Forum Discussion
SCCM Client Settings - Endpoint Protection
DMobley_232 You don't mention what client checks are failing exactly, but setting the "Manage Endpoint Protection client on client computers" to "No" when using a third-party anti-malware solution would probably be a good idea.
- DMobley_232, Sep 04, 2020, Copper Contributor
Michiel Overweel I am referencing when you go to Monitoring > Client Status > Client Check.
Unfortunately, without a Microsoft document the admin will not set Microsoft Endpoint Protection on client computers to "No".
We use CrowdStrike, if that helps at all.
- Michiel Overweel, Sep 07, 2020, Former Employee
DMobley_232 What I meant was, you didn't mention which client checks fail. The Client Status dashboard (\Monitoring\Overview\Client Status) contains a Most Frequent Client Check Errors bar graph that should give you an idea which checks are failing most frequently.
As for the "Manage Endpoint Protection client on client computers" setting: this is set to "No" by default. Before you can even set this to "Yes", you need to install the Endpoint Protection point role in the site. None of this is required if you don't want to manage Windows Defender using ConfigMgr, and both of these require a conscious decision by and effort from an administrator, so this is something that someone enabled in your site at some point in time.
More information:
- https://docs.microsoft.com/en-us/mem/configmgr/protect/plan-design/planning-for-endpoint-protection
- https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection
- https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-configure
- DMobley232, Sep 07, 2020, Copper Contributor
Thank you. I see what you are saying now. It looks like it is failing the CcmEval task.
We currently use CrowdStrike as our primary endpoint protection; however, they still want Windows Defender in the event CrowdStrike fails, so Defender would be the backup.
- We do have the "Endpoint Protection point" role configured under Site System Roles.
- There is a Desktop policy under Assets and Compliance > Endpoint Protection > Antimalware Policies.
- There is also a policy set for Endpoint Protection under Administration > Client Settings.
As a test, I created a new collection of 15 computers. They were all Client Check = Failed in Client Status > Client Check.
I created a new client settings policy under Administration > Client Settings that was deployed to the 15 computers with "No" for Manage Endpoint Protection client on client computers. Within 24 hours, 75% of the test computers successfully passed client check.
I then changed the setting to "Yes", and 24 hours later all the computers but one are back to "Failed Client Check". On the computers that failed, I did find this in the CcmEval log:
Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
Failed to start the service 'WinDefend', hr=80004005 CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
Any ideas?
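The following PowerShell is an added example for the two questions raised in this thread (which client check is failing, and why CcmEval cannot start WinDefend); it is not code from either poster or from Microsoft. It parses CcmEval.log entries of the shape quoted above, then reports the local state that a ConfigMgr admin would want beside that log line: the WinDefend service status and start type, which antivirus products are registered with Windows Security Center, and what Get-MpComputerStatus reports. The three log lines embedded in the script are constructed to match the format in the post; on a real client, point $Lines at C:\Windows\CCM\Logs\CcmEval.log instead. Get-Service, Get-CimInstance against root\SecurityCenter2 and Get-MpComputerStatus are standard cmdlets; the interpretation text at the end is the author's own reading of the documented Windows 10 behaviour, namely that Microsoft Defender Antivirus turns itself off when another antivirus product registers with Security Center (it only enters passive mode when the device is onboarded to Defender for Endpoint), so a health check that tries to start WinDefend will keep failing on such devices.

```powershell
# Added example (not from the thread). Parses CcmEval.log lines like the ones quoted
# in the post and checks local antimalware state on a ConfigMgr client.

# Constructed sample, matching the format of the CcmEval.log lines in the post.
$SampleLog = @'
Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
Failed to start the service 'WinDefend', hr=80004005 CcmEval 9/6/2020 10:56:03 AM 39032 (0x9878)
'@ -split "`r?`n"

function Get-CcmEvalServiceFailure {
    # Returns one object per "Failed to start the service" entry, tagged with the
    # health check rule (GUID + description) that was being evaluated at the time.
    param([string[]]$Lines)
    $currentRule = $null
    foreach ($line in $Lines) {
        if ($line -match 'Evaluating health check rule (\{[0-9A-Fa-f-]+\}) : (.+?)\s+CcmEval ') {
            $currentRule = [pscustomobject]@{ Id = $matches[1]; Description = $matches[2] }
            continue
        }
        if ($line -match "Failed to start the service '([^']+)', hr=([0-9A-Fa-f]{8})") {
            [pscustomobject]@{
                Service = $matches[1]
                HResult = '0x' + $matches[2].ToUpper()   # 0x80004005 is E_FAIL, i.e. unspecified
                RuleId  = if ($currentRule) { $currentRule.Id } else { $null }
                Rule    = if ($currentRule) { $currentRule.Description } else { $null }
            }
        }
    }
}

function Get-LocalAntimalwareState {
    # Collects the facts an admin wants next to the log line: service state,
    # AV products registered with Security Center, and Defender's own view.
    param([string]$ServiceName = 'WinDefend')
    $svc      = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $mp       = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $status   = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
    $start    = if ($svc) { [string]$svc.StartType } else { $null }
    [pscustomobject]@{
        Service             = $ServiceName
        ServiceStatus       = $status
        ServiceStartType    = $start
        RegisteredAV        = @($products | ForEach-Object { $_.displayName })
        DefenderAVEnabled   = $mp.AntivirusEnabled
        DefenderRunningMode = $mp.AMRunningMode   # empty on builds that predate this property
    }
}

function Get-AntimalwareInterpretation {
    # Author's reading of the state; the facts it relies on are in the lead-in.
    param($State)
    $thirdParty = @($State.RegisteredAV | Where-Object { $_ -notmatch 'Defender' })
    if ($State.ServiceStatus -ne 'Running' -and $thirdParty.Count -gt 0) {
        return ("{0} is '{1}' while a third-party AV ({2}) is registered with Security Center. " +
                "Microsoft Defender Antivirus disables itself on Windows 10 in that case, so the " +
                "ConfigMgr health check cannot start it; either set 'Manage Endpoint Protection " +
                "client on client computers' to No for these devices, or remove the conflict.") -f
                $State.Service, $State.ServiceStatus, ($thirdParty -join ', ')
    }
    if ($State.ServiceStatus -ne 'Running') {
        return "$($State.Service) is '$($State.ServiceStatus)' (start type $($State.ServiceStartType)) with no third-party AV registered; check the service and Defender event logs."
    }
    return "$($State.Service) is running; the CcmEval failure is not a Defender/third-party AV conflict."
}

# Usage: replace $SampleLog with Get-Content 'C:\Windows\CCM\Logs\CcmEval.log' on a client.
$failures = Get-CcmEvalServiceFailure -Lines $SampleLog
$failures | Format-List
foreach ($f in $failures) {
    $state = Get-LocalAntimalwareState -ServiceName $f.Service
    $state | Format-List
    Get-AntimalwareInterpretation -State $state
}
```

Run it on one of the computers that fails the check rather than on the site server; the service and Security Center queries are local reads and do not need elevation. If the interpretation points at a registered third-party product, the setting DMobley_232 tested (Manage Endpoint Protection client set to "No" for the affected collection) is the ConfigMgr-side change that stops the health check from trying to start a service Windows has turned off.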