soetie

SCCM endpoint protection 2012 on windows 10


Hi All,

I'm having a few questions but can't find the answers to them:

1. Is SCCM Endpoint Protection officially released for Windows 10?

2. Can I install and manage SCCM EP also without the complete SCCM suite?

3. Is endp. protec. in Windows 10 the same as the default Windows Defender?

For now we have a policy that updates the client through Windows Update.

I don't want to use SCCM but I still want to use endpoint protec. and manage updates etc. through GPO.

Is that possible?

Regards



SCCM is not needed. You can simply use Windows Defender and configure it with group policies. That's basically the same as what SCEPInstall.exe is doing when you are using Endpoint Protection with SCCM in Windows 10.


So, what is the answer here?

We know SCEP is replaced in win 10 with Defender. I have messed with group policy to try and get it to run, with no success. I previously deployed SCEP with the ccm client. Now no matter what I try, short of changing the regkey for Defender locally (which gets turned off again when GPO is applied, regardless of a change in group policy settings), I have found no way to get access to the GUI locally on the client or see that it is being managed by the SCCM SCEP policy. What the heck is going on here?

 

Thanks,


I guess where you gain is on the reporting level. Windows Defender will do the job to secure your computer, but on a management level you'll need CM. I never used it, but the reports are there and I assume that you might have more control to arrange different policies for different computer groups.


I think that if I could somehow magically get SCEP v. 4.8.10240.16384 into SMS_CCM\Client, where my client install bits are, it would maybe work. Right now I have v. 4.7.214.0. Any idea which MS forest-gnome I have to genuflect to to get that upgrade? Is this even an accurate assumption?


I imagine some of you sitting back and having a good chuckle at my little saga, but I think I've found out a few things that could come in handy. I'm still waiting to see if this is the real solution or not. So, bear with me.

 

1) It doesn't seem to matter what version of SCEP gets pushed with the ccm client install (the install will fail anyway - at least from what I've seen. Might be different with the GPO setting corrected?) as, when everything else is configured correctly, it looks like win 10 just uses whichever version of Defender it has on hand.

2) I had three GPOs on the OU I was testing. From what I've found, all three have to have "Turn off Windows Defender" disabled. It looks like it should have worked with it Not configured as well, but that didn't seem to be the case for me. The key to watch on the client side is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender - DisableAntiSpyware. If that is set to '1', there will be problems.

3) Then, doing nothing else, I changed my Default Antimalware Policy in SCCM, toggling Real-time protection > Allow users on client computers to configure real-time protection settings. I would then update the machine policy via the ccm client and I could see it being greyed on/off. So, I know my malware policy is still being respected via ccm settings. Though the settings now seem to be part of the OS and not in a tab on the Defender/SCEP GUI.

4) I ran gpupdate and rebooted several times and everything has stuck so far.

That's all I've got. Hope it helps someone. I wasn't able to find a single source anywhere that mentioned all of this in one go. So, FWIW. :)

  • Like 1
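
A client-side check for the state described in the post above, as an added example that is not part of the original thread: it reads the DisableAntiSpyware policy value, reports Defender's runtime status, and lists the GPOs applied to the computer when the value is 1. The function names are hypothetical; run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example (not from the thread): check whether policy is turning Defender off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$valueName = 'DisableAntiSpyware'

function Get-DefenderPolicyState {
    # Returns the policy value named in the thread, or 'NotSet' when it is absent.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    return [int]$item.$valueName
}

function Get-DefenderRuntimeState {
    # Get-MpComputerStatus comes with the Defender module; it can throw when the
    # Defender service is not running, so the error is captured instead of raised.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AntivirusEnabled          = $s.AntivirusEnabled
            RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
            EngineVersion             = $s.AMEngineVersion
            SignatureAgeDays          = $s.AntivirusSignatureAge
        }
    } catch {
        [pscustomobject]@{ AntivirusEnabled = $false; Error = $_.Exception.Message }
    }
}

$policy  = Get-DefenderPolicyState
$runtime = Get-DefenderRuntimeState

"Policy value $valueName = $policy"
$runtime | Format-List

if ($policy -eq 1) {
    Write-Warning "$valueName is 1 under the Policies key; the thread reports problems in this state."
    # Show the OU and the GPOs that actually apply to this computer,
    # to find which one still has 'Turn off Windows Defender' enabled.
    gpresult /r /scope computer
}
```

Run it again after `gpupdate /force` and after a reboot: a value that flips back to 1 points at a GPO (or an unexpected OU) still applying the setting.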


P.S. I also tested defender communication with SCCM with an EICAR file and it caught, removed and reported on the file in the SCCM console as expected.


#Failure

 

Even with group policy set as above, after letting it sit all day, rebooting, manually updating group policy as well as it being refreshed by the normal update cycle, and it being fine ALL day, I just rebooted my test machine and got a pop-up saying that "This app is turned off by group policy", which it isn't, and nothing has changed.

Am I going to have to set a manual config on that damn key to make this work? Group policy doesn't seem to care much what the hell the setting is.

SOMEHOW my test computer got moved into a different OU. All is well. As you were.
