I recently upgraded a ConfigMgr instance on a single server from Windows Server 2012 R2 to 2019, along with SQL Server (from 2014 to 2017). They use Microsoft for malware detection. As part of the in-place upgrade process, SCEP had to go: it is not supported on Server 2016 and later, which have Defender built in.
Per this article by Brandon, Microsoft recommends that several files and folders be excluded from on-access scanning for the various ConfigMgr roles. As it was a single system, it did not make sense to use GPO, so I chose to do it manually.
In the GUI you can navigate to: Start > Settings > Update & Security > Windows Security > Virus & threat protection. Then under Virus & threat protection settings, select Manage settings, and under Exclusions, select Add or remove exclusions. Select Add an exclusion, and then choose from files, folders, file types, or process. While I was not interested in adding them this way, they do show up there once added via other methods.
Exclusions are kept in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions. However, there are anti-tamper measures in place, so you cannot write to this location directly, even using PsExec or similar methods: the key is owned by SYSTEM (NT AUTHORITY\SYSTEM) and its permissions are further locked down. Note that the lock-down is on writing; the key is still readable locally, so the exclusion list is also a map of unscanned locations for anyone who gets onto the box. Keep it to the documented paths.
Happily, you can do this via PowerShell using the Add-MpPreference cmdlet. In my case I only had files and folders, so I just needed one switch: -ExclusionPath. There are several other switches you can use for the other types of exclusions. If I had many servers to do, I would have written a script, but I just did it by hand this time:
Add-MpPreference -ExclusionPath PATHORFILETOEXCLUDE
Additionally, Defender automatically excludes paths based on the installed server roles, so I skipped the WSUS paths. I only added the relevant ConfigMgr ones here, per the article. For the SQL file types, I used the GUI since I was already there, rather than the -ExclusionExtension switch.
Some items of note:
- A folder exclusion excludes not only the folder and its files but also all sub-folders, so exclude the narrowest folder that covers the documented files.
- You can substitute environment variables for literal paths; for example, %WINDIR% maps to your Windows folder (typically C:\Windows).
- While Brandon suggests excluding the content source, I did not: IT staff use it for various tasks such as out-of-band installs, so I would rather it be scanned, and that exclusion is flagged as a performance-only one anyway.
I did have to fix a few paths, as the ConfigMgr agent is not in the default %WINDIR%\CCM location because NO_SMS_ON_DRIVE.SMS is on the OS volume. In this case it is on the ConfigMgr volume, under the SMS_CCM folder.
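Putting the manual steps above into one script, as an added example that is not from the original post, from Brandon's article, or from Microsoft: it resolves where the client actually lives from the CcmExec service (so a NO_SMS_ON_DRIVE.SMS layout like the one described is handled instead of assuming %WINDIR%\CCM), adds path and extension exclusions through Add-MpPreference without duplicating entries or excluding folders that do not exist, and reads the result back from both Get-MpPreference and the registry key. The HKLM\SOFTWARE\Microsoft\SMS\Identification value, the site sub-folders and the SQL extensions are assumptions for illustration; take the authoritative per-role list from Microsoft's documentation.

```powershell
# Added example (not from the original post). Assumes Microsoft Defender Antivirus on
# Windows Server 2016/2019 with its PowerShell module, and a ConfigMgr site server whose
# client may live outside %WINDIR%\CCM. Run from an elevated PowerShell session.
# The folder list below is illustrative; take the authoritative per-role list from
# Microsoft's ConfigMgr antivirus-exclusion documentation.
#Requires -RunAsAdministrator

# Resolve the real client folder from the CcmExec service binary instead of assuming
# %WINDIR%\CCM. With NO_SMS_ON_DRIVE.SMS on the OS volume the client lands in
# <SiteDrive>\SMS_CCM, and an exclusion for a folder that does not exist protects nothing.
function Get-CcmClientPath {
    $svc = Get-CimInstance Win32_Service -Filter "Name='CcmExec'"
    if (-not $svc) { throw 'CcmExec service not found; is the ConfigMgr client installed?' }
    # PathName is the (possibly quoted) full path to CcmExec.exe
    Split-Path -Parent ($svc.PathName.Trim('"'))
}

# Site installation directory; reading it from the Identification key is an assumption
# of this example.
function Get-SmsInstallDir {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop).'Installation Directory'
}

# Idempotent: add only paths that exist on disk and are not already excluded, so a typo
# never creates a dangling exclusion and re-running the script is harmless.
function Add-DefenderPathExclusion {
    param([Parameter(Mandatory)][string[]]$Path)
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Skipping missing path: $p"; continue }
        if ($current -contains $p)           { Write-Verbose "Already excluded: $p"; continue }
        Add-MpPreference -ExclusionPath $p
        Write-Host "Excluded path: $p"
    }
}

function Add-DefenderExtensionExclusion {
    param([Parameter(Mandatory)][string[]]$Extension)
    $current = @((Get-MpPreference).ExclusionExtension)
    foreach ($e in $Extension) {
        if ($current -contains $e) { continue }
        Add-MpPreference -ExclusionExtension $e
        Write-Host "Excluded extension: $e"
    }
}

# Read back from both the cmdlet and the registry key; the two lists should agree.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    $regPaths = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PathsFromCmdlet      = @($pref.ExclusionPath)
        PathsFromRegistry    = @($regPaths.Property)            # value names are the excluded paths
        ExtensionsFromCmdlet = @($pref.ExclusionExtension)
        AutoExclusionsActive = -not $pref.DisableAutoExclusions # role-based (e.g. WSUS) exclusions
    }
}

# --- Apply -------------------------------------------------------------------
$ccm = Get-CcmClientPath   # e.g. D:\SMS_CCM rather than C:\Windows\CCM
$sms = Get-SmsInstallDir   # e.g. D:\Program Files\Microsoft Configuration Manager

Add-DefenderPathExclusion -Path @(
    $ccm,
    (Join-Path $sms 'inboxes'),
    (Join-Path $sms 'Logs')
)
# SQL Server data, log and backup files (illustrative extension list)
Add-DefenderExtensionExclusion -Extension 'mdf','ldf','ndf','bak','trn'

Get-DefenderExclusionReport | Format-List
```

The report at the end is the check worth keeping: the registry value names under Exclusions\Paths must match what Get-MpPreference reports, and AutoExclusionsActive must be true if you are relying on the built-in role exclusions for WSUS. If the server later gets a Defender GPO, the policy-managed list wins over these local entries, so re-run the report after policy changes.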
With all this done, Defender in Windows Server 2019 excludes the relevant directories used by ConfigMgr and does not hinder performance. I assume this applies to Windows Server 2016 as well.