SCCM on Windows Server 2016: The Defender Gotcha

Hello! My name is Todd Linke, and I am a Premier Field Engineer at Microsoft where I specialize in .

I was working with some customers who were seeing strange behavior on their SCCM Site Servers. In one case, an unusually high percentage of clients had corrupt hardware inventories. Looking at the log files, we could see that client inventories were being successfully sent to the Management Point, but when processed on the site server by SMS_INVENTORY_DATALOADER we were getting a “File in use” error. We used Process Monitor and were able to determine that MsMpEng.exe (Windows Defender) was the process that was locking the file. We turned off “Real-Time Protection” for Defender and the errors suddenly stopped.

What we thought was unusual, though, is that they were using a 3rd-party solution which they believed would disable Windows Defender when installed.

In the other case, Software Update Compliance status was missing in action. The MP_FILE_DISPATCH_MONITOR component on the Software Update Point Server was unable to copy client status messages to the proper inboxes on the Primary Site Server. This time the error being reported was “The path does not exist”. Once again, Process Monitor showed that the files were in use by MsMpEng.exe, and once again, turning off “Real-Time Protection” solved the issue immediately. In this case, too, they were using a 3rd-party solution. At both customers, the proper exclusions for SCCM were configured in their 3rd-party antivirus, which would normally prevent these types of issues.

What set these two servers apart from their other SCCM servers is that they were running Windows Server 2016.

As you may or may not know, Microsoft included Windows Defender in Windows Server 2016, where it is installed and enabled by default. Unlike previous versions of Windows Server, installing a 3rd-party antivirus does not automatically disable Windows Defender. That is exactly what bit these two customers: the exclusions they had carefully configured in their 3rd-party product apply only to that product, so Defender's real-time protection kept scanning (and locking) the files in the SCCM inboxes. The following page of the Windows Server 2016 online documentation describes exactly how this works:

https://docs.microsoft.com/en-us/windows-server/security/windows-defender/windows-defender-overview-windows-server

There are two solutions for this situation:

  1. Disable Windows Defender Real-Time Protection via Group Policy by setting the “Turn off real-time protection” policy to “Enabled”. You can find more details at the following location:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus

  2. Configure the recommended SCCM antivirus scanning exclusions for Windows Defender using either Group Policy or an SCCM antimalware policy. A great list of SCCM scanning exclusions can be found in this blog post by Brandon McMillan, who is also an SCCM PFE at Microsoft:

    https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/
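As an added example (not code from the original post), the following PowerShell applies solution 2 on the site server and then reports the state that solution 1 controls, so you can confirm which engine is actually scanning. It assumes it runs elevated on the Windows Server 2016 site server, that the site installation directory is readable from HKLM\SOFTWARE\Microsoft\SMS\Identification, and it uses an illustrative subset of exclusion paths (the inboxes and Logs trees under the site installation directory, plus the local client's CCM folders); it is not Brandon's full list, so take the complete set of paths from his post. The policy-backed registry value it checks, DisableRealtimeMonitoring under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, is the value the “Turn off real-time protection” Group Policy setting writes.

```powershell
# Added example, not from the original post: add Defender exclusions for the
# SCCM site server and report whether real-time protection is still active.
# Assumptions: runs elevated on the site server; the exclusion set below is an
# illustrative subset, not the full recommended list.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Get-CMInstallDirectory {
    # Site server install root (assumption: HKLM\SOFTWARE\Microsoft\SMS\Identification
    # carries "Installation Directory" on the site server this runs on).
    (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' `
        -Name 'Installation Directory').'Installation Directory'
}

function Get-CMExclusionPaths {
    param([string]$InstallDir = (Get-CMInstallDirectory))
    # Illustrative subset: the inboxes tree is where SMS_INVENTORY_DATALOADER and
    # MP_FILE_DISPATCH_MONITOR handle the files Defender was locking.
    @(
        (Join-Path $InstallDir 'inboxes')
        (Join-Path $InstallDir 'Logs')
        (Join-Path $env:SystemRoot 'CCM')       # local SCCM client on the site server
        (Join-Path $env:SystemRoot 'ccmsetup')
    )
}

function Add-CMDefenderExclusions {
    param([string[]]$Paths = (Get-CMExclusionPaths))
    # Only add what is not already excluded; Add-MpPreference appends to the list,
    # whereas Set-MpPreference -ExclusionPath would replace it.
    $existing = @((Get-MpPreference).ExclusionPath)
    $missing  = @($Paths | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-MpPreference -ExclusionPath $missing
    }
    return $missing
}

function Get-DefenderRtpState {
    # Combine the effective preference, the engine status and the policy value so
    # a box with a 3rd-party AV still shows whether Defender itself is scanning.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $policy    = Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    $policyVal = if ($policy) { $policy.DisableRealtimeMonitoring } else { $null }
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        DefenderServiceRunning    = ($null -ne $svc -and $svc.Status -eq 'Running')
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        PolicyTurnsOffRtp         = ($policyVal -eq 1)   # "Turn off real-time protection" = Enabled
        ExclusionCount            = @($pref.ExclusionPath).Count
    }
}

# Apply the exclusions, then show the state the baseline further down will check.
$added = Add-CMDefenderExclusions
"Added $($added.Count) exclusion path(s): $($added -join ', ')"
Get-DefenderRtpState | Format-List
```

Exclusions are a coverage trade-off: every excluded directory is a place Defender will not inspect, so scope them to the paths SCCM actually writes rather than the whole system drive, and prefer exclusions over turning real-time protection off entirely on a server that also hosts a 3rd-party engine. If DisableRealtimeMonitoring reports False and the WinDefend service is running after the 3rd-party product is installed, Defender is still scanning alongside it, which is the Server 2016 behaviour described above.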

One of the many great features in SCCM is the ability to use Baselines to monitor SCCM client devices for specific issues or symptoms. If you would like to verify this in your environment, run the following script on your Site Server (it needs the Configuration Manager console installed there, because it loads the cmdlets from the console's PowerShell module) to create a Configuration Item and Baseline both named “Verify Windows Defender Real-Time Scanning Status”.

Then deploy the baseline to a collection containing only Windows Server 2016 devices. The rule treats a device as compliant only when Get-MpPreference reports DisableRealtimeMonitoring as True, so any device that shows Non-Compliant still has Real-Time Protection enabled.

PowerShell code:

# Load the Configuration Manager cmdlets from the installed console
$CMConsolePath = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Setup' -Name 'UI Installation Directory'
$CMModulePath = Join-Path $CMConsolePath 'bin\ConfigurationManager.psd1'
Import-Module $CMModulePath

# Get the site code from the local SMS Provider and change to the CM PSDrive
$ProviderInfo = Get-WmiObject -Class SMS_ProviderLocation -Namespace 'root\SMS' -ComputerName $Env:ComputerName | Select-Object -First 1
$SiteCode = "$($ProviderInfo.SiteCode):"
Set-Location $SiteCode

# Discovery script that runs on each client: outputs True when real-time monitoring is disabled
# (single-quoted here-string, so nothing is expanded on the site server)
$DiscoveryScript = @'
(Get-MpPreference).DisableRealtimeMonitoring
'@

# Create the Configuration Item and add the script-based setting without a rule yet
$ConfigItem = New-CMConfigurationItem -Name 'Verify Windows Defender Real-Time Scanning Status' -CreationType WindowsOS
$ConfigItem | Add-CMComplianceSettingScript -DataType String -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $DiscoveryScript -SettingName 'Defender Real-Time Protection Setting' -NoRule -Is64Bit

# Compliance rule: compliant only when the discovered value is "True", i.e. real-time monitoring is disabled
$CompSetting = $ConfigItem | Get-CMComplianceSetting -SettingName 'Defender Real-Time Protection Setting'
$CompRule = $CompSetting | New-CMComplianceRuleValue -RuleName 'Real-Time Monitoring Is Disabled' -ExpressionOperator IsEquals -ExpectedValue 'True'
$FinishedCI = $ConfigItem | Add-CMComplianceSettingRule -Rule $CompRule

# Create a baseline with the same name and add the CI to it
$CMBaseline = New-CMBaseline -Name $ConfigItem.LocalizedDisplayName
$FinishedBL = Set-CMBaseline -Name $ConfigItem.LocalizedDisplayName -AddOSConfigurationItem $ConfigItem.CI_ID

Thanks for reading!


This article was originally published by mountainss Cloud and Datacenter Management Blog.