Saxe6769 asked Saxe6769 answered

SCCM - Managing Defender questions

Hi,

We are migrating from Symantec to Defender and I have some test computers to try the migration and configure settings. SCCM/MECM 2010.

I created a new Antimalware Policy and deployed it to my test collection, and the deployment works. I configured this:

Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no

But if I check the Security Center in Windows 10, I can still switch off "real-time protection" with admin rights. Only if I create a GPO for Defender and combine it is no one able to disable real-time protection (it's greyed out, "managed by your organization").

Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it, but on some devices we have users who have admin rights and really need them, and I want to prevent them from being able to lower security.


Another point, maybe a problem: I also configured this:


Cloud protection service membership type == Do not join CPS
Allow users to modify cloud protection service settings == no
Enable auto file submission to help Microsoft determine whether certain detected items are malicious == no
Allow users to modify auto sample file submission settings == no

But I still see it as activated:

[screenshot: f1afcyyg2ig71.png]

I read that managing Defender with a combination of SCCM and GPO is not recommended. Maybe anyone with some experience can shed some light on it.



Amandayou-MSFT answered Amandayou-MSFT commented

Hi @Saxe6769

I tested it in my environment and deployed these settings to Windows 10 with admin rights:
Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no

It shows that these settings are managed by your administrator, which means the policy is deployed to the client and the aim that no one is able to disable real-time protection is achieved.

[screenshot: 813.png]

So according to your description, it seems that the client may not have received the policy from the MP.

The process is as follows. Point 1: the client gets the policy from the MP and compiles it into this XML file,

[screenshot: 8132.png]

0: it means a local user can never modify the settings.

Point 2: the Endpoint Protection agent writes the settings from this XML file to registry.pol.

[screenshot: 8133.png]

[screenshot: 8135.png]





Hi,

May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

Thanks and regards,
Amanda

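The answer above describes a three-stage chain (MP policy, EPAMPolicy.xml, registry policy hive) and the question also asks about the cloud protection (MAPS) and sample submission settings. The following read-only diagnostic, which is an added example and not code from the thread or from Microsoft, walks that chain on a client so you can see at which stage a setting stops propagating. Assumptions are marked in the comments: that EPAMPolicy.xml sits under %windir%\CCM, and that the values to look for are the documented Defender policy value names (DisableRealtimeMonitoring, SpynetReporting, SubmitSamplesConsent) under both the Windows Defender policy hive and the "Microsoft Antimalware" hive mentioned in the thread. Run it in an elevated PowerShell on a test client.

```powershell
# Added diagnostic for the chain MP -> EPAMPolicy.xml -> policy registry hive
# -> effective Defender state. Not from the thread; read-only.
# Assumptions: EPAMPolicy.xml path under %windir%\CCM; value names and the two
# policy hives below are the ones a Defender GPO / the EP agent would populate.

function Test-EPPolicyPropagation {
    [CmdletBinding()]
    param(
        [string]$EpamXml = (Join-Path $env:windir 'CCM\EPAMPolicy.xml')  # assumption
    )

    # Step 1: did the ConfigMgr client compile the antimalware policy at all?
    # The schema is not parsed; we only pull out lines that mention the settings
    # under discussion, so this works regardless of element names.
    if (Test-Path $EpamXml) {
        $hits = Select-String -Path $EpamXml -Pattern 'Realtime|Spynet|SubmitSamples'
        $xmlInfo = [pscustomobject]@{
            Present     = $true
            LastWrite   = (Get-Item $EpamXml).LastWriteTime
            PolicyLines = @($hits | ForEach-Object { $_.Line.Trim() })
        }
    } else {
        $xmlInfo = [pscustomobject]@{ Present = $false; LastWrite = $null; PolicyLines = @() }
    }

    # Step 2: did the Endpoint Protection agent write the values into a policy hive?
    # Data = $null means "not set", which is the symptom Saxe6769 reports.
    $checks = @(
        @{ Sub = 'Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },  # 1 = RTP off
        @{ Sub = 'Spynet';               Name = 'SpynetReporting' },            # 0 = MAPS off
        @{ Sub = 'Spynet';               Name = 'SubmitSamplesConsent' }        # 2 = never send
    )
    $hives = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'   # hive named in the thread
    )
    $registry = foreach ($hive in $hives) {
        foreach ($c in $checks) {
            $key = Join-Path $hive $c.Sub
            $data = $null
            if (Test-Path $key) {
                $data = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            }
            [pscustomobject]@{ Hive = $hive; Key = $c.Sub; Value = $c.Name; Data = $data }
        }
    }

    # Step 3: what the engine is actually enforcing right now. Get-MpPreference
    # shows the effective preference but not whether it is policy-locked; the
    # policy hive above is what makes the UI toggle greyed out.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $effective = [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        MAPSReporting             = $pref.MAPSReporting         # 0 = off (Do not join)
        SubmitSamplesConsent      = $pref.SubmitSamplesConsent  # 2 = never send
    }

    $rtpLocked = @($registry | Where-Object {
        $_.Value -eq 'DisableRealtimeMonitoring' -and $null -ne $_.Data
    }).Count -gt 0

    [pscustomobject]@{
        EpamXml   = $xmlInfo
        Registry  = $registry
        Effective = $effective
        # True only when the policy was compiled AND landed in a policy hive.
        RealTimeProtectionLockedByPolicy = ($xmlInfo.Present -and $rtpLocked)
    }
}

$r = Test-EPPolicyPropagation
$r.EpamXml   | Format-List
$r.Registry  | Format-Table -AutoSize
$r.Effective | Format-List
"Real-time protection locked by policy: $($r.RealTimeProtectionLockedByPolicy)"
```

If EpamXml.Present is true but every Data column is null, the break is between the EP agent and the registry (step 2), which is where the thread ends up. If the Windows Defender hive is populated but the Microsoft Antimalware hive is not, a GPO rather than the EP agent is supplying the lock, which is worth knowing before you conclude that SCCM alone works.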
Saxe6769 answered

Hi Amanda,

sorry for late reply, spare time was hard to find.

I checked it and I can see the epampolicy.xml, and inside I see the correct settings, but not in the registry. The whole reg key "Microsoft Antimalware" seems to be missing:


[screenshot: image.png]



Saxe6769 answered

So we used the SCCM lab package MS is providing for tests, and we see the same behaviour as in the production environment. I'll try to give you a complete overview with this screenshot: you see the CM with the antimalware policy and the client settings for Endpoint Protection. It's deployed, I have the epampolicy.xml file, but we have registry policies.

MECM 2103, and clients are Win10 21H1.

[screenshot: sccm-test-defender.png]




Would you show me your setup, and are you sure that you have no Windows GPO for Defender set?


Saxe6769 answered Amandayou-MSFT commented

@Amandayou-MSFT any news?


Hi,

Thanks for your update. Yes, I re-checked it, and I have no Windows GPO for Defender settings.

I just configured these settings:
Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no

If there is no setting in the registry, there might be something wrong between the registry and the MP. We could check CcmMessaging.log to see if there is any error in it.

Best regards,
Amanda

Saxe6769 answered

The only red-marked line in CcmMessaging.log (viewed with CMTrace) is this:

IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 63.

But I guess it's not related.


But if I have the same behaviour in our production and in the MS lab environment, what are we doing wrong?
