0 Votes
DominiqueDUCHEMIN-4668 asked DucheminDominique-7551 published

Windows Defender Installation with SCCM Environment in SOPHOS

Hello,

I have several groups using the same SCCM environment 2006.
I installed the Endpoint Protection Point role as some groups (Desktops) are moving from SOPHOS AV to Windows Defender AV. The other groups (Servers) are staying with SOPHOS.
I noticed an error on the two servers, Primary Prod & Test, having a link to this new role...
"HRESULT: 0x8004FF73 Description: System Center Endpoint Protection requires Windows Defender to be installed. Your version of Windows requires that Windows Defender is installed in order to be managed by System Center Endpoint Protection. For more information, see online Help. Error code: 0x8004FF73."

  1. Do I need Windows Defender on servers? At least the Primary servers hosting the role "Endpoint Protection Point"?

  2. Is there any impact keeping SOPHOS on the servers and having Windows Defender on the Desktops?

Thanks,
Dom



mem-cm-general

1 Vote
AllenLiu-MSFT answered AllenLiu-MSFT edited

@DominiqueDUCHEMIN-4668
Thank you for posting in Microsoft Q&A forum.
1) When you install the Endpoint Protection manager role on your primary site server, if your server does not have Windows Defender installed, you may meet this error code: 0x8004FF73. The component "Endpoint Protection control manager" is critical, but the server is able to apply the endpoint settings without issues. It's recommended to add the Windows Defender feature and reboot the server, then re-deploy the Endpoint Protection role.

2) About the Microsoft Defender Antivirus compatibility, you may refer to:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility


0 Votes
DominiqueDUCHEMIN-4668 answered

Hello,

From https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility
"On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive or disabled mode automatically when you install non-Microsoft antivirus product. In those cases, disable Microsoft Defender Antivirus, or set it to passive mode to prevent problems caused by having multiple antivirus products installed on a server."

The server environment is protected by Sophos, the Desktop Environment is protected by Windows Defender so with the Endpoint Protection role installed on a server we have a loop...

Any advice? Separate server? Which other role(s) will be necessary?

Thanks,
Dom

0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

How do I detect the installation of "Windows Defender Feature" during this installation?
I have a PowerShell script with these commands but I need a detection rule (Registry, File System, Windows Installer).
I would prefer registry if possible...


Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Where-Object -Property FeatureName -NotLike 'GUI' | Format-Table
Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Where-Object -Property FeatureName -NotLike 'GUI' | Enable-WindowsOptionalFeature -Online
Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Where-Object -Property FeatureName -NotLike 'GUI' | Format-Table



The "Where-Object -Property FeatureName -NotLike 'GUI'" works on the "Get ... Format-Table" but not on the "Enable-WindowsOptionalFeature" as both "Windows Defender" & "GUI for Windows Defender" got installed even with the command and the exclusion above!!!...

Thanks,
Dom

0 Votes
DucheminDominique-7551 answered

Hello,

I tried also:
Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Where-Object -Property FeatureName -NotLike 'GUI' | Format-Table

Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender"

Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Where-Object -Property FeatureName -NotLike 'GUI' | Format-Table

shutdown.exe /r /c "Installing defender - installation Windows Defender"

But there are two stops...
Waiting for reboot on line 2!!!
Then the line 4 reboot but there is a stop at line 2... "Do you want to reboot" ? How to bypass this question not needed during a CM Push!!


and also the two features "Windows-Defender" & "GUI For Windows Defender" got enabled even the GUI!!!

Thanks,
Dom

0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

The issue with the reboot is resolved... thanks to MotoX80


202076-2022-05-15-10-08-02-vipsccmdp01-windows-defender-f.png

Adding the -Norestart fixed the issue...
As it still systematically adds the GUI, I will live with it for now!!

201960-2022-05-15-10-03-55-vipsccmdp01-windows-defender-f.png
202101-2022-05-15-10-06-51-vipsccmdp01-windows-defender-f.png

Trying another push from the Configuration Manager Console...
Where should I add the "Run As Administrator" ? Any specific field in the deployment?

Thanks,
Dom


0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

I am trying to deploy the Script:

Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table
Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart
Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

202554-2022-05-16-19-00-21-microsoft-defender-endpoint-wi.png

Through a Task Sequence:
202454-2022-05-16-19-02-07-microsoft-defender-endpoint-ta.png
But nothing reaches the Client...

PolicyAgent.log

Requesting Machine policy assignments from authority 'SMS:UCP' 5/16/2022 3:52:50 PM 10816 (0x2A40)

AppDiscovery.log

Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda" AND Revision = 7)" 5/16/2022 3:53:04 PM 7784 (0x1E68)
Performing detection of app deployment type ISS - Servers - Deployment Windows Defender Features(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, revision 7) for system. 5/16/2022 3:53:05 PM 7784 (0x1E68)
+++ Application not discovered. [AppDT Id: ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, Revision: 7] 5/16/2022 3:53:05 PM 7784 (0x1E68)
+++ Did not detect app deployment type ISS - Servers - Deployment Windows Defender Features(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, revision 7) for system. 5/16/2022 3:53:05 PM 7784 (0x1E68)

AppIntentEval.log

No dependencies for DeploymentType ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda/7. 5/16/2022 3:53:05 PM 10816 (0x2A40)
* Evaluating Application policies for Machine 5/16/2022 3:53:05 PM 10816 (0x2A40)
DT id = ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/RequiredApplication_3a515382-88c6-4987-b3df-2b5c12241f69/10, technology = Script 5/16/2022 3:53:05 PM 10816 (0x2A40)
ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda/7 :- Current State = NotInstalled, Applicability = Applicable, ResolvedState = Available, ConfigureState = NotNeeded, Title = ISS - Servers - Deployment Windows Defender Features 5/16/2022 3:53:05 PM 10816 (0x2A40)
ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/Application_3a515382-88c6-4987-b3df-2b5c12241f69/10 :- Current State = NotInstalled, Applicability = Applicable, ResolvedState = Available, ConfigureState = NotNeeded, Title = ISS - Servers - Installation Windows features 5/16/2022 3:53:05 PM 10816 (0x2A40)

AppDiscovery.log

Nothing

CAS.log

Nothing

Any idea where to look?
Thanks,
Dom
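For the detection-rule question and the feature scripts in the posts above, one way to handle both the install and the detection with a script detection method instead of a registry rule. This is an added example, not code from the thread; the `-Detect` switch, the function names and the `*Gui*` name pattern are assumptions.

```powershell
# Added example, not the poster's script.
# Assumption: the GUI feature's name contains 'Gui'; confirm with Get-WindowsOptionalFeature.
param([switch]$Detect)   # hypothetical switch: run detection instead of installation

function Get-DefenderCoreFeature {
    # -NotLike 'GUI' has no wildcard, so it only excludes a feature named exactly
    # 'GUI' and lets every Windows-Defender* feature through the pipeline.
    # '*Gui*' is what removes the GUI feature from the pipeline.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'Windows-Defender*' -and
                       $_.FeatureName -notlike '*Gui*' }
}

function Install-DefenderCoreFeature {
    $restart = $false
    $pending = @(Get-DefenderCoreFeature | Where-Object State -ne 'Enabled')
    foreach ($f in $pending) {
        # -NoRestart suppresses the interactive reboot prompt during a push;
        # -All also enables any parent feature the selected one depends on.
        $r = Enable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -All -NoRestart
        if ($r.RestartNeeded) { $restart = $true }
    }
    # 3010 is the conventional "success, reboot required" exit code.
    if ($restart) { return 3010 } else { return 0 }
}

function Test-DefenderCoreFeature {
    $features = @(Get-DefenderCoreFeature)
    # Detected only when at least one core feature exists and all are Enabled;
    # a feature still waiting for a reboot (EnablePending) counts as not installed.
    ($features.Count -gt 0) -and -not ($features | Where-Object State -ne 'Enabled')
}

if ($Detect) {
    # Configuration Manager script detection: any STDOUT text with exit code 0
    # means "installed"; no output with exit code 0 means "not installed".
    if (Test-DefenderCoreFeature) { Write-Output 'Installed' }
    exit 0
}
exit (Install-DefenderCoreFeature)
```

In a Configuration Manager application the install program would call the script without `-Detect`, and the detection method would run the same logic as the `-Detect` branch.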



0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 published

Hello,

After rebooting the server the features were installed successfully.... Now placing them in a Task Sequence to have all steps:
- Uninstall Sophos
- Add "Windows Defender"
- Install Microsoft Defender Endpoint

202862-2022-05-17-7-01-55-vrpsccmrs01-task-sequence.png

The task sequence is set but failed ...
202798-2022-05-17-6-59-43-vrpsccmrs01-smsts-log.png

I found one error:
'\\VRPSCCMPR01\Source\Application\Sophos' 5/17/2022 6:58:50 AM 4156 (0x103C)
CMD.EXE was started with the above path as the current directory. 5/17/2022 6:58:50 AM 4156 (0x103C)
UNC paths are not supported. Defaulting to Windows directory. 5/17/2022 6:58:50 AM 4156 (0x103C)
'"SOPHOS Uninstallation.bat"' is not recognized as an internal or external command, 5/17/2022 6:58:50 AM 4156 (0x103C)
operable program or batch file. 5/17/2022 6:58:50 AM 4156 (0x103C)
Command line is being logged ('OSDDoNotLogCommand' is not set to 'True') 5/17/2022 6:58:50 AM 4156 (0x103C)

Reviewing the location of the command line...
- Should I copy it from F:\Source\Application\Sophos on the Primary Server to a local folder on the client?
- Is it already copied somewhere? ccmcache (like for a regular deployment)?
- What are the next steps to have the .bat file available for this Task Sequence on all clients...?
. Add a package ?
202846-2022-05-17-11-02-04-sophos-deployment-package.png
. Deploy an application?
202916-2022-05-17-10-56-09-sophos-deployment-application.png
. Something else

Which logs will be the ones to review for the progress of the Task Sequence?
on the client: F:\SMS_CCM\Logs\SMSTS.log
on the Site Server???

I see the task sequence in the Monitoring pane but I do not see anything on the client?
202888-2022-05-17-13-16-58-task-sequence-set-but-not-goin.png

On the site server I have...
202839-2022-05-17-13-21-56-site-server-logs.png


Thanks,
Dom



0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

The deployment was not starting because it reached the expiration date/time:



| Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
|---|---|---|---|---|---|---|---|
| Warning | Milestone | UCP | 5/17/2022 1:29:21 PM | VRPSCCMRS01 | Software Distribution | 10019 | Deployment "UCP20828" from site "UCP" was rejected because the deployment has expired. Possible cause: The client received the deployment but rejected it because the deployment expiration date is past. Solution: If the client should accept the deployment, you can extend the life of the deployment by changing the expiration date and time or disabling expiration on the Schedule tab of the deployment's properties. Changes to the Deployment's Properties dialog box will not be detected until the client receives updated policy. |



So now I see it in the software Center on the Client...


| Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
|---|---|---|---|---|---|---|---|
| Information | Milestone | UCP | 5/17/2022 4:09:32 PM | VRPSCCMRS01 | Software Distribution | 10002 | Deployment "UCP20828" was received from site "UCP". The client passes any supported platform requirements and Configuration Manager will add the Deployment's program to the list that will be displayed to users and/or run via assignment. If a deployment is received but not displayed on a client, verify that the current time on the client is between the deployment start and expiration times, and that the program specified in the deployment is enabled. |
| Information | Audit | UCP | 5/17/2022 4:08:36 PM | VRPSCCMPR01.ad | Microsoft.ConfigurationManagement.exe | 30007 | User "" modified the deployment properties of a deployment named "ISS-Servers-DeployMicrosoftDefenderEndpoint_UCP00C89_ISS-Servers-DeploymentMicrosoftDefenderEndpoint-TEST-Limitedto1server" (UCP20828) deploying program "*". |



But still failing.
202859-2022-05-17-17-40-43-microsoft-defender-endpoint-de.png

I do not see any data in the F:\SMS_CCM\Logs\smsts.log for the period of time after 4:08 pm...

The Certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] issued to 'VRPSCCMRS01.ad' doesn't have 'Client Authentication' capability. 5/17/2022 7:07:59 AM 8916 (0x22D4)
Completed validation of Certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] issued to 'VRPSCCMRS01.ad' 5/17/2022 7:07:59 AM 8916 (0x22D4)
The certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] found using 'VRPSCCMRS01.ad' as cert name is not valid for ConfigMgr usage. 5/17/2022 7:07:59 AM 8916 (0x22D4)
Client selected the PKI Certificate [Thumbprint 327D911DDFE65BD7E344E0861B7C3F3CA3334C87] issued to 'VRPSCCMRS01.ad' 5/17/2022 7:07:59 AM 8916 (0x22D4)
SSL, using authenticator in request. 5/17/2022 7:07:59 AM 8916 (0x22D4)
Successfully finalized logs to SMS client log directory from F:\SMS_CCM\Logs 5/17/2022 7:07:59 AM 8916 (0x22D4)



Any other logs to check?

Thanks,
Dom












0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

Uninstallation of SOPHOS:

REM Uninstallation of Sophos

REM Stop the AutoUpdate Service
net stop "Sophos AutoUpdate Service"

REM Sophos Remote Management System
REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FED1005D-CBC8-45D5-A288-FFC7BB304121}
MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn /L*v %windir%\Temp\Uninstall_SRMS_Log.txt

REM Sophos Anti-Virus
REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{723D5504-CE98-4785-AF5F-E91E250086B3}
MsiExec.exe /X{723D5504-CE98-4785-AF5F-E91E250086B3} /qn /L*v %windir%\Temp\Uninstall_SAV_Log.txt

REM Sophos AutoUpdate
REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{644ADF05-0B2E-452C-B720-3CF1580A9368}
MsiExec.exe /X{644ADF05-0B2E-452C-B720-3CF1580A9368} /qn /L*v %windir%\Temp\Uninstall_SAU_Log.txt

REM Sophos Endpoint Defense
REM HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense
"C:\Program Files\Sophos\Endpoint Defense\SEDuninstall.exe" /qn /L*v %windir%\Temp\Uninstall_SDE_Log.txt

RESTART

It never got uninstalled

Then Add Windows Defender Feature

Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart
Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart
Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

When the Task Sequence is seen on the Software Center on the client...
![202988-2022-05-17-20-24-16-microsoft-endpoint-defender-01.png][1]

Then I click install...
![203036-2022-05-17-20-27-13-microsoft-defender-endpoint-02.png][2]


Any logs to check? The smsts.log is empty.
Not sure which step(s) failed!!!???

The F:\_SMSTaskSequence folder is empty.

Thanks,
Dom


[1]: /answers/storage/attachments/202988-2022-05-17-20-24-16-microsoft-endpoint-defender-01.png
[2]: /answers/storage/attachments/203036-2022-05-17-20-27-13-microsoft-defender-endpoint-02.png
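For the uninstall step in the post above, a way to drive the MSI removals from the product codes actually registered on the server and to record each exit code. This is an added example, not the poster's batch file; the `Sophos*` display-name filter, the function names and the log file names are assumptions, and non-MSI components such as Sophos Endpoint Defense are only reported, not removed.

```powershell
# Added example, not the poster's batch file.
# Assumptions: products are found by a DisplayName starting with 'Sophos';
# logs go to %windir%\Temp. Product codes are read from the registry.
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-SophosUninstallEntry {
    Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object DisplayName, PSChildName, UninstallString
}

function Remove-SophosMsiProduct {
    $failed = 0
    foreach ($entry in @(Get-SophosUninstallEntry)) {
        # Only MSI-registered products have a {GUID} key name usable with /X.
        if ($entry.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Host "SKIP (not MSI): $($entry.DisplayName)"
            continue
        }
        $log     = Join-Path $env:windir "Temp\Uninstall_$($entry.PSChildName).log"
        $msiArgs = "/X$($entry.PSChildName) /qn /norestart /L*v `"$log`""
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success, 3010 = success with reboot pending, 1605 = product not installed.
        if ($p.ExitCode -notin 0, 3010, 1605) { $failed++ }
        Write-Host "$($entry.DisplayName): msiexec exit code $($p.ExitCode)"
    }
    return $failed
}

$failures  = Remove-SophosMsiProduct
$remaining = @(Get-SophosUninstallEntry)
$remaining | ForEach-Object { Write-Host "Still registered: $($_.DisplayName)" }
# A non-zero exit makes the task sequence step fail visibly instead of moving on
# to the Windows Defender step while a Sophos component is still registered.
if ($failures -gt 0 -or $remaining.Count -gt 0) { exit 1 } else { exit 0 }
```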

0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello,

Found out that even if the Task Sequence contains the bat file as a Run Command Line, I need to distribute the content of the same file through a package attached to the Task Sequence.
203266-2022-05-18-8-37-05-sophos-uninstallation.png
203304-2022-05-18-8-35-14-sophos-uninstallation.png

Then the "Windows Defender" got added ...
203254-2022-05-18-8-56-25-features-added.png

One more step...
Now failing on another step !!!

SMSTS.log

| Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
|---|---|---|---|---|---|---|---|
| Error | Milestone | UCP | 5/18/2022 7:36:20 AM | VRPSCCMRS01 | Task Sequence Manager | 11170 | The task sequence manager could not successfully complete execution of the task sequence. A failure exit code of 16389 was returned. |
| Error | Milestone | UCP | 5/18/2022 7:35:50 AM | VRPSCCMRS01 | Task Sequence Engine | 11141 | The task sequence execution engine failed execution of a task sequence. The operating system reported error 2147500037: Unspecified error |


Thanks,
Dom


