Forum Discussion
DMobley_232
Aug 31, 2020Copper Contributor
SCCM Client Settings - Endpoint Protection
Hello. Over 90% of our sccm clients are failing client check however, Client activity looks great.
I think the issue is we use Crowdstrike, but in our SCCM Client settings, we have a Endpoint Protection policy that is set to "Yes" for "Manage Endpoint Protection Client on Client computers".
From what I can tell, if using a 3rd party anti-virus, this setting should be set to No?
Is that correct?
- saidu7059Copper Contributor
Your detective work seems spot on! When playing nice with a 3rd party like Crowdstrike, flipping the switch to "No" on "Manage Endpoint Protection Client on Client computers" often does the trick. It lets the external AV do its thing without unnecessary clashes.
For a deeper dive into this SCCM conundrum, you might want to explore the insights in the learn sccm community. They've got some real gems when it comes to navigating these tricky settings.
- saidu7059Copper ContributorAh, the quirks of SCCM and Endpoint Protection settings can make anyone do a double take, right?
- Michiel Overweel
Microsoft
DMobley_232 You don't mention what client checks are failing exactly, but setting the "Manage Endpoint Protection client on client computers" to "No" when using a third-party anti-malware solution would probably be a good idea.
- DMobley_232Copper Contributor
Michiel Overweel I am referencing when you go to Monitoring> Client Status> Client Check
Unfortunately without a Microsoft document the admin will not set Microsoft endpoint Protection on client computers to no.
We us crowdstrike if that helps at all.
- Michiel Overweel
Microsoft
DMobley_232 What I meant was, you didn't mention which client checks fail. The Client Status dashboard (\Monitoring\Overview\Client Status) contains a Most Frequent Client Check Errors bar graph that should give you an idea which checks are failing most frequently.
As for the "Manage Endpoint Protection client on client computers" setting: this is set to "No" by default. Before you can even set this to "Yes", you need to install the Endpoint Protection point role in the site. None of this is required if you don't want to manage the Windows Defender using ConfigMgr, and both of these require a conscious decision by and effort from an administrator, so this is something that someone enabled in your site at some point in time.
More information: