Microsoft has confirmed in an email response that the fix is included in the 2010 HFRU. However, please note that this is not listed in the "Issues that are Fixed". I suggest that you independently confirm this with Microsoft.
Defender not Accepting AntiMalware Policy settings without access to AD
We are busy migrating from a third party antimalware product to using Defender. Our plan is to use System Center Endpoint Configuration Manager (or as I still like to refer to it, SCCM) to manage the application of policies as well as reporting on malware detections.
So far, in the labs, everything has been working perfectly, and we successfully followed Microsoft Learn on enabling SCCM infrastructure to deploy AntiMalware policies and monitor clients. Everything was working in the lab, and policies were correctly applied and testing with safe virus samples resulted in detection and reporting as desired. We then proceeded to test this in live environment, and it worked just as well.
When we started rollout, we experienced an issue where Defender would not 'activate' the AntiMalware policy that was deployed to the machines, unless the machines were on the office network or connected via VPN. As most of our machines are currently working remotely, and only come on VPN rarely, this is a big problem. We are using SCCM 2010, with a properly functioning Cloud Management Gateway to manage all of our machines. We confirmed that the machines all have the latest SCCM client.
The way I understand Defender to work is that when applying the policy, the policy is added to the registry, and then Defender will notice a change to the registry and activate the changes it detects in the registry. It is the part of Defender activating the policy changes that is not working.
Troubleshooting showed that the SCCM client HAS applied the AntiMalware policy to the machine. This is shown by entries in the log file C:\Windows\CCM\Logs\EndpointProtectionAgent.log, as well as entries in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent, as well as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware.
Defender behaves the same way, no matter whether we deploy the AntiMalware policy to the machine before switching off the third party Antimalware (which auto enables Defender) or after. As long as the machine remains off the office network or VPN, Defender does not activate the policy settings at all.
If we apply the policy to the machine before removing third party antimalware, when it is on office network or on VPN, then as soon as Defender is enabled (even if this happens when the computer is not in the office or on VPN), Defender activates the custom settings from the AntiMalware Policy.
I also found that the issue is not to do with SCCM deploying the policy, because Defender behaves in the same way if I export the AntiMalware Policy from SCCM to an XML file, and then manually import it using the command line "C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". Plus, as mentioned before, the policy itself IS getting applied, but Defender seems to ignore this until it has access to the office network / VPN.
I started looking at the Event Viewer and in the Windows Defender log, I tracked down the entries for Event Id 5007 (Windows Defender Antivirus Configuration has changed), and checked when it showed that it was activating the custom settings from the AntiMalware Policy. I then checked other logs in Event Viewer and noticed that when this happened, the machine was doing a Group Policy update. I repeated tests and found that Defender would only activate the AntiMalware policy settings if I was on office network / VPN and a group policy update happened.
This now makes sense as to why Defender will only activate the policy settings when it is on the office network or VPN.
I checked my GPOs in AD as well as GPResult on the machines, and there is nothing that indicates blocking of Defender policies, or blocking of local computer policies.
Please can someone assist me in getting this resolved, as our license for the third party antimalware is due to expire soon and this issue is the only thing holding us back from switching everyone to Defender. We cannot use Defender with its default settings due to a lot of custom exclusions we need to implement, and also wanting to lock down the settings in Windows and also stop users from being prompted what to do in the event of detection.
I did post a similar question (stupidly under another account) on this, but this was when I thought that the issue was the Cloud Management Gateway. I think my troubleshooting described above shows that it's something to do with Defender itself not activating the settings in the policy and not the application of the policy itself.
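The troubleshooting steps in the question (check the EPAgent and Microsoft Antimalware policy keys, check what Defender is actually running with, look for Event ID 5007) can be collected in one place. The following script is an added example and not code from the thread or from Microsoft. It assumes the exclusion entries under the policy key live in Exclusions\Paths, Exclusions\Extensions and Exclusions\Processes subkeys with one value name per entry (the usual Defender policy layout), and it assumes the Group Policy operational log name shown below; run it in an elevated PowerShell on a client where the "applied but not activated" symptom is suspected.

```powershell
# Added diagnostic example (not part of the original thread).
# Compares the antimalware policy the ConfigMgr client wrote to the registry
# against Defender's effective preferences, then lists recent Defender
# configuration-change events (Event ID 5007) and Group Policy processing
# events so the two can be correlated in time.
param(
    [int]$HoursBack = 24
)

# Registry locations named in the question.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$epAgentKey = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent'

function Get-PolicyExclusions {
    # Assumed layout: each value name under Exclusions\<Type> is one exclusion.
    param([string]$Type)
    $key = Join-Path $policyRoot "Exclusions\$Type"
    if (-not (Test-Path $key)) { return @() }
    @((Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' })
}

# 1. Did the ConfigMgr client apply a policy at all?
Write-Host "== Policy state recorded by the ConfigMgr EP agent =="
if (Test-Path $epAgentKey) {
    Get-ItemProperty $epAgentKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "EPAgent key missing: the ConfigMgr client has not applied an antimalware policy."
}

$policyPaths = Get-PolicyExclusions -Type 'Paths'
$policyExts  = Get-PolicyExclusions -Type 'Extensions'
$policyProcs = Get-PolicyExclusions -Type 'Processes'
Write-Host ("Policy registry: {0} path, {1} extension, {2} process exclusions" -f
    $policyPaths.Count, $policyExts.Count, $policyProcs.Count)

# 2. What is Defender actually running with?
Write-Host "`n== Effective Defender preferences =="
$pref = Get-MpPreference
$effectivePaths = @($pref.ExclusionPath)
$effectiveExts  = @($pref.ExclusionExtension)
$effectiveProcs = @($pref.ExclusionProcess)
Write-Host ("Defender reports: {0} path, {1} extension, {2} process exclusions" -f
    $effectivePaths.Count, $effectiveExts.Count, $effectiveProcs.Count)

# 3. Anything in the policy but not in the effective set is "applied, not activated".
function Compare-Exclusions {
    param([string]$Label, [string[]]$Policy, [string[]]$Effective)
    $missing = @($Policy | Where-Object { $Effective -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$Label exclusions present in policy registry but NOT active in Defender:"
        $missing | ForEach-Object { Write-Warning "  $_" }
    } else {
        Write-Host "$Label exclusions: policy and effective settings agree."
    }
}
Compare-Exclusions -Label 'Path'      -Policy $policyPaths -Effective $effectivePaths
Compare-Exclusions -Label 'Extension' -Policy $policyExts  -Effective $effectiveExts
Compare-Exclusions -Label 'Process'   -Policy $policyProcs -Effective $effectiveProcs

# 4. When did Defender last acknowledge a configuration change (Event ID 5007)?
$since = (Get-Date).AddHours(-$HoursBack)
Write-Host "`n== Defender configuration-change events (last $HoursBack h) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Change'; e = { (($_.Message -split "`r?`n") | Where-Object { $_ -match 'value' }) -join ' | ' } } |
    Format-Table -AutoSize -Wrap

# 5. Group Policy processing in the same window, to test the observation that
#    activation only happens when a GP refresh runs while on the corporate network.
Write-Host "`n== Group Policy processing events (last $HoursBack h) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the exclusion comparison shows entries in the policy key that Defender does not report, while the 5007 timestamps line up with Group Policy events rather than with the EndpointProtectionAgent.log timestamps, the script reproduces the pattern the question describes: the ConfigMgr side has done its work and the gap is on the Defender activation side.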
Reza-Ameri 17,341 Reputation points Volunteer Moderator
2021-02-09T16:55:57.127+00:00 In case of Configuration Manage devices need to be within the company network, they have to be inside the network or connect through VPN.
In case you want to manage them over the internet, it would be best to consider using Intune.
You may consider deploying BranchCache too:
https://learn.microsoft.com/en-us/windows-server/networking/branchcache/branchcache
So when they connect to the internet, they would authenticate with the company's network and it is like they are inside the company. However, deploying BranchCache is complex.
Teemo Tang 11,471 Reputation points
2021-02-10T06:29:51.3+00:00 “Defender would not 'activate' the AntiMalware policy that was deployed to the machines, unless the machines was on the office network”
Yes, it is a basic requirement. If we want to use Microsoft Endpoint Configuration Manager, most of the managed computers and servers are physically on the same internal network as the site system servers that perform management functions.
But, Configuration Manager provides two ways to manage internet-connected clients:
Cloud management gateway
Internet-based client management
Source:
https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/manage-clients-internet