Windows Defender on Windows 10

  • Question

  • Will my EndPoint Protection policies apply to Windows Defender on Windows 10?

    Orange County District Attorney

    Tuesday, August 4, 2015 10:56 PM

Answers

  • Hi, if you are running ConfigMgr 2012 R2 SP1 or 2012 SP2, then Windows Defender is managed instead of installing System Center Endpoint Protection, and yes, your policies are then applied to Windows Defender instead. Alerts are sent from Windows Defender to your SCCM 2012 SP2 / R2 SP1 site server, and it works the same way as SCEP did.

    You have a stripped-down user interface with fewer features in Windows Defender, but that is the only difference.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Wednesday, August 5, 2015 7:29 AM

All replies

  • Hello Jörgen,

    I am running SCCM 2012 R2 SP1 CU1. On my Win 10 test machine, it doesn't appear to have my policies applied. I don't have any exclusions, and I'm able to turn off real-time protection, which we do lock down.

    I've looked for logs under C:\ProgramData\Microsoft\Windows Defender but there's nothing there that ties back to SCCM 2012.


    Orange County District Attorney

    Wednesday, August 5, 2015 2:31 PM
  • Interesting things happened after the previous post. Seems that my Windows 10 box was listening and as I watched the EndPointProtectionAgent.log, it proceeded to remove all the SCEP bits and then laid down a Managed Windows Defender client and my policies. Pretty slick. The Application log revealed what it was doing as well. I'm guessing this was the SCCM client's doings.

    Application Log

    ==========

    Product: Microsoft Endpoint Protection Management Components -- Removal completed successfully.

    Windows Installer removed the product. Product Name: Microsoft Endpoint Protection Management Components. Product Version: 4.7.0213.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Removal success or error status: 0.

    Product: Microsoft Forefront Endpoint Protection 2010 Server Management -- Removal completed successfully.

    Windows Installer removed the product. Product Name: Microsoft Forefront Endpoint Protection 2010 Server Management. Product Version: 4.7.0213.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Removal success or error status: 0.

    Windows Installer installed the product. Product Name: Managed Windows Defender. Product Version: 4.7.0214.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

    Beginning a Windows Installer transaction: c:\812808b87204b231e1ac\amd64\EppManagedDefender.msi. Client Process Id: 5872.

    Product: Managed Windows Defender -- Installation completed successfully.

    Windows Installer installed the product. Product Name: Managed Windows Defender. Product Version: 4.7.0214.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

    Windows Installer installed the product. Product Name: Microsoft Forefront Endpoint Protection 2010 Server Management. Product Version: 4.7.0214.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

    Beginning a Windows Installer transaction: c:\812808b87204b231e1ac\amd64\FEPClient.msi. Client Process Id: 5872.

    Product: Microsoft Forefront Endpoint Protection 2010 Server Management -- Installation completed successfully.

    Windows Installer installed the product. Product Name: Microsoft Forefront Endpoint Protection 2010 Server Management. Product Version: 4.7.0214.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

    EndPointProtectionAgent.log

    ==================

    Endpoint is triggered by WMI notification.
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.7.214.0.
    Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.
    Handle EP AM policy.
    Endpoint is triggered by WMI notification.
    Firewall provider is installed.
    Installed firewall provider meet the requirements.
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.7.214.0.
    Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.
    Sending ack to MTC for task {9BCF7827-E04F-4C3A-8D8C-B943316A2D7F}
    SCEP client is not present, SCEP client will be installed with the latest AM policy.
    Sending message to external event agent to disable notification
    Sending message to endpoint ExternalEventAgent
    Disable Startup Signature Update equals to false.
    Add the Disable Startup Signature Update settings to policy xml successfully.
    Create Process Command line: "C:\WINDOWS\ccmsetup\SCEPInstall.exe" /s /q /policy "C:\windows\CCM\EPAMPolicy.xml".
    Detail error message is : [EppSetupResult]
    HRESULT=0x00000000
    Description=The operation completed successfully.   

    Installed EP client successfully.
    start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000
    Start to send state message.
    Send state message successfully
    Sending message to external event agent to enable notification
    Sending message to endpoint ExternalEventAgent
    Sending message to external event agent to execute all on demand actions.
    Sending message to endpoint ExternalEventAgent
    Save new state 3, error code 0, detail message 'The operation completed successfully.' to registry SOFTWARE\Microsoft\CCM\EPAgent\State
    EP Policy Default Client Antimalware Policy
    IT Computer FEP Policy is already applied.
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState
    State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
    IT Computer FEP Policy and GroupResolveResultHash E2EE73DF7477CA2D0A44C7F8B1E8B2725EFF54CC is NOT changed.
    Skip sending state message due to same state message already exists.
    SCEP WMI provider is available now.
    Sending EvaluateAssignments Trigger to Updates Deployment Agent
    Sending message to endpoint UpdatesDeploymentAgent
    Sending message to external event agent to enable notification
    Sending message to endpoint ExternalEventAgent
    Sending message to external event agent to execute all on demand actions.
    Sending message to endpoint ExternalEventAgent
    Register a timer here to check whether definition get updated in 30 minutes.
    Firewall provider is installed.
    Installed firewall provider meet the requirements.
    start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000
    Skip sending state message due to same state message already exists.
    Endpoint is triggered by WMI notification.
    Endpoint is triggered by WMI notification.
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.7.214.0.
    EP version 4.7.214.0 is already installed.
    Expected Version 4.7.214.0 is exactly same with installed version 4.7.214.0.
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.7.214.0.
    EP version 4.7.214.0 is already installed.
    Expected Version 4.7.214.0 is exactly same with installed version 4.7.214.0.


    Orange County District Attorney

    Wednesday, August 5, 2015 2:56 PM
  • Hi,

    I confirm that part of the policies are getting applied. I say "part" because I have no way from the UI or Update & Security Settings to see what exactly was applied other than the exclusion list.

    Is there a way to see locally on a machine: default actions, scheduled scan and everything else that was under the SETTINGS tab in SCEP?

    Also, Defender definition updates have not been updated in over 24h, which confirms to me that it does not receive them through SCEP definitions in Software Updates.

    I know that in a lot of forums and even in the SCEP TechNet documentation (https://technet.microsoft.com/en-us/library/hh508770.aspx) it is mentioned that we need to enable Defender in the list of SU products.

    My concern is that all this was written before the W10 RTM, and even in the TechNet article it says “W10 Technical Preview”.

    Is this the official solution to support Defender definition updates on W10 RTM? Is there any chance that Microsoft will combine both, SCEP & Defender, definitions updates so we don't have to double the work?

    Best regards,

    Jonathan

    • Edited by Jovechkin Thursday, August 6, 2015 1:47 PM
    Thursday, August 6, 2015 1:21 PM
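A local check for the two questions raised in this thread (did the ConfigMgr EP agent hand its antimalware policy to Windows Defender, and are the definitions current), as an added PowerShell example that is not code from the thread or from Microsoft. It reads the EPAgent registry keys and the EPAMPolicy.xml path that appear in the EndPointProtectionAgent.log above, and then reports the effective Defender settings through the built-in Defender module; the value names under the EPAgent keys are not assumed, every value present is dumped.

```powershell
# Added example (not from the thread): verify locally that the ConfigMgr EP agent
# applied its antimalware policy to Windows Defender and that definitions are fresh.
# Run in an elevated PowerShell on the Windows 10 client.

$epAgentKeys = @(
    'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\State',                  # written per EndPointProtectionAgent.log
    'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState'  # policy state 1 = applied, per the log
)
$policyXml = 'C:\Windows\CCM\EPAMPolicy.xml'  # path from the SCEPInstall.exe command line in the log

function Get-EpAgentState {
    foreach ($key in $epAgentKeys) {
        if (Test-Path $key) {
            Write-Host "== $key"
            # Dump every value the agent wrote; no value names are assumed here.
            Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
        } else {
            Write-Warning "$key not found: the EP agent has not recorded a state yet"
        }
    }
    if (Test-Path $policyXml) {
        Write-Host "Policy file $policyXml last written $((Get-Item $policyXml).LastWriteTime)"
    } else {
        Write-Warning "$policyXml missing: no policy has been handed to SCEPInstall.exe"
    }
}

function Test-DefenderPolicyApplied {
    param([int]$MaxSignatureAgeDays = 1)  # the thread reports definitions stale after 24h
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # The settings that used to sit under the SCEP SETTINGS tab: real-time protection,
    # exclusions, scheduled scan and default actions, plus signature freshness.
    [pscustomobject]@{
        AMProductVersion          = $status.AMProductVersion
        RealTimeProtectionOn      = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        ExclusionPath             = ($pref.ExclusionPath -join ';')
        ScanScheduleDay           = $pref.ScanScheduleDay
        ScanScheduleTime          = $pref.ScanScheduleTime
        SevereThreatDefaultAction = $pref.SevereThreatDefaultAction
        SignatureVersion          = $status.AntivirusSignatureVersion
        SignatureAgeDays          = $status.AntivirusSignatureAge
        SignaturesCurrent         = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
}

Get-EpAgentState
Test-DefenderPolicyApplied | Format-List
```

If DisableRealtimeMonitoring can be flipped by a standard user while the policy state key reads 1, the policy reached the client but real-time protection is not being locked by it, which is the symptom described earlier in the thread.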