Try checking the EndpointProtectionAgent.log.
SCCM Client installed, Microsoft Defender showing as at risk

We have recently installed and configured SCCM and Microsoft Defender on our servers. 16 of them have installed the SCCM client, applied the Microsoft Defender policies and are reporting back to the SCCM console. One of our servers has installed the client, applied the Microsoft Defender policies but has not reported back to SCCM and is showing at risk.
I have uninstalled the client, restarted the server, deleted the leftover SCCM folder in C:\Windows and reinstalled the client. This has reinstalled but I am still seeing the same issue where the server shows as at risk.
The Endpoint Protection Remediation Information for this server in SCCM all shows as blank, which I suspect is why it shows as at risk. Any tips or suggestions as to where I should start looking here? Many thanks in advance.
-
James Dixon 26 Reputation points
2022-11-11T15:57:07.023+00:00
Hi @CherryZhang-MSFT - thanks for your reply.
Looking at the ExternalEventAgent.log I see the following error:
Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage\SyncStatus with error 0x80070002
I then found this article about this error:
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/endpoint-protection/configmgr-console-shows-out-of-date-values
Completed the steps as suggested:
Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\ProtectionManagement.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
Am now waiting to see if this helps - will update the post when it's had a chance to update (or not)
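A read-only pre-check for the step described in the post above, as an added example that is not part of the original thread or the linked article: it looks for the quoted error in ExternalEventAgent.log, tests whether the namespace from the command exposes any classes, and finds the newest Platform folder containing ProtectionManagement.dll instead of hard-coding the version. The log folder C:\Windows\CCM\Logs, the function names and the sample log line are assumptions.

```powershell
# Added example: read-only checks, nothing is registered or changed.
# Assumptions (not from the thread): CCM log folder, function names, sample line.
$LogPath      = 'C:\Windows\CCM\Logs\ExternalEventAgent.log'
$PlatformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$Namespace    = 'root\Microsoft\protectionmanagement'

# Constructed sample, used only when the log file is not present.
$SampleLog = @(
    'Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage\SyncStatus with error 0x80070002'
)

function Find-SyncStatusError {
    param([string[]]$Lines)
    # 0x80070002 is ERROR_FILE_NOT_FOUND: the SyncStatus key does not exist.
    @($Lines | Where-Object { $_ -match 'Could not open the registry key .*SyncStatus with error 0x80070002' })
}

function Get-LatestPlatformDll {
    param([string]$Root)
    # Platform folders are named like 4.18.2209.7-0; sort on the version part.
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.\d+){2,3}(-\d+)?$' } |
        Sort-Object { [version]($_.Name -replace '-\d+$', '') } -Descending |
        ForEach-Object { Join-Path $_.FullName 'ProtectionManagement.dll' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
}

function Test-NamespaceHasClasses {
    param([string]$Ns)
    # False when the namespace is missing or cannot be queried.
    try   { [bool](Get-CimClass -Namespace $Ns -ErrorAction Stop | Select-Object -First 1) }
    catch { $false }
}

$lines = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $SampleLog }

[pscustomobject]@{
    SyncStatusErrors    = (Find-SyncStatusError -Lines $lines).Count
    NamespaceHasClasses = Test-NamespaceHasClasses -Ns $Namespace
    LatestProviderDll   = Get-LatestPlatformDll -Root $PlatformRoot
}
```

If LatestProviderDll differs from the path in the command above, the Defender platform has been updated since that path was written and the -Path argument needs the newer folder.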
-
CherryZhang-MSFT 6,291 Reputation points Microsoft Vendor
2022-11-08T03:17:40.457+00:00
Hi @James Dixon,
1. What OS version are you using? Have you checked System Center Endpoint Protection or Windows Defender (this depends on your OS version) on the client? Does it tell you why it is at risk? Typically, this message may indicate the program has not been updated. The screenshots for your reference:
2. Does your client have any other security programs installed? Or there may be remnants of such a program you previously used that are still on the computer and are interfering with Windows Defender.
Looking forward to your feedback.
Best regards,
Cherry
-
James Dixon 26 Reputation points
2022-11-08T14:08:54.91+00:00
I've checked the EndpointProtectionAgent.log and a quick read through would suggest this is ok.
The server operating system is Server 2019. Looking at Windows Security > Virus & threat protection would suggest all is ok.
It is up to date and has run its scheduled scan:
The settings configured in the client setting are showing as managed by your administrator:
-
CherryZhang-MSFT 6,291 Reputation points Microsoft Vendor
2022-11-10T08:28:23.17+00:00
Hi @James Dixon,
To narrow down the problem, please try checking the event log for any useful information.
1) Open Event Viewer.
2) In the console tree, expand Applications and Services Logs, then Microsoft, then Windows, then Windows Defender.
3) Double-click on Operational.
4) In the details pane, view the list of individual events to find your event.
The screenshot for your reference:
The article for your reference:
Microsoft Defender Antivirus event IDs and error codes | Microsoft Learn
Looking forward to your feedback.
Best regards,
Cherry