Hello! My name is Todd Linke, and I am a Premier Field Engineer at Microsoft where I specialize in System Center Configuration Manager.
For those of you who may not be aware, SCCM generates a lot of disk activity on its site servers. It is not unusual for SCCM to write a file, compute a checksum over it, and then move or delete the file after processing so quickly that you would never see the file at all if you were watching the folder in Windows Explorer. Because of this churn, file system and process exclusions must be configured for any antivirus real-time scanning solution, whether it is Windows Defender or a 3rd-party product, and likewise for any other security product that actively monitors file system changes. Without them, the scanner can hold a lock on a file at the exact moment a site component tries to move or delete it.
I was working with some customers who were seeing strange behavior on their SCCM Site Servers. In one case, an unusually high percentage of clients had corrupt hardware inventories. Looking at the log files, we could see that client inventories were being successfully sent to the Management Point, but when processed on the site server by SMS_INVENTORY_DATALOADER we were getting a "File in use" error. We used Process Monitor and were able to determine that MsMpEng.exe (Windows Defender) was the process that was locking the file. We turned off "Real-Time Protection" for Defender and the errors suddenly stopped.
What we thought was unusual, though, is that they were using a 3rd-party antivirus solution, which they believed would disable Windows Defender when installed.
In the other case, Software Update Compliance status was missing in action. The MP_FILE_DISPATCH_MONITOR component on the Software Update Point server was unable to copy client status messages to the proper inboxes on the Primary Site Server. This time the error being reported was "The network path does not exist". Once again, Process Monitor showed that the files were in use by MsMpEng.exe, and once again, turning off "Real-Time Protection" solved the issue immediately. In this case also, they were using a 3rd-party antivirus solution. At both customers the proper exclusions for SCCM were configured for their 3rd-party antivirus, which would normally prevent these types of issues.
What set these two servers apart from their other SCCM servers is that they were running Windows Server 2016.
As you may or may not know, Microsoft included Windows Defender in Windows Server 2016, where it is installed and enabled by default. Unlike in previous versions of Windows Server, installing a 3rd-party antivirus product will not automatically disable Windows Defender, so both real-time scanners can end up running side by side, and only one of them has your SCCM exclusions. The following page of the Server 2016 online documentation describes exactly how this works:
Configure the recommended SCCM antivirus scanning exclusions for Windows Defender using either Group Policy or SCCM (an Antimalware Policy in Endpoint Protection). A great list of SCCM scanning exclusions can be found in this blog post by Brandon McMillan, who is also an SCCM PFE at Microsoft:
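As an added example (not code from the original post), here is how to confirm from PowerShell that Defender is still active on a Server 2016 site server, apply exclusions with the Defender cmdlets, and verify they took effect. The install path and the specific folders and processes below are placeholders for illustration only; take the actual list from the exclusions post linked above.

```powershell
# Added example, not the author's code. $SiteInstallDir and the exclusion
# entries are assumptions; substitute the real list of SCCM exclusions.
$SiteInstallDir = 'C:\Program Files\Microsoft Configuration Manager'

# 1. Is Defender still scanning even though a 3rd-party AV is installed?
$status = Get-MpComputerStatus
"Defender AM service enabled : $($status.AMServiceEnabled)"
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

# 2. Folder exclusions: the inboxes are where the write/checksum/move churn
#    described in this post happens. Keep these as narrow as possible, since
#    every excluded path is a blind spot for the scanner.
$paths = @(
    (Join-Path $SiteInstallDir 'inboxes'),
    (Join-Path $SiteInstallDir 'Logs')
)

# 3. Process exclusions: the site component executive (placeholder entry).
$processes = @(
    (Join-Path $SiteInstallDir 'bin\x64\smsexec.exe')
)

Add-MpPreference -ExclusionPath $paths -ExclusionProcess $processes

# 4. Read the effective preferences back and report anything that did not
#    stick (for example, because the setting is managed by Group Policy).
$pref     = Get-MpPreference
$applied  = @($pref.ExclusionPath) + @($pref.ExclusionProcess)
$missing  = @($paths + $processes) | Where-Object { $_ -notin $applied }

if ($missing) {
    Write-Warning ("Exclusions not applied: " + ($missing -join ', '))
} else {
    'All requested Defender exclusions are present.'
}
```

Two practical caveats: if the exclusion settings are delivered by Group Policy or an SCCM Antimalware Policy, the policy wins over anything set locally with Add-MpPreference, so treat the local cmdlets as a way to test and verify, and put the authoritative list in the policy. And exclusions are a trade-off: a folder Defender no longer scans is a folder where a dropped payload goes unnoticed, so exclude only the documented SCCM paths and processes, never whole drives, and keep other monitoring on those directories.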
One of the many great features in SCCM is the ability to use Baselines to monitor SCCM client devices for specific issues or symptoms. If you would like to find the Windows Server 2016 devices in your environment where Defender real-time protection is still enabled, run the following script on your Site Server to create a Configuration Item and a Baseline, both named "Verify Windows Defender Real-Time Scanning Status".
Then deploy the baseline to a collection containing only Windows Server 2016 devices. Any device that reports Non-Compliant still has real-time scanning enabled.
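The following is an added example of how such a Configuration Item and Baseline can be built and deployed with the ConfigurationManager PowerShell module; it is not the author's script. It assumes a site code of PS1 and an existing device collection named "All Windows Server 2016 Devices", both placeholders, and a console session where the module can be loaded from the admin console install path.

```powershell
# Added example, not the author's script. $SiteCode and $CollectionName are
# assumptions; adjust them for your site before running.
$SiteCode       = 'PS1'
$CollectionName = 'All Windows Server 2016 Devices'
$Name           = 'Verify Windows Defender Real-Time Scanning Status'

# Load the ConfigurationManager module from the admin console and switch to
# the site drive, as the console's "Connect via Windows PowerShell" does.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# Discovery script evaluated on each client. Returns $true when Defender
# real-time protection is on. Get-MpComputerStatus is absent where the
# Defender feature has been removed, so that case is reported as $false.
$discovery = @'
try {
    $s = Get-MpComputerStatus -ErrorAction Stop
    [bool]$s.RealTimeProtectionEnabled
} catch {
    $false
}
'@

# Configuration Item targeting Windows devices.
$ci = New-CMConfigurationItem -Name $Name -CreationType WindowsOS `
        -Description 'Flags Server 2016 devices where Defender real-time protection is still enabled.'

# Script setting with a value rule: compliant only when the script returns False.
# -Is64Bit runs the discovery script in 64-bit PowerShell on the client.
$ci | Add-CMComplianceSettingScript -Name 'Defender real-time protection state' `
        -DataType Boolean `
        -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $discovery -Is64Bit `
        -ValueRule -ExpressionOperator IsEquals -ExpectedValue 'False' `
        -RuleName 'Real-time protection must be off on SCCM site servers' `
        -NoncomplianceSeverity Warning -ReportNoncompliance

# Baseline that contains the CI, then a daily-evaluated deployment to the
# Server 2016 collection. Non-Compliant devices still have real-time scanning on.
$null = New-CMBaseline -Name $Name
Set-CMBaseline -Name $Name -AddOSConfigurationItem $ci.CI_ID

New-CMBaselineDeployment -Name $Name -CollectionName $CollectionName `
        -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1)
```

One thing to check before deploying: the Configuration Manager client evaluates PowerShell discovery scripts under the execution policy set in Client Settings (Computer Agent, "PowerShell execution policy"), which defaults to AllSigned. Either sign the discovery script or set that client setting to Bypass for the target collection, otherwise every device reports an evaluation error rather than Compliant or Non-Compliant.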