So you may or may not have heard that Defender is the default anti-virus client on Windows 10. In previous OS versions the anti-virus client was replaced by System Center Endpoint Protection (SCEP) software when it was managed by SCCM. Windows 10 takes a different approach and is now able to be directly managed by SCCM without replacing it. What does this mean? Even if you tell SCCM to install the SCEP client when you launch SCEP.exe, on a Windows 10 machine it will launch Defender.
I’ve finally got everything to play nicely in my lab so I’m sharing a few screenshots. The important thing is to make sure that you have the “allow installation and restarts” option set to Yes in order to see things happen right away. If your environment has maintenance windows established, leave it as is and wait for the maintenance windows to occur.
Both of my VMs were not previously managed and it took until a reboot for them to actually report into the console as managed. Looking at the figures below, first the machine was listed as “unmanaged,” then it was “managed” with Windows 8.1, followed by a failed push install on Windows 10, and finally the system was managed with Windows 10.
You will need to remove any group policies that may have been configured to disable Windows Defender on domain machines.
I created a separate Windows 10 SCEP policy and deployed it against my collection of Windows 10 machines, whereupon I applied a SCEP 2012 standard desktop policy, modified to include Outlook 2010/2013 exclusions. Help ->About will illustrate that the machine is managed.
If we compare a before and after we are able to see that it creates a Managed Defender folder on our target machine.
If we review our EndpointProtectionAgent.log on the target machine, we are able to see the policy has been applied.
When we look at this policy we are able to see that indeed it references our 1) SCEP2012 Standard Desktop (Outlook 2010/2013) named policy and 2) the exclusions.
If we check the settings on the Defender client and specifically look at the exclusions we see our policy has applied.
Lastly, you will need to update your ADR for Endpoint Definition updates to include Windows Defender as a product. Even if you recreate using the wizard it still only defaults to Forefront Endpoint Protection 2010 for the product choice. Remember to check your Software Update Point Component Properties -> Products tab if your SUG is missing defender updates.