Is there a setting in SCCM that controls when the Windows Defender Exploit Guard Policy gets applied on Client Computers?

  • Question

  • I am currently facing an issue where the changes in WD Exploit Guard policy in SCCM get applied to our machines only at 10 PM, which is the start of the SCCM Maintenance Window.

    Could there be a setting in SCCM which controls this behavior where WD Exploit Guard policy should only apply during Maintenance Window?


    Shirish Mistry

    Tuesday, October 15, 2019 11:24 AM

Answers

  • Hello,
     
    Thanks for posting in TechNet. 
     
    Could you tell us how you check the time when the WDEG policy is applied on the client?
     
    It would be applied after the client retrieves the machine policy. Actually, we could check the following log to verify/troubleshoot it.
     
    We could get the policy ID here.
     

     
    After the policy retrieval on the client, we should see it downloaded in the policyagent.log and applied in the policyevaluator.log.
      

     

     
    You could check them in your environment and tell us what the results are.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Shirish Mistry Tuesday, December 24, 2019 3:22 AM
    Wednesday, October 16, 2019 12:25 PM
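
The check described in the answer above, as an added example that is not part of the original thread or of any poster's reply: it pulls every entry mentioning a given policy ID out of PolicyAgent.log and PolicyEvaluator.log text and lists the timestamps in order, so they can be compared with the polling interval and the maintenance window. The policy ID, the sample log entries and the function name `Get-PolicyLogHit` are constructed for illustration, and the commented path assumes the default client log folder.

```powershell
# Placeholder: substitute the policy ID found for the Exploit Guard policy.
$PolicyId = 'EXAMPLE-POLICY-ID'

# Constructed sample entries in the client log line layout (message text is invented).
$Sample = @{
    'PolicyAgent.log' = @'
<![LOG[Constructed: policy EXAMPLE-POLICY-ID downloaded]LOG]!><time="14:03:21.117+240" date="10-16-2019" component="PolicyAgent_PolicyDownload" context="" type="1" thread="4120" file="sample:1">
<![LOG[Constructed: unrelated entry]LOG]!><time="14:03:22.001+240" date="10-16-2019" component="PolicyAgent_PolicyDownload" context="" type="1" thread="4120" file="sample:1">
'@
    'PolicyEvaluator.log' = @'
<![LOG[Constructed: applying policy
EXAMPLE-POLICY-ID]LOG]!><time="14:03:25.903+240" date="10-16-2019" component="PolicyAgent_PolicyEvaluator" context="" type="1" thread="5332" file="sample:1">
'@
}

function Get-PolicyLogHit {
    param([string]$Text, [string]$PolicyId, [string]$LogName)
    # One entry = message, then time/date/component attributes. Singleline lets a
    # message that wraps over several lines still be read as one entry.
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{1,2}:\d{1,2}:\d{1,2})[^"]*" ' +
             'date="(?<date>\d{1,2}-\d{1,2}-\d{4})" component="(?<comp>[^"]*)"'
    foreach ($m in [regex]::Matches($Text, $entry, 'Singleline')) {
        $msg = $m.Groups['msg'].Value
        # Literal, case-insensitive search: policy IDs may contain regex/wildcard characters.
        if ($msg.IndexOf($PolicyId, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        $stamp = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($stamp, 'M-d-yyyy H:m:s', [cultureinfo]::InvariantCulture)
            Log       = $LogName
            Component = $m.Groups['comp'].Value
            Message   = ($msg -replace '\s+', ' ')
        }
    }
}

# On a client, read the real files instead of the sample (default log folder assumed):
#   Get-Content "$env:WinDir\CCM\Logs\PolicyAgent.log" -Raw
$hits = foreach ($name in $Sample.Keys) {
    Get-PolicyLogHit -Text $Sample[$name] -PolicyId $PolicyId -LogName $name
}
$hits | Sort-Object Time | Format-Table Time, Log, Component, Message -AutoSize
```

Timestamps are the client's local time as written in the log, which is the clock the maintenance window is compared against.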

All replies

  • No, there is no explicit setting for this.

    Have you tried a machine policy refresh on a test system after making an Exploit Guard configuration change in the console?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, October 15, 2019 2:03 PM
  • Thanks Jason,

    Yes, if I try to update the machine policy refresh manually on a test machine, it does update the Exploit Guard configuration change. However, it still updates the Exploit Guard configuration at 10:00 PM and not during any other time frame if I do not refresh the machine policy manually, even though the Policy Polling Interval is set to 60 Mins.


    Shirish Mistry

    Wednesday, October 16, 2019 4:18 AM
  • Hello Shirish Mistry,
     
    I noticed that you have not updated for several days. May I know if your issue is solved or if there is any update? Feel free to give feedback.
     
    Best Regards,
    Ray


    Monday, October 21, 2019 2:33 AM
  • Hi Ray,

    Sorry for the late response. I have verified this by manually making a change to one of the Exploit Guard policies and then running the Machine Cycle manually, and it showed the Policy ID in the PolicyAgent.log and PolicyEvaluator.log files. Thereafter, I made another change and allowed the machine to undergo the next Machine Policy refresh automatically, and it again showed the Policy ID (as per the second change) in the PolicyAgent.log and PolicyEvaluator.log files.

    I think I might have confused this with some other policy.

    Thank you so much for your help, Ray!


    Shirish Mistry

    Tuesday, December 24, 2019 3:34 AM