We are using SCCM version 2010 and are moving to using Defender from another AV vendor. We will be managing Defender using the Endpoint Protection in SCCM. I have followed the Microsoft Learn article on enabling Endpoint Protection, and it is mostly working. However, the AntiMalware Policy we have configured is not getting applied to machines unless they are on the LAN or connected via VPN. SCCM reports that the AntiMalware Policy has been applied to machines, and if I look in the registry on these machines, they also show that they have applied the SCCM-provided policy (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent).
We have a Cloud Management Gateway in place, which is working as expected for everything else. According to Microsoft Learn, version 2006 and later of Configuration Manager allows applying Endpoint Protection policies via the CMG, without access to Active Directory. We are on Config Mgr 2010, so this should be working, however machines that apply the policy via the CMG do not apply our customized endpoint protection settings (scan schedule, exclusions, what to do in response to detections, etc.), even though SCCM does report on malware detections as it should.
I have tried to 'work around' this issue by exporting the AntiMalware Policy to an XML file, and then using this, in conjunction with ConfigSecurityPolicy.exe, to create a package that will import the policy settings. Even though SCCM is able to deploy the package to the machines via the CMG, and execmgr.log indicates that the command line ran successfully, the settings are still not imported unless the computer is connected to the LAN or VPN.
Please can someone assist with why this is happening, and how I could possibly resolve the issue?