Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients

Breaking News! The Configuration Manager (SCCM) support team has confirmed a critical issue affecting co-managed clients running versions 2309 and 2403: Defender settings are being removed.

Administrators who manage Defender settings from Intune are seeing SCCM remove them. The issue arises from a conflict between the Defender policies enforced by SCCM and those enforced by Intune.

When both SCCM and Intune attempt to apply their policies, SCCM’s policies take precedence, removing Defender settings configured by Intune. While the cause of the problem is known, the SCCM team is still working on fixing it. In the meantime, they’ve offered a temporary solution.

SCCM 2403 is the latest update for Microsoft’s Configuration Manager Current Branch. It brings new features and improvements that make managing systems easier. This post walks through the details of the Defender settings being removed for co-managed SCCM 2309 and 2403 clients.


Would this Issue Impact Co-managed Devices that Don’t have Endpoint Protection-Enabled Client Settings Pushed from SCCM?

No, it shouldn’t. Based on testing, this issue does not affect co-managed devices that don’t have endpoint protection-enabled client settings pushed from SCCM.

Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients

Microsoft Intune can no longer manage Microsoft Defender security configurations after updating to Configuration Manager version 2403 or installing the Update Rollup for 2309. If you had set up Microsoft Intune to manage Defender settings on your devices, Intune can no longer control those settings after the update.

  • Instead, Configuration Manager will take over the management of Defender settings.
  • This change might affect how your security policies are applied to devices, so reviewing and adjusting your settings in Configuration Manager is essential.
Fig.1 – Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients

Drop in Microsoft Security Score Values in Intune

A drop may be observed when viewing Intune’s Microsoft Security Score values. This happens because security policy configuration data is incorrectly removed from clients after the Configuration Manager client is upgraded.

When all of the conditions listed below are met, the security policy configuration data from Intune is mistakenly removed during the Configuration Manager client upgrade, which lowers the Microsoft Security Score values in Intune. Addressing this issue is essential to ensure that devices keep the appropriate security configurations and scores.


The drop in security scores for clients occurs under the following conditions.

  • Co-management with Intune – The Configuration Manager clients are co-managed with Microsoft Intune.
  • Active Management in Intune – Intune actively manages the “Device Configuration > Endpoint Protection” workload, which means it manages the security settings for endpoint protection.
  • Endpoint Protection Client Management Setting – The “Manage Endpoint Protection client on client computers” value is set to “Yes” in client settings. This setting indicates that Configuration Manager manages Endpoint Protection client settings.


Fig.2 – Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients – Creds to MS

Important Notice for Customers Regarding Configuration Manager Updates

For customers with potentially affected environments, it’s advisable to hold off on deploying version 2403 or the 2309 Update Rollup until a fix is available. However, if your environment has already been updated but the new clients aren’t installed yet, there are steps you can take.

Following the steps below can help minimize the issue’s impact until a permanent fix is provided.

1. Disable Automatic Client Upgrades

If your setup automatically upgrades clients in the pre-production collection using the pre-production client, it’s recommended that you disable this feature for now. This prevents the potentially problematic clients from being rolled out automatically.

Fig.3 – Defender Settings Getting Removed for Comanaged SCCM 2309 and 2403 Clients – Creds to MS

2. Avoid Promoting Pre-production Client

Avoid using the “Promote Pre-production Client” action. This action promotes new clients to production, potentially introducing the issue to more devices.

Solution for Already Updated Clients

Let’s discuss the solution for already updated clients. If your clients have already been updated, you can take the following steps to address the issue.

1. Set Manage Endpoint Protection Client to No

You can adjust the Client Settings by opening the SCCM console and setting the “Manage Endpoint Protection client on client computers” value to “No” in client settings. Make sure this adjustment is applied only to collections that contain co-managed clients.

By setting this value to “No,” you temporarily turn off Configuration Manager’s management of Endpoint Protection clients on the affected devices. This action allows Microsoft Intune policy to reapply, effectively managing the clients as expected.

Understanding the Issue with SCCM and Intune Managed Clients

In environments where on-premises and Intune-managed clients coexist, the handling of Defender policies behaves unexpectedly.

  • Intune-Managed Clients – Clients managed by Intune shouldn’t receive Defender policies from Configuration Manager. However, Configuration Manager still sends policies, which leads to issues.
  • On-Premises Defender-Managed Clients – On-premises clients managed by Configuration Manager are expected to receive Defender policies from it.
  • The problem arises when Configuration Manager correctly identifies Intune as the manager of Defender settings but still interferes with them. This results in the removal of antimalware registry keys and even the deletion of Defender keys.

The investigation is ongoing, but it’s clear that when Intune manages Defender, Configuration Manager shouldn’t interfere with its settings. This points to a miscommunication or misinterpretation by the Configuration Manager agent about who manages the Defender settings.


Author

About the Author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.
