SCCM, SCEP and Defender – Making it All Work

Kevin Proctor

So you may or may not have heard that Windows Defender is the default anti-virus client on Windows 10. On previous OS versions, SCCM replaced the built-in anti-virus client with the System Center Endpoint Protection (SCEP) client when it took over management. Windows 10 takes a different approach: Defender can now be managed directly by SCCM without being replaced. What does this mean in practice? Even if you tell SCCM to install the SCEP client, launching SCEP.exe on a Windows 10 machine will simply launch Defender.

I've finally got everything playing nicely in my lab, so I'm sharing a few screenshots. The important thing is to make sure that the "allow installation and restarts" option is set to Yes in order to see things happen right away. If your environment has maintenance windows established, leave it as is and wait for the maintenance window to occur.

[Screenshot: W10SCEP]

Neither of my VMs was previously managed, and it took until a reboot for them to actually report into the console as managed. Looking at the figures below, first the machine was listed as "unmanaged," then it was "managed" with Windows 8.1, followed by a failed push install on Windows 10, and finally the system was managed with Windows 10.

[Screenshot: Unmanaged]

[Screenshot: ManagedW81]

[Screenshot: ErrorPushInstall]

[Screenshot: Managed-W10]

You will need to remove any group policies that may have been configured to disable Windows Defender on domain machines.

I created a separate Windows 10 SCEP policy and deployed it to my collection of Windows 10 machines. The policy I applied is the SCEP 2012 standard desktop policy, modified to include Outlook 2010/2013 exclusions. Help -> About on the client will show that the machine is managed.

[Screenshot: ManagedDefender]

If we compare before and after, we can see that management creates a Managed Defender folder on the target machine.

[Screenshot: Before Management]

[Screenshot: After Management]

If we review EndpointProtectionAgent.log on the target machine, we can see that the policy has been applied.

[Screenshot: PolicyApplying]

When we look at this policy, we can see that it does indeed reference 1) our named policy, SCEP2012 Standard Desktop (Outlook 2010/2013), and 2) the exclusions.

[Screenshot: Policy-Exclusions]

If we check the settings on the Defender client, and specifically the exclusions, we see that our policy has been applied.

[Screenshot: DefenderSettings-Exclusions]

[Screenshot: DefenderSettings-Exclusions2]
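As an added check (not from the original post), the following PowerShell collects the same three things the screenshots above show: whether a Group Policy still disables Defender, the exclusions currently in effect on the Defender client, and the recent policy-related lines from EndpointProtectionAgent.log. It assumes the SCCM client logs live under C:\Windows\CCM\Logs and that the log uses the CMTrace line format.

```powershell
# Added verification script, not part of the original post.
# Assumptions: SCCM client logs live under C:\Windows\CCM\Logs, the log uses the
# CMTrace <![LOG[...]LOG]!> line format, and the Defender cmdlets are available.
function Test-DefenderManagedState {
    param(
        [string]$AgentLog = 'C:\Windows\CCM\Logs\EndpointProtectionAgent.log'
    )

    # 1. A GPO that disables Defender blocks SCCM from managing it; flag it if still present.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $gpoDisables = $false
    if (Test-Path $policyKey) {
        $gpo = Get-ItemProperty -Path $policyKey
        $gpoDisables = ($gpo.DisableAntiSpyware -eq 1)
    }

    # 2. Exclusions currently in effect on the Defender client (should match the SCEP policy).
    $pref = Get-MpPreference

    # 3. Recent policy-related entries from the Endpoint Protection agent log, with the
    #    CMTrace wrapper stripped so only the message text remains.
    $policyLines = @()
    if (Test-Path $AgentLog) {
        $policyLines = Get-Content -Path $AgentLog -Tail 200 |
            Select-String -Pattern 'policy' -SimpleMatch |
            ForEach-Object {
                ($_.Line -replace '^<!\[LOG\[', '') -replace '\]LOG\]!>.*$', ''
            }
    }

    [pscustomobject]@{
        GpoDisablesDefender = $gpoDisables
        ExclusionPath       = $pref.ExclusionPath
        ExclusionProcess    = $pref.ExclusionProcess
        ExclusionExtension  = $pref.ExclusionExtension
        RecentPolicyLog     = $policyLines
    }
}

# Run on the target machine and review the result.
Test-DefenderManagedState | Format-List
```

If GpoDisablesDefender comes back True, the client will not show as managed until that policy is removed, which is the same prerequisite noted above.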


Lastly, you will need to update your ADR for Endpoint Protection definition updates to include Windows Defender as a product. Even if you recreate the ADR using the wizard, it still defaults to Forefront Endpoint Protection 2010 as the only product choice. Remember to check your Software Update Point Component Properties -> Products tab if your SUG is missing Defender updates.