SCCM Client Settings - Endpoint Protection

%3CLINGO-SUB%20id%3D%22lingo-sub-1621847%22%20slang%3D%22en-US%22%3ESCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1621847%22%20slang%3D%22en-US%22%3E%3CP%3EHello.%20Over%2090%25%20of%20our%20sccm%20clients%20are%20failing%20client%20check%20however%2C%20Client%20activity%20looks%20great.%3C%2FP%3E%3CP%3EI%20think%20the%20issue%20is%20we%20use%20Crowdstrike%2C%20but%20in%20our%20SCCM%20Client%20settings%2C%20we%20have%20a%20Endpoint%20Protection%20policy%20that%20is%20set%20to%20%22Yes%22%20for%20%22Manage%20Endpoint%20Protection%20Client%20on%20Client%20computers%22.%3C%2FP%3E%3CP%3EFrom%20what%20I%20can%20tell%2C%20if%20using%20a%203rd%20party%20anti-virus%2C%20this%20setting%20should%20be%20set%20to%20No%3F%3C%2FP%3E%3CP%3EIs%20that%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1621847%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESystem%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1635447%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1635447%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F776338%22%20target%3D%22_blank%22%3E%40DMobley_232%3C%2FA%3E%26nbsp%3BYou%20don't%20mention%20what%20client%20checks%20are%20failing%20exactly%2C%20but%20setting%20the%20%22Manage%20Endpoint%20Protection%20client%20on%20client%20computers%22%20to%20%22No%22%20when%20using%20a%20third-party%20anti-malware%20solution%20would%20probably%20be%20a%20good%20idea.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1637549%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1637549%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3BI%20am%20referencing%20when%20you%20go%20to%20Monitoring%26gt%3B%20Client%20Status%26gt%3B%20Client%20Check%3C%2FP%3E%3CP%3EUnfortunately%20without%20a%20Microsoft%20document%20the%20admin%20will%20not%20set%20Microsoft%20endpoint%20Protection%20on%20client%20computers%20to%20no.%3C%2FP%3E%3CP%3EWe%20us%20crowdstrike%20if%20that%20helps%20at%20all.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1641423%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1641423%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F776338%22%20target%3D%22_blank%22%3E%40DMobley_232%3C%2FA%3E%26nbsp%3BWhat%20I%20meant%20was%2C%20you%20didn't%20mention%26nbsp%3B%3CEM%3Ewhich%3C%2FEM%3E%20client%20checks%20fail.%20The%20Client%20Status%20dashboard%20(%5CMonitoring%5COverview%5CClient%20Status)%20contains%20a%20Most%20Frequent%20Client%20Check%20Errors%20bar%20graph%20that%20should%20give%20you%20an%20idea%20which%20checks%20are%20failing%20most%20frequently.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20for%20the%20%22Manage%20Endpoint%20Protection%20client%20on%20client%20computers%22%20setting%3A%20this%20is%20set%20to%20%22No%22%20by%20default.%20Before%20you%20can%20even%20set%20this%20to%20%22Yes%22%2C%20you%20need%20to%20install%20the%20Endpoint%20Protection%20point%20role%20in%20the%20site.%20None%20of%20this%20is%20required%20if%20you%20don't%20want%20to%20manage%20the%20Windows%20Defender%20using%20ConfigMgr%2C%20and%20both%20of%20these%20require%20a%20conscious%20decision%20by%20and%20effort%20from%20an%20administrator%2C%20so%20this%20is%20something%20that%20someone%20enabled%20in%20your%20site%20at%20some%20point%20in%20time.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMore%20information%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20title%3D%22Planning%20for%20Endpoint%20Protection%20in%20Configuration%20Manager%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fprotect%2Fplan-design%2Fplanning-for-endpoint-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPlanning%20for%20Endpoint%20Protection%20in%20Configuration%20Manager%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20title%3D%22Endpoint%20Protection%20overview%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fprotect%2Fdeploy-use%2Fendpoint-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEndpoint%20Protection%20overview%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CA%20title%3D%22How%20to%20configure%20Endpoint%20Protection%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fprotect%2Fdeploy-use%2Fendpoint-protection-configure%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20configure%20Endpoint%20Protection%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1641796%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1641796%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F241578%22%20target%3D%22_blank%22%3E%40Michiel%20Overweel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20You.%20I%20see%20what%20you%20are%20saying%20now.%20It%20looks%20like%20it%20is%20failing%20the%20CcmEval%20task.