Intune Endpoint protection workload conflicts

Alfred 1 Reputation point
2022-08-04T07:12:35.487+00:00

We have co-managed approx 50 devices and have moved their endpoint protection workload. We are seeing some weird behavior on some clients where it seems to be getting both SCCM and Intune settings despite messages saying "Verified that Intune has set Defender policy, will not apply SCCM policy".

On SCCM, we have both some endpoint specific client settings and the default anti-malware policy configured which are being pushed to these devices. I can see 'Augrace' of 72 hours being set via this mechanism, but it is preferable not to have this set to allow clients to get more timely updates from alternative sources (such as MMPC). The weird thing is that only some of our devices have this setting (which we can verify by checking gpedit, as this is where SCCM configures these defender settings).

Are we supposed to push a new client setting which has "Manage endpoint protection client on client computers" set to No on these Intune workload-managed devices in order to avoid getting this setting? I was under the impression that none of these settings should matter after the workload is moved.


4 answers

  1. Crystal-MSFT 42,956 Reputation points Microsoft Vendor
    2022-08-05T07:34:31.243+00:00

    @Alfred, from your description, it seems some clients get both SCCM and Intune Endpoint Protection settings when we transfer the workload in Intune. If there's any misunderstanding, feel free to let us know.

    As far as I know, when we switch the Endpoint Protection workload to Intune, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition.
    https://learn.microsoft.com/en-us/mem/configmgr/comanage/workloads#endpoint-protection

    For our issue, please first check the affected device on the Intune side to see if "Endpoint Protection" is listed under "Intune managed workloads".
    (screenshot attached: 228462-image.png)
    Meanwhile, go to Intune endpoint security policies and verify if the policy has applied successfully to the affected device. Please get a screenshot.

    In addition, for the setting "Manage endpoint protection client on client computers", based on my understanding, when it is set to No, it will not be managed by Configuration Manager. So I think we can try it.
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#manage-endpoint-protection-client-on-client-computers

    If there's any update, feel free to let us know.


  2. Alfred 1 Reputation point
    2022-08-05T07:48:17.533+00:00

    I can confirm that the "intune managed workloads" are set to only endpoint protection. Additionally, the policy from Intune has been applied successfully.

    (screenshot attached: 228482-image.png)

    I have ensured that no endpoint client settings are being applied to my device from SCCM; the default anti-malware policy still applies. On my device we can see that there is no AuGracePeriod, but on another device it is set to the default found in the AntiMalware settings (of 3 days). Is there a chance that Tamper Protection is preventing SCCM from changing this back to the 0 like it is on my device?

    I have a hunch that in the case of the second device, endpoint settings were applied to the device prior to co-management, which is why they are being kept. As this is not a setting available in Intune, I assume there is no overwriting from Intune? The question is how do I get rid of it now that co-management has happened.

    (screenshot attached: 228472-image.png)


  3. Alfred 1 Reputation point
    2022-08-05T10:02:49.55+00:00

    Hmm, sounds like this setting 'tattooing' could be what's causing this behavior then (although it doesn't explain why it exists on some devices and not others). Assuming we leave device configuration on SCCM (because this is our preference currently), shouldn't we be able to push a new anti-malware policy to update this 'AuGracePeriod'? What I have found is that a new policy doesn't update the original default one.

    (screenshot attached: 228445-image.png)

    You can see that neither have any information about it being applied, yet when I look at the registry I can see 'AuGracePeriod' of the default of 3 days (not 1 like I have set on the updated AM policy).

    (screenshot attached: 228440-image.png)

    Would removing the registry setting manually result in it coming back on these problematic devices?


  4. Vrindavan Patange 0 Reputation points
    2023-02-07T12:35:32.95+00:00

    I think 4320 value is inherited from Group Policy.
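An added PowerShell audit helper, not from the thread or from Microsoft, for checking whether the tattooed 'AuGracePeriod' value discussed above is present on a device and whether it matches the updated antimalware policy. It assumes the value sits under the Defender policy hive named below (the local Group Policy location the thread mentions), that it is stored in minutes (4320 = 72 hours = the 3-day default in the thread), and that the "1" Alfred set in the updated policy means 1 day (1440 minutes).

```powershell
# Audit helper (added example, not from the thread). Reads the Defender
# 'AuGracePeriod' value that an SCCM antimalware policy writes via local Group
# Policy and compares it with what the updated policy should have set.
# Assumption: the value lives under the policy key below and is in minutes.

function Get-DefenderAuGracePeriod {
    [CmdletBinding()]
    param(
        # Assumed location of GPO/SCCM-applied Defender signature-update settings
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates',
        [string]$ValueName = 'AuGracePeriod'
    )

    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No tattooed value: nothing holds back updates from alternative sources
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Present      = $false
            Minutes      = $null
            Hours        = $null
            Source       = "$PolicyKey\$ValueName"
        }
    }

    $minutes = [int]$item.$ValueName
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = $true
        Minutes      = $minutes                      # 4320 == the 3-day default seen in the thread
        Hours        = [math]::Round($minutes / 60, 2)
        Source       = "$PolicyKey\$ValueName"
    }
}

function Test-DefenderAuGracePeriod {
    # 1440 minutes = 1 day, my reading of the "1" set in the updated AM policy (assumption)
    param([int]$ExpectedMinutes = 1440)

    $state = Get-DefenderAuGracePeriod
    $state | Add-Member -NotePropertyName ExpectedMinutes -NotePropertyValue $ExpectedMinutes
    # Absent counts as fine (Defender default); present must equal the expected value
    $matches = (-not $state.Present) -or ($state.Minutes -eq $ExpectedMinutes)
    $state | Add-Member -NotePropertyName MatchesPolicy -NotePropertyValue $matches
    $state
}

Test-DefenderAuGracePeriod | Format-List
```

Save the block as a .ps1 and run it on the second device with Invoke-Command -FilePath to compare both machines side by side; a device reporting Present = True with 4320 minutes while the Intune workload shows Endpoint Protection is the tattooed state the thread describes.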