Jul 19 2022 07:15 AM
My customer just asked a really good question that I don't know the answer to. They have Defender for Endpoint managed by MECM (a.k.a. SCCM) on Windows Server 2012 R2, 2016 and 2019. They have just asked me, if we think there is an issue with DfE blocking a server application, how do we stop DfE quickly to determine if it is the issue.
First thought: use the security interface to stop DfE.
Second idea: stop the service.
The customer used a local group policy to block Defender, but there should be a better way to do this. The only other thing I've thought of is to remove the computer from the collection that DfE is targeted to in MECM and then update the policy. But I'm not sure how quickly this would work and what the side effects would be.
Does anyone else have any ideas?
Jul 19 2022 08:42 AM
I ran a few tests:
So I have a partial solution for 2016 and 2019, and nothing for 2012 R2. I considered the PowerShell command, but my understanding is that it doesn't work on 2012 R2.
Jul 19 2022 01:17 PM
Jul 19 2022 01:28 PM
Jul 19 2022 08:50 PM
Jul 20 2022 12:47 AM
This is a question I get from time to time when changes have been made to Dfe and afterward there seem to be problems with a software application. Most times, these problems are related to the ASR rules Controlled Folder Access and/or Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
What I can share with you is the way I work with such questions:
If none of the above steps gives me something, then most likely your problem is not related to Dfe. Because, if Dfe is actively blocking an application or action, it has a reason for that and it will likely be logged in the event viewer logs.
If a customer wants to make sure that Windows Defender is disabled for testing purposes, then I place the specified device in a separate group in the Azure AD and exclude this group from the specified policies (in MEM). After 2 hours of testing, you should know if Dfe is the problem or not.
In your case, if you are managing the policies through GPO, exclude your server from those policies and add the server to a temporary GPO with a Windows Defender disabled policy in it. After a gpupdate /force you can run rsop.msc to confirm that the right GPO is applied and Windows Defender is disabled. After 2 hours of testing, you should know if Dfe is the problem or not.
I hope this will help you in your troubleshooting process.
Martien van Dijk
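A quick way to do the check Martien describes (look at Defender's state and its event log before disabling anything), as an added PowerShell example that is not from this thread. It assumes the Defender PowerShell module is present (Server 2016/2019, as noted above) and an elevated prompt; the event IDs are the documented Defender operational-log IDs for detections, ASR and Controlled Folder Access.

```powershell
# Added example, not from the thread: triage whether Defender for Endpoint
# blocked something in the last N hours. Assumes the Defender module
# (Get-MpComputerStatus / Get-MpPreference) and an elevated prompt.
param([int]$Hours = 2)   # the 2-hour test window suggested in the thread

# 1. Is the engine actually on? If it is off, Dfe cannot be the cause.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AMServiceEnabled   = $status.AMServiceEnabled
} | Format-List

# 2. Which ASR rules are in block mode, and is Controlled Folder Access on?
#    Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref       = Get-MpPreference
$ids        = @($pref.AttackSurfaceReductionRules_Ids)
$actions    = @($pref.AttackSurfaceReductionRules_Actions)
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $ids.Count; $i++) {
    '{0}  {1}' -f $ids[$i], $actionName[[int]$actions[$i]]
}
"ControlledFolderAccess (0=Off,1=Block,2=Audit): $($pref.EnableControlledFolderAccess)"

# 3. Block/detection events from the Defender operational log.
#    1116/1117 = malware detected / action taken, 1121 = ASR rule blocked,
#    1122 = ASR audit, 1123 = CFA blocked, 1124 = CFA audit.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No Defender block/detection events in the last $Hours hour(s); look elsewhere first."
} else {
    # Keep only the message lines that identify the rule, file and process.
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n" |
            Where-Object { $_ -match '^\s*(ID|Path|Process Name|Detection User):' }) -join '; ' } } |
        Format-Table -AutoSize -Wrap
}
```

If step 3 shows 1121 or 1123 events naming the application's path or process, that is the rule to exclude or set to audit rather than disabling Defender wholesale.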
Jul 20 2022 06:56 AM
Jul 20 2022 04:02 PM