%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20currently%20use%20Crowdstrike%20as%20our%20primary%20endpoint%20protection%2C%20however%20they%20still%20want%20Windows%20Defender%20in%20the%20event%20crowdstrike%20fails%20and%20defender%20would%20be%20the%20backup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EWe%20do%20have%20%22endpoint%20protection%20point%22%20configured%20under%20Site%20system%20Roles.%3C%2FLI%3E%3CLI%3EThere%20is%20a%20Desktop%20Policy%20under%20Assets%20and%20Compliance%26gt%3BEndpoint%20Protection%26gt%3BAntimalware%20policies%3C%2FLI%3E%3CLI%3EThere%20is%20also%20a%20policy%20set%20for%20endpoint%20protection%20under%20Administration%26gt%3B%20Client%20Settings%26gt%3B%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20a%20test.%20I%20created%20a%20new%20collection%20of%2015%20computers.%20They%20were%20all%20Client%20Check%3DFailed%20in%20Client%20status%26gt%3B%20Client%20check.%3C%2FP%3E%3CP%3EI%20created%20a%20new%20client%20setting%20policy%20under%20Administration%26gt%3B%20Client%20settings%20that%20was%20deployed%20to%20the%2015%20computers%20with%20%22NO%22%20to%20Manage%20Endpoint%20Protection%20Client%20on%20client%20Computers.%20Within%2024%20hours%2C%2075%25%20of%20the%20test%20computers%20successfully%20passed%20client%20check.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20then%20changed%20the%20setting%20to%20%22Yes%22%20and%2024%20hours%20later%2C%20all%20the%20computers%20but%201%20are%20back%20to%20%22Failed%20Client%20Check%22.%20In%20the%20computers%20that%20failed%2C%20I%20did%20find%20this%20in%20the%20ccmeval%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEvaluating%20health%20check%20rule%20%7BB89B8B51-369F-42E6-80BC-FF46B8963B0F%7D%20%3A%20Verify%2FRemediate%20Antimalware%20service%20status%20for%20Windows%2010%20or%20up.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20CcmEval%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%209%2F6%2F2020%2010%3A56%3A03%20AM%26nbsp%3B%2039032%20(0x9878)%3C%2FP%3E%3CP%3EAttempting%20to%20change%20service%20status%20for%20service%20'WinDefend'%20to%20'Running'.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20CcmEval%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%209%2F6%2F2020%2010%3A56%3A03%20AM%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2039032%20(0x9878)%3C%2FP%3E%3CP%3EFailed%20to%20start%20the%20service%20'WinDefend'%2C%20hr%3D80004005%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20CcmEval%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%209%2F6%2F2020%2010%3A56%3A03%20AM%26nbsp%3B%2039032%20(0x9878)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1647457%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20Client%20Settings%20-%20Endpoint%20Protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1647457%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F456065%22%20target%3D%22_blank%22%3E%40DMobley232%3C%2FA%3E%26nbsp%3BThis%20is%20exactly%20as%20expected.%20As%20documented%20in%26nbsp%3B%3CA%20title%3D%22Microsoft%20Defender%20Antivirus%20compatibility%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-antivirus%2Fmicrosoft-defender-antivirus-compatibility%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Defender%20Antivirus%20compatibility%3C%2FA%3E%26nbsp%3B%2C%20%3CEM%3E%22If%20your%20organization's%20endpoints%20and%20devices%20are%20protected%20with%20a%20non-Microsoft%20antivirus%2Fantimalware%20solution%2C%20and%20Microsoft%20Defender%20ATP%20is%20not%20used%2C%20then%20Microsoft%20Defender%20Antivirus%20automatically%20goes%20into%20disabled%20mode%22.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%2C%20in%20your%20client%20settings%20you've%20configured%20Defender%20to%20be%20enabled.%20As%20a%20result%2C%20the%20Configuration%20Manager%20Health%20Evaluation%20task%20(CcmEval)%20will%20check%20the%20status%20of%20the%20Defender%20service%20and%2C%20if%20it%20isn't%20enabled%20and%2For%20running%2C%20will%20try%20to%20enable%20and%2For%20start%20it.%20Obviously%20this%20fails%20because%20a%20third-party%20antivirus%20solution%20is%20installed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20aforementioned%20document%20also%20states%20that%20%3CEM%3E%22When%20Microsoft%20Defender%20Antivirus%20is%20automatic%20disabled%2C%20it%20can%20automatically%20re-enable%20if%20the%20protection%20offered%20by%20a%20third-party%20antivirus%20product%20expires%20or%20otherwise%20stops%20providing%20real-time%20protection%20from%20viruses%2C%20malware%20or%20other%20threats.%20This%20is%20to%20ensure%20antivirus%20protection%20is%20maintained%20on%20the%20endpoint%22.%3C%2FEM%3E%20So%20for%20that%2C%20you%20don't%20need%20to%20enable%20the%20Defender%20management%20client%20settings%20in%20ConfigMgr%20at%20all.%20My%20recommendation%20would%20be%20to%20disable%20these%20settings%2C%20and%20to%20uninstall%20the%20Endpoint%20Protection%20point%20if%20no%20longer%20needed.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello. Over 90% of our sccm clients are failing client check however, Client activity looks great.

