Microsoft Tech Community

MDE conflicting with Microsoft Endpoint Configuration Manager Distribution points

Hi All,

I have a strange issue with MDE and Configuration Manager. Ever since I onboarded my site server (Server 2012 R2) and distribution points (Server 2016), I have been having very strange issues with distributing content, especially driver and Windows update packages. If I offboard these servers from MDE, everything works fine (with Microsoft Defender AV still working); as soon as I onboard them again, the issue begins again. Any ideas on this one?

8 Replies
What kind of issues? Can you share some details?

Very sorry, I was in a rush and it looks like I missed out detail!
When MDE is monitoring the servers and I try to distribute content (mainly driver packages and software update packages), the content constantly fails to distribute. It's not unusual to have 5-8 retries; sometimes it won't even begin and I will need to restart the site server or the distribution points. If MDE is not monitoring the Configuration Manager servers, then all is fine.

Not a problem and thank you for elaborating on the issue. It could be MDE related and will also depend on the kind of policies applied. Are you using additional features like ASR, Controlled Folder Access? You may have to look at excluding the DP content locations.

I am using ASR, but the issue began before I applied ASR, and I have been sure not to apply the ASR policies that are not recommended to be used with MECM. I am not using Controlled Folder Access. I have applied the recommended exclusions to Microsoft Defender AV; however, this is not for MDE. It does not look like you can apply exclusions for MDE, only Microsoft Defender AV.

Then AV exclusions should suffice. Did you try running advanced hunting queries? Maybe check against AV based action type. Have a look at some of the blog posts I have published on this topic. It may just help you. https://rahuljindalmyit.blogspot.com/search?q=Hunting

Hi @rahuljindal-MVP 

I added AV exclusions about a month ago as per this Microsoft Doc, "Recommended antivirus exclusions for Configuration Manager - Configuration Manager | Microsoft Docs", yet I am still seeing the issue. If I offboard MDE but keep Microsoft Defender AV running, the issue stops. I have run a few queries in advanced hunting but I cannot see anything that is being blocked that could be causing this issue.

@David_Smith040, a Microsoft support engineer should be able to investigate and check if it's related to SMB (CIFS) Opportunistic Lock (OpLocks). Thanks. Yong

I think you might have hit the nail on the head. The Configuration Manager logs on the DP say that it doesn't have access to the directory, like the security is wrong, but once you retry it again then it works (or just writes a few extra files then fails again). I have created a case this morning.