPO is not recommended. Anyone with some experience may can shed some light on it.

Answer 1

Hi @Saxe ，

I test it in my environment, and deploy this setting to windows 10 with with admin rights:
Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no

It shows this settings is managed by your administrator, which means the policy is deployed to the client, and the aim of no one is able to disable real time protection is achieved.

So according to your description, it seems that the client may not receive the policy from MP.

The process is as follows, Point 1, the client gets the policy from MP, compiles it into this xml file,

0: It means a local user never can modify the settings.

Point 2, Endpoint protection agent writes the settings in this xml file to registry.pol.

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Amanda,

sorry for late reply, spare time was hard to find.

I check it and i can see the epampolicy.xml and inside i see the correct settings but not in registry. The whole reg key "Microsoft Antimalware" seems to be missing:

Answer 3

so we used the SCCM lab package MS is providing for tests and we see the same behaviour as in production environment. I try to give you a complete overview with this screenshot, you see the CM with the antimalware policy and the client settings for endpoint protection. its deployed, i have the epampolicy.xml file but we have registry policies.

MECM 2103 and Clients are Win10 21H1

Would you show me your setup and are you sure that you have no Windows GPO for Defender set?

Answer 4

@Amandayou-MSFT any news?

Answer 5

the only red marked lines with cmtrace in ccmmessaging.log is this:

IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 63.

but i guess its not related

but if i have the same behaviour in our production and in the MS lab environment what are we doing wrong?