
0 Votes
BojanZivkovic-7448 asked (edited)

Endpoint Protection workload - co-management

Hi, if I switch the device configuration workload, which also switches the endpoint protection workload, from CM to Intune, what will happen with antimalware policies deployed to collections containing Windows 10 devices if I do not create them from scratch and deploy them from the Intune end? Basically, would I be forced to create the same antimalware policy on the Intune end if the one on the CM end would not be enforced on clients anymore?

mem-cm-co-management

1 Vote
Jason-MSFT answered

No. If the workload is switched for a device but there is no Intune enforced policy for Windows Defender, then the ConfigMgr agent will continue to enforce the assigned Defender policy from ConfigMgr. From memory, you'll be able to see evidence of this in the comanagementhandler.log.


0 Votes
Amandayou-MSFT answered

Hi @BojanZivkovic-7448,

I haven't heard from you for some time. Is Jason's answer helpful to you? If it is helpful, please accept the answer. It will help someone who has a similar issue find the answer easily.

If you have any other issues, please don't hesitate to let us know.

Thanks and have a nice day.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



0 Votes
BojanZivkovic-7448 answered

In case of conflict I guess Intune end will take precedence (if managing workload)? What about settings not conflicting with each other (for instance something defined in MECM but not in Intune - will they merge)?


0 Votes
Jason-MSFT answered

> In case of conflict I guess Intune end will take precedence

If the workload is set to Intune, yes, Intune will win -- that's the point of the workload slider.

> will they merge

No, never. As noted, that's the entire point of an admin-configurable workload using the sliders.




0 Votes
BojanZivkovic-7448 answered (edited)

Since I am mostly concerned here about devices being outside the LAN most of the time, is implementing CMG a waste of time and money for companies having Intune too? What I do not really like in Intune is handling 3rd-party app updates (we use Patch My PC Publishing Service internally and it works fine with MECM), but having CMG just for 3rd-party app updates looks like overkill. We have a strong emphasis on security, so having the OS and apps up to date is a top priority.
