@Amandayou-MSFT any news?
SCCM - Managing Defender questions
Hi,
we are migrating from Symantec to Defender and i have some test computers to try migration and configure settings. SCCM/MECM 2010.
I created a new Antimalware Policy and deployed it to my test collection and deployment works. Configured this:
Enable real-time protection == yesAllow users on client computers to configure real-time protection settings == no
but if i check the security center in Windows 10 i can still switch off "real time protection" with admin rights. Only if i create a gpo with defender and combine it no one is able to disable real time protection (its greyed out "managed by your organization").
Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it but on some devices we have users who have admin rights and really need them but i want to prevent them to be able to lower security.
Other point, may some problem, i also configured this:
Cloud protection service membership type == Do not join CPSallow users to modify cloud protection service settings == noEnable auto file submission to help Microsoft determinewhether certain detected items are Malicious == noAllow users to modify auto sample file submission settings == no
but i still see it as activated:
I read that a combination managing Defender with SCCM and GPO is not recommended. Anyone with some experience may can shed some light on it.
10 answers
Sort by: Most helpful
-
-
Saxe 326 Reputation points
2021-10-05T14:49:02.953+00:00 may you mean C:\Windows\System32\GroupPolicy\Machine\Registry.pol ? Yes its uptodate. As i said there is no GPO problem (in my eyes :)
-
Saxe 326 Reputation points
2021-11-02T21:29:23.927+00:00 added a compliance item and baseline to detect which clients received the registry settings under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Quarantine and which not
all servers got it but only ~3% of the clients
-
Rahul Jindal [MVP] 9,151 Reputation points MVP
2021-11-02T22:41:09.707+00:00 What you need to do is enable Tamper protection. If you have the option to tenant attach then you can enable this through Intune. prevent-changes-to-security-settings-with-tamper-protection
-
Saxe 326 Reputation points
2021-11-24T15:37:57.79+00:00 Problem is now known but solving is stupid
We disable local GPO processing via domain GPO. Enabled it, gupdate done, "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml" done, Registry entries are there.
So what next? I cant enable local GPO processing, this is an absolute NO GO.
Any ideas?