Share via

System Center Endpoint Protection: Real-Time Protection

Duchemin, Dominique 2,006 Reputation points
2023-10-06T01:22:32.6+00:00

Hello,

I have a collection of machines that I need to know if the Real-Time protection is checked or uncheched (Real-Time Protection will be done by Trellix not SCEP):

2023-10-05_18-16-22 Real-Time Protection checked.jpg

2023-10-05_18-16-22 Real-Time Protection Unchecked.jpg 

I tried a CMPivot on the collection:

Registry('HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection') | where Property == 'LocalSettingOverrideDisableRealTimeMonitoring'

But apparently it is not what I am looking for as two machine with Real-Time Protection Set are showing different results 0 & 1.

2023-10-05_18-09-44 RTP 01.jpg

2023-10-05_18-10-26 RTP Client ON 02.jpg

2023-10-05_18-10-26 RTP Client ON 01.jpg

Also CMPivot is showing 208 clients offline, what does it mean as these machines are servers so all of them are on 24/7.

2023-10-05_18-47-39 CMPivot Client offline.jpg

I saw also "Enable real-time Protection":

2023-10-05_18-15-17 RTP Client NO 01.jpg

2023-10-05_18-28-08 RTP Client YES.jpg

What is the difference between the "Unchecked"/Checked" from the top and the "No/Yes" just above?

Any idea?

Thanks,
Dom

Microsoft Security | Intune | Configuration Manager | Other
Microsoft System Center | Other
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2023-10-06T06:22:14.6033333+00:00

    Hi, @Duchemin, Dominique

    Thank you for posting in Microsoft Q&A forum.

    What is the difference between the "Unchecked"/Checked" from the top and the "No/Yes" just above?

    If we "Unchecked" from the top, the users can configure the "Real-time protection" by themselves.

    If we "Checked" from the top and set "No" to "Enable real-time protection" and "No" to "Allow users on client computers to configure real-time protection settings", the real-time protection will be disabled by default and the user cannot modify it.

    If we "Checked" from the top and set "No" to "Enable real-time protection" and "Yes" to "Allow users on client computers to configure real-time protection settings", the real-time protection will be disabled by default and the user can modify it.

    We can use the powershell to get the RealTimeProtection status:

    Get-MpComputerStatus | select RealTimeProtectionEnabled

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

    1 person found this answer helpful.
    0 comments
  2. Duchemin, Dominique 2,006 Reputation points
    2023-10-06T14:32:40.0066667+00:00

    Hi @AllenLiu-MSFT

    Thanks for this answer.

    What about the other questions:

    I have a collection of machines that I need to know if the Real-Time protection is checked or uncheched (Real-Time Protection will be done by Trellix not SCEP):

    2023-10-05_18-16-22 Real-Time Protection checked.jpg

    2023-10-05_18-16-22 Real-Time Protection Unchecked.jpg 

    I tried a CMPivot on the collection:

    Registry('HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection') | where Property == 'LocalSettingOverrideDisableRealTimeMonitoring'

    But apparently it is not what I am looking for as two machine with Real-Time Protection Set are showing different results 0 & 1.

    2023-10-05_18-09-44 RTP 01.jpg

    2023-10-05_18-10-26 RTP Client ON 02.jpg

    2023-10-05_18-10-26 RTP Client ON 01.jpg

    Also CMPivot is showing 208 clients offline, what does it mean as these machines are servers so all of them are on 24/7.

    2023-10-05_18-47-39 CMPivot Client offline.jpg

    Thanks,

    Dom

    0 comments
  3. Duchemin, Dominique 2,006 Reputation points
    2023-10-07T00:45:35.98+00:00

    Hello @AllenLiu-MSFT

    So this means that only the option:

    "If we "Checked" from the top and set "No" to "Enable real-time protection" and "No" to "Allow users on client computers to configure real-time protection settings", the real-time protection will be disabled by default and the user cannot modify it."

    Will allow the Administrators to control and have the Realtime Protection Disabled, isn't it?

    So the Uncheck/Check is just a User access nothing with the RealTimeProtection status.

    What are the associated value for checked or unchecked?

    What are the associated keys and values in the registries of :

    • "No" to "Enable real-time protection"
    • "Yes" to "Enable real-time protection"
    • "No" to "Allow users on client
    • "Yes" to "Allow users on client

    What are the associated tables and values in the SQL Views/tables of

    • "No" to "Enable real-time protection"
    • "Yes" to "Enable real-time protection"
    • "No" to "Allow users on client
    • "Yes" to "Allow users on client
    • Thanks,
      Dom
    0 comments
  4. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2023-10-13T06:32:53.76+00:00
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.