SCCM – Managing Defender – settings do not get applied

Hi,

i asked this question already on Microsoft Q&A and Reddit but did not succeed so i try it here…

We are migrating from Symantec to Defender and i have some test computers to try migration and configure settings. SCCM/MECM 2010 and Win10 1809 LTSC & 20H2.

I created a new Antimalware Policy and deployed it to my test collection and deployment works. Configured this:

Enable real-time protection == yesAllow users on client computers to configure real-time protection settings == no

but if i check the security center in Windows 10 i can still switch off “real time protection” with admin rights. Only if i create a gpo with defender and combine it with SCCM, no one is able to disable real time protection (its greyed out “managed by your organization”).

Is there any possibility to achieve the same only with SCCM? Most users have no admin rights and are not able to do it but on some devices we have users who have admin rights and really need them but i want to prevent them to be able to lower security.

Other point, may some problem, i also configured this:

Cloud protection service membership type == Do not join CPS

allow users to modify cloud protection service settings == no

Enable auto file submission to help Microsoft determinewhether certain detected items are Malicious == no

Allow users to modify auto sample file submission settings == no

but i still see it as activated

What we have done and checked so far:

EPAMPolicy.xml is in the CCM folder so policy was downloaded but its not getting into registry, if i check HKLMSOFTWAREPoliciesMicrosoftMicrosoft Antimalware… there is nothing

https://docs.microsoft.com/answers/storage/attachments/125554-image.png

so i took the SCCM lab package from MS with SCCM 2103 and Win10 21H1 but with same results…

https://docs.microsoft.com/answers/storage/attachments/126781-sccm-test-defender.png

Any ideas how to troubleshoot? I dont know how to dig further…