Windows Defender (SCEP) losing settings after reboot

  • Question

  • Hello,

    For a few weeks I have been facing the issue that, after a reboot, the settings for Windows Defender (managed via SCCM (1902) - SCEP Policies) are getting lost. Our clients are Windows 10 1803.

    What I have found out so far:
    - SCEP Policies are added via local policies by SCCM
    - after reboot the file "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" is newly created by the local gpsvc service
    - this 'Registry.pol' basically should include the Windows Defender settings (on working clients it does)
    - this 'Registry.pol' file is applied after each reboot
    - on affected clients this 'Registry.pol' is nearly blank (only four Windows Update settings are included?!)
    - the Windows Defender settings are deleted after each reboot - but are added again in the same process through 'Registry.pol'

    Via gpsvc debug logging I can reproduce the behaviour above.

    I cannot reproduce this issue on every client - newly installed computers seem not to be affected.
    UPDATE (24.06.2019): newly installed clients ARE affected - during my first tests my workaround ("C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml") was also executed via SCCM Baseline on my test clients; after excluding them, the test clients lose the Defender settings after each reboot.

    What I don't know is where the gpsvc service learns about the SCCM configuration and the Windows Defender settings that need to be applied. The 'Registry.pol' is newly created after each reboot, so where does this information come from? When disabling the ccmexec service on a working client, the 'Registry.pol' is still created correctly and the Defender settings are applied - so it seems that the information does not come directly from the ccmexec service.

    Any help/suggestions are welcome! :-)

    Monday, June 17, 2019 1:10 PM

All replies

  • Have you checked the GPO settings? Or have these clients installed third-party anti-virus software?
    Friday, June 21, 2019 10:00 AM
  • Yes, I checked the GPO settings and everything looks OK so far. And no, these clients don't have third-party anti-virus software installed.

    Some further investigation showed me that the "C:\ProgramData\ntuser.pol" isn't created with the SCEP settings (on working clients it is), and I still don't know why...

    Monday, June 24, 2019 5:41 AM
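
Added example, not part of the thread: a small parser for the Registry.pol (PReg) format, useful for comparing what the file contains on a working and an affected client. The registry key and value names and both sample files are constructed assumptions; on a client you would pass the bytes of the real file to `parse_pol`.

```python
import struct

def _w(s):
    return s.encode("utf-16-le")
def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(buf, pos):
    # NUL-terminated UTF-16LE string -> (text, offset after the terminator)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    # PReg layout: "PReg", DWORD version 1, then [key;value;type;size;data] records
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_wstr(buf, _expect(buf, pos, "["))
        value, pos = _read_wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        size, = struct.unpack_from("<I", buf, _expect(buf, pos + 4, ";"))
        pos = _expect(buf, pos + 10, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")  # also fails if data was truncated
        entries.append((key, value, rtype, data))
    return entries

def settings_under(entries, key_prefix):
    p = key_prefix.lower()  # registry key names are case-insensitive
    return [(k, v) for k, v, _, _ in entries if k.lower().startswith(p)]

def build_entry(key, value, rtype, data):
    return (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
            + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

# Constructed samples; key and value names are assumptions, not from the thread
DEFENDER = r"Software\Policies\Microsoft\Windows Defender"
WU = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
AFFECTED = b"PReg" + struct.pack("<I", 1) + build_entry(WU, "WUServer", 1, _w("http://wsus.example\0"))
WORKING = AFFECTED + build_entry(DEFENDER + r"\Real-Time Protection",
                                 "DisableRealtimeMonitoring", 4, struct.pack("<I", 0))
```

An empty result from `settings_under(parse_pol(data), DEFENDER)` corresponds to the "nearly blank" file described for affected clients.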