Endpoint Protection workload - co-management

Bojan Zivkovic 441 Reputation points
2022-04-28T13:20:14.627+00:00

Hi, if I switch the device configuration workload (which also switches the endpoint protection workload) from CM to Intune, what will happen with antimalware policies deployed to collections containing Windows 10 devices if I do not create them from scratch and deploy them from the Intune end? Basically, would I be forced to create the same antimalware policy on the Intune end if the one on the CM end would not be enforced on clients anymore?

Microsoft Configuration Manager

5 answers

  1. Jason Sandys 31,191 Reputation points Microsoft Employee
    2022-04-28T15:57:21.257+00:00

    No. If the workload is switched for a device but there is no Intune enforced policy for Windows Defender, then the ConfigMgr agent will continue to enforce the assigned Defender policy from ConfigMgr. From memory, you'll be able to see evidence of this in the comanagementhandler.log.

    1 person found this answer helpful.

  2. Amandayou-MSFT 11,056 Reputation points
    2022-05-02T05:58:57.507+00:00

    Hi @Bojan Zivkovic ,

    We haven't heard from you for some time; is Jason's answer helpful to you? If it is, please accept the answer. It will help someone who has a similar issue find the answer easily.

    If you have any other issues, please don't hesitate to let us know.

    Thanks and have a nice day.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Bojan Zivkovic 441 Reputation points
    2022-05-02T10:40:58.427+00:00

    In case of conflict, I guess the Intune end will take precedence (if it is managing the workload)? What about settings that do not conflict with each other (for instance, something defined in MECM but not in Intune - will they merge)?


  4. Jason Sandys 31,191 Reputation points Microsoft Employee
    2022-05-09T17:18:29.497+00:00

    In case of conflict I guess Intune end will take precedence

    If the workload is set to Intune, yes, Intune will win -- that's the point of the workload slider.

    will they merge

    No, never. As noted, that's the entire point of an admin-configurable workload using the sliders.

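A way to check on a client which workloads the slider has handed to Intune, and where to look for the enforcement decision Jason refers to in his first answer, as an added PowerShell example that is not part of the thread. It assumes the flag value lives at HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags with the bit layout in the table below (both as I recall them from Microsoft's co-management documentation; verify against the docs before relying on them), and that the client log is %windir%\CCM\Logs\CoManagementHandler.log:

```powershell
# Added example, not from the thread. Decodes the co-management workload bitmask
# the ConfigMgr client stores, then points at the log Jason mentions.
# ASSUMPTION: the registry location and the bit layout below are recalled from
# Microsoft's co-management documentation; confirm them before relying on this.

$WorkloadBits = [ordered]@{
    CompliancePolicies  = 2
    ResourceAccess      = 4
    DeviceConfiguration = 8
    WindowsUpdate       = 16
    EndpointProtection  = 32
    ClientApps          = 64
    OfficeClickToRun    = 128
}

function ConvertFrom-CoManagementFlags {
    # Returns one object per workload with the authority the slider has given it.
    param([Parameter(Mandatory)][int]$Flags)

    $enabled = [bool]($Flags -band 1)   # bit 0: co-management enabled at all
    if (-not $enabled) {
        Write-Warning 'Bit 0 clear: co-management is not enabled; every workload stays with ConfigMgr.'
    }
    foreach ($name in $WorkloadBits.Keys) {
        $toIntune = $enabled -and [bool]($Flags -band $WorkloadBits[$name])
        [pscustomobject]@{
            Workload  = $name
            ManagedBy = if ($toIntune) { 'Intune' } else { 'ConfigMgr' }
        }
    }
}

function Get-CoManagementFlags {
    # Live value from the client; $null if the key/value is absent (not a co-managed client).
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags `
        -ErrorAction SilentlyContinue).CoManagementFlags
}

# Constructed sample value: enabled (1) + Device configuration (8) + Endpoint protection (32).
$sample = 1 + 8 + 32
'Decoding constructed value {0}:' -f $sample
ConvertFrom-CoManagementFlags -Flags $sample | Format-Table -AutoSize

$live = Get-CoManagementFlags
if ($null -ne $live) {
    'Decoding live value {0}:' -f $live
    ConvertFrom-CoManagementFlags -Flags $live | Format-Table -AutoSize

    # The slider only says who is allowed to win. Whether an Intune policy has actually
    # arrived (and so whether the ConfigMgr antimalware policy is still being applied)
    # is only visible in the co-management handler log on the client.
    $log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'workload|endpoint|policy' | Select-Object -Last 15
    }
}
```

The decoded table tells you who is allowed to own a workload; it does not tell you whether Intune has delivered a policy for it. For the antimalware case in this thread, the log lines are what confirm whether the client is still applying the ConfigMgr policy or has received one from Intune.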

  5. Bojan Zivkovic 441 Reputation points
    2022-05-16T10:52:54.23+00:00

    Since I am mostly concerned here about devices being outside the LAN most of the time, is implementing a CMG a waste of time and money for companies that have Intune too? What I do not really like in Intune is the handling of 3rd-party app updates (we use the Patch My PC Publishing Service internally and it works fine with MECM), but having a CMG just for 3rd-party app updates looks like overkill. We have a strong emphasis on security, so having the OS and apps up to date is a top priority.
