SCCM Client installed, Microsoft Defender showing as at risk

James Dixon 26 Reputation points
2022-11-07T16:57:31.577+00:00

We have recently installed and configured SCCM and Microsoft Defender on our servers. 16 of them have installed the SCCM client, applied the Microsoft Defender policies and are reporting back to the SCCM console. One of our servers has installed the client, applied the Microsoft Defender policies but has not reported back to SCCM and is showing at risk.

I have uninstalled the client, restarted the server, deleted the leftover SCCM folder in C:\Windows and reinstalled the client. This has reinstalled but I am still seeing the same issue where the server shows as at risk.

The Endpoint Protection Remediation Information for this server in SCCM all shows as blank, which I suspect is why it shows as at risk. Any tips or suggestions as to where I should start looking here? Many thanks in advance.


5 additional answers

  1. James Dixon 26 Reputation points
    2022-11-11T15:57:07.023+00:00

    Hi @CherryZhang-MSFT - thanks for your reply.

    Looking at the ExternalEventAgent.log I see the following error:
    Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage\SyncStatus with error 0x80070002

    I then found this article about this error:
    https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/endpoint-protection/configmgr-console-shows-out-of-date-values

    Completed the steps as suggested:
    Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\ProtectionManagement.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate

    Am now waiting to see if this helps - will update the post when it's had a chance to update (or not)

    1 person found this answer helpful.
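
A read-only check of the three things this answer touches, added here as an example and not part of the original thread or of Microsoft's article: whether the registry key from the log line exists (0x80070002 is ERROR_FILE_NOT_FOUND), whether the `root\Microsoft\protectionmanagement` namespace answers, and where `ProtectionManagement.dll` sits in the newest Platform folder, since the path in the command above is tied to one platform version. It assumes the key in the log line is under HKLM and that an elevated PowerShell session is used on the affected server.

```powershell
# Added diagnostic example (read-only); nothing here registers or changes anything.
# Assumption: the key named in ExternalEventAgent.log is relative to HKLM.
$key = 'HKLM:\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage\SyncStatus'
$ns = 'root\Microsoft\protectionmanagement'
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

# 1. Error 0x80070002 means "not found": confirm whether the key is really absent.
$keyPresent = Test-Path -LiteralPath $key

# 2. Ask the CIM namespace for its class list; a failure here points at the provider registration.
try {
    $classes = @(Get-CimClass -Namespace $ns -ErrorAction Stop)
    $nsState = "OK ($($classes.Count) classes)"
} catch {
    $nsState = "FAILED: $($_.Exception.Message)"
}

# 3. Platform folders are named like 4.18.2209.7-0. Sort them as versions, newest first,
#    and take the first one that actually contains ProtectionManagement.dll.
$dll = Get-ChildItem -LiteralPath $platformRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+){1,3}-\d+$' } |
    Sort-Object { [version]($_.Name -replace '-\d+$') } -Descending |
    ForEach-Object { Join-Path $_.FullName 'ProtectionManagement.dll' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1

# 4. Version Defender itself reports, for comparison with the folder found above.
$running = (Get-MpComputerStatus -ErrorAction SilentlyContinue).AMProductVersion

[pscustomobject]@{
    SyncStatusKeyPresent  = $keyPresent
    ProtectionMgmtCim     = $nsState
    NewestProviderDll     = $dll
    RunningProductVersion = $running
}
```

If `NewestProviderDll` points at a different version folder than the one used in the `-Path` argument, the registration was made against a folder that a later platform update can remove.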

  2. CherryZhang-MSFT 6,486 Reputation points
    2022-11-08T03:17:40.457+00:00

    Hi @James Dixon ,

    1. What OS version are you using? Have you checked System Center Endpoint Protection or Windows Defender (this depends on your OS version) on the client? Does it tell you why it is at risk? Typically, this message may indicate the program has not been updated. The screenshots for your reference:
    258039-1.png

    258083-2.png

    2. Does your client have any other security programs installed? Or there may be remnants of such a program you previously used that are still on the computer and are interfering with Windows Defender.

    Looking forward to your feedback.

    Best regards,
    Cherry



  3. James Dixon 26 Reputation points
    2022-11-08T14:08:54.91+00:00

    I've checked the EndpointProtectionAgent.log and a quick read through would suggest this is ok.

    The server operating system is Server 2019. Looking at Windows Security > Virus & threat protection would suggest all is ok

    It is up to date and has run its scheduled scan:
    258260-virusthreatprotection.png

    The settings configured in the client settings are showing as managed by your administrator:
    258278-virusthreatprotectionsettings.png


  4. CherryZhang-MSFT 6,486 Reputation points
    2022-11-10T08:28:23.17+00:00

    Hi @James Dixon ,

    To narrow down the problem, please try checking the event log for any useful information.

    1) Open Event Viewer.
    2) In the console tree, expand Applications and Services Logs, then Microsoft, then Windows, then Windows Defender.
    3) Double-click on Operational.
    4) In the details pane, view the list of individual events to find your event.

    The screenshot for your reference:
    259007-1.png

    The article for your reference:
    Microsoft Defender Antivirus event IDs and error codes | Microsoft Learn

    Looking forward to your feedback.

    Best regards,
    Cherry
