Microsoft Tech Community

Defender for Endpoint - ConfigMgr


We are a strictly on-prem shop that uses ConfigMgr. We've onboarded our devices via the onboarding script that was generated directly from Settings -> Endpoints -> Onboarding in 365 Defender and now see them inside 365 Defender under Devices. However, under the "Managed By" column in 365 Defender, most now say "MDE" while a few say "ConfigMgr".


For reference, we're strictly on-prem, have nothing in Intune, and are all running the latest Windows 10 version. Our ConfigMgr server is version 2207 running Server 2022. Did we do something wrong?

7 Replies

Hello @lloydz,


Did you onboard your devices using this: Onboarding using Microsoft Endpoint Configuration Manager | Microsoft Learn?

@mikhailf Yes, we used the "on-premise architecture" instructions from that link. We had an existing Antimalware Policy in ConfigMgr, and we used the onboarding file generated from 365 Defender, imported it into ConfigMgr and applied it to our device collection.

@lloydz, please check that MDE security configuration management is not enabled in the Defender portal under Settings, Endpoints and Enforcement Scope since you are planning to use only SCCM.

https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration

That might be the issue then. That option was enabled. I've turned it off - should the devices update themselves or would we need to offboard them and onboard them again?

@lloydz, everything should update the next time the devices sync with the M365 Defender portal.


Check locally that the SCCM Antimalware policy has been applied correctly. You can try with the PowerShell command Get-MpPreference, checking SCCM logs, RSOP.msc, etc.


Turning off that setting has steadily decreased the number of "Managed by MDE", however, those that were managed by MDE now say "Unknown". What am I looking for exactly when I run "Get-MpPreference" that can tell whether it's managed by ConfigMgr?

@lloydz, you should see the devices change to being managed by ConfigMgr.


When you use Get-MpPreference, you want to check that the settings defined by your SCCM Antimalware policy have been applied correctly.
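The local checks suggested in the replies above (Get-MpPreference against the ConfigMgr Antimalware policy, the SCCM client logs, and the MDE enrollment state) can be combined into one script run on a client. This is an added example, not code from the thread or from Microsoft; it assumes a hypothetical Antimalware policy whose expected values are listed in $ExpectedPolicy (replace them with your own), and it treats the SenseCM registry key as the indicator of MDE security configuration management enrollment (absence of the key is taken to mean the device was never enrolled).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a client.
# Checks three things a ConfigMgr-managed MDE client should satisfy:
#   1. the device is onboarded to MDE (Sense service running, OnboardingState = 1)
#   2. MDE security configuration management (SenseCM) is not enrolled
#   3. the effective Defender settings match the ConfigMgr Antimalware policy

# ASSUMPTION: values for a hypothetical ConfigMgr Antimalware policy. Adjust to yours.
# Encodings follow Get-MpPreference: ScanParameters 1 = quick, 2 = full;
# ScanScheduleDay 0 = every day, 1..7 = Sun..Sat, 8 = never; MAPSReporting 0/1/2.
$ExpectedPolicy = @{
    DisableRealtimeMonitoring = $false
    ScanParameters            = 2
    ScanScheduleDay           = 0
    MAPSReporting             = 2
    SubmitSamplesConsent      = 1
}

function Test-MdeOnboarding {
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState    = $status.OnboardingState
        Onboarded          = ($sense.Status -eq 'Running') -and ($status.OnboardingState -eq 1)
    }
}

function Test-SenseCmEnrollment {
    # ASSUMPTION: EnrollmentStatus under HKLM\SOFTWARE\Microsoft\SenseCM reflects MDE
    # security configuration management; missing key = never enrolled.
    $cm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        EnrollmentStatus = if ($cm) { $cm.EnrollmentStatus } else { $null }
        EnrolledInSenseCM = ($null -ne $cm -and $cm.EnrollmentStatus -eq 1)
    }
}

function Compare-DefenderPolicy([hashtable]$Expected) {
    # Compare each expected setting with the effective value reported by Defender.
    $actual = Get-MpPreference
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        [PSCustomObject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Matches  = ($value -eq $Expected[$name])
        }
    }
}

function Get-ConfigMgrEpLogTail([int]$Lines = 15) {
    # ConfigMgr's Endpoint Protection client logs policy application here.
    $log = Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'
    if (Test-Path $log) { Get-Content -Path $log -Tail $Lines } else { "Log not found: $log" }
}

# ---- Run the checks and print a summary ----
$onboarding = Test-MdeOnboarding
$senseCm    = Test-SenseCmEnrollment
$policy     = Compare-DefenderPolicy -Expected $ExpectedPolicy

Write-Host "MDE onboarding:"; $onboarding | Format-List
Write-Host "MDE security configuration management:"; $senseCm | Format-List
Write-Host "ConfigMgr Antimalware policy vs effective settings:"; $policy | Format-Table -AutoSize
Write-Host "Last lines of EndpointProtectionAgent.log:"; Get-ConfigMgrEpLogTail

# Exit non-zero when anything is off so the script can be run as a ConfigMgr script
# or compliance check against the whole collection.
$mismatches = @($policy | Where-Object { -not $_.Matches })
if (-not $onboarding.Onboarded -or $senseCm.EnrolledInSenseCM -or $mismatches.Count -gt 0) {
    Write-Warning "Device is not in the expected ConfigMgr-managed state."
    exit 1
}
Write-Host "OK: onboarded, not enrolled in SenseCM, policy settings match."
exit 0
```

A device that still shows as managed by MDE after the enforcement-scope setting is turned off will typically report EnrolledInSenseCM as true here until it syncs again; a device whose policy rows show Matches = false has not yet received (or has had overridden) the ConfigMgr Antimalware policy, and the log tail shows what the ConfigMgr client last did with it.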