I think the issue is we use Crowdstrike, but in our SCCM Client settings, we have a Endpoint Protection policy that is set to "Yes" for "Manage Endpoint Protection Client on Client computers".

From what I can tell, if using a 3rd party anti-virus, this setting should be set to No?

Is that correct?

5 Replies
Highlighted

@DMobley_232 You don't mention what client checks are failing exactly, but setting the "Manage Endpoint Protection client on client computers" to "No" when using a third-party anti-malware solution would probably be a good idea.

Highlighted

@Michiel Overweel I am referencing when you go to Monitoring> Client Status> Client Check

Unfortunately without a Microsoft document the admin will not set Microsoft endpoint Protection on client computers to no.

We us crowdstrike if that helps at all.

Highlighted

@DMobley_232 What I meant was, you didn't mention which client checks fail. The Client Status dashboard (\Monitoring\Overview\Client Status) contains a Most Frequent Client Check Errors bar graph that should give you an idea which checks are failing most frequently.

 

As for the "Manage Endpoint Protection client on client computers" setting: this is set to "No" by default. Before you can even set this to "Yes", you need to install the Endpoint Protection point role in the site. None of this is required if you don't want to manage the Windows Defender using ConfigMgr, and both of these require a conscious decision by and effort from an administrator, so this is something that someone enabled in your site at some point in time.

 

More information:

Highlighted

@Michiel Overweel 

Thank You. I see what you are saying now. It looks like it is failing the CcmEval task. 

We currently use Crowdstrike as our primary endpoint protection, however they still want Windows Defender in the event crowdstrike fails and defender would be the backup.

 

  1. We do have "endpoint protection point" configured under Site system Roles.
  2. There is a Desktop Policy under Assets and Compliance>Endpoint Protection>Antimalware policies
  3. There is also a policy set for endpoint protection under Administration> Client Settings>

 

As a test. I created a new collection of 15 computers. They were all Client Check=Failed in Client status> Client check.

I created a new client setting policy under Administration> Client settings that was deployed to the 15 computers with "NO" to Manage Endpoint Protection Client on client Computers. Within 24 hours, 75% of the test computers successfully passed client check.

 

I then changed the setting to "Yes" and 24 hours later, all the computers but 1 are back to "Failed Client Check". In the computers that failed, I did find this in the ccmeval

 

Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up.      CcmEval               9/6/2020 10:56:03 AM  39032 (0x9878)

Attempting to change service status for service 'WinDefend' to 'Running'.              CcmEval               9/6/2020 10:56:03 AM         39032 (0x9878)

Failed to start the service 'WinDefend', hr=80004005        CcmEval               9/6/2020 10:56:03 AM  39032 (0x9878)

 

Any ideas?

Highlighted

@DMobley232 This is exactly as expected. As documented in Microsoft Defender Antivirus compatibility , "If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode".

 

However, in your client settings you've configured Defender to be enabled. As a result, the Configuration Manager Health Evaluation task (CcmEval) will check the status of the Defender service and, if it isn't enabled and/or running, will try to enable and/or start it. Obviously this fails because a third-party antivirus solution is installed.

 

The aforementioned document also states that "When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint". So for that, you don't need to enable the Defender management client settings in ConfigMgr at all. My recommendation would be to disable these settings, and to uninstall the Endpoint Protection point if no longer needed.