Forum Discussion
Bob_Panick
Jul 19, 2022
Brass Contributor
Shutdown Defender for Endpoint on Server Quickly
My customer just asked a really good question that I don't know the answer to. They have Defender for Endpoint managed by MECM (a.k.a. SCCM) on Windows Server 2012 R2, 2016 and 2019. They have just...
Bob_Panick
Brass Contributor
I'll admit checking the Defender console didn't even occur to me, thank you for that suggestion.
On Windows Server 2012 R2 you don't have the Defender event log entries since it's using SCEP. But that's a nice idea on 2016+.
DfE in this case is managed by MECM (a.k.a. SCCM), so excluding them in Azure AD isn't possible I don't believe. Removing them from the MECM collection didn't have any effect on turning off DfE.
yongrheemsft
Jul 20, 2022
Microsoft
Bob_Panick, if using MEMCM (SCCM), you could create a new group policy that sets the "Real-time protection" to disabled, which then you could add the 'device collection' where the Windows Servers are. Make sure to force a machine policy refresh; that would remove MDAV and SCEP out of the picture.
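
An added example, not part of any reply in this thread: one way to force the machine policy refresh mentioned above from the server itself and then confirm what state real-time protection actually ended up in. It assumes the ConfigMgr client is installed and an elevated PowerShell session; the two-minute wait and the variable names are illustrative choices.

```powershell
# Added example: run elevated on the server after the policy has been deployed.
$since = Get-Date

# Ask the ConfigMgr client to pull and evaluate machine policy now.
# ...0021 = Machine Policy Retrieval, ...0022 = Machine Policy Evaluation.
$schedules = '{00000000-0000-0000-0000-000000000021}',
             '{00000000-0000-0000-0000-000000000022}'
foreach ($id in $schedules) {
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } |
        Out-Null
}

# Assumed wait: give the client time to download and apply the policy.
Start-Sleep -Seconds 120

if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    # Server 2016+ with Microsoft Defender Antivirus: read the live state.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        AMServiceEnabled          = $status.AMServiceEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    }

    # Event ID 5001 records real-time protection being disabled. Finding one
    # newer than $since ties the state change to this policy refresh.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001
        StartTime = $since
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if ($events) {
        $events | Select-Object TimeCreated, Id, Message
    } else {
        Write-Warning 'No event 5001 since the refresh; the policy may not have applied yet.'
    }
} else {
    # Server 2012 R2 with SCEP: no Defender cmdlets or Defender event log,
    # as noted earlier in the thread, so the state has to be checked elsewhere.
    Write-Warning 'Get-MpComputerStatus is not available on this host (SCEP).'
}
```

The same event 5001 query is worth keeping as a detection on servers where real-time protection is expected to stay on.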