Microsoft Configuration Manager
An integrated solution for for managing large groups of personal computers and servers.
4,086 questions
@Amandayou-MSFT any news?
SCCM - Managing Defender questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 92%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Saxe
326
Reputation points
Hi,
we are migrating from Symantec to Defender and i have some test computers to try migration and configure settings. SCCM/MECM 2010.
I created a new Antimalware Policy and deployed it to my test collection and deployment works. Configured this:
Enable real-time protection == yesAllow users on client computers to configure real-time protection settings == no
but if i check the security center in Windows 10 i can still switch off "real time protection" with admin rights. Only if i create a gpo with defender and combine it no one is able to disable real time protection (its greyed out "managed by your organization").
Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it but on some devices we have users who have admin rights and really need them but i want to prevent them to be able to lower security.
Other point, may some problem, i also configured this:
Cloud protection service membership type == Do not join CPSallow users to modify cloud protection service settings == noEnable auto file submission to help Microsoft determinewhether certain detected items are Malicious == noAllow users to modify auto sample file submission settings == no
but i still see it as activated:
I read that a combination managing Defender with SCCM and GPO is not recommended. Anyone with some experience may can shed some light on it.
10 answers
Sort by: Most helpful
-
Saxe 326 Reputation points
2021-09-29T08:42:08.357+00:00 -
Amandayou-MSFT 11,046 Reputation points2021-09-30T09:36:03.923+00:00 Hi,
Thanks for your reply and patience. As we mentioned, endpoint protection agent writes the settings in this xml file to registry.pol, the xml file is correct, but whole reg key "Microsoft Antimalware" seems to be missing. Please navigate to the tab of C:\Windows\System32\GroupPolicy\User\Registry.pol, and check if the file exists and the modification date is correct.
Best regards,
Amanda
Sign in to comment -
-
Saxe 326 Reputation points
2021-10-05T14:49:02.953+00:00 may you mean C:\Windows\System32\GroupPolicy\Machine\Registry.pol ? Yes its uptodate. As i said there is no GPO problem (in my eyes :)
-
Saxe 326 Reputation points
2021-11-02T21:29:23.927+00:00 added a compliance item and baseline to detect which clients received the registry settings under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Quarantine and which not
all servers got it but only ~3% of the clients
-
Rahul Jindal [MVP] 9,151 Reputation points MVP2021-11-02T22:41:09.707+00:00 What you need to do is enable Tamper protection. If you have the option to tenant attach then you can enable this through Intune. prevent-changes-to-security-settings-with-tamper-protection
-
Saxe 326 Reputation points
2021-11-02T23:59:03.493+00:00 no Intune just on-prem SCCM
tamper protection is enabled in the settings for endpoint protection
Sign in to comment -
-
Saxe 326 Reputation points
2021-11-24T15:37:57.79+00:00 Problem is now known but solving is stupid
We disable local GPO processing via domain GPO. Enabled it, gupdate done, "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml" done, Registry entries are there.
So what next? I cant enable local GPO processing, this is an absolute NO GO.
Any ideas?