SCCM – Managing Defender – settings do not get applied
Question
Hi,
I asked this question already on Microsoft Q&A and Reddit but did not succeed, so I try it here…
We are migrating from Symantec to Defender and I have some test computers to try the migration and configure settings. SCCM/MECM 2010 and Win10 1809 LTSC & 20H2.
I created a new Antimalware Policy and deployed it to my test collection, and the deployment works. Configured this:
Enable real-time protection == yes
Allow users on client computers to configure real-time protection settings == no
but if I check the Security Center in Windows 10 I can still switch off “real time protection” with admin rights. Only if I create a GPO with Defender and combine it with SCCM is no one able to disable real-time protection (it’s greyed out, “managed by your organization”).
Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it, but on some devices we have users who have admin rights and really need them, and I want to prevent them from being able to lower security.
Other point, maybe the same problem: I also configured this:
Cloud protection service membership type == Do not join CPS
allow users to modify cloud protection service settings == no
Enable auto file submission to help Microsoft determine whether certain detected items are malicious == no
Allow users to modify auto sample file submission settings == no
but I still see it as activated.
What we have done and checked so far:
EPAMPolicy.xml is in the CCM folder, so the policy was downloaded, but it’s not getting into the registry; if I check HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware… there is nothing.
https://docs.microsoft.com/answers/storage/attachments/125554-image.png
so I took the SCCM lab package from MS with SCCM 2103 and Win10 21H1, but with the same results…
https://docs.microsoft.com/answers/storage/attachments/126781-sccm-test-defender.png
Any ideas how to troubleshoot? I don’t know how to dig further…
Answers (2)
Hi,
I have the same type of issue as well. In my case I can see the policy in the SCCM EndpointProtection logs being applied to the server, but the real-time protection setting never becomes available to be switched. It remains on and cannot be switched off.
Could you please share how you have resolved the issue from SCCM server.
Thanks
Hemachandra
I don’t know, I have never tried this, but there are some other registry keys I normally check for Intune types of deployment:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
It’s worth going through those registry entries? https://www.anoopcnair.com/intune-security-microsoft-defender-policy-issue/
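To see which policy source (SCCM Endpoint Protection agent, Group Policy, or MDM) has actually written Defender settings on a client, and what the Defender engine currently enforces, the following PowerShell script walks the registry paths named in the question and in the answer above. It is an added example, not part of the original thread; the CCM folder and log locations under %SystemRoot% are assumed defaults, and the script needs to run elevated on the affected client.

```powershell
# Added example (not from the thread): inventory Defender policy sources on a client.
# Policy registry paths: the one inspected in the question, the Group Policy ADMX path,
# and the MDM/Intune "Policy Manager" path mentioned in the answer.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware',
    'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
)

foreach ($path in $policyPaths) {
    if (Test-Path -Path $path) {
        Write-Host "== $path"
        # Drop the PS* provider properties so only the policy values remain.
        Get-ItemProperty -Path $path |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Host "== $path  (absent: no policy values written here)"
    }
}

# Did the ConfigMgr client download the antimalware policy? (Assumed default path.)
$epamPolicy = Join-Path -Path $env:SystemRoot -ChildPath 'CCM\EPAMPolicy.xml'
if (Test-Path -Path $epamPolicy) {
    Get-Item -Path $epamPolicy | Select-Object -Property FullName, LastWriteTime
} else {
    Write-Host "EPAMPolicy.xml not found at $epamPolicy"
}

# Last lines of the Endpoint Protection agent log, where policy application is recorded.
$epLog = Join-Path -Path $env:SystemRoot -ChildPath 'CCM\Logs\EndpointProtectionAgent.log'
if (Test-Path -Path $epLog) {
    Get-Content -Path $epLog -Tail 20
}

# What the Defender engine enforces right now, independent of where the policy came from.
Get-MpComputerStatus |
    Select-Object -Property AMRunningMode, AMServiceEnabled,
                            RealTimeProtectionEnabled, IsTamperProtected
Get-MpPreference |
    Select-Object -Property DisableRealtimeMonitoring, MAPSReporting, SubmitSamplesConsent
```

Comparing the populated registry paths against Get-MpPreference shows whether the SCCM policy reached the engine at all or whether only the Group Policy path is driving the "managed by your organization" lock.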