Can you create "Exclusion zone" that SCCM ignores in Active Directory 2012 R2

  • Question

  • I am very unfamiliar with SCCM to start off.

    I just need to be able to recommend to a client how to do something. Long story short, we need to create a zone in Active Directory that SCCM does not try to manage as far as the SCEP or Defender anti-virus goes. The client needs to be able to run a different anti-virus in this OU zone only.  The rest of their domain is going to stick with the SCCM SCEP/Defender model.

    I just worry that if I uninstall the SCEP from the computers in this zone that SCCM will try to redeploy.

    So is this possible? It sounds like something you could do in SCCM, like select the OU, tell it to ignore or something similar...



    • Edited by josh451 Wednesday, December 6, 2017 2:24 PM
    Wednesday, December 6, 2017 2:22 PM


  • Absolutely, yes.

    You could create an OU-based collection, then deploy a custom policy to disable the endpoint protection in this collection.

    If you have a custom policy applied to a collection, anything set in that policy overrides the default policy.  If it's deployed, it is the one and only policy applied.  If there are no custom client settings deployed to a collection, that's when the default is applied. 


    • Marked as answer by josh451 Friday, December 8, 2017 1:50 PM
    Friday, December 8, 2017 2:22 AM
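
One way to script the steps described in the answer above with the ConfigurationManager PowerShell module, as an added example that is not part of the original thread. The site code, OU path, collection name and client settings name are placeholders, and the script assumes it runs on a machine with the Configuration Manager console installed and Active Directory System Discovery enabled.

```powershell
# Added example: OU-scoped collection plus custom client settings that turn off
# Endpoint Protection management. All names and paths below are placeholders.
$SiteCode   = 'XYZ'                                      # placeholder site code
$OuPath     = 'CONTOSO.COM/WORKSTATIONS/THIRD-PARTY-AV'  # placeholder OU, canonical form
$Collection = 'EP Exclusion - Third-Party AV'            # placeholder collection name
$Setting    = 'Disable Endpoint Protection'              # placeholder client settings name

# Load the module shipped with the console and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. Device collection whose membership follows the OU, re-evaluated daily.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
New-CMDeviceCollection -Name $Collection -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic -RefreshSchedule $schedule | Out-Null

# SystemOUName is populated by Active Directory System Discovery.
$wql = 'select SMS_R_System.ResourceId from SMS_R_System ' +
       "where SMS_R_System.SystemOUName = `"$OuPath`""
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Collection `
    -RuleName 'Devices in excluded OU' -QueryExpression $wql

# 2. Custom device client settings with Endpoint Protection management disabled.
New-CMClientSetting -Name $Setting -Type Device | Out-Null
Set-CMClientSettingEndpointProtection -Name $Setting -Enable $false

# 3. Once the collection has evaluated, review exactly which devices are in
#    scope, so the exclusion does not reach machines outside the intended OU.
Get-CMCollectionMember -CollectionName $Collection |
    Sort-Object Name | Select-Object Name, ResourceId

# 4. Deploy the custom settings to the collection only.
#    (Newer module versions also provide New-CMClientSettingDeployment.)
Start-CMClientSettingDeployment -ClientSettingName $Setting -CollectionName $Collection
```

Because membership follows the OU, any computer object moved into that OU later picks up the same settings at the next collection evaluation, so control over who can move objects into the OU matters.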