Breaking News! Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients. The Configuration Manager (SCCM) support team has confirmed a critical issue affecting co-managed clients in versions 2309 and 2403.
Administrators who manage Defender settings from Intune are seeing SCCM remove those settings. The problem arises from a conflict between the Defender policies enforced by SCCM and those enforced by Intune.
When both SCCM and Intune attempt to apply their policies, SCCM’s policies take precedence, removing Defender settings configured by Intune. While the cause of the problem is known, the SCCM team is still working on fixing it. In the meantime, they’ve offered a temporary solution.
SCCM 2403 is the latest update for Microsoft’s Configuration Manager Current Branch. It brings new features and improvements that make managing systems easier. This post covers the details of the Defender settings getting removed for co-managed SCCM 2309 and 2403 clients.
Would this Issue Impact Co-managed Devices that Don’t have Endpoint Protection-Enabled Client Settings Pushed from SCCM?
No, it shouldn’t. Based on testing, this issue does not affect co-managed devices that don’t have endpoint protection-enabled client settings pushed from SCCM.
Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients
Microsoft Intune can no longer manage Microsoft Defender security configurations after updating to Configuration Manager version 2403 or installing the Update Rollup for 2309. If you had set up Microsoft Intune to manage Defender settings on your devices, Intune can no longer control those settings after the update.
- Instead, Configuration Manager will take over the management of Defender settings.
- This change might affect how your security policies are applied to devices, so reviewing and adjusting your settings in Configuration Manager is essential.
Drop in Microsoft Security Score Values in Intune
A drop may be observed when viewing Intune’s Microsoft Security Score values. This issue occurs because security policy configuration data is incorrectly removed from clients after upgrading Configuration Manager clients.
The drop in security scores for clients occurs when all of the following conditions are met.
- Co-management with Intune – The Configuration Manager clients are co-managed with Microsoft Intune.
- Active Management in Intune – Intune actively manages the “Device Configuration > Endpoint Protection” workload, which means it manages the security settings for endpoint protection.
- Endpoint Protection Client Management Setting – The “Manage Endpoint Protection client on client computers” value is set to “Yes” in client settings. This setting indicates that Configuration Manager manages Endpoint Protection client settings.
When all three conditions are met, the security policy configuration data from Intune is mistakenly removed during the Configuration Manager client upgrade, lowering the Microsoft Security Score values in Intune. Addressing this issue is essential to ensure that devices maintain the appropriate security configurations and scores.
Important Notice for Customers Regarding Configuration Manager Updates
For customers with potentially affected environments, it’s advisable to hold off on deploying version 2403 or the 2309 Update Rollup until a fix is available. However, if your environment has already been updated but the new clients aren’t installed yet, there are steps you can take.
Following the steps below can help minimize the issue’s impact until a permanent fix is provided.
1. Disable Automatic Client Upgrades
If your setup automatically upgrades clients in the pre-production collection using the pre-production client, it’s recommended that you disable this feature for now. This prevents the potentially problematic clients from being rolled out automatically.
2. Avoid Promoting Pre-production Client
Avoid using the “Promote Pre-production Client” action. This action promotes new clients to production, potentially introducing the issue to more devices.
Solution for Already Updated Clients
Let’s discuss the solution for already updated clients. If your clients have already been updated, you can take the following steps to address the issue.
1. Set Manage Endpoint Protection Client to No
You can adjust the Client Settings in the SCCM console by setting the “Manage Endpoint Protection client on client computers” value to “No.” Make sure this change applies only to the client settings deployed to collections of co-managed clients.
By setting this value to “No,” you temporarily turn off Configuration Manager’s management of Endpoint Protection clients on the affected devices. This action allows Microsoft Intune policy to reapply, effectively managing the clients as expected.
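The following script is an added example and not part of the original post or Microsoft’s guidance. It first inventories which custom client settings objects have the “Manage Endpoint Protection client on client computers” value enabled and which collections they are deployed to (the three conditions listed earlier), and then applies the workaround above to a single named settings object. It assumes the ConfigurationManager PowerShell module that ships with the console, and that the cmdlets and parameters used here (Get-CMClientSetting with -Setting, Get-CMClientSettingDeployment, Set-CMClientSettingEndpointProtection -Enable) behave as in current console versions; the site code and the settings name “Co-managed Clients” are placeholders you replace with your own.

```powershell
# Added example (not from the original post): audit Endpoint Protection management
# in ConfigMgr client settings, then set it to "No" on the object targeting co-managed
# collections. Cmdlet/parameter names are assumed to match your console version;
# check Get-Help <cmdlet> -Full before relying on them.
param(
    [Parameter(Mandatory)] [string] $SiteCode,                    # e.g. "PS1"; replace with your site code
    [string] $CoManagedClientSettingName = 'Co-managed Clients',  # hypothetical name; replace with yours
    [switch] $Apply                                               # omit to preview only (-WhatIf)
)

# Load the console module and switch to the site drive (standard ConfigMgr pattern).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):\"

# 1. Inventory: every custom client settings object (Type 0 is assumed to be the
#    Default Client Settings), its Endpoint Protection block (a hashtable whose key
#    names vary by version) and the collections it is deployed to.
$report = foreach ($cs in Get-CMClientSetting | Where-Object { $_.Type -ne 0 }) {
    $ep = Get-CMClientSetting -Name $cs.Name -Setting EndpointProtection
    $targets = Get-CMClientSettingDeployment -Name $cs.Name -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-CMCollection -Id $_.CollectionID).Name }
    [pscustomobject]@{
        ClientSetting      = $cs.Name
        EndpointProtection = ($ep.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        Collections        = ($targets -join ', ')
    }
}
$report | Format-Table -AutoSize

# 2. Workaround from the post: "Manage Endpoint Protection client on client computers"
#    = No, only on the settings object deployed to co-managed collections.
#    Without -Apply the cmdlet runs with -WhatIf and only reports the change.
$whatIf = -not $Apply
Set-CMClientSettingEndpointProtection -Name $CoManagedClientSettingName -Enable $false -WhatIf:$whatIf
```

Run it first without -Apply and read the inventory table: the settings object you change should be deployed only to collections of co-managed devices, otherwise on-premises clients that rely on Configuration Manager for Defender policy would lose their management too.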
Understanding the Issue with SCCM and Intune Managed Clients
In environments where on-premises (Configuration Manager-managed) clients and Intune-managed clients coexist, the handling of Defender policies is inconsistent.
- Intune-Managed Clients – Clients managed by Intune shouldn’t receive Defender policies from the Configuration Manager. However, the Configuration Manager still sends policies, which leads to issues.
- On-Premises Defender-Managed Clients – On-premises clients managed by Configuration Manager are expected to receive Defender policies from it.
However, the problem arises when Configuration Manager mistakenly identifies Intune as the manager of Defender settings but still interferes with them. This results in the removal of antimalware registry keys and even the deletion of Defender keys.
The investigation is ongoing, but it’s clear that when Intune manages Defender, Configuration Manager shouldn’t interfere with its settings. This indicates a miscommunication or misinterpretation by the Configuration Manager agent regarding managing Defender settings.
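Because the post describes the symptom (Defender policy keys removed on a co-managed device) but no way to observe it, here is an added client-side snapshot script that is not from the original post. It records the Configuration Manager client version, the co-management flags, whether the Defender policy registry locations exist, and the live Defender state, so that a run taken before the client upgrade can be compared with one taken afterwards. The Defender cmdlets and the root\ccm SMS_Client class are standard; the CoManagementFlags value under HKLM\SOFTWARE\Microsoft\CCM and the two policy registry paths are assumptions to confirm against your own environment.

```powershell
# Added example (not from the original post): snapshot the Defender/co-management
# state of a client so two runs (before/after a ConfigMgr client upgrade) can be diffed.
# Registry locations below are assumptions; verify them in your environment.
function Get-DefenderCoMgmtState {
    $ccm = 'HKLM:\SOFTWARE\Microsoft\CCM'
    $policyPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',             # GPO/ConfigMgr-delivered policy (assumed)
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'   # MDM (Intune) Defender CSP (assumed)
    )
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ConfigMgrClient    = (Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue).ClientVersion
        CoManagementFlags  = (Get-ItemProperty -Path $ccm -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
        PolicyKeysPresent  = (($policyPaths | Where-Object { Test-Path $_ }) -join ', ')
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureVersion   = $status.AntivirusSignatureVersion
        # Measure-Object returns 0 for an empty/null list, unlike @($null).Count
        ExclusionCount     = ($pref.ExclusionPath | Measure-Object).Count +
                             ($pref.ExclusionProcess | Measure-Object).Count +
                             ($pref.ExclusionExtension | Measure-Object).Count
        Collected          = (Get-Date).ToString('s')
    }
}

# Take a snapshot, show it, and keep a timestamped CSV for later comparison.
$snapshot = Get-DefenderCoMgmtState
$snapshot | Format-List
$csv = Join-Path $env:ProgramData ("DefenderCoMgmtState-{0}.csv" -f (Get-Date -Format 'yyyyMMddHHmm'))
$snapshot | Export-Csv -Path $csv -NoTypeInformation
Write-Output "Snapshot written to $csv"
```

Run it as an administrator once before the client upgrade and once after: an MDM Defender policy path that disappears, or a Policies key that appears on a device where Intune owns the Endpoint Protection workload, is the kind of change the post describes, and the saved CSVs give you evidence to compare across devices.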
Author
About the Author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.