SCCM on Windows Server 2016: The Defender Gotcha

Hello! My name is Todd Linke, and I am a Premier Field Engineer at Microsoft where I specialize in System Center Configuration Manager.

For those of you that may not be aware, SCCM generates a lot of disk activity, on its site servers.  It is not unusual for SCCM to write a file, perform a checksum analysis, and then move or delete the file after processing so quickly that you would not see the file at all if you were monitoring the folder with Windows Explorer.  Due to this activity, it is necessary to configure file system and process exclusions for Antivirus Real-Time Scanning solutions.  This must be done regardless of the chosen Antivirus solution whether it be Windows Defender or a 3rd party AV, as well as with other security products that actively monitor file system changes.

I was working with some customers who were seeing strange behavior on their SCCM Site Servers. In one case, an unusually high percentage of clients had corrupt hardware inventories. Looking at the log files, we could see that client inventories were being successfully sent to the Management Point, but when processed on the site server by SMS_INVENTORY_DATALOADER we were getting a “File in use” error. We used Process Monitor and were able to determine that MsMpEng.exe (Windows Defender) was the process that was locking the file. We turned off “Real-Time Protection” for Defender and the errors suddenly stopped.

What we thought was unusual though, is that they were using a 3rd Party Antivirus solution, which they believed would disable Windows Defender when installed.

In the other case, Software Update Compliance status was missing in action. The MP_FILE_DISPATCH_MONITOR component on the Software Update Point Server was unable to copy client status messages to the proper inboxes on the Primary Site Server. This time the error being reported was “The network path does not exist”. Once again, Process Monitor showed that the files were in use by MsMpEng.exe, and once again, turning off “Real-Time Protection” solved the issue immediately. In this case also, they were using a 3rd party Antivirus solution. At both customers the proper exclusions for SCCM were configured for their 3rd party Antivirus, which would normally prevent these types of issues.

What set these two servers apart from their other SCCM servers is that they were running Windows Server 2016.

As you may or may not know, Microsoft included Windows Defender in Server 2016, where it is enabled by default. Unlike in previous versions of Windows Server, installing a 3rd party Antivirus will not automatically disable Windows Defender. The following page of the Server 2016 online documentation describes exactly how this works:

https://docs.microsoft.com/en-us/windows-server/security/windows-defender/windows-defender-overview-windows-server

There are two solutions for this situation:

  1. Disable Windows Defender Real Time Protection via Group Policy by setting the “Turn off Real-Time Protection” to “Enabled”. You can find more details at the following location:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus

  2. Configure the recommended SCCM Antivirus Scanning exclusions for Windows Defender using either Group Policy, or SCCM. A great list of SCCM scanning exclusions can be found in this blog post by Brandon McMillan, who is also an SCCM PFE at Microsoft:

    https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/

One of the many great features in SCCM is the ability to use Baselines to monitor SCCM Client devices for specific issues or symptoms. If you would like to verify this in your environment, run the following script on your Site Server to create a Configuration Item and Baseline both named “Verify Windows Defender Real-Time Scanning Status”.

Then deploy the baseline to a collection containing only Windows Server 2016 Devices. Any devices that show Non-Compliant have Real-Time Scanning enabled.

Powershell Code:

#Load SCCM CmdLets

$CMConsolePath = Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name “UI Installation Directory”

$CMModulePath = $CMConsolePath\bin\ConfigurationManager.psd1″

Import-Module $CMModulePath


#Get CM SiteCode

$ProviderInfo = Get-WMIObject -Class SMS_ProviderLocation -Namespace root\SMS -ComputerName $Env:ComputerName

$Sitecode = $($ProviderInfo.SiteCode):”


#Change to CM PSDrive

Set-Location $SiteCode


#Set Discovery Script PS Code

$DiscoveryScript = @”

`$(Get-MPPreference).DisableRealtimeMonitoring

“@


#Create Configuration Item

$ConfigItem = New-CMConfigurationItem -Name “Verify Windows Defender Real-Time Scanning Status” -CreationType WindowsOS


#Add Compliance Rule to CI

$ConfigItem | Add-CMComplianceSettingScript -DataType String -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $DiscoveryScript -SettingName “Defender Real-Time Protection Setting” -NoRule -Is64Bit

$CompSetting = $ConfigItem | Get-CMComplianceSetting -SettingName “Defender Real-Time Protection Setting”

$CompRule = $CompSetting | New-CMComplianceRuleValue -RuleName “Is False” -ExpressionOperator IsEquals -ExpectedValue “True”

$FinishedCI = $ConfigItem | Add-CMComplianceSettingRule -Rule $CompRule


#Add CI to new Baseline

$CMBaseline = New-CMBaseline -Name $ConfigItem.LocalizedDisplayName

$FinishedBL = Set-CMBaseline -Name $ConfigItem.LocalizedDisplayName -AddOSConfigurationItem $ConfigItem.CI_ID

Thanks for reading!