Protect Data and Infrastructure

The document outlines the management of data protection and infrastructure using Configuration Manager, focusing on BitLocker Drive Encryption (BDE) and Endpoint Protection. It details the processes for deploying, managing, and monitoring these security features, including prerequisites and best practices. Additionally, it covers certificate profiles and their dependencies within the Configuration Manager environment.

Protect data and infrastructure documentation

Protect both your infrastructure and your data from exposure or malicious attack using
Configuration Manager.

Manage BitLocker Drive Encryption (BDE)

GET STARTED
Plan for BitLocker management

DEPLOY
Deploy BitLocker management
Set up BitLocker portals

HOW-TO GUIDE
View BitLocker reports
Use the BitLocker administration and monitoring website

Certificate profiles

OVERVIEW
Introduction to certificate profiles

GET STARTED
Planning for certificate template permissions for certificate profiles
Prerequisites for certificate profiles

DEPLOY
Configure certificate infrastructure
Create certificate profiles
Deploy resource access profiles

Top tasks

HOW-TO GUIDE
Microsoft Defender for Endpoint onboarding
Troubleshoot Windows Defender or Endpoint Protection client
Manage antimalware policies and firewall settings
Windows Defender Application Control management
Create and deploy Windows Defender Application Guard
Windows Hello for Business settings

Endpoint Protection

OVERVIEW
Endpoint Protection overview

DEPLOY
Create an Endpoint Protection point site system role
Configure alerts for Endpoint Protection
Configure definition updates for Endpoint Protection

HOW-TO GUIDE
Create and deploy antimalware policies for Endpoint Protection
Configure custom client settings for Endpoint Protection
Monitor Endpoint Protection status

Protect data and site infrastructure
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

You want your users to securely access your organization's resources. Protect both your
infrastructure and your data from exposure or malicious attack. Use Configuration
Manager to enable access and help protect your organization's resources.

Endpoint Protection lets you manage the following Microsoft Defender policies for
client computers:
Microsoft Defender Antimalware
Microsoft Defender Firewall
Microsoft Defender for Endpoint
Microsoft Defender Exploit Guard
Microsoft Defender Application Guard
Microsoft Defender Application Control

Tip

To manage endpoint protection on co-managed Windows 10 or later devices
using the Microsoft Intune cloud service, switch the Endpoint Protection
workload to Intune. For more information, see Endpoint protection for
Microsoft Intune.

Protect data stored on on-premises Windows clients with BitLocker Drive
Encryption (BDE). Configuration Manager provides full BitLocker lifecycle
management that can replace the use of Microsoft BitLocker Administration and
Monitoring (MBAM). For more information, see Plan for BitLocker management.

Use other components of Microsoft Intune to protect your devices. For more
information, see Protect devices with Microsoft Intune.


Endpoint Protection
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Endpoint Protection manages antimalware policies and Windows Defender Firewall
security for client computers in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following
benefits:

Configure antimalware policies, Windows Defender Firewall settings, and manage
Microsoft Defender for Endpoint to selected groups of computers.
Use Configuration Manager software updates to download the latest antimalware
definition files to keep client computers up to date.
Send email notifications, use in-console monitoring, and view reports. These
actions inform administrative users when malware is detected on client computers.

Beginning with Windows 10 and Windows Server 2016 computers, Microsoft Defender
Antivirus is already installed. For these operating systems, a management client for
Microsoft Defender Antivirus is installed when the Configuration Manager client installs.
On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with
the Configuration Manager client. Microsoft Defender Antivirus and the Endpoint
Protection client have the following capabilities:

Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft. When
you join this service, the Endpoint Protection client or Microsoft Defender Antivirus
downloads the latest definitions from the Malware Protection Center when
unidentified malware is detected on a computer.

Note

The Endpoint Protection client can be installed on a server that runs Hyper-V and
on guest virtual machines with supported operating systems. To prevent excessive
CPU usage, Endpoint Protection actions have a built-in randomized delay so that
protection services do not run simultaneously.

You can also manage Windows Defender Firewall settings with Endpoint Protection in
the Configuration Manager console.

Manage malware
Endpoint Protection in Configuration Manager allows you to create antimalware policies
that contain settings for Endpoint Protection client configurations. Deploy these
antimalware policies to client computers. Then monitor compliance in the Endpoint
Protection Status node under Security in the Monitoring workspace. Also use Endpoint
Protection reports in the Reporting node.

For more information, see the following articles:

How to create and deploy antimalware policies: Create, deploy, and monitor
antimalware policies with a list of the settings that you can configure.

How to monitor Endpoint Protection: Monitoring activity reports, infected client
computers, and more.

How to manage antimalware policies and firewall settings: Remediate malware
found on client computers.

Log files for Endpoint Protection

Manage Windows Defender Firewall

Endpoint Protection in Configuration Manager provides basic management of the
Windows Defender Firewall on client computers. For each network profile, you can
configure the following settings:

Enable or disable the Windows Defender Firewall.

Block incoming connections, including connections in the list of allowed programs.

Notify the user when Windows Defender Firewall blocks a new program.

Note

Endpoint Protection supports managing the Windows Defender Firewall only.

For more information, see How to create and deploy Windows Defender Firewall
policies.

Microsoft Defender for Endpoint
Configuration Manager manages and monitors Microsoft Defender for Endpoint,
formerly known as Windows Defender for Endpoint. The Microsoft Defender for
Endpoint service helps you detect, investigate, and respond to advanced attacks on your
network. For more information, see Microsoft Defender for Endpoint.

Endpoint Protection workflow

Use the following diagram to help you understand the workflow to implement Endpoint
Protection in your Configuration Manager hierarchy.

Recommendations
Use the following recommendations for Endpoint Protection in Configuration Manager.

Configure custom client settings

When you configure client settings for Endpoint Protection, don't use the default client
settings. The defaults apply settings to all computers in your hierarchy. Instead,
configure custom client settings and assign these settings to collections of computers in
your hierarchy.

When you configure custom client settings, you can do the following:

Customize antimalware and security settings for different parts of your
organization.
Test the effects of running Endpoint Protection on a small group of computers
before you deploy it to the entire hierarchy.
Add more clients to the collection over time to phase your deployment of the
Endpoint Protection settings.

Distributing definition updates by using software updates

If you use Configuration Manager software updates to distribute definition updates, put
definition updates in a package that doesn't include other software updates. This
practice keeps the size of the definition update package smaller, which allows it to
replicate to distribution points more quickly.

Next steps
Example scenario: Using Endpoint Protection to protect computers from malware


Plan for BitLocker management
Article • 12/04/2024

Applies to: Configuration Manager (current branch)

Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-
premises Windows clients, which are joined to Active Directory. It provides full BitLocker
lifecycle management that can replace the use of Microsoft BitLocker Administration
and Monitoring (MBAM).

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

For more general information about BitLocker, see BitLocker overview. For a comparison
of BitLocker deployments and requirements, see the BitLocker deployment comparison
chart.

Tip

To manage encryption on co-managed Windows 10 or later devices using the
Microsoft Intune cloud service, switch the Endpoint Protection workload to Intune.
For more information on using Intune, see Windows Encryption.

Features
Configuration Manager provides the following management capabilities for BitLocker
Drive Encryption:

Client deployment
Deploy the BitLocker client to managed Windows devices running Windows 8.1,
Windows 10 or Windows 11.

Manage BitLocker policies and escrow recovery keys for on-premises and internet-
based clients
Manage encryption policies
For example: choose drive encryption and cipher strength, configure user
exemption policy, fixed data drive encryption settings.

Determine the algorithms with which to encrypt the device, and the disks that you
target for encryption.

Force users to get compliant with new security policies before using the device.

Customize your organization's security profile on a per device basis.

When a user unlocks the OS drive, specify whether to unlock only an OS drive or all
attached drives.

Compliance reports
Built-in reports for:

Encryption status per volume or per device
The primary user of the device
Compliance status
Reasons for non-compliance

Administration and monitoring website
Allow other personas in your organization outside of the Configuration Manager
console to help with key recovery, including key rotation and other BitLocker-related
support. For example, help desk administrators can help users with key recovery.

Tip

Starting in version 2107, you can also get BitLocker recovery keys for a tenant-
attached device from the Microsoft Intune admin center. For more information, see
Tenant attach: BitLocker recovery keys.

User self-service portal
Let users help themselves with a single-use key for unlocking a BitLocker encrypted
device. Once this key is used, it generates a new key for the device.

Prerequisites

General prerequisites
To create a BitLocker management policy, you need the Full Administrator role in
Configuration Manager.

To use the BitLocker management reports, install the reporting services point site
system role. For more information, see Configure reporting.

Note

For the Recovery Audit Report to work from the administration and
monitoring website, only use a reporting services point at the primary site.

Prerequisites for clients

The device requires a TPM chip that's enabled in the BIOS and is resettable from
Windows.

Microsoft recommends devices with TPM version 2.0 or later. Devices with TPM
version 1.2 may not properly support all BitLocker functionality.

The computer's hard disk requires a BIOS that's compatible with TPM and that
supports USB devices during computer startup.

Note

Uploading of the TPM password hash mainly pertains to versions of Windows
before Windows 10. Windows 10 or later by default doesn't save the TPM password
hash, so these devices don't normally upload it. For more information, see About
the TPM owner password.

BitLocker management doesn't support all client types that are supported by
Configuration Manager. For more information, see Supported configurations.
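The client prerequisites above (a TPM that is present and enabled, the recommendation for TPM 2.0 over 1.2) and the supported-configuration rule later in this article (no virtual machines or server editions) can be checked on a device before a BitLocker management policy is targeted at it. The following PowerShell is an added example, not code from the Configuration Manager documentation; the function name and the manufacturer/model heuristic for detecting a virtual machine are this example's own assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): checks the
# BitLocker management client prerequisites on the local device and returns the
# result as an object. Run in an elevated session on Windows 10/11, which ships
# the TrustedPlatformModule and BitLocker modules used here.
function Test-BitLockerClientPrerequisites {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM presence, enabled state and readiness, via Get-Tpm.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM detected')
    } elseif (-not $tpm.TpmEnabled) {
        $findings.Add('TPM is present but not enabled in the BIOS/UEFI')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM is enabled but not ready for use')
    }

    # TPM specification version from Win32_Tpm; the article recommends 2.0 or
    # later and warns that 1.2 may not support all BitLocker functionality.
    $specVersion = $null
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpmWmi -and $tpmWmi.SpecVersion) {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
        $specVersion = ($tpmWmi.SpecVersion -split ',')[0].Trim()
        if ([version]$specVersion -lt [version]'2.0') {
            $findings.Add("TPM spec version $specVersion; version 2.0 or later is recommended")
        }
    }

    # BitLocker management isn't supported on server editions.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {
        $findings.Add("Server edition ($($os.Caption)) is not supported")
    }

    # BitLocker management isn't supported on virtual machines. Matching common
    # hypervisor strings in manufacturer/model is a heuristic of this example.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ("$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|QEMU|Xen|innotek') {
        $findings.Add("Virtual machine ($($cs.Model)) is not supported")
    }

    # Current state of the OS volume, so the report shows what a policy will act on.
    $osVolume = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $osStatus = 'Unknown'
    $osProtection = 'Unknown'
    $hasTpmProtector = $false
    if ($osVolume) {
        $osStatus = [string]$osVolume.VolumeStatus
        $osProtection = [string]$osVolume.ProtectionStatus
        # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all use the TPM.
        $hasTpmProtector = [bool]($osVolume.KeyProtector | Where-Object KeyProtectorType -match '^Tpm')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmPresent         = [bool]$tpm.TpmPresent
        TpmEnabled         = [bool]$tpm.TpmEnabled
        TpmReady           = [bool]$tpm.TpmReady
        TpmSpecVersion     = $specVersion
        OsVolumeStatus     = $osStatus
        OsProtectionStatus = $osProtection
        OsTpmProtector     = $hasTpmProtector
        MeetsPrerequisites = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage: run elevated; Findings lists anything that blocks BitLocker management.
Test-BitLockerClientPrerequisites | Format-List
```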

Prerequisites for the recovery service

In version 2010 and earlier, the BitLocker recovery service requires HTTPS to
encrypt the recovery keys across the network from the Configuration Manager
client to the management point. Use one of the following options:

HTTPS-enable the IIS website on the management point that hosts the recovery
service.

Configure the management point for HTTPS.

For more information, see Encrypt recovery data over the network.

Note

When both the site and clients are running Configuration Manager version
2103 or later, clients send their recovery keys to the management point over
the secure client notification channel. If any clients are on version 2010 or
earlier, they need an HTTPS-enabled recovery service on the management
point to escrow their keys.

Starting in version 2103, since clients use the secure client notification channel
to escrow keys, you can enable the Configuration Manager site for enhanced
HTTP. This configuration doesn't affect the functionality of BitLocker
management in Configuration Manager.

In version 2010 and earlier, to use the recovery service, you need at least one
management point not in a replica configuration. Although the BitLocker recovery
service installs on a management point that uses a database replica, clients can't
escrow recovery keys. Then BitLocker won't encrypt the drive. Disable the BitLocker
recovery service on any management point with a database replica.

Starting in version 2103, the recovery service supports management points that
use a database replica.

Prerequisites for BitLocker portals

To use the self-service portal or the administration and monitoring website, you
need a Windows server running IIS. You can reuse a Configuration Manager site
system, or use a standalone web server that has connectivity to the site database
server. Use a supported OS version for site system servers.

On the web server that will host the self-service portal, install Microsoft ASP.NET
MVC 4.0 and the .NET Framework 3.5 feature before starting the install process. Other
required Windows server roles and features will be installed automatically during
the portal installation process.

Tip

You don't need to install any version of Visual Studio with ASP.NET MVC.

The user account that runs the portal installer script needs SQL Server sysadmin
rights on the site database server. During the setup process, the script sets login,
user, and SQL Server role rights for the web server machine account. You can
remove this user account from the sysadmin role after you complete setup of the
self-service portal and the administration and monitoring website.

Supported configurations
BitLocker management isn't supported on virtual machines (VMs) or on server
editions. For example, BitLocker management won't start the encryption on fixed
drives of virtual machines. Additionally, fixed drives in virtual machines may show
as compliant even though they aren't encrypted.

Starting in version 2409, Configuration Manager now supports BitLocker task
sequence steps for ARM devices. In BitLocker Management, policies that include
OS drive encryption with a TPM protector and Fixed drive encryption with the
Auto-Unlock option are now compatible with ARM devices.

In version 2010 and earlier, Microsoft Entra joined, workgroup clients, or clients in
untrusted domains aren't supported. In these earlier versions of Configuration
Manager, BitLocker management only supports devices that are joined to on-
premises Active Directory including Microsoft Entra hybrid joined devices. This
configuration is to authenticate with the recovery service to escrow keys.

Starting in version 2103, Configuration Manager supports all client join types for
BitLocker management. However, the client-side BitLocker user interface
component is still only supported on Active Directory-joined and Microsoft Entra
hybrid joined devices.

Starting in version 2010, you can now manage BitLocker policies and escrow
recovery keys over a cloud management gateway (CMG). This change also
provides support for BitLocker management via internet-based client management
(IBCM). There's no change to the setup process for BitLocker management. This
improvement supports domain-joined and hybrid domain-joined devices. For
more information, see Deploy management agent: Recovery service.

If you have BitLocker management policies that you created before you
updated to version 2010, to make them available to internet-based clients via
CMG:

1. In the Configuration Manager console, open the properties of the existing
policy.
2. Switch to the Client Management tab.
3. Select OK or Apply to save the policy. This action revises the policy so that
it's available to clients over the CMG.

By default, the Enable BitLocker task sequence step only encrypts used space on
the drive. BitLocker management uses full disk encryption. Configure this task
sequence step to enable the option to Use full disk encryption.

Starting in version 2203, you can configure this task sequence step to escrow the
BitLocker recovery information for the OS volume to Configuration Manager.

For more information, see Task sequence steps - Enable BitLocker.

Important

The Invoke-MbamClientDeployment.ps1 PowerShell script is for stand-alone MBAM
only. It should not be used with Configuration Manager BitLocker Management.

Next steps
Encrypt recovery data over the network


Prerequisites for certificate profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Certificate profiles in Configuration Manager have external dependencies and
dependencies in the product.

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

Dependencies External to Configuration Manager

Dependency: An enterprise issuing certification authority (CA) that is running
Active Directory Certificate Services (AD CS).

To revoke certificates, the computer account of the site server at the top of
the hierarchy requires Issue and Manage Certificates rights for each certificate
template used by a certificate profile in Configuration Manager. Alternatively,
grant Certificate Manager permissions to grant permissions on all certificate
templates used by that CA.

Manager approval for certificate requests is supported. However, the certificate
templates that are used to issue certificates must be configured for Supply in
the request for the certificate subject so that Configuration Manager can
automatically supply this value.

More information: For more information about Active Directory Certificate
Services, see Active Directory Certificate Services Overview.

Dependency: Use the PowerShell script to verify, and if needed, install the
prerequisites for the Network Device Enrollment Service (NDES) role service and
the Configuration Manager Certificate Registration Point.

More information: The instruction file, readme_crp.txt, is located in
ConfigMgrInstallDir\cd.latest\SMSSETUP\POLICYMODULE\X64.

The PowerShell script, Test-NDES-CRP-Prereqs.ps1, is in the same directory as
the instructions.

The PowerShell script must be run locally on the NDES server.

Dependency: The Network Device Enrollment Service (NDES) role service for Active
Directory Certificate Services, running on Windows Server 2012 R2.

In addition:

Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not
supported for the communication between the client and the Network Device
Enrollment Service.

The server that is running the Network Device Enrollment Service must be on a
different server from the issuing CA.

More information: Configuration Manager communicates with the Network Device
Enrollment Service in Windows Server 2012 R2 to generate and verify Simple
Certificate Enrollment Protocol (SCEP) requests.

If you will issue certificates to users or devices that connect from the
Internet, such as mobile devices that are managed by Microsoft Intune, those
devices must be able to access the server that runs the Network Device
Enrollment Service from the Internet. For example, install the server in a
perimeter network (also known as a DMZ, demilitarized zone, and screened
subnet).

If you have a firewall between the server that is running the Network Device
Enrollment Service and the issuing CA, you must configure the firewall to allow
the communication traffic (DCOM) between the two servers. This firewall
requirement also applies to the server running the Configuration Manager site
server and the issuing CA, so that Configuration Manager can revoke
certificates.

If the Network Device Enrollment Service is configured to require SSL, a
security best practice is to make sure that connecting devices can access the
certificate revocation list (CRL) to validate the server certificate.

For more information about the Network Device Enrollment Service, see Using a
Policy Module with the Network Device Enrollment Service.

Dependency: A PKI client authentication certificate and exported root CA
certificate.

More information: This certificate authenticates the server that is running the
Network Device Enrollment Service to Configuration Manager.

For more information, see PKI certificate requirements for Configuration
Manager.

Dependency: Supported device operating systems.

More information: You can deploy certificate profiles to devices that run
Windows 8.1, Windows RT 8.1, and Windows 10.

Configuration Manager Dependencies

Dependency: Certificate registration point site system role

More information: Before you can use certificate profiles, you must install the
certificate registration point site system role. This role communicates with the
Configuration Manager database, the Configuration Manager site server, and the
Configuration Manager Policy Module.

For more information about system requirements for this site system role and
where to install the role in the hierarchy, see the Site System Requirements
section in the Supported configurations for Configuration Manager article.

The certificate registration point must not be installed on the same server
that runs the Network Device Enrollment Service.

Dependency: Configuration Manager Policy Module that is installed on the server
that is running the Network Device Enrollment Service role service for Active
Directory Certificate Services

More information: To deploy certificate profiles, you must install the
Configuration Manager Policy Module. You can find this policy module on the
Configuration Manager installation media.

Dependency: Discovery data

More information: Values for the certificate subject and the subject alternative
name are supplied by Configuration Manager and retrieved from information that
is collected from discovery:

For user certificates: Active Directory User Discovery

For computer certificates: Active Directory System Discovery and Network
Discovery

Dependency: Specific security permissions to manage certificate profiles

More information: You must have the following security permissions to manage
company resource access settings, such as certificate profiles, Wi-Fi profiles,
and VPN profiles:

To view and manage alerts and reports for certificate profiles: Create, Delete,
Modify, Modify Report, Read, and Run Report for the Alerts object.

To create and manage certificate profiles: Author Policy, Modify Report, Read,
and Run Report for the Certificate Profile object.

To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration
Policies, Modify Client Status Alert, Read, and Read Resource for the Collection
object.

To manage all configuration policies: Create, Delete, Modify, Read, and Set
Security Scope for the Configuration Policy object.

To run queries related to certificate profiles: Read permission for the Query
object.

To view certificate profiles information in the Configuration Manager console:
Read permission for the Site object.

To view status messages for certificate profiles: Read permission for the Status
Messages object.

To create and modify the Trusted CA certificate profile: Author Policy, Modify
Report, Read, and Run Report for the Trusted CA Certificate Profile object.

To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run
Report for the VPN Profile object.

To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run
Report for the Wi-Fi Profile object.

The Company Resource Access Manager security role includes these permissions
that are required to manage certificate profiles in Configuration Manager. For
more information, see the Configure role-based administration section in the
Configure security article.


Planning for certificate template permissions
for certificate profiles in Configuration
Manager
Article • 01/12/2024

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer supported. For more
information, see Frequently asked questions about resource access deprecation.

The following information can help you plan for how to configure permissions for the certificate templates
that Configuration Manager uses when you deploy certificate profiles.

Default Security Permissions and Considerations

The default security permissions that are required for the certificate templates that Configuration Manager will
use to request certificates for users and devices are as follows:

Read and Enroll for the account that the Network Device Enrollment Service application pool uses

Read for the account that runs the Configuration Manager console

For more information about these security permissions, see Configuring certificate infrastructure.

When you use this default configuration, users and devices can't directly request certificates from the
certificate templates and all requests must be initiated by the Network Device Enrollment Service. This is
an important restriction, because these certificate templates must be configured with Supply in the
request for the certificate Subject, which means that there is a risk of impersonation if a rogue user or a
compromised device requests a certificate. In the default configuration, the Network Device Enrollment
Service must initiate such a request. However, this risk of impersonation remains if the service that runs
the Network Device Enrollment Service is compromised. To help avoid this risk, follow all security best
practices for the Network Device Enrollment Service and the computer that runs this role service.

If the default security permissions don't fulfill your business requirements, you have another option for
configuring the security permissions on the certificate templates: You can add Read and Enroll
permissions for users and computers.

Adding Read and Enroll Permissions for Users and Computers

Adding Read and Enroll permissions for users and computers might be appropriate if a separate team
manages your certification authority (CA) infrastructure, and that separate team wants Configuration
Manager to verify that users have a valid Active Directory Domain Services account before sending them a
certificate profile to request a user certificate. For this configuration, you must specify one or more security
groups that contain the users, and then grant those groups Read and Enroll permissions on the certificate
templates. In this scenario, the CA administrator manages the security control.

You can similarly specify one or more security groups that contain computer accounts and grant these groups
Read and Enroll permissions on the certificate templates. If you deploy a computer certificate profile to a
computer that is a domain member, the computer account of that computer must be granted Read and Enroll
permissions. These permissions aren't required if the computer isn't a domain member, for example, a
workgroup computer or personal mobile device.

Although this configuration uses another security control, we don't recommend it as a best practice. The
reason is that the specified users or owners of the devices might request certificates independently from
Configuration Manager and supply values for the certificate Subject that might be used to impersonate
another user or device.

In addition, if you specify accounts that can't be authenticated at the time that the certificate request occurs,
the certificate request will fail by default. For example, the certificate request will fail if the server that is
running the Network Device Enrollment Service is in an Active Directory forest that is untrusted by the forest
that contains the certificate registration point site system server. You can configure the certificate registration
point to continue if an account can't be authenticated because there's no response from a domain controller.
However, this isn't a security best practice.

If the certificate registration point is configured to check for account permissions and a domain controller is
available and rejects the authentication request (for example, the account is locked out or has been deleted),
the certificate enrollment request will fail.

To check for Read and Enroll permissions for users and domain-member
computers
1. On the site system server that hosts the certificate registration point, create the following DWORD
registry key to have a value of 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheck

2. If an account can't be authenticated because there's no response from a domain controller, and you
want to bypass the permissions check:

On the site system server that hosts the certificate registration point, create the following DWORD
registry key to have a value of 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheckOnlyIfAccountAccessDenied

3. On the issuing CA, on the Security tab in the properties for the certificate template, add one or more
security groups to grant the user or device accounts Read and Enroll permissions.
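The two registry values in the procedure above decide whether the certificate registration point verifies Read and Enroll on the template, and whether that check is bypassed when no domain controller answers. The following PowerShell is an added example, not code from the article: it audits both values on the CRP site system and can apply the enforcing combination. The key path and value names are the ones the procedure gives; the function and parameter names are this example's own.

```powershell
# Added example (not from the Configuration Manager documentation): reads the CRP
# template-check registry values from the procedure above and reports whether the
# Read and Enroll permission check is enforced. Run in an elevated session on the
# site system server that hosts the certificate registration point.
function Get-CrpTemplateCheckState {
    [CmdletBinding()]
    param(
        # Registry key named in the procedure.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SCCM\CRP'
    )

    # Returns the DWORD value, or $null when the key or value doesn't exist.
    function Read-RegistryDword([string]$Name) {
        $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $skipCheck  = Read-RegistryDword 'SkipTemplateCheck'
    $skipOnDeny = Read-RegistryDword 'SkipTemplateCheckOnlyIfAccountAccessDenied'

    # The procedure creates SkipTemplateCheck with value 0 to make the CRP check
    # template permissions; an absent value is reported as not configured.
    $checkEnforced = ($null -ne $skipCheck -and $skipCheck -eq 0)

    # SkipTemplateCheckOnlyIfAccountAccessDenied = 1 lets a request continue when
    # no domain controller responds; the article notes this isn't a best practice.
    $bypassWhenNoDc = ($checkEnforced -and $skipOnDeny -eq 1)

    $recommendation = if (-not $checkEnforced) {
        'Set SkipTemplateCheck to 0 so the CRP verifies Read and Enroll on the template'
    } elseif ($bypassWhenNoDc) {
        'Bypass when a DC is unreachable is on; set SkipTemplateCheckOnlyIfAccountAccessDenied to 0 unless required'
    } else {
        'Template permission check enforced with no bypass'
    }

    [pscustomobject]@{
        KeyPath                                    = $KeyPath
        SkipTemplateCheck                          = $skipCheck
        SkipTemplateCheckOnlyIfAccountAccessDenied = $skipOnDeny
        TemplateCheckEnforced                      = $checkEnforced
        BypassWhenDcUnreachable                    = $bypassWhenNoDc
        Recommendation                             = $recommendation
    }
}

# Applies the enforcing configuration from the procedure: SkipTemplateCheck = 0,
# and the access-denied bypass off unless -AllowBypassWhenDcUnreachable is given.
# Supports -WhatIf so the change can be previewed before it is written.
function Set-CrpTemplateCheckEnforced {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SCCM\CRP',
        [switch]$AllowBypassWhenDcUnreachable
    )

    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    $values = @{
        SkipTemplateCheck                          = 0
        SkipTemplateCheckOnlyIfAccountAccessDenied = [int]$AllowBypassWhenDcUnreachable.IsPresent
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set DWORD to $($values[$name])")) {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $values[$name] -Type DWord
        }
    }

    Get-CrpTemplateCheckState -KeyPath $KeyPath
}

# Usage: audit first, then preview the enforcing change before applying it.
Get-CrpTemplateCheckState | Format-List
Set-CrpTemplateCheckEnforced -WhatIf
```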


Prerequisites for Wi-Fi and VPN profiles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

) Important

Starting in version 2203, this company resource access feature is no longer supported. For
more information, see Frequently asked questions about resource access deprecation.

Wi-Fi and VPN profiles in Configuration Manager have dependencies only within the
product.

You need the following security permissions to manage company resource access
settings, such as certificate profiles, Wi-Fi profiles, and VPN profiles:

To view and manage alerts and reports for Wi-Fi and VPN profiles: Create, Delete,
Modify, Modify Report, Read, and Run Report for the Alerts object.

To create and manage certificate profiles: Author Policy, Modify Report, Read, and
Run Report for the Certificate Profile object.

To manage Wi-Fi, certificate, and VPN profile deployments: Deploy Configuration
Policies, Modify Client Status Alert, Read, and Read Resource for the Collection
object.

To manage all configuration policies: Create, Delete, Modify, Read, and Set
Security Scope for the Configuration Policy object.

To run queries that are related to Wi-Fi and VPN profiles: Read permission for the
Query object.

To view Wi-Fi and VPN profiles information in the Configuration Manager console:
Read permission for the Site object.

To view status messages for Wi-Fi and VPN profiles: Read permission for the Status
Messages object.

To create and modify the Trusted CA certificate profile: Author Policy, Modify
Report, Read, and Run Report for the Trusted CA Certificate Profile object.

To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run
Report for the VPN Profile object.

To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run
Report for the Wi-Fi Profile object.

The Company Resource Access Manager built-in security role includes these
permissions that are required to manage Wi-Fi profiles in Configuration Manager. For
more information, see Configure security.



Security and privacy for Wi-Fi and VPN profiles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

) Important

Starting in version 2203, this company resource access feature is no longer supported. For
more information, see Frequently asked questions about resource access deprecation.

Security recommendations
Use the following security best practices when you manage Wi-Fi and VPN profiles for
devices.

Choose the most secure options that your Wi-Fi and VPN
infrastructure and client operating systems can support
Wi-Fi and VPN profiles provide a convenient method to centrally distribute and manage
Wi-Fi and VPN settings that your devices already support. Configuration Manager
doesn't add Wi-Fi or VPN functionality. Identify, implement, and follow any security
recommendations for your devices and infrastructure.

Privacy information
You can use Wi-Fi and VPN profiles to configure client devices to connect to Wi-Fi and
VPN servers. Then use Configuration Manager to evaluate whether those devices
become compliant after the profiles are applied. The management point sends
compliance information to the site server, and the information is stored in the site
database. The information is encrypted when devices send it to the management point,
but it isn't stored in encrypted format in the site database. The database retains the
information until the site maintenance task Delete Aged Configuration Management
Data deletes it. The default deletion interval is 90 days, but you can change it.
Compliance information isn't sent to Microsoft.
By default, devices don't evaluate Wi-Fi and VPN profiles. In addition, you must
configure the profiles, and then deploy them to users.

Before you configure Wi-Fi or VPN profiles, consider your privacy requirements.



Security and privacy for certificate profiles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

) Important

Starting in version 2203, this company resource access feature is no longer supported. For
more information, see Frequently asked questions about resource access deprecation.

Security guidance
Use the following guidance when you manage certificate profiles for users and devices.

Follow security guidance for the Network Device Enrollment Service (NDES)
Identify and follow any security guidance for NDES. For example, configure the NDES
website in Internet Information Services (IIS) to require HTTPS and ignore client
certificates.

For more information, see Network Device Enrollment Service Guidance.
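The IIS setting the guidance refers to (require HTTPS, ignore client certificates) is the sslFlags access setting on the NDES web application. The following is an added example, not code from the Configuration Manager or NDES documentation. It assumes the NDES application is at 'Default Web Site/certsrv/mscep' (the conventional location; confirm the path in IIS Manager on your server), that the WebAdministration module is available on the NDES server, and the function names are this example's own. It sets the flag and then checks that no client-certificate negotiation is enabled.

```powershell
# Added example (not from the docs): require HTTPS on the NDES application and ignore
# client certificates, then read the setting back as a check.
Import-Module WebAdministration

$NdesLocation = 'Default Web Site/certsrv/mscep'   # assumed path; verify in IIS Manager
$AppHost      = 'MACHINE/WEBROOT/APPHOST'

function Get-NdesSslFlags {
    param([string]$Location = $NdesLocation)
    (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
}

function Set-NdesRequireHttps {
    param([string]$Location = $NdesLocation)
    # 'Ssl' alone = require SSL, client certificates ignored.
    # 'Ssl,SslNegotiateCert' would accept them and 'Ssl,SslRequireCert' would require them.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Get-NdesSslFlags -Location $Location
}

function Test-NdesHttpsOnly {
    param([string]$Location = $NdesLocation)
    $flags = [string](Get-NdesSslFlags -Location $Location)
    # Pass only when SSL is required and neither negotiate nor require-client-cert is set.
    ($flags -match '\bSsl\b') -and ($flags -notmatch 'SslNegotiateCert|SslRequireCert')
}

Set-NdesRequireHttps | Out-Null
if (Test-NdesHttpsOnly) { 'NDES: HTTPS required, client certificates ignored' }
else { "NDES: sslFlags is '$(Get-NdesSslFlags)' - review the setting" }
```

Run Test-NdesHttpsOnly on its own as a periodic check; a value of 'None' means HTTPS is not required at all, and any SslNegotiateCert or SslRequireCert flag means the site is evaluating client certificates.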

Choose the most secure options for certificate profiles
When you configure SCEP certificate profiles, choose the most secure options that
devices and your infrastructure can support. Identify, implement, and follow any security
guidance that's recommended for your devices and infrastructure.

Centrally specify user device affinity
Manually specify user device affinity instead of allowing users to identify their primary
device. Don't enable usage-based configuration.

If you use the option in a SCEP certificate profile to Allow certificate enrollment only on
the user's primary device, don't treat the information that's collected from users or
from the device as authoritative. If you deploy SCEP certificate profiles with this
configuration and a trusted administrative user doesn't specify user device affinity,
unauthorized users might receive elevated privileges and be granted certificates for
authentication.

7 Note

If you do enable usage-based configuration, this information is collected by using
state messages. Configuration Manager doesn't secure state messages. To help
mitigate this threat, use SMB signing or IPsec between client computers and the
management point.

Manage certificate template permissions
Don't add Read and Enroll permissions for users to the certificate templates. Don't
configure the certificate registration point to skip the certificate template check.

Configuration Manager supports the extra check if you add the security permissions of
Read and Enroll for users. If authentication isn't possible, you can configure the
certificate registration point to skip this check. But neither configuration is
recommended.

For more information, see Planning for certificate template permissions for certificate
profiles.
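To verify who actually holds Enroll on a template (and so confirm that the permission sits on the intended security groups rather than on individual user accounts), you can read the template's security descriptor from the Configuration naming context. The block below is an added example, not code from the Configuration Manager documentation. It assumes a domain-joined machine with the ActiveDirectory module (which supplies the AD: drive), uses the well-known Certificate-Enrollment extended-right GUID, and the template name passed in is a placeholder; the function name is this example's own.

```powershell
# Added example (not from the docs): list the principals with Enroll or full control on a
# certificate template, so individual user grants stand out from group grants.
Import-Module ActiveDirectory

# Extended-right GUID for Certificate-Enrollment ("Enroll" on a template) and the
# all-zero GUID that AD uses for "all extended rights".
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AllRightsGuid   = [guid]'00000000-0000-0000-0000-000000000000'

function Get-TemplateEnrollPrincipals {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $fullControl = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $enroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                  ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq $AllRightsGuid)
        if (-not ($fullControl -or $enroll)) { continue }

        # Resolve the principal's object class so user accounts stand out from groups.
        $class = 'unknown'
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
            if ($obj) { $class = $obj.objectClass }
        } catch { }   # well-known SIDs (e.g. Authenticated Users) do not resolve to an AD object

        [pscustomobject]@{
            Template    = $TemplateName
            Principal   = $ace.IdentityReference.Value
            ObjectClass = $class
            Grant       = if ($fullControl) { 'FullControl' } else { 'Enroll' }
        }
    }
}

# Placeholder template name; substitute the template used by your SCEP certificate profile.
$report = Get-TemplateEnrollPrincipals -TemplateName 'ConfigMgrSCEP_PLACEHOLDER'
$report | Format-Table -AutoSize
$report | Where-Object ObjectClass -eq 'user' |
    ForEach-Object { "Review: individual user '$($_.Principal)' can enroll on $($_.Template)" }
```

Rows with ObjectClass 'user' are the case the guidance warns about; rows with full control matter too, because a principal that can edit the template can grant itself Enroll.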

Privacy information
You can use certificate profiles to deploy root certification authority (CA) and client
certificates, and then evaluate whether those devices become compliant after the client
applies the profiles. The management point sends compliance information to the site
server, and Configuration Manager stores that information in the site database.
Compliance information includes certificate properties such as subject name and
thumbprint. The client encrypts this information when sent to the management point,
but the site database doesn't store it in an encrypted format. Compliance information
isn't sent to Microsoft.

Certificate profiles use information that Configuration Manager collects using discovery.
For more information, see Privacy information for discovery.

By default, devices don't evaluate certificate profiles. You need to configure the
certificate profiles, and then deploy them to users or devices.

7 Note

Certificates that are issued to users or devices might allow access to confidential
information.



Frequently asked questions about resource access deprecation
Applies to: Configuration Manager (current branch)

Starting in Configuration Manager version 2103, the following company resource access
features are deprecated:

Certificate profiles, including the certificate registration point site system role
VPN profiles
Wi-Fi profiles
Windows Hello for Business settings
Email profiles
The co-management resource access workload

) Important

If the resource access profiles listed above are configured in Intune, but their
applicability to co-managed devices is controlled through the co-management Resource
Access workload setting in Configuration Manager, then after the 2403 upgrade the Resource
Access workload is moved to Intune, so all resource access profiles configured in Intune
are applied and enforced on co-managed devices.

This article answers your frequently asked questions about these deprecated features.

What happens when you upgrade to CM 2403?
When you upgrade your Configuration Manager site to 2403, the prerequisite checker displays
an error. This blocks upgrade.

Action required by customer: Delete all Resource Access profiles and associated deployments
and move the co-management workload for Resource Access (if co-managed) to Intune.
Reevaluate the prerequisite rules, which allows you to proceed with upgrade.

After the upgrade completes, if the cloud attach wizard is configured, the Resource Access
workload (set to Intune) remains greyed out in the console. If the site wasn't previously
cloud attached and you configure the cloud attach wizard during or after the upgrade, the
Resource Access workload defaults to Intune and remains greyed out in the console. The
Company Resource Access node in the Asset Management workspace will be removed.

When will these features be removed from Configuration Manager?
Starting in version 2203, these features will still be available in Configuration Manager, but no
longer tested or supported. When you upgrade to version 2203, the prerequisite checker
displays a warning.

In version 2207, the creation of new company resource access profiles including the certificate
registration point site system role is disabled. Set/New/Import type PowerShell cmdlets for
Resource Access features are deprecated as well.

These features will be removed in 2403.

If I'm still using these features, can I upgrade to version 2207?
Yes. If the site has any of these policies, the 2207 prerequisite checker will display a warning.
Before you upgrade to version 2211, replace the functionality of these features, and remove
the policies from the site.

If the site has the certificate registration point site system role, you also need to remove it. For
more information, see Remove a site system role.

What functionality is available to replace these features?
Use Microsoft Intune to deploy resource access profiles. For more information, see Apply
features and settings on your devices using device profiles in Microsoft Intune.

Use co-management to enroll Configuration Manager clients to Intune.

What do I do if I'm deploying wi-fi profiles with Configuration Manager?
Before you upgrade to Configuration Manager version 2203, enable co-management, and
deploy the same wi-fi profiles with Intune. For more information, see Add and use Wi-Fi
settings on your devices in Microsoft Intune. If you don't take action, the existing wi-fi profiles
will persist on devices but are unmanaged.

What happens if I don't enable co-management?
If you currently use these features, they're not tested or supported in version 2203. When you
upgrade to version 2207, they'll cause warning prerequisite checks. You can't create new wi-fi,
VPN, Windows Hello for Business, or certificate (SCEP, PFX, or root CA) profiles for
Configuration Manager clients. Any existing deployed profiles won't be removed from devices
and will continue to function. These existing profiles are unmanaged. For example, when a
certificate expires, Configuration Manager won't renew it.

What happens if I've enabled co-management, but haven't switched the resource access
workload?
Starting in version 2211, the prerequisite checker will display a warning for co-managed clients
if the resource access workload is on Configuration Manager. If the resource access slider is
towards Configuration Manager, these features aren't tested or supported in version 2203. Co-
management behavior is the same as if you used Configuration Manager 2111 or earlier to
switch the resource access workload to Intune. This workload slider will be disabled, and you
can only use Microsoft Intune to deploy resource access profiles in upcoming Configuration
Manager versions.

What alternative options are available?
Configuration Manager version 2111 fully supports these features and is supported until June
2023. For more information, see Supported versions.

Configure Endpoint Protection
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before you can use Endpoint Protection to manage security and malware on
Configuration Manager client computers, you must perform the configuration steps
detailed in this article.

How to Configure Endpoint Protection in Configuration Manager
Endpoint Protection in Configuration Manager has external dependencies and
dependencies in the product.

Steps to Configure Endpoint Protection in Configuration Manager
Use the following table for the steps, details, and more information about how to
configure Endpoint Protection.

) Important

If you manage endpoint protection for Windows 10 or later computers, then you
must configure Configuration Manager to update and distribute malware
definitions for Windows Defender. Windows Defender is included in Windows 10
and later but custom client settings for Endpoint Protection (Step 5 below) are still
required.

Step 1: Create an Endpoint Protection point site system role
The Endpoint Protection point site system role must be installed before you can use
Endpoint Protection. It must be installed on one site system server only, and it must be
installed at the top of the hierarchy on a central administration site or a stand-alone
primary site.

Step 2: Configure alerts for Endpoint Protection
Alerts inform the administrator when specific events have occurred, such as a malware
infection. Alerts are displayed in the Alerts node of the Monitoring workspace, or
optionally can be emailed to specified users.

Step 3: Configure definition update sources for Endpoint Protection clients
Endpoint Protection can be configured to use various sources to download definition
updates.

Step 4: Configure the default antimalware policy and create custom antimalware policies
The default antimalware policy is applied when the Endpoint Protection client is
installed. Any custom policies you have deployed are applied by default, within 60
minutes of deploying the client. Ensure that you have configured antimalware policies
before you deploy the Endpoint Protection client.

Step 5: Configure custom client settings for Endpoint Protection
Use custom client settings to configure Endpoint Protection settings for collections of
computers in your hierarchy.
Note: Do not configure the default Endpoint Protection client settings unless you are
sure that you want these settings applied to all computers in your hierarchy.



Create an Endpoint Protection point site system role
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Endpoint Protection point site system role must be installed before you can use
Endpoint Protection. It must be installed on one site system server only, and it must be
installed at the top of the hierarchy on a central administration site or a stand-alone
primary site.

Use one of the following procedures depending on whether you want to install a new
site system server for Endpoint Protection or use an existing site system server:

Install on a new site system server

Install on an existing site system server

) Important

When you install an Endpoint Protection point, an Endpoint Protection client is
installed on the server hosting the Endpoint Protection point. Services and scans
are disabled on this client to enable it to co-exist with any existing antimalware
solution that is installed on the server. If you later enable this server for
management by Endpoint Protection and select the option to remove any
third-party antimalware solution, the third-party product will not be removed. You
must uninstall this product manually.

Prerequisites
The endpoint protection point requires the following Windows Server features:

.NET Framework 3.5

Windows Defender feature (Windows Server 2016)

Windows Defender Antivirus feature (Windows Server 2019)

Microsoft Defender Antivirus feature (Windows Server 2022 or later)

For more information, see Site and site system prerequisites.


New site system server
1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, and then click
Servers and Site System Roles.

3. On the Home tab, in the Create group, click Create Site System Server.

4. On the General page, specify the general settings for the site system, and then
click Next.

5. On the System Role Selection page, select Endpoint Protection point in the list of
available roles, and then click Next.

6. On the Endpoint Protection page, select the I accept the Endpoint Protection
license terms check box, and then click Next.

) Important

You cannot use Endpoint Protection in Configuration Manager unless you
accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you
want to send to Microsoft to help develop new definitions, and then click Next.

7 Note

This option configures the Cloud Protection Service (formerly known as
Microsoft Active Protection Service or MAPS) settings that are used by default.
You can then configure custom settings for each antimalware policy you
create. Join Cloud Protection Service to help keep your computers more
secure by supplying Microsoft with malware samples that help Microsoft
keep antimalware definitions more up-to-date. Additionally, when you join
Cloud Protection Service, the Endpoint Protection client can use the dynamic
signature service to download new definitions before they are published to
Windows Update. For more information, see How to create and deploy
antimalware policies for Endpoint Protection.

8. Complete the wizard.


Existing site system server
1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, click Servers and
Site System Roles, and then select the server that you want to use for Endpoint
Protection.

3. On the Home tab, in the Server group, click Add Site System Roles.

4. On the General page, specify the general settings for the site system, and then
click Next.

5. On the System Role Selection page, select Endpoint Protection point in the list of
available roles, and then click Next.

6. On the Endpoint Protection page, select the I accept the Endpoint Protection
license terms check box, and then click Next.

) Important

You cannot use Endpoint Protection in Configuration Manager unless you
accept the license terms.

7. On the Cloud Protection Service page, select the level of information that you
want to send to Microsoft to help develop new definitions, and then click Next.

7 Note

This option configures the Cloud Protection Service settings (formerly known
as MAPS) that are used by default. You can configure custom settings for each
antimalware policy you configure. For more information, see How to create
and deploy antimalware policies for Endpoint Protection.

8. Complete the wizard.



Configure Alerts for Endpoint Protection in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can configure Endpoint Protection alerts in Microsoft Configuration Manager to
notify administrative users when specific events, such as a malware infection, occur in
your hierarchy. Notifications display in the Endpoint Protection dashboard in the
Configuration Manager console in the Alerts node of the Monitoring workspace, or can
be emailed to specified users.

Use the following steps and the supplemental procedures in this topic to configure
alerts for Endpoint Protection in Configuration Manager.

) Important

You must have the Enforce Security permission for collections to configure
Endpoint Protection alerts.

Steps to Configure Alerts for Endpoint Protection in Configuration Manager
1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, click Device Collections.

3. In the Device Collections list, select the collection for which you want to configure
alerts, and then on the Home tab, in the Properties group, click Properties.

7 Note

You cannot configure alerts for user collections.

4. On the Alerts tab of the <Collection Name> Properties dialog box, select View
this collection in the Endpoint Protection dashboard if you want to view details
about antimalware operations for this collection in the Monitoring workspace of
the Configuration Manager console.

7 Note

This option is unavailable for the All Systems collection.

5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add.

6. In the Add New Collection Alerts dialog box, in the Generate an alert when these
conditions apply section, select the alerts that you want Configuration Manager to
generate when the specified Endpoint Protection events occur, and then click OK.

7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and
then specify the following information:

Alert Name - Accept the default name or enter a new name for the alert.

Alert Severity - In the list, select the alert level to display in the Configuration
Manager console.

8. Depending on the alert that you select, specify the following additional
information:

Malware detection - This alert is generated if malware is detected on any
computer in the collection that you monitor. The Malware detection
threshold specifies the malware detection levels at which this alert is
generated:

High - All detections - The alert is generated when there are one or more
computers in the specified collection on which any malware is detected,
regardless of what action the Endpoint Protection client takes.

Medium - Detected, pending action - The alert is generated when there are
one or more computers in the specified collection on which malware is
detected, and you must manually remove the malware.

Low - Detected, still active - The alert is generated when there are one or
more computers in the specified collection on which malware is detected
and is still active.

Malware outbreak - This alert is generated if specified malware is detected
on a specified percentage of computers in the collection that you monitor.

Percentage of computers with malware detected - The alert is generated
when the percentage of computers with malware that is detected in the
collection exceeds the percentage that you specify. Specify a percentage
from 1 through 99.

7 Note

The percentage value is based on the number of computers in the
collection, but excludes computers that do not have a Configuration
Manager client installed. It includes computers that do not yet have
the Endpoint Protection client installed.

Repeated malware detection - This alert is generated if specific malware is
detected more than a specified number of times over a specified number of
hours on the computers in the collection that you monitor. Specify the
following information to configure this alert:

Number of times malware has been detected: The alert is generated
when the same malware is detected on computers in the collection more
than the specified number of times. Specify a number from 2 through 32.

Interval for detection (hours): Specify the detection interval (in hours) in
which the number of malware detections must occur. Specify a number
from 1 through 168.

Multiple malware detection - This alert is generated if more than a specified
number of malware types are detected over a specified number of hours on
computers in the collection that you monitor. Specify the following
information to configure this alert:

Number of malware types detected: The alert is generated when the
specified number of different malware types are detected on computers in
the collection. Specify a number from 2 through 32.

Interval for detection (hours): Specify the detection interval, in hours, in
which the number of malware detections must occur. Specify a number
from 1 through 168.

9. Click OK to close the <Collection Name> Properties dialog box.

Alert for outdated malware client
Beginning with Configuration Manager version 1702, you can configure an alert to
ensure Endpoint Protection clients are not outdated. From any device collection, you can
now add columns to the list for the following attributes: Antimalware Client Version and
Endpoint Protection Deployment State. For example, in the console navigate to Assets
and Compliance > Overview > Device Collections > All Desktops and Server Clients.
Right-click the column header and select those columns to add. To check for an alert,
view Alerts in the Monitoring workspace. If more than 20% of managed clients are
running an expired version of antimalware software, the Antimalware client version is
outdated alert is displayed. This alert doesn't appear on the Monitoring > Overview tab.
To update expired antimalware clients, enable software updates for antimalware clients.

To configure the percentage at which the alert is generated, expand Monitoring >
Alerts > All Alerts, double-click Antimalware clients out of date and modify the Raise
alert if percentage of managed clients with an outdated version of the antimalware
client is more than option.
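To make the thresholds concrete, the following added example models how each collection alert condition from the steps above (detection level, outbreak percentage, repeated detection, multiple malware types) and the outdated-client percentage are evaluated, run over a constructed set of detection records. It is not Configuration Manager code and does not read the site database; the property names, sample computers, threat names and timestamps are invented here for illustration, and the function names are this example's own.

```powershell
# Added example (not Configuration Manager code): evaluate the alert thresholds described
# above against constructed sample data.

# Constructed collection membership. CmClient = Configuration Manager client installed;
# AntimalwareExpired = antimalware client version is expired.
$Collection = @(
    [pscustomobject]@{ Computer = 'PC01'; CmClient = $true;  AntimalwareExpired = $false }
    [pscustomobject]@{ Computer = 'PC02'; CmClient = $true;  AntimalwareExpired = $true  }
    [pscustomobject]@{ Computer = 'PC03'; CmClient = $true;  AntimalwareExpired = $false }
    [pscustomobject]@{ Computer = 'PC04'; CmClient = $true;  AntimalwareExpired = $false }
    [pscustomobject]@{ Computer = 'PC05'; CmClient = $false; AntimalwareExpired = $false }  # no client: excluded from percentages
)

$Now = Get-Date '2024-01-15 12:00'
# Constructed detections. State is the client's result for the threat:
# Removed, PendingAction (manual removal needed) or Active (still present).
$Detections = @(
    [pscustomobject]@{ Computer = 'PC01'; Malware = 'Trojan:Win32/Sample.A';   Time = $Now.AddHours(-1);  State = 'Removed' }
    [pscustomobject]@{ Computer = 'PC02'; Malware = 'Trojan:Win32/Sample.A';   Time = $Now.AddHours(-2);  State = 'PendingAction' }
    [pscustomobject]@{ Computer = 'PC03'; Malware = 'Trojan:Win32/Sample.A';   Time = $Now.AddHours(-5);  State = 'Active' }
    [pscustomobject]@{ Computer = 'PC02'; Malware = 'Backdoor:Win32/Sample.C'; Time = $Now.AddHours(-3);  State = 'Removed' }
    [pscustomobject]@{ Computer = 'PC01'; Malware = 'Worm:Win32/Sample.B';     Time = $Now.AddHours(-30); State = 'Removed' }
)

function Test-MalwareDetectionAlert {
    # High = any detection; Medium = detected, pending manual action; Low = detected, still active.
    param($Detections, [ValidateSet('High', 'Medium', 'Low')][string]$Threshold)
    $hits = switch ($Threshold) {
        'High'   { $Detections }
        'Medium' { $Detections | Where-Object State -eq 'PendingAction' }
        'Low'    { $Detections | Where-Object State -eq 'Active' }
    }
    return [bool]($hits | Select-Object -First 1)
}

function Test-MalwareOutbreakAlert {
    # Percentage of members with any detection. Members without a Configuration Manager
    # client are excluded; members without the Endpoint Protection client still count.
    param($Collection, $Detections, [ValidateRange(1, 99)][int]$Percent)
    $clients  = @($Collection | Where-Object CmClient).Count
    $infected = @($Detections | Select-Object -ExpandProperty Computer -Unique).Count
    $pct = if ($clients -gt 0) { 100 * $infected / $clients } else { 0 }
    [pscustomobject]@{ InfectedPercent = [math]::Round($pct, 1); Alert = ($pct -gt $Percent) }
}

function Test-RepeatedMalwareAlert {
    # Same malware detected more than $Times times within the last $Hours hours.
    param($Detections, [ValidateRange(2, 32)][int]$Times, [ValidateRange(1, 168)][int]$Hours, [datetime]$Now)
    $since = $Now.AddHours(-$Hours)
    $Detections | Where-Object { $_.Time -ge $since } | Group-Object Malware |
        Where-Object Count -gt $Times |
        ForEach-Object { [pscustomobject]@{ Malware = $_.Name; Detections = $_.Count; Alert = $true } }
}

function Test-MultipleMalwareAlert {
    # More than $Types distinct malware types detected within the last $Hours hours.
    param($Detections, [ValidateRange(2, 32)][int]$Types, [ValidateRange(1, 168)][int]$Hours, [datetime]$Now)
    $since = $Now.AddHours(-$Hours)
    $distinct = @($Detections | Where-Object { $_.Time -ge $since } |
        Select-Object -ExpandProperty Malware -Unique).Count
    [pscustomobject]@{ DistinctTypes = $distinct; Alert = ($distinct -gt $Types) }
}

function Test-OutdatedClientAlert {
    # Antimalware client outdated on more than $Percent of managed clients (docs default: 20).
    param($Collection, [int]$Percent = 20)
    $managed = @($Collection | Where-Object CmClient)
    $expired = @($managed | Where-Object AntimalwareExpired).Count
    $pct = if ($managed.Count -gt 0) { 100 * $expired / $managed.Count } else { 0 }
    [pscustomobject]@{ OutdatedPercent = [math]::Round($pct, 1); Alert = ($pct -gt $Percent) }
}

# Evaluate the constructed data against sample thresholds.
Test-MalwareDetectionAlert -Detections $Detections -Threshold 'Medium'
Test-MalwareOutbreakAlert  -Collection $Collection -Detections $Detections -Percent 50
Test-RepeatedMalwareAlert  -Detections $Detections -Times 2 -Hours 24 -Now $Now
Test-MultipleMalwareAlert  -Detections $Detections -Types 2 -Hours 24 -Now $Now   # 24 h window
Test-MultipleMalwareAlert  -Detections $Detections -Types 2 -Hours 48 -Now $Now   # wider window also counts Sample.B
Test-OutdatedClientAlert   -Collection $Collection
```

The two Test-MultipleMalwareAlert calls show why the detection interval matters: the 30-hour-old Sample.B detection only counts toward the type total once the window is widened to 48 hours.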



Configure definition updates for Endpoint Protection
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

With Endpoint Protection in Configuration Manager, you can use any of several available
methods to keep antimalware definitions up to date on client computers in your
hierarchy. The information in this topic can help you to select and configure these
methods.

To update antimalware definitions, you can use one or more of the following methods:

Updates distributed from Configuration Manager - This method uses
Configuration Manager software updates to deliver definition and engine updates
to computers in your hierarchy.

Updates distributed from Windows Server Update Services (WSUS) - This method
uses your WSUS infrastructure to deliver definition and engine updates to
computers.

Updates distributed from Microsoft Update - This method allows computers to
connect directly to Microsoft Update in order to download definition and engine
updates. This method can be useful for computers that are not often connected to
the business network.

Updates distributed from Microsoft Malware Protection Center - This method will
download definition updates from the Microsoft Malware Protection Center.

Updates from UNC file shares - With this method, you can save the latest definition
and engine updates to a share on the network. Clients can then access the network
to install the updates.

You can configure multiple definition update sources and control the order in
which they are assessed and applied. This is done in the Configure Definition
Update Sources dialog box when you create an antimalware policy.

) Important

For Windows 10 or later PCs, you must configure Endpoint Protection to update
malware definitions for Windows Defender.

How to Configure Definition Update Sources
Use the following procedure to configure the definition update sources to use for each
antimalware policy.

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. Open the properties page of the Default Antimalware Policy or create a new
antimalware policy. For more information about how to create antimalware
policies, see How to create and deploy antimalware policies for Endpoint
Protection.

4. In the Security Intelligence updates section of the antimalware properties dialog
box, click Set Source.

The Definition updates section was renamed to Security Intelligence
updates starting in Configuration Manager version 1902.

5. In the Configure Definition Update Sources dialog box, select the sources to use
for definition updates. You can click Up or Down to modify the order in which
these sources are used.

6. Click OK to close the Configure Definition Update Sources dialog box.
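On a Windows 10 or later client you can confirm which sources are in effect, and in which order, after the antimalware policy applies. The block below is an added example, not Configuration Manager code. It assumes that on these clients Endpoint Protection manages Microsoft Defender Antivirus (as the Important note above implies) so the effective order is readable through the Defender PowerShell module's Get-MpPreference and Get-MpComputerStatus, and that the Defender source names (for example InternalDefinitionUpdateServer for WSUS/Configuration Manager, MicrosoftUpdateServer, MMPC, FileShares) correspond to the sources listed in this article; the function names, the freshness threshold and the expected order used in the call are this example's own.

```powershell
# Added example (not Configuration Manager code): report the client's effective definition
# update sources and signature age, and compare the source order with the policy's order.

function Get-DefinitionUpdateState {
    param([int]$MaxSignatureAgeDays = 3)   # assumed freshness threshold for this report
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # SignatureFallbackOrder is a '|'-separated list that the client tries in order.
    $order = @(($pref.SignatureFallbackOrder -split '\|') | Where-Object { $_ })
    [pscustomobject]@{
        FallbackOrder        = $order
        UncShares            = $pref.SignatureDefinitionUpdateFileSharesSources
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        Stale                = ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
    }
}

function Test-DefinitionSourceOrder {
    # Position-by-position comparison of the client's order with the order set in the policy
    # (-SyncWindow 0 makes Compare-Object treat a reordering as a difference).
    param([string[]]$Expected, [string[]]$Actual)
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $Actual -SyncWindow 0
    [pscustomobject]@{
        Matches  = (-not $diff)
        Expected = ($Expected -join ' > ')
        Actual   = ($Actual -join ' > ')
    }
}

$state = Get-DefinitionUpdateState
$state | Format-List
# Assumed policy order for this example: Configuration Manager / WSUS first, then Microsoft Update.
Test-DefinitionSourceOrder -Expected @('InternalDefinitionUpdateServer', 'MicrosoftUpdateServer') `
    -Actual $state.FallbackOrder
```

A source that is missing from FallbackOrder will never be tried by that client, and a UNC source only works if it also appears in UncShares, so both fields are worth checking when a collection's definitions lag.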

Configure Endpoint Protection definitions
Updates distributed from Configuration Manager - This method uses
Configuration Manager software updates to deliver definition and engine updates
to computers in your hierarchy.

Updates distributed from Windows Server Update Services (WSUS) - This method
uses your WSUS infrastructure to deliver definition and engine updates to
computers.

Updates distributed from Microsoft Update - This method allows computers to
connect directly to Microsoft Update in order to download definition and engine
updates. This method can be useful for computers that are not often connected to
the business network.

Updates distributed from Microsoft Malware Protection Center - This method will
download definition updates from the Microsoft Malware Protection Center.

Updates from UNC file shares - With this method, you can save the latest definition
and engine updates to a share on the network. Clients can then access the network
to install the updates.



Use Configuration Manager to deliver definition updates
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can configure Configuration Manager software updates to automatically deliver
definition updates to client computers. Before you begin to create automatic
deployment rules, make sure to configure Configuration Manager software updates. For
more information, see Introduction to software updates.

7 Note

This procedure is specific to Endpoint Protection. For more general information
about automatic deployment rules, see Automatically deploy software updates.

1. In the Configuration Manager console, go to the Software Library workspace.
Expand Software Updates, and then select Automatic Deployment Rules.

2. On the Home tab of the ribbon, in the Create group, select Create Automatic
Deployment Rule.

3. On the General page of the Create Automatic Deployment Rule Wizard, specify
the following information:

Name: Enter a unique name for the automatic deployment rule.

Collection: Select the device collection to which you want to deploy
definition updates.

7 Note

You can't deploy definition updates to a user collection.

4. Select Add to an existing Software Update Group.

5. Select Enable the deployment after this rule is run.

6. On the Deployment Settings page of the wizard, for the Detail level, select Only
error messages.

7 Note

When you select Only error messages, it reduces the number of state
messages that the definition deployment sends. This configuration helps
reduce the CPU processing on the Configuration Manager servers.

7. On the Software Updates page:

a. Select the Update Classification property filter. In the Search criteria list, select
<items to find>.

In the Search Criteria window, select Definition Updates, then select OK.

b. Select the Product property filter. In the Search criteria list, select <items to
find>.

In the Search Criteria window, select System Center Endpoint Protection for
Windows 8.1 and earlier or Windows Defender for Windows 10 and later, then
select OK.

Note

Optionally, you can filter out superseded updates. Select the Superseded
property filter. In the Search criteria list, select <items to find>. In the Search
Criteria window, select No, then select OK.

8. On the Evaluation Schedule page of the wizard, select Run the rule after any
software update point synchronization.

9. On the Deployment Schedule page of the wizard, configure the following settings:

Time based on: If you want all clients to install the latest definitions at the
same time, select UTC. The actual installation time will vary within two hours.

Software available time: Specify the available time for the deployment that
this rule creates. The specified time must be at least one hour after the
automatic deployment rule runs. This configuration makes sure that the
content has sufficient time to replicate to the distribution points. Some
definition updates might also include antimalware engine updates, which
might take longer to reach distribution points.

Installation deadline: Select As soon as possible.

Note

Software update deadlines vary over a two-hour period. This behavior
prevents all clients from requesting an update at the same time.

10. On the User Experience page of the wizard, for User notifications, select Hide in
Software Center and all notifications. With this configuration, the definition
updates install silently.

11. On the Deployment Package page of the wizard, select an existing deployment
package or create a new one.

Note

Consider placing definition updates in a package that doesn't contain other
software updates. This strategy keeps the size of the definition update
package smaller, which allows it to replicate to distribution points more
quickly.

12. If you create a new deployment package, on the Distribution Points page of the
wizard, select one or more distribution points. The site copies the content for this
package to these distribution points.

13. On the Download Location page, select Download software updates from the
Internet.

14. On the Language Selection page, select each language version of the updates to
download.

15. On the Download Settings page, select the necessary software updates download
behavior.

16. Complete the wizard.

Verify that the Automatic Deployment Rules node of the Configuration Manager
console displays the new rule.
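The same rule can be created without the wizard. The following script is an added example, not code from the original article: it builds the definition-update ADR with the settings chosen in steps 3 to 16 above by using the ConfigurationManager PowerShell module that ships with the console. The site code (PS1), the collection name, the existing deployment package name and the product name 'Windows Defender' (shown as Microsoft Defender Antivirus in newer consoles) are assumptions; check the parameter names against Get-Help New-CMSoftwareUpdateAutoDeploymentRule -Full for your console version.

```powershell
# Added example (not from the original article). Assumed values: site code PS1,
# collection "All Desktop and Server Clients", an existing deployment package
# named "Definition Updates" that holds only definitions.
$SiteCode    = 'PS1'
$Collection  = 'All Desktop and Server Clients'
$PackageName = 'Definition Updates'

# Load the module from the console install and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

$adrParams = @{
    Name                             = 'Endpoint Protection Definition Updates'
    Description                      = 'Delivers Defender/SCEP definitions after every SUP sync'
    CollectionName                   = $Collection
    AddToExistingSoftwareUpdateGroup = $true                  # step 4
    EnabledAfterCreate               = $true                  # step 5
    VerboseLevel                     = 'OnlyErrorMessages'    # step 6: fewer state messages
    UpdateClassification             = 'Definition Updates'   # step 7a
    Product                          = 'Windows Defender'     # step 7b; SCEP clients: 'System Center Endpoint Protection'
    Superseded                       = $false                 # step 7 note: skip superseded definitions
    RunType                          = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization' # step 8
    UseUtc                           = $true                  # step 9: all clients on the same clock
    AvailableTime                    = 1                      # one hour for content to reach the DPs
    AvailableTimeUnit                = 'Hours'
    DeadlineImmediately              = $true                  # installation deadline: as soon as possible
    UserNotification                 = 'HideAll'              # step 10: silent install
    DeploymentPackageName            = $PackageName           # step 11: existing dedicated package
    DownloadFromInternet             = $true                  # step 13
    Language                         = 'English'              # step 14
    DeployWithoutLicense             = $true
}
# For a new package, also pass -Location (UNC source) and -DistributionPointName (step 12).
$null = New-CMSoftwareUpdateAutoDeploymentRule @adrParams

# Check that the rule exists and is enabled (the verification step above).
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name |
    Select-Object Name, AutoDeploymentEnabled, LastRunTime

# Optionally run it now instead of waiting for the next software update point sync.
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name
```

Run it from a console-installed machine with an account that has the Software Update Manager role; the deployment it creates is visible under the rule's Deployments tab, exactly as for a wizard-created rule.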

Next step: Create and deploy antimalware policies


Enable Endpoint Protection malware
definitions to download from WSUS for
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you use WSUS to keep your antimalware definitions up to date, you can configure it to
auto-approve definition updates. Although using Configuration Manager software
updates is the recommended method to keep definitions up to date, you can also
configure WSUS as a method to allow users to manually update definitions. Use the
following procedures to configure WSUS as a definition update source.

Synchronize definition updates for Configuration Manager

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and then select Sites.

2. Select the site that contains your software update point. In the Settings group of
the ribbon, select Configure Site Components, and then select Software Update
Point.

3. In the Software Update Point Component Properties window, switch to the
Classifications tab. Select Definition Updates.

4. To specify the Products updated with WSUS, switch to the Products tab.

For Windows 10 and later: Under Microsoft > Windows, select Microsoft
Defender Antivirus.

For Windows 8.1 and earlier: Under Microsoft > Forefront, select System
Center Endpoint Protection.

5. Select OK to close the Software Update Point Component Properties window.

Approve definition updates

Endpoint Protection definition updates must be approved and downloaded to the
WSUS server before they're offered to clients that request the list of available updates.
Clients connect to the WSUS server to check for applicable updates and then request
the latest approved definition updates.

Approve definitions and updates in WSUS

1. In the WSUS administration console, select Updates. Then select All Updates or
the classification of updates that you want to approve.

2. In the list of updates, right-click the update or updates you want to approve for
installation, and then select Approve.

3. In the Approve Updates window, select the computer group for which you want to
approve the updates, and then select Approved for Install.

Configure an automatic approval rule

You can also set an automatic approval rule for definition updates and Endpoint
Protection updates. This action configures WSUS to automatically approve Endpoint
Protection definition updates downloaded by WSUS.

1. In the WSUS administration console, select Options, and then select Automatic
Approvals.

2. On the Update Rules tab, select New Rule.

3. In the Add Rule window, under Step 1: Select properties, select the option: When
an update is in a specific classification.

a. Under Step 2: Edit the properties, select any classification.

b. Clear all options except Definition Updates, and then select OK.

4. In the Add Rule window, under Step 1: Select properties, select the option: When
an update is in a specific product.

a. Under Step 2: Edit the properties, select any product.

b. Clear all options except System Center Endpoint Protection for Windows 8.1
and earlier or Windows Defender for Windows 10 and later. Then select OK.

5. Under Step 3: Specify a name, enter a name for the rule, and then select OK.

6. In the Automatic Approvals dialog box, select the newly created rule, and then
select Run rule.

Note

To maximize performance on your WSUS server and client computers, decline old
definition updates. To accomplish this task, you can configure automatic approval
for revisions and automatic declining of expired updates. For more information, see
Microsoft Support article 938947.
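The approval rule above and the note about declining old definitions can be scripted together against the WSUS administration API (the same interfaces the WSUS console calls). This is an added example, not part of the original article: it approves every current definition update for one target group and declines the superseded ones. It assumes it runs on the WSUS server with the UpdateServices module available, that a computer target group named "Workstations" exists, and that the product titles in your catalog are among those in $products (check $u.ProductTitles if nothing is matched).

```powershell
# Added example (not from the original article). Assumed: local WSUS server,
# target group "Workstations", product titles as listed in $products.
Import-Module UpdateServices
$wsus  = Get-WsusServer                           # localhost, default port
$group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq 'Workstations'
if (-not $group) { throw "Target group 'Workstations' not found" }

$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$products = @('Windows Defender', 'Microsoft Defender Antivirus', 'System Center Endpoint Protection')

# Every definition update that is not already declined. GetUpdates() walks the
# whole catalog; on a large server pass an UpdateScope instead.
$defs = $wsus.GetUpdates() | Where-Object {
    $_.UpdateClassificationTitle -eq 'Definition Updates' -and
    -not $_.IsDeclined -and
    ($_.ProductTitles | Where-Object { $products -contains $_ })
}

$approved = 0; $declined = 0
foreach ($u in $defs) {
    if ($u.IsSuperseded) {
        # Old definitions only slow down WSUS and client scans: decline them (KB 938947).
        $u.Decline(); $declined++
        continue
    }
    if (-not $u.IsApproved($group)) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        $null = $u.Approve($install, $group)
        $approved++
    }
}
"Approved $approved definition update(s); declined $declined superseded one(s)."
```

Schedule it to run after each WSUS synchronization so that clients only ever see the newest approved definitions; the automatic approval rule in the console does not decline what it has already approved, so the decline step is what keeps the catalog small.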

Next step: Create and deploy antimalware policies


Enable Endpoint Protection malware
definitions to download from Microsoft
Updates
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you select to download definition updates from Microsoft Update, clients will
check the Microsoft Update site at the interval defined in the Security Intelligence
updates section of the antimalware policy dialog box.

This method can be useful when the client does not have connectivity to the
Configuration Manager site or when you want users to be able to initiate definition
updates.

Important

Clients must have access to Microsoft Update on the Internet to be able to
use this method to download definition updates.

The Definition updates section was renamed to Security Intelligence updates
starting in Configuration Manager version 1902.

Using the Microsoft Malware Protection Center to Download Definitions

You can configure clients to download definition updates from the Microsoft Malware
Protection Center. This option is used by Endpoint Protection clients to download
definition updates if they have not been able to download updates from another source.
This update method can be useful if there is a problem with your Configuration
Manager infrastructure that prevents the delivery of updates.

Important

Clients must have access to Microsoft Update on the Internet to be able to use this
method to download definition updates.


Use the Microsoft Malware Protection
Center to download definitions
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can configure clients to download definition updates from the Microsoft Malware
Protection Center. This option is used by Endpoint Protection clients to download
definition updates if they have not been able to download updates from another source.
This update method can be useful if there is a problem with your Configuration
Manager infrastructure that prevents the delivery of updates.

Important

Clients must have access to Microsoft Update on the Internet to be able to use this
method to download definition updates.



Enable Endpoint Protection malware
definitions to download from a network
share
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can manually download the latest definition updates from Microsoft and then
configure clients to download these definitions from a shared folder on the network.
Users can also initiate definition updates when you use this update source.

Note

Clients must have read access to the shared folder to be able to download
definition updates.

For more information about how to download the definition and engine updates to
store on the file share, see Install the latest Microsoft antimalware and antispyware
software.

To configure definition downloads from a file share

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. Open the properties page of the Default Antimalware Policy or create a new
antimalware policy. For more information about how to create antimalware
policies, see How to create and deploy antimalware policies for Endpoint
Protection.

4. In the Security Intelligence updates section of the antimalware properties dialog
box, click Set Source.

The Definition updates section was renamed to Security Intelligence
updates starting in Configuration Manager version 1902.

5. In the Configure Definition Update Sources dialog box, select Updates from UNC
file shares.

6. Click OK to close the Configure Definition Update Sources dialog box.

7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box,
add one or more UNC paths to the location of the definition updates files on a
network share.

8. Click OK to close the Configure Definition Update UNC Paths dialog box.
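Whatever is placed on that share runs as SYSTEM on every client that points at it, so the publishing side deserves as much care as the policy. The following script is an added example, not part of the original article: it downloads the current definition package to a staging folder, refuses to publish it unless its Authenticode signature is valid and issued to Microsoft, and only then moves it into the folder the UNC path in step 7 refers to. The share name and path (\\FS01\Definitions$ backed by D:\Definitions), the domain groups, the x64 subfolder layout and the download link (the x64 mpam-fe.exe link from the Microsoft page referenced above) are assumptions; confirm the link and the expected folder layout on that page before relying on them.

```powershell
# Added example (not from the original article). Assumed: share Definitions$ on
# D:\Definitions, clients are domain computers, publishing account svc-defpublish.
$Root    = 'D:\Definitions'
$Share   = 'Definitions$'
$Url     = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'   # assumption: mpam-fe.exe, x64
$Staging = Join-Path $Root 'staging'
$Target  = Join-Path $Root 'x64'          # assumed layout; policy UNC path points here

New-Item -ItemType Directory -Force -Path $Staging, $Target | Out-Null

# One-time share setup: clients need read access only (the note above);
# only the publishing account may write.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root `
                 -ReadAccess 'CONTOSO\Domain Computers' `
                 -FullAccess 'CONTOSO\svc-defpublish' | Out-Null
}

# Download into staging, never straight into the folder clients read from.
$file = Join-Path $Staging 'mpam-fe.exe'
Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing

# Refuse to publish anything that is not validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item $file -Force
    throw "Signature check failed ($($sig.Status)); package not published"
}

# Same volume, so the move is a rename: clients never see a half-written file.
$published = Join-Path $Target 'mpam-fe.exe'
Move-Item -Path $file -Destination $published -Force
$hash = (Get-FileHash -Path $published -Algorithm SHA256).Hash
Write-Host "Published $published SHA256=$hash"

# On a client, after policy has refreshed, confirm the source list and pull from it:
#   Get-MpPreference | Select-Object SignatureFallbackOrder, SignatureDefinitionUpdateFileSharesSources
#   Update-MpSignature -UpdateSource FileShares
```

Keep the share's write ACL to the publishing account alone; an exclusion or a world-writable definitions share is the same class of weakness, because the client trusts whatever it finds there.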



How to create and deploy antimalware
policies for Endpoint Protection in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can deploy antimalware policies to collections of Configuration Manager client
computers to specify how Endpoint Protection protects them from malware and other
threats. These policies include information about the scan schedule, the types of files
and folders to scan, and the actions to take when malware is detected. When you enable
Endpoint Protection, a default antimalware policy is applied to client computers. You can
also use one of the supplied policy templates or create a custom policy to meet the
specific needs of your environment.

Configuration Manager supplies a selection of predefined templates. These are
optimized for various scenarios and can be imported into Configuration Manager. These
templates are available in the folder <ConfigMgr Install
Folder>\AdminConsole\XMLStorage\EPTemplates.

Important

If you create a new antimalware policy and deploy it to a collection, this
antimalware policy overrides the default antimalware policy.

Use the procedures in this topic to create or import antimalware policies and assign
them to Configuration Manager client computers in your hierarchy.

Note

Before you perform these procedures, ensure that Configuration Manager is
configured for Endpoint Protection as described in Configuring Endpoint
Protection.

Modify the default antimalware policy

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. Select the antimalware policy Default Client Antimalware Policy and then, on the
Home tab, in the Properties group, click Properties.

4. In the Default Antimalware Policy dialog box, configure the settings that you
require for this antimalware policy, and then click OK.

Note

For a list of settings that you can configure, see List of Antimalware Policy
Settings in this topic.

Create a new antimalware policy

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. On the Home tab, in the Create group, click Create Antimalware Policy.

4. In the General section of the Create Antimalware Policy dialog box, enter a name
and a description for the policy.

5. In the Create Antimalware Policy dialog box, configure the settings that you
require for this antimalware policy, and then click OK. For a list of settings that you
can configure, see List of Antimalware Policy Settings.

6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Import an antimalware policy

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. In the Home tab, in the Create group, click Import.

4. In the Open dialog box, browse to the policy file to import, and then click Open.

5. In the Create Antimalware Policy dialog box, review the settings to use, and then
click OK.

6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

Deploy an antimalware policy to client computers

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. In the Antimalware Policies list, select the antimalware policy to deploy. Then, on
the Home tab, in the Deployment group, click Deploy.

Note

The Deploy option cannot be used with the Default Client Antimalware Policy. That
policy applies automatically to every client that doesn't receive a deployed
custom policy.

4. In the Select Collection dialog box, select the device collection to which you want
to deploy the antimalware policy, and then click OK.

List of Antimalware Policy Settings

Many of the antimalware settings are self-explanatory. Use the following sections for
more information about the settings that might require more information before you
configure them.

Scheduled Scans Settings
Scan Settings
Default Actions Settings
Real-time Protection Settings
Exclusion Settings
Advanced Settings
Threat Overrides Settings
Cloud Protection Service
Definition Updates Settings

Scheduled Scans Settings

Scan type - You can specify one of two scan types to run on client computers:

Quick scan - This type of scan checks the in-memory processes and folders where
malware is typically found. It requires fewer resources than a full scan.

Full Scan - This type of scan adds a full check of all local files and folders to the
items scanned in the quick scan. This scan takes longer than a quick scan and uses
more CPU processing and memory resources on client computers.

In most cases, use Quick scan to minimize the use of system resources on client
computers. If malware removal requires a full scan, Endpoint Protection generates
an alert that is displayed in the Configuration Manager console. The default value
is Quick scan.

Note

When scheduling scans for times when endpoints are not in use, it's important to
note that the CPU throttling configuration is not honored. Scans will take full
advantage of available resources to complete as quickly as possible.

Scan Settings

Scan email and email attachments - Set to Yes to turn on e-mail scanning.

Scan removable storage devices such as USB drives - Set to Yes to scan removable
drives during full scans.

Scan network files - Set to Yes to scan network files.

Scan mapped network drives when running a full scan - Set to Yes to scan any mapped
network drives on client computers. Enabling this setting might significantly increase the
scan time on client computers.

The Scan network files setting must be set to Yes for this setting to be available to
configure.

By default, this setting is set to No, meaning that a full scan will not access
mapped network drives.

Scan archived files - Set to Yes to scan archived files such as .zip or .rar files.

Allow users to configure CPU usage during scans - Set to Yes to allow users to specify
maximum percentage of CPU utilization during a scan. Scans will not always use the
maximum load defined by users, but they cannot exceed it.

User control of scheduled scans - Specify level of user control. Allow users to set Scan
time only or Full control of antivirus scans on their devices.

Default Actions Settings

Select the action to take when malware is detected on client computers. The following
actions can be applied, depending on the alert threat level of the detected malware.

Recommended - Use the action recommended in the malware definition file.

Quarantine - Quarantine the malware but do not remove it.

Remove - Remove the malware from the computer.

Allow - Do not remove or quarantine the malware.

Real-time Protection Settings

Enable real-time protection - Set to Yes to configure real-time protection settings for
client computers. We recommend that you enable this setting.

Monitor file and program activity on your computer - Set to Yes if you want Endpoint
Protection to monitor when files and programs start to run on client computers and to
alert you about any actions that they perform or actions taken on them.

Scan system files - This setting lets you configure whether incoming, outgoing, or
incoming and outgoing system files are monitored for malware. For performance reasons,
you might have to change the default value of Scan incoming and outgoing files if a
server has high incoming or outgoing file activity.

Enable behavior monitoring - Enable this setting to use computer activity and file data
to detect unknown threats. When this setting is enabled, it might increase the time
required to scan computers for malware.

Enable protection against network-based exploits - Enable this setting to protect
computers against known network exploits by inspecting network traffic and blocking
any suspicious activity.

Enable script scanning - For Configuration Manager with no service pack only. Enable
this setting if you want to scan any scripts that run on computers for suspicious
activity.

Block Potentially Unwanted Applications at download and prior to installation -
Potentially Unwanted Applications (PUA) is a threat classification based on reputation
and research-driven identification. Most commonly, these are unwanted application
bundlers or their bundled applications.

Microsoft Edge also provides settings to block potentially unwanted applications.
Explore these options for complete protection against unwanted applications.

This protection policy setting is available and set to Enabled by default. When
enabled, this setting blocks PUA at download and install time. However, you can
exclude specific files or folders to meet the specific needs of your business or
organization.

Starting in Configuration Manager version 2107, you can select to Audit this setting.
Use PUA protection in audit mode to detect potentially unwanted applications without
blocking them. PUA protection in audit mode is useful if your company would like to
gauge the impact that enabling PUA protection will have in your environment. Enabling
protection in audit mode allows you to determine the impact to your endpoints prior
to enabling the protection in block mode.

Exclusion Settings

For information about folders, files, and processes that are recommended for exclusion
in Configuration Manager 2012 and Current Branch, see Recommended antivirus
exclusions for Configuration Manager 2012 and current branch site servers, site systems,
and clients.

Excluded files and folders:

Click Set to open the Configure File and Folder Exclusions dialog box and specify the
names of the files and folders to exclude from Endpoint Protection scans.

If you want to exclude files and folders that are located on a mapped network drive,
specify the name of each folder in the network drive individually. For example, if a
network drive is mapped as F:\MyFolder and it contains subfolders named Folder1,
Folder2 and Folder 3, specify the following exclusions:

F:\MyFolder\Folder1
F:\MyFolder\Folder2
F:\MyFolder\Folder3

Beginning in version 1602, the existing Exclude files and folders setting in the Exclusion
settings section of an antimalware policy is improved to allow device exclusions. For
example, you can now specify the following as an exclusion: \device\mvfs (for
Multiversion File System). The policy does not validate the device path; the Endpoint
Protection policy is provided to the antimalware engine on the client which must be
able to interpret the device string.

Excluded file types:

Click Set to open the Configure File Type Exclusions dialog box and specify the file
extensions to exclude from Endpoint Protection scans. You can use wildcards when
defining items in the exclusion list. For more information, see Use wildcards in the file
name and folder path or extension exclusion lists.

Excluded processes:

Click Set to open the Configure Process Exclusions dialog box and specify the
processes to exclude from Endpoint Protection scans. You can use wildcards when
defining items in the exclusion list, however, there are some limitations. For more
information, see Use wildcards in the process exclusion list

Note

When a device is targeted with two or more Antimalware Policies, the settings for
antivirus exclusions will merge before being applied to the client.
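Because exclusions from every policy that targets a device are merged, the set a client actually enforces can be wider than any single policy suggests, and every excluded path, extension or process is a place where malware runs unscanned. The following function is an added example, not part of the original article: it reads the effective exclusions on a client with Get-MpPreference and flags the entries a policy author rarely means to ship. The "risky" patterns and lists are this example's own choices, not anything the article defines; tune them to your environment.

```powershell
# Added example (not from the original article). Reads the merged exclusions that
# are in effect on this client and reports the ones that look too broad.
function Get-EffectiveExclusionReport {
    param(
        # Live settings by default; pass an object saved with Export-Clixml for offline review.
        $Preference = (Get-MpPreference)
    )

    $report = New-Object System.Collections.Generic.List[object]

    # Locations that any user, or a compromised service, can write to (example's own list).
    $userWritable = '^(?:[A-Z]:\\(?:Users|ProgramData|Windows\\Temp|Temp)\b|\\\\)'

    foreach ($p in @($Preference.ExclusionPath | Where-Object { $_ })) {
        $why = switch -Regex ($p) {
            '^[A-Z]:\\?$'      { 'whole drive excluded'; break }
            '^\\\\[^\\]+\\?$'  { 'whole UNC host excluded'; break }
            '^\*'              { 'leading wildcard matches everywhere'; break }
            $userWritable      { 'user-writable location'; break }
            default            { $null }
        }
        if ($why) { $report.Add([pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $why }) }
    }

    # Extension exclusions are matched on the name only; executable types are never safe.
    $dangerousExt = 'exe','dll','ps1','vbs','js','bat','cmd','scr','com','hta','msi'
    foreach ($e in @($Preference.ExclusionExtension | Where-Object { $_ })) {
        if ($dangerousExt -contains $e.TrimStart('.').ToLower()) {
            $report.Add([pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable file type' })
        }
    }

    # A process exclusion also exempts every file that process opens.
    $dangerousProc = 'powershell.exe','cmd.exe','wscript.exe','cscript.exe',
                     'mshta.exe','rundll32.exe','explorer.exe','svchost.exe'
    foreach ($pr in @($Preference.ExclusionProcess | Where-Object { $_ })) {
        $leaf = Split-Path -Path $pr -Leaf
        if ($dangerousProc -contains $leaf.ToLower() -or $pr -match '\*') {
            $report.Add([pscustomobject]@{ Type = 'Process'; Value = $pr; Reason = 'LOLBin or wildcard process' })
        }
    }
    return $report
}

Get-EffectiveExclusionReport | Format-Table -AutoSize
```

Run it on a representative member of each collection after policy refresh; an empty report means the merged policies contain nothing on these lists, not that every exclusion is justified. Note that the Configuration Manager console shows each policy's exclusions separately, so the merged view only exists on the client.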

Advanced Settings

Enable reparse point scanning - Set to Yes if you want Endpoint Protection to scan
NTFS reparse points.

For more information about reparse points, see Reparse Points in the Windows Dev
Center.

Randomize the scheduled scan start times (within 30 minutes) - Set to Yes to help
avoid flooding the network, which can occur if all computers send their antimalware
scans results to the Configuration Manager database at the same time. For Windows
Defender Antivirus, this randomizes the scan start time to any interval from 0 to 4 hours,
or for FEP and SCEP, to any interval plus or minus 30 minutes. This can be useful in VM
or VDI deployments. This setting is also useful when you run multiple virtual machines
on a single host. Select this option to reduce the amount of simultaneous disk access for
antimalware scanning.

Beginning in version 1602 of Configuration Manager, the antimalware engine may
request file samples to be sent to Microsoft for further analysis. By default, it will always
prompt before it sends such samples. Administrators can now manage the following
settings to configure this behavior:

Enable auto sample file submission to help Microsoft determine whether certain
detected items are Malicious - Set to Yes to enable auto sample file submission. By
default, this setting is No which means auto sample file submission is disabled and users
are prompted before sending samples.

Allow users to modify auto sample file submission settings - This determines whether
a user with local admin rights on a device can change the auto sample file submission
setting in the client interface. By default, this setting is "No" which means it can only be
changed from the Configuration Manager console, and local admins on a device cannot
change this configuration.

[Screenshot in the original article: the setting enabled by the administrator and
greyed out so that the user can't change it.]

Threat Overrides Settings

Threat name and override action - Click Set to customize the remediation action to
take for each threat ID when it is detected during a scan.

Note

The list of threat names might not be available immediately after the configuration
of Endpoint Protection. Wait until the Endpoint Protection point has synchronized
the threat information, and then try again.

Cloud Protection Service

Cloud Protection Service enables the collection of information about detected malware
on managed systems and the actions taken. This information is sent to Microsoft.

Cloud Protection Service membership

Do not join Cloud Protection Service - No information is sent

Basic - Collect and send lists of detected malware

Advanced - Basic information as well as more comprehensive information that
could contain personal information. For example, file paths and partial memory
dumps.

Allow users to modify Cloud Protection Service settings - Toggles user control of
Cloud Protection Service settings.

Level for blocking suspicious files - Specify the level at which the Endpoint Protection
Cloud Protection Service will block suspicious files.

Normal - The default Windows Defender blocking level

High - Aggressively blocks unknown files while optimizing for performance
(greater chance of blocking non-harmful files)

High with extra protection - Aggressively blocks unknown files and applies
additional protection measures (might impact client device performance)

Block unknown programs - Blocks all unknown programs

Allow extended cloud check to block and scan for up to (seconds) - Specifies the
number of seconds Cloud Protection Service can block a file while the service checks
that the file is not known to be malicious.

Note

The number of seconds that you select for this setting is in addition to a default 10-
second timeout. For example, if you enter 0 seconds, the Cloud Protection Service
blocks the file for 10 seconds.

Details of Cloud Protection Service reporting

When Windows Defender updates virus and spyware protection or definition files
Data collected or sent: version of virus and spyware definitions; virus and spyware
protection version.
Use of data: Microsoft uses this information to ensure the latest virus and spyware
updates are present on computers. If not present, Windows Defender updates
automatically so computer protection stays up-to-date.

If Windows Defender finds potentially harmful or unwanted software on computers
Data collected or sent: name of potentially harmful or unwanted software; how the
software was found; any actions that Windows Defender took to deal with the
software; files affected by the software; information about the computer from the
manufacturer (Sysconfig, SysModel, SysMarker).
Use of data: Windows Defender uses this information to determine the type and
severity of potentially unwanted software, and the best action to take. Microsoft also
uses this information to help improve the accuracy of virus and spyware protection.

Once a month
Data collected or sent: virus and spyware definition update status; status of real-time
virus and spyware monitoring (on or off).
Use of data: Windows Defender uses this information to verify that computers have
the latest virus and spyware protection version and definitions. Microsoft also wants to
make sure that real-time virus and spyware monitoring is turned on. This is a critical
part of helping protect computers from potentially harmful or unwanted software.

During installation, or whenever users manually perform a virus and spyware scan of
the computer
Data collected or sent: list of running processes in the computer's memory.
Use of data: to identify any processes that might have been compromised by
potentially harmful software.

Microsoft collects only the names of affected files, not the contents of the files
themselves. This information helps determine what systems are especially vulnerable to
specific threats.

Definition Updates Settings

Set sources and order for Endpoint Protection client updates - Click Set Source to
specify the sources for definition and scanning engine updates. You can also specify the
order in which these sources are used. If Configuration Manager is specified as one of
the sources, then the other sources are used only if software updates fail to download
the client updates.

If you use any of the following methods to update the definitions on client computers,
then the client computers must be able to access the Internet.

Updates distributed from Microsoft Update

Updates distributed from Microsoft Malware Protection Center

Important

Clients download definition updates by using the built-in system account. If clients
reach the Internet through a proxy server, you must configure the proxy for this
account; a proxy configured only for the logged-on user's profile isn't used by the
system account.

If you have configured a software updates automatic deployment rule to deliver
definition updates to client computers, these updates will be delivered regardless
of the definition updates settings.



Configure custom client settings for
Endpoint Protection
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This procedure configures custom client settings for Endpoint Protection, which you can
deploy to collections of devices in your hierarchy.

Important

Only configure the default Endpoint Protection client settings if you're sure that
you want them applied to all computers in your hierarchy.

To enable Endpoint Protection and configure custom client settings

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, click Client Settings.

3. On the Home tab, in the Create group, click Create Custom Client Device Settings.

4. In the Create Custom Client Device Settings dialog box, provide a name and a
description for the group of settings, and then select Endpoint Protection.

5. Configure the Endpoint Protection client settings that you require. For a full list of
Endpoint Protection client settings that you can configure, see the Endpoint
Protection section in About client settings.

Important

Install the Endpoint Protection site system role before you configure client
settings for Endpoint Protection.

6. Click OK to close the Create Custom Client Device Settings dialog box. The new
client settings are displayed in the Client Settings node of the Administration
workspace.

7. Next, deploy the custom client settings to a collection. Select the custom client
settings you want to deploy. In the Home tab, in the Client Settings group, click
Deploy.

8. In the Select Collection dialog box, choose the collection to which you want to
deploy the client settings and then click OK. The new deployment is shown in the
Deployments tab of the details pane.

Clients are configured with these settings when they next download client policy. For
more information, see Initiate policy retrieval for a Configuration Manager client.
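The procedure above can also be scripted, which is useful when the same custom settings object has to be recreated in a test hierarchy. The following script is an added example, not part of the original article: it checks that the Endpoint Protection point role exists (the Important note above), creates a custom device settings object, configures its Endpoint Protection section and deploys it to one collection, using the ConfigurationManager PowerShell module. The site code (PS1), the settings name and the collection name "EP Pilot" are assumptions, and the parameter names of Set-CMClientSettingEndpointProtection should be confirmed with Get-Help for your console version.

```powershell
# Added example (not from the original article). Assumed: site code PS1,
# collection "EP Pilot".
$SiteCode     = 'PS1'
$SettingsName = 'Endpoint Protection - Pilot'
$Collection   = 'EP Pilot'

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# The client settings are useless without the site system role; fail early.
if (-not (Get-CMEndpointProtectionPoint)) {
    throw 'Install the Endpoint Protection point site system role first'
}

# A custom settings object (not the defaults), so only the pilot collection is affected.
$null = New-CMClientSetting -Name $SettingsName -Type Device `
            -Description 'Manage Endpoint Protection on pilot devices before widening scope'

$ep = @{
    Name                            = $SettingsName
    Enable                          = $true    # manage the Endpoint Protection client on these devices
    InstallEndpointProtectionClient = $true    # install SCEP where Defender isn't built in
    RemoveThirdParty                = $false   # don't silently uninstall another AV during a pilot
    SuppressReboot                  = $true
    DisableFirstSignatureUpdate     = $false   # let clients fetch definitions right after install
}
Set-CMClientSettingEndpointProtection @ep

# Deploy to the pilot collection only (steps 7 and 8).
Start-CMClientSettingDeployment -ClientSettingName $SettingsName -CollectionName $Collection

# Check: the object exists and carries exactly one deployment.
Get-CMClientSetting -Name $SettingsName | Select-Object Name, Type, AssignmentCount
```

Clients pick the settings up at their next policy retrieval, as noted above; trigger it on a pilot device rather than waiting if you want to validate the deployment the same day.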

How to provision the Endpoint Protection client in a disk image

Install the Endpoint Protection client on a computer that you intend to use as a disk
image source for Configuration Manager OS deployment. This computer is typically
called the reference computer. After you create the OS image, then use Configuration
Manager OS deployment to deploy the image.

Important

Starting in Windows 10 and Windows Server 2016, Windows Defender is installed
by default. You don't need this procedure on those versions or later versions of
Windows.

Use the following procedures to help you install and configure the Endpoint Protection
client on a reference computer.

Prerequisites

The following list contains the required prerequisites for installing the Endpoint
Protection client software on a reference computer.

You must have access to the Endpoint Protection client installation package,
scepinstall.exe. Find this package in the Client folder of the Configuration
Manager installation folder on the site server.

To deploy the Endpoint Protection client with your organization's required
configuration, create and export an antimalware policy. Then specify this policy
when you manually install the Endpoint Protection client. For more information,
see How to create and deploy antimalware policies.

Note

You can't export the Default Client Antimalware Policy.

If you want to install the Endpoint Protection client with the latest definitions,
download them from Windows Defender Security Intelligence .

How to install the Endpoint Protection client on the reference computer
Install the Endpoint Protection client locally on the reference computer from a
command prompt. First get the installation file scepinstall.exe. For more information,
see Install the Endpoint Protection client from a command prompt.

If necessary, also include an antimalware policy: either a preconfigured policy
file or one that you previously exported from the Configuration Manager console.

To install the Endpoint Protection client from a command prompt
1. Copy scepinstall.exe from the Client folder of the Configuration Manager
installation folder to the computer on which you want to install the Endpoint
Protection client software.

2. Open a command prompt as an administrator. Change directory to the folder with
the installer. Then run scepinstall.exe, adding any additional command-line
properties that you require:


Property Description

/s Run the installer silently

/q Extract the setup files silently

/i Run the installer normally

/policy Specify an antimalware policy file to configure the client during installation

/sqmoptin Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)


3. Follow the on-screen instructions to complete the client installation.

4. If you downloaded the latest update definition package, copy the package to the
client computer, and then double-click the definition package to install it.

7 Note

After the Endpoint Protection client install completes, the client automatically
performs a definition update check. If this update check succeeds, you don't
have to manually install the latest definition update package.

Example: install the client with an antimalware policy

scepinstall.exe /policy <full path>\<policy file>

Verify the Endpoint Protection client installation
After you install the Endpoint Protection client on your reference computer, verify that
the client is working correctly.

1. On the reference computer, open System Center Endpoint Protection from the
Windows notification area.

2. On the Home tab of the System Center Endpoint Protection dialog box, verify that
Real-time protection is set to On.

3. Verify that Up-to-date is displayed for Virus and spyware definitions.

4. To make sure that your reference computer is ready for imaging, under Scan
options, select Full, and then click Scan now.

Prepare the Endpoint Protection client for imaging
Perform the following steps to prepare the Endpoint Protection client for imaging:

1. On the reference computer, sign in as an administrator.

2. Download and install PsExec from Windows SysInternals.


3. Run a command prompt as an administrator, change directory to the folder where
you installed PsTools, and then type the following command:

psexec.exe -s -i regedit.exe

Important

Use caution when you run the Registry Editor in this manner. PsExec.exe runs
it in the LocalSystem context.

4. In the Registry Editor, delete the following registry keys:

Important

Delete these registry keys as the last step before imaging the reference
computer. The Endpoint Protection client recreates these keys when it starts. If
you restart the reference computer, delete the registry keys again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID

You're now ready to prepare the reference computer for imaging.
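The registry clean-up above is the step most often done wrong (run as an ordinary administrator, or run and then followed by a reboot that recreates the entries). The following script is an added example, not part of the original page or a Microsoft tool: it removes the same entries listed above, refuses to run unless it has the LocalSystem identity that the PsExec step provides, and verifies nothing survived. The script path in the PsExec line is an assumption; the registry locations are the ones in the procedure.

```powershell
# Added example (not from the original page): clear the per-machine Endpoint
# Protection state listed in the procedure above as the last step before capture.
# Run it in the LocalSystem context, exactly as the PsExec step does for regedit:
#   psexec.exe -s -accepteula powershell.exe -ExecutionPolicy Bypass -File C:\Temp\Reset-ScepImageState.ps1
# (the script location is an assumption)

$ErrorActionPreference = 'Stop'
$am = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'

# Entries from the procedure: the key that holds each item and the item's name.
# Each is normally a value under the key; a subkey of that name is handled too.
$targets = @(
    @{ Path = $am;                                        Name = 'InstallTime'     },
    @{ Path = "$am\Scan";                                 Name = 'LastScanRun'     },
    @{ Path = "$am\Scan";                                 Name = 'LastScanType'    },
    @{ Path = "$am\Scan";                                 Name = 'LastQuickScanID' },
    @{ Path = "$am\Scan";                                 Name = 'LastFullScanID'  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'; Name = 'GUID'           }
)

# The procedure runs Registry Editor as LocalSystem via psexec -s; enforce the
# same context here so a half-applied clean-up is not mistaken for success.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Run this under LocalSystem (psexec -s); current identity is $($me.Name)"
}

function Test-EntryPresent {
    param([string]$Path, [string]$Name)
    if (Test-Path -LiteralPath (Join-Path $Path $Name)) { return $true }   # exists as a subkey
    $v = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $v)                                                  # exists as a value
}

foreach ($t in $targets) {
    $full = Join-Path $t.Path $t.Name
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Host "Parent key absent, nothing to do: $($t.Path)"
        continue
    }
    $asValue = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -ne $asValue) {
        Remove-ItemProperty -LiteralPath $t.Path -Name $t.Name
        Write-Host "Removed value $full"
    } elseif (Test-Path -LiteralPath $full) {
        Remove-Item -LiteralPath $full -Recurse
        Write-Host "Removed key   $full"
    } else {
        Write-Host "Already absent: $full"
    }
}

# The client recreates these entries when it starts, so verify now and capture
# the image without restarting after this point.
$left = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t.Path) {
        if (Test-EntryPresent -Path $t.Path -Name $t.Name) { Join-Path $t.Path $t.Name }
    }
}
if ($left) { throw "Entries still present: $($left -join ', ')" }
Write-Host 'Endpoint Protection image state cleared; ready to capture.'
```

If the script throws because of the identity check, you launched it from a normal elevated prompt rather than through psexec -s; the entries it could not remove are still in place and the image would carry the reference computer's scan history into every deployed device.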

When you deploy an OS image that contains the Endpoint Protection client, it
automatically reports information to the device's assigned Configuration Manager site.
The client downloads and applies any targeted antimalware policy.

See also
For more information about OS deployment in Configuration Manager, see Manage OS
images.


Configure Endpoint Protection on a
standalone client
Article • 02/03/2023

Applies to: Configuration Manager (current branch)

Your organization may have a number of standalone clients that you cannot manage or
protect with Microsoft Configuration Manager. Without any endpoint protection in
place, these standalone clients are vulnerable to potential malware attacks. To protect
such standalone clients, you can manually configure them with Endpoint Protection, as
described in this topic.

Note

If you install the endpoint protection client on a device that's not managed by
Configuration Manager, a Management License (ML) may be required for the
device.

To configure Endpoint Protection on a standalone client manually:

Create an antimalware policy for the standalone client
Transfer Endpoint Protection client installation package to the standalone client
Install Endpoint Protection on the standalone client

Prerequisites
The following are the prerequisites for configuring Endpoint Protection on a standalone
client:

You must have access to the Endpoint Protection client installation package,
scepinstall.exe. You can find this package in the C:\Program Files\Microsoft
Configuration Manager\Client folder.
Make sure that the January 2017 anti-malware platform update for Endpoint
Protection clients is installed.

Create an antimalware policy for the standalone client
In this step, you create a custom antimalware policy in the Configuration Manager
console and then transfer it to the standalone client.

When creating the antimalware policy, you must configure the definition update source
to keep the policy definitions up to date on the standalone client. You can configure the
definition update source as Microsoft Update and Microsoft Malware Protection Center,
if your standalone client is connected to the internet. Alternatively, select network share
as the definition distribution source and update it periodically with the latest definition
update package.

To create an antimalware policy for the standalone client:

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Antimalware Policies.

3. On the Home tab, in the Create group, click Create Antimalware Policy.

4. In the General section of the Create Antimalware Policy dialog box, enter a name
and a description for the policy.

5. In the Create Antimalware Policy dialog box, configure the settings that you
require for this antimalware policy, and then click OK. For a list of settings that you
can configure, see List of Antimalware Policy Settings.

Note

For the Definition Updates setting, select Updates distributed from
Microsoft Update and Updates distributed from Microsoft Malware
Protection Center if your standalone client is connected to the internet.
Alternatively, select Updates from UNC file shares to distribute the policy
definitions through a network share. Then, add one or more UNC paths to the
location of the definition update files on a network share.

6. Export the newly created policy as an XML:


a. In the Antimalware Policies list, right-click your policy.
b. Select Export.
c. Save the policy as an XML, for example, standalone.xml.

7. Transfer the new antimalware policy XML to the target standalone client on which
you want to configure Endpoint Protection.

Transfer Endpoint Protection client installation package to the standalone client
In this step, you copy the Endpoint Protection client installation package
(scepinstall.exe) from the Configuration Manager server and transfer it to the
standalone client.

1. Log in to the Configuration Manager server.


2. Navigate to the Client folder of the Configuration Manager installation folder
(C:\Program Files\Microsoft Configuration Manager\Client).
3. Copy scepinstall.exe.
4. Transfer scepinstall.exe to the target standalone client on which you want to install
the Endpoint Protection client software.

Install Endpoint Protection on the standalone client
In this step, you run the installer package (scepinstall.exe) and the antimalware policy
(both previously transferred from the Configuration Manager server) from the command
prompt on the standalone client.

To install Endpoint Protection on the standalone client:

1. On the standalone client, open a command prompt as an administrator.

2. Change directory to the folder where you saved the scepinstall.exe installer file.

3. Enter the following command to run scepinstall.exe with the antimalware policy:

Windows Command Prompt

scepinstall.exe /policy <full path>\<policy file>

Replace full path with the path where you saved the antimalware policy XML file
and policy file with the antimalware policy file name.

The installer is extracted and the installation wizard is launched.

4. Follow the on-screen instructions to complete the client installation.

On the last screen of the installation wizard, the option to scan the computer for
potential threats after getting the latest updates is selected by default. You can
clear the checkbox to skip the scanning.

Change antimalware policy settings on a standalone Endpoint Protection client
To change or update the antimalware policy on your standalone Endpoint Protection
client:

1. Create an antimalware policy for the standalone client.


2. Run the following command on the standalone client:

Windows Command Prompt

"C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe" <full path>\<policy file>

Replace full path with the path where you saved the new antimalware policy XML file
and policy file with the antimalware policy file name.
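The install command for the reference computer, the install on a standalone client, and the policy refresh above are the same two executables driven from a prompt. The following script is an added example, not part of the original page or a Microsoft tool, that wraps those steps with the checks a practitioner wants before and after each run: the exported policy must parse as XML (a truncated file transfer is the usual failure), the executables must return zero, and the Microsoft Antimalware Service (MsMpSvc) must be running afterwards. The file paths are assumptions; the switches are the ones listed in the table above.

```powershell
# Added example (not from the original page): wrap scepinstall.exe and
# ConfigSecurityPolicy.exe for a reference computer or a standalone client.
# Paths are assumptions; MsMpSvc is the Microsoft Antimalware Service the client installs.
$ErrorActionPreference = 'Stop'

function Assert-ScepPolicyFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Policy file not found: $Path" }
    # Exported policies are XML; a truncated or corrupted copy fails here, before install
    [xml]$null = Get-Content -LiteralPath $Path -Raw
}

function Test-ScepRunning {
    $svc = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Install-ScepClient {
    param(
        [string]$Installer  = 'C:\Temp\scepinstall.exe',   # copied from <CM install folder>\Client
        [string]$PolicyFile = 'C:\Temp\standalone.xml',    # exported from the CM console
        [switch]$Silent                                    # /s and /q from the switch table above
    )
    if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }
    Assert-ScepPolicyFile $PolicyFile
    $installArgs = @()
    if ($Silent) { $installArgs += '/s', '/q' }
    $installArgs += '/policy', "`"$PolicyFile`""           # quote: the path may contain spaces
    $p = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "scepinstall.exe returned exit code $($p.ExitCode)" }
    if (-not (Test-ScepRunning)) { throw 'MsMpSvc is not running after the install' }
    Write-Host "Installed the Endpoint Protection client with policy $PolicyFile"
}

function Update-ScepPolicy {
    param([Parameter(Mandatory)][string]$PolicyFile)
    # Default install location from the procedure above; the path contains a space
    $tool = Join-Path $env:ProgramFiles 'Microsoft Security Client\ConfigSecurityPolicy.exe'
    if (-not (Test-Path -LiteralPath $tool)) { throw "Client not installed: $tool is missing" }
    Assert-ScepPolicyFile $PolicyFile
    $p = Start-Process -FilePath $tool -ArgumentList "`"$PolicyFile`"" -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "ConfigSecurityPolicy.exe returned exit code $($p.ExitCode)" }
    if (-not (Test-ScepRunning)) { throw 'MsMpSvc is not running after the policy update' }
    Write-Host "Applied policy $PolicyFile"
}

# Usage: first-time unattended install, then a later refresh with a newly exported policy.
Install-ScepClient -Silent
Update-ScepPolicy -PolicyFile 'C:\Temp\standalone-v2.xml'
```

Omit -Silent when you want the installation wizard, as in the standalone procedure above; the policy and service checks run either way.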

Next steps
For information on how to use Endpoint Protection to manage security and malware on
Configuration Manager client computers, see Configure Endpoint Protection.


Use Group Policy settings to manage
Endpoint Protection in previous versions
of Windows
Article • 10/04/2022

Applies to:

Microsoft Defender for Endpoint


System Center Endpoint Protection on the following down-level devices:
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2 SP1
Windows 7 SP1
Windows Server 2008 SP2
Windows Vista

You may have a number of down-level or legacy Windows devices that are enabled with
Endpoint Protection—but are outside of your Configuration Manager hierarchy. For
example, devices in a demilitarized zone or devices that are integrated through mergers
and acquisitions.

You can manage Endpoint Protection in such devices using Group Policy settings,
described as follows:

Copy Endpoint Protection policy definitions


Load Endpoint Protection policy definitions into any of the following locations:
Central Store on a Domain Controller (Recommended)
Local device

Note

For information on how to use Group Policy settings to manage Microsoft Defender
Antivirus in Windows 10, Windows Server 2019, Windows Server 2016, or later as
well as on Windows Server 2012 R2 after installing Microsoft Defender for
Endpoint using the modern, unified solution see Use Group Policy settings to
configure and manage Microsoft Defender Antivirus.
Copy Endpoint Protection policy definitions
On a down-level Windows device that is managed by Endpoint Protection, copy the
Endpoint Protection policy definition files.

1. Go to C:\Program Files\Microsoft Security Client\Admx.

2. Compress the following files into a zip file, for example SCEP_admx.zip:

EndPointProtection.adml
EndPointProtection.admx

3. Copy the zip file into a temporary folder. For example, C:\temp_SCEP_GPO_admx.

4. Extract the file.

Note

The registry keys to configure Endpoint Protection policy settings are located in
Hkey_Local_Machine\Software\Policies\Microsoft\Microsoft Antimalware.

Load Endpoint Protection Group Policy settings into a Central Store on a domain controller
If you are using a Central Store for Group Policy Administrative Templates, perform
the following steps to load and configure Endpoint Protection Group Policy settings.
This is the recommended method.

1. Go to the folder where you extracted the Endpoint Protection policy definition
files.

2. Copy the .admx and .adml files into the PolicyDefinitions folder on the domain
controller:
a. Copy EndPointProtection.admx into \\<forest.root>\SYSVOL\<domain>\Policies\PolicyDefinitions.
b. Copy EndPointProtection.adml into \\<forest.root>\SYSVOL\<domain>\Policies\PolicyDefinitions\en-US.

For example:

Copy EndPointProtection.admx into \\DC\SYSVOL\contoso.com\Policies\PolicyDefinitions.
Copy EndPointProtection.adml into \\DC\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-US.

where DC is the name of your Domain Controller and contoso.com is your domain.

3. Open the Group Policy Management Console and create a new Group Policy
Object (GPO) in your domain, for example Endpoint Protection.

4. Right-click the GPO for Endpoint Protection and click Edit.

5. In the Group Policy Management Editor, go to Computer Configuration > Policies
> Administrative Templates: Policy definitions > Windows Components >
Endpoint Protection.

The list of Endpoint Protection Group Policies is displayed.

6. Expand the section that contains the setting you want to configure, double-click
the setting to open it, and make configuration changes.

Load Endpoint Protection Group Policy settings into your local device
Instead of using Central Store for loading Endpoint Protection policy definitions, you can
store them locally into your device.

1. Go to the folder where you extracted the Endpoint Protection policy definition
files.

2. Copy the .admx and .adml files into your local PolicyDefinitions folder.
a. Copy EndPointProtection.admx into %SystemRoot%\PolicyDefinitions.
b. Copy EndPointProtection.adml into %SystemRoot%\PolicyDefinitions\en-US.

For example:

Copy EndPointProtection.admx into C:\Windows\PolicyDefinitions.


Copy EndPointProtection.adml into C:\Windows\PolicyDefinitions\en-US.

3. Open Local Group Policy Editor.

4. Go to Computer Configuration > Administrative Templates > Windows
Components > Endpoint Protection.

The list of Endpoint Protection Group Policies is displayed.


5. Expand the section that contains the setting you want to configure, double-click
the setting to open it, and make configuration changes.
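The Central Store and local-device procedures above differ only in where the two template files land, and neither tells you whether a GPO actually applied. The following script is an added example, not part of the original page or a Microsoft tool: it copies the files to either destination and then lists whatever Endpoint Protection policy values are present under the registry location named in the note above. It assumes a single-domain forest (so the forest root and the domain are the same name), the English ADML, and the default client install path.

```powershell
# Added example (not from the original page): stage the Endpoint Protection ADMX/ADML
# in the Central Store (default) or the local PolicyDefinitions folder (-Local),
# then show the policy values that have been applied to this machine.
param(
    [string]$Source = 'C:\Program Files\Microsoft Security Client\Admx',  # default client path
    [string]$Domain = 'contoso.com',                                       # assumption
    [switch]$Local
)
$ErrorActionPreference = 'Stop'

$dest = if ($Local) {
    Join-Path $env:SystemRoot 'PolicyDefinitions'
} else {
    "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # replicates to every DC
}

# The .admx goes in the root; the language file goes in the matching culture folder
$files = @(
    @{ Name = 'EndPointProtection.admx'; Sub = '' },
    @{ Name = 'EndPointProtection.adml'; Sub = 'en-US' }
)
foreach ($f in $files) {
    $src = Join-Path $Source $f.Name
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing $src; is the Endpoint Protection client installed on this machine?"
    }
    $target = if ($f.Sub) { Join-Path $dest $f.Sub } else { $dest }
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }
    Copy-Item -LiteralPath $src -Destination $target -Force
    Write-Host "Copied $($f.Name) -> $target"
}

# Once a GPO applies, its settings are written under this key (see the note above).
# Listing them confirms both that the template loaded and that the values took effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
if (-not (Test-Path -LiteralPath $policyKey)) {
    Write-Host "No Endpoint Protection policy values applied yet; run 'gpupdate /force' after linking the GPO."
    return
}
$keys = @(Get-Item -LiteralPath $policyKey) + @(Get-ChildItem -LiteralPath $policyKey -Recurse)
$keys | ForEach-Object {
    $k = $_
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{
            Key   = $k.Name -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM\'
            Name  = $name
            Value = $k.GetValue($name)
        }
    }
} | Format-Table -AutoSize
```

Run it once on the device that supplies the files (with -Local to test against that device's own Local Group Policy Editor), then without -Local from an account that can write to SYSVOL.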

Next steps
For an overview on Endpoint Protection, see Endpoint Protection.
For information on configuring Endpoint Protection on a standalone client
manually, see Configure Endpoint Protection on a standalone client.


Create and deploy Windows Firewall
policies for Endpoint Protection in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Firewall policies for Endpoint Protection in Configuration Manager let you perform basic
Windows Firewall configuration and maintenance tasks on client computers in your
hierarchy. You can use Windows Firewall policies to perform the following tasks:

Control whether Windows Firewall is turned on or off.

Control whether incoming connections are allowed to client computers.

Control whether users are notified when Windows Firewall blocks a new program.

To create a Windows Firewall policy

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Windows Firewall Policies.

3. On the Home tab, in the Create group, click Create Windows Firewall Policy.

4. On the General page of the Create Windows Firewall Policy Wizard, specify a
name and an optional description for this firewall policy, and then click Next.

5. On the Profile Settings page of the wizard, configure the following settings for
each network profile:

Note

For more information about network profiles, see the Windows documentation.

Enable Windows Firewall

Note

If Enable Windows Firewall is not enabled, the other settings on this
page of the wizard are unavailable.

Block all incoming connections, including those in the list of allowed
programs

Notify the user when Windows Firewall blocks a new program

6. On the Summary page of the wizard, review the actions to be taken, and then
complete the wizard.

7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall
Policies list.

To deploy a Windows Firewall policy

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Endpoint Protection, and then
click Windows Firewall Policies.

3. In the Windows Firewall Policies list, select the Windows Firewall policy that you
want to deploy.

4. On the Home tab, in the Deployment group, click Deploy.

5. In the Deploy Windows Firewall Policy dialog box, specify the collection to which
you want to assign this Windows Firewall policy, and specify an assignment
schedule. The Windows Firewall policy evaluates for compliance by using this
schedule and the Windows Firewall settings on clients to reconfigure to match the
Windows Firewall policy.

6. Click OK to close the Deploy Windows Firewall Policy dialog box and to deploy
the Windows Firewall policy.

Important

When you deploy a Windows Firewall policy to a collection, this policy is
applied to computers in a random order over a 2 hour period to avoid
flooding the network.
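Because the policy is applied over a two-hour window and then re-evaluated on the assignment schedule, it helps to be able to check a single client on demand. The following script is an added example, not part of the original page or a Microsoft tool: it reads the three firewall settings the policy wizard exposes from each network profile with Get-NetFirewallProfile and reports any profile that drifts from the expected values. The expected values are assumptions standing in for whatever your deployed policy specifies.

```powershell
# Added example (not from the original page): compare each firewall profile
# with the three settings a Configuration Manager Windows Firewall policy controls.
# Expected values below are assumptions; set them to match the deployed policy.
$expected = @{
    Enabled           = $true    # Enable Windows Firewall
    AllowInboundRules = $false   # Block all incoming connections, including allowed programs
    NotifyOnListen    = $true    # Notify the user when Windows Firewall blocks a new program
}

function Test-FirewallPolicyCompliance {
    param(
        [hashtable]$Expected,
        [string[]]$Profiles = @('Domain', 'Private', 'Public')
    )
    $drift = foreach ($p in Get-NetFirewallProfile -Name $Profiles) {
        foreach ($setting in $Expected.Keys) {
            # Profile properties are GpoBoolean (True/False/NotConfigured); treat
            # anything other than True as not set so NotConfigured also shows as drift
            $actual = [bool]($p.$setting -eq 'True')
            if ($actual -ne $Expected[$setting]) {
                [pscustomobject]@{
                    Profile  = $p.Name
                    Setting  = $setting
                    Expected = $Expected[$setting]
                    Actual   = $actual
                }
            }
        }
    }
    return @($drift)
}

$drift = Test-FirewallPolicyCompliance -Expected $expected
if ($drift.Count -eq 0) {
    Write-Host 'All firewall profiles match the policy.'
} else {
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit code signals drift to whatever invoked the script
}
```

A client that still shows drift after the two-hour window has elapsed is worth checking against the deployment's assignment schedule before assuming the policy itself is wrong.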


Microsoft Defender for Endpoint
Article • 12/16/2024

Applies to: Configuration Manager (current branch)

Endpoint Protection can help manage and monitor Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint helps enterprises detect, investigate, and respond to
advanced attacks on their networks. Configuration Manager policies can help you
onboard and monitor Windows 10 or later clients.

Microsoft Defender for Endpoint's cloud-based portal is Microsoft Defender Security
Center. By adding and deploying a client onboarding configuration file, Configuration
Manager can monitor deployment status and Microsoft Defender for Endpoint agent
health. Microsoft Defender for Endpoint is supported on PCs running the Configuration
Manager client or managed by Microsoft Intune.

Prerequisites
Subscription to Microsoft Defender for Endpoint
Client computers running the Configuration Manager client
Clients using an OS listed in the supported client operating systems section below.
Your administrative user account needs the Endpoint Protection Manager security
role.

Supported client operating systems
You can onboard the following operating systems using Configuration Manager:

Windows 11
Windows 10, version 1709 or newer
Windows Server 2025
Windows Server 2022
Windows Server 2019
Windows Server Semi-Annual Channel (SAC), version 1803 or newer
Windows Server 2016

Important

Operating systems that have reached the end of their product lifecycle aren't
typically supported for onboarding unless they have been enrolled into the
Extended Security Updates (ESU program). For more information about supported
operating systems and capabilities with Microsoft Defender for Endpoint, see
Minimum requirements for Microsoft Defender for Endpoint.

Instructions for onboarding to Microsoft Defender for Endpoint with Configuration
Manager 2207 and later versions

Instructions for updating onboarding information for Microsoft Defender for Endpoint
devices with Configuration Manager

Onboarding to Microsoft Defender for Endpoint with Configuration Manager 2207 and later versions
Different operating systems have different needs for onboarding to Microsoft Defender
for Endpoint. Up-level devices, such as Windows Server version 1803, need the
onboarding configuration file. Starting in Configuration Manager current branch
version 2207, for down-level server operating system devices you can choose between
Microsoft Defender for Endpoint (MDE) Client (recommended) and Microsoft Monitoring
Agent (MMA) (legacy) in the Client Settings. For Windows 8.1 devices, you must use
Microsoft Monitoring Agent (MMA) (legacy) in the Client Settings.

If you choose to use MMA, you need the Workspace key and Workspace ID to onboard.
Configuration Manager also installs the Microsoft Monitoring Agent (MMA) when
needed by onboarded devices but it doesn't update the agent automatically.

Up-level operating systems include:

Windows 10, version 1607 and later
Windows 11
Windows Server Semi-Annual Channel (SAC), version 1803 or later
Windows Server 2019
Windows Server 2022
Windows Server 2025

Down-level operating systems that support MDE Client include:

Windows Server 2016

Note

Currently, the modern, unified Microsoft Defender for Endpoint client for Windows
Server 2012 R2 and 2016 is generally available. Configuration Manager version
2107 with the update rollup supports configuration using Endpoint Protection
policies, including those policies created in the Microsoft Intune admin center using
tenant attach. Configuration Manager version 2207 also supports automatic
deployment of the MDE Client, if you choose to use it through Client Settings. For older
supported versions, see Server migration scenarios.

When you onboard devices to Microsoft Defender for Endpoint with Configuration
Manager, you deploy the Defender policy to a target collection or multiple collections.
Sometimes the target collection contains devices running any number of the supported
operating systems. The instructions for onboarding these devices vary based on if you're
targeting a collection containing devices with operating systems that are only up-level
and devices that support MDE Client or if the collection also includes down-level clients
that require MMA.

If your collection contains only up-level devices and/or down-level server
operating system devices that require MDE Client (based on the client settings),
then you can use the onboarding instructions using Microsoft Defender for
Endpoint Client (recommended).
If your target collection contains down-level server operating system devices that
require MMA (based on the client settings) or Windows 8.1 devices, then use the
instructions to onboard devices using Microsoft Monitoring Agent.

Warning

If your target collection contains down-level devices that require MMA, and you
use the instructions for onboarding using MDE Client, then the down-level devices
won't be onboarded. The optional Workspace key and Workspace ID fields are
used for onboarding down-level devices that require MMA, but if they aren't
included then the policy will fail on down-level clients that require MMA.

Onboard devices using MDE Client to Microsoft Defender for Endpoint (recommended)
Up-level clients require an onboarding configuration file for onboarding to Microsoft
Defender for Endpoint. Up-level operating systems include:

Windows 11
Windows 10, version 1607 and later
Windows Server Semi-Annual Channel (SAC), version 1803 and later
Windows Server 2019
Windows Server 2022
Windows Server 2025

Down-level operating systems that support MDE Client include:

Windows Server 2016

Prerequisites

Prerequisites for Windows Server 2012 R2

If you have fully updated your machines with the latest monthly rollup package, there
are no additional prerequisites.

The installer package will check if the following components have already been installed
via an update:

Update for customer experience and diagnostic telemetry
Update for Universal C Runtime in Windows

Prerequisites for Windows Server 2016

The Servicing Stack Update (SSU) from September 14, 2021 or later must be
installed.
The Latest Cumulative Update (LCU) from September 20, 2018 or later must be
installed. It is recommended to install the latest available SSU and LCU on the
server.
The Microsoft Defender Antivirus feature must be enabled/installed and
up to date. You can download and install the latest platform version using
Windows Update. Alternatively, download the update package manually from the
Microsoft Update Catalog or from MMPC.

Get an onboarding configuration file for up-level devices

1. Go to the Microsoft Defender Security Center and sign in.
2. Select Settings, then select Onboarding under the Endpoint heading.
3. For the operating system, select Windows 10 and 11.
4. Choose Microsoft Endpoint Configuration Manager current branch and later for
the deployment method.
5. Select Download package.
6. Download the compressed archive (.zip) file and extract the contents.
Note

The steps have you download the onboarding file for Windows 10 and 11 but
this file is also used for up-level Server operating systems.

Important

The Microsoft Defender for Endpoint configuration file contains sensitive
information which should be kept secure.

If your target collection contains down-level devices that require MMA, and
you use the instructions for onboarding using MDE Client, then the down-
level devices won't be onboarded. The optional Workspace key and
Workspace ID fields are used for onboarding down-level devices, but if they
aren't included then the policy will fail on down-level clients.

Onboard the up-level devices

1. In the Configuration Manager console, navigate to Administration > Client
Settings.
2. Create custom Client Device Settings or go to the properties of the required client
setting and select Endpoint Protection
3. For the Microsoft Defender for Endpoint Client on Windows Server 2012 R2 and
Windows Server 2016 setting, change the default value, Microsoft Monitoring
Agent (legacy), to MDE Client (recommended).

4. In the Configuration Manager console, navigate to Assets and Compliance >
Endpoint Protection > Microsoft Defender ATP Policies and select Create
Microsoft Defender ATP Policy. The policy wizard opens.
5. Type the Name and Description for the Microsoft Defender for Endpoint policy
and select Onboarding.
6. Browse to the configuration file you extracted from the downloaded .zip file.
7. Specify the file samples that are collected and shared from managed devices for
analysis.

None
All file types

8. Review the summary and complete the wizard.

9. Right-click on the policy you created, then select Deploy to target the Microsoft
Defender for Endpoint policy to clients.

Onboard devices with MDE Client and MMA to Microsoft Defender for Endpoint
You can onboard devices running any of the supported operating systems to Microsoft
Defender for Endpoint by providing the configuration file, Workspace key, and
Workspace ID to Configuration Manager.

Get the configuration file, workspace ID, and workspace key

1. Go to the Microsoft Defender for Endpoint online service and sign in.

2. Select Settings, then select Onboarding under the Endpoints heading.

3. For the operating system, select Windows 10 and 11.

4. Choose Microsoft Endpoint Configuration Manager current branch and later for
the deployment method.

5. Select Download package.

6. Download the compressed archive (.zip) file and extract the contents.

7. Select Settings, then select Onboarding under the Device management heading.

8. For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server
2008 R2 Sp1, 2012 R2 and 2016 from the list.

The Workspace key and Workspace ID will be the same regardless of which
of these options you choose.

9. Copy the values for the Workspace key and Workspace ID from the Configure
connection section.

Important
The Microsoft Defender for Endpoint configuration file contains sensitive
information which should be kept secure.

Onboard the devices

1. In the Configuration Manager console, navigate to Administration > Client
Settings.

2. Create custom Client Device Settings or go to the properties of the required client
setting and select Endpoint Protection

3. For Microsoft Defender for Endpoint Client on Windows Server 2012 R2 and
Windows Server 2016 setting, ensure the value is set as Microsoft Monitoring
Agent (legacy).

4. In the Configuration Manager console, navigate to Assets and Compliance >
Endpoint Protection > Microsoft Defender ATP Policies.

5. Select Create Microsoft Defender ATP Policy to open the policy wizard.

6. Type the Name and Description for the Microsoft Defender for Endpoint policy
and select Onboarding.

7. Browse to the configuration file you extracted from the downloaded .zip file.

8. Supply the Workspace key and Workspace ID then select Next.

Verify that the Workspace key and Workspace ID are in the correct fields. The
order in the console may vary from the order in Microsoft Defender for
Endpoint online service.

9. Specify the file samples that are collected and shared from managed devices for
analysis.

None
All file types

10. Review the summary and complete the wizard.

11. Right-click on the policy you created, then select Deploy to target the Microsoft
Defender for Endpoint policy to clients.

Monitor
1. In the Configuration Manager console, navigate Monitoring > Security and then
select Microsoft Defender ATP.

2. Review the Microsoft Defender for Endpoint dashboard.

Microsoft Defender ATP Agent Onboarding Status: The number and
percentage of eligible managed client computers with active Microsoft
Defender for Endpoint policy onboarded
Microsoft Defender ATP Agent Health: Percentage of computer clients
reporting status for their Microsoft Defender for Endpoint agent

Healthy - Working properly

Inactive - No data sent to service during time period

Agent state - The system service for the agent in Windows isn't running

Not onboarded - Policy was applied but the agent hasn't reported policy
onboard
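The dashboard states above are rolled up from what each client reports, so when a device shows Not onboarded or Agent state it is useful to reproduce the check locally. The following script is an added example, not part of the original page or a Microsoft tool. It reads the onboarding status the MDE client records under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (OnboardingState is 1 once onboarding succeeded) and the state of the Sense service (Windows Defender Advanced Threat Protection Service), then maps them onto the dashboard's labels. The mapping to those labels is an assumption made for illustration; Inactive cannot be determined locally because it depends on what the cloud service has received.

```powershell
# Added example (not from the original page): local view of Microsoft Defender for
# Endpoint onboarding on one client, labelled like the Configuration Manager dashboard.
function Get-MdeOnboardingState {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    $orgId     = $null
    if (Test-Path -LiteralPath $statusKey) {
        $s = Get-ItemProperty -LiteralPath $statusKey
        $onboarded = ($s.OnboardingState -eq 1)   # 1 = onboarding payload applied
        $orgId     = $s.OrgId                     # tenant the device reports to
    }

    # "Sense" is the Windows Defender Advanced Threat Protection Service
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Dashboard-style label (assumed mapping): Not onboarded wins over Agent state,
    # and Inactive is not knowable from the client side.
    $state = 'Healthy'
    if (-not $svc -or $svc.Status -ne 'Running') { $state = 'Agent state' }
    if (-not $onboarded)                         { $state = 'Not onboarded' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Onboarded = $onboarded
        OrgId     = $orgId
        Service   = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        State     = $state
    }
}

Get-MdeOnboardingState | Format-List
```

OrgId is the quickest way to confirm that a device re-onboarded with an updated payload is reporting to the tenant you expect; if the value is empty but the service is running, the onboarding policy was never applied on that device.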

Create an offboarding configuration file

1. Sign in to the Microsoft Defender Security Center .

2. Select Settings, then select Offboarding under the Endpoint heading.

3. Select Windows 10 and 11 for the operating system and Microsoft Endpoint
Configuration Manager current branch and later for the deployment method.

Using the Windows 10 and 11 option ensures that all devices in the collection
are off boarded and the MMA is uninstalled when needed.

4. Download the compressed archive (.zip) file and extract the contents. Offboarding
files are valid for 30 days.

5. In the Configuration Manager console, navigate to Assets and Compliance >
Endpoint Protection > Microsoft Defender ATP Policies and select Create
Microsoft Defender ATP Policy. The policy wizard opens.

6. Type the Name and Description for the Microsoft Defender for Endpoint policy
and select Offboarding.

7. Browse to the configuration file you extracted from the downloaded .zip file.

8. Review the summary and complete the wizard.

Select Deploy to target the Microsoft Defender for Endpoint policy to clients.

Important

The Microsoft Defender for Endpoint configuration files contain sensitive
information which should be kept secure.

Updating the onboarding information for existing devices
Organizations may need to update the onboarding information on a device via
Microsoft Configuration Manager.

This can be necessary due to a change in the onboarding payload for Microsoft
Defender for Endpoint, or when directed by Microsoft support.

Updating the onboarding information will direct the device to start utilizing the new
onboarding payload at the next Restart.

This process comprises two actions: updating the existing onboarding policy, and
running a one-time action on all existing devices to update the onboarding payload.
Use the Group Policy onboarding script to perform that one-time uplift of devices from
the old payload to the new payload.

Note

Updating this information will not necessarily move a device between tenants without fully
offboarding the device from the original tenant. For options for migrating devices
between Microsoft Defender for Endpoint organizations, engage Microsoft
Support.

Validate the new onboarding payload

1. Download the Group Policy onboarding package from the Microsoft Defender for
Endpoint portal.

2. Create a collection for validation of the new onboarding payload.

3. Exclude this collection from the existing Microsoft Defender for Endpoint
collection targeted with the onboarding payload.

4. Deploy the Group Policy onboarding script to the test collection.

5. Validate that the devices are using the new onboarding payload.

Migrate to the new onboarding payload

1. Download the Microsoft Configuration Manager onboarding package from the
Microsoft Defender for Endpoint portal.

2. Update the existing Microsoft Defender for Endpoint onboarding policy with the
new onboarding payload.

3. Deploy the script from Validate the new onboarding payload to the existing target
collection for the Microsoft Defender for Endpoint onboarding policy.

4. Validate that the devices are using the new onboarding payload and successfully
consuming the payload from the script.

Note

Once all devices are migrated, you can remove the script and validation collections
from your environment, using the onboarding policy moving forward.
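The validation step in both the Validate and Migrate procedures above asks you to confirm that devices are using the new onboarding payload. The following script is an added example, not part of the Configuration Manager documentation, that reports the local device's Defender for Endpoint onboarding state so a validation or pilot collection can be checked. It assumes the Sense service name and the Status registry key under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection, which Microsoft's Defender for Endpoint troubleshooting guidance describes; the expected OrgId is a placeholder you replace with the value from your tenant's onboarding package.

```powershell
# Added example, not part of the Configuration Manager documentation: report the local
# device's Microsoft Defender for Endpoint onboarding state so that the validation and
# pilot collections above can be checked. The Sense service name and the Status registry
# key are the ones Microsoft's Defender for Endpoint troubleshooting guidance describes;
# the expected OrgId is a placeholder you replace with your tenant's value.

function Get-MdeOnboardingState {
    [CmdletBinding()]
    param(
        # Placeholder: the OrgId carried by the onboarding package you expect devices to use.
        [string]$ExpectedOrgId = '<EXPECTED-ORG-ID-PLACEHOLDER>'
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SenseService    = 'Not installed'
        OnboardingState = $null      # 1 means the sensor reports the device as onboarded
        OrgId           = $null
        MatchesExpected = $false
    }

    # Sense is the Defender for Endpoint sensor service; a stopped or missing service
    # means the device cannot be reporting with any payload, old or new.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }

    if (Test-Path -Path $statusKey) {
        $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
        $result.MatchesExpected = ($status.OnboardingState -eq 1 -and
                                   $status.OrgId -eq $ExpectedOrgId -and
                                   $result.SenseService -eq 'Running')
    }

    [pscustomobject]$result
}

# Run under SYSTEM or an elevated account, for example as a Configuration Manager
# script against the validation collection; a non-zero exit code shows up as a failure
# in the script results in the console.
$state = Get-MdeOnboardingState
$state | Format-List
if ($state.MatchesExpected) { exit 0 } else { exit 1 }
```

Comparing OrgId against the value from the new package is what distinguishes "onboarded" from "onboarded with the new payload"; a device that is onboarded but reports a different OrgId is still running the old payload or belongs to another tenant.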

Next steps
Microsoft Defender for Endpoint

Troubleshoot Microsoft Defender for Endpoint onboarding issues



Create and deploy an Exploit Guard policy
Article • 04/19/2024

Applies to: Configuration Manager (current branch)

You can configure and deploy Configuration Manager policies that manage all four
components of Windows Defender Exploit Guard. These components include:

- Attack Surface Reduction
- Controlled folder access
- Exploit protection
- Network protection

Compliance data for Exploit Guard policy deployment is available from within the
Configuration Manager console.

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Prerequisites

Managed devices must run Windows 10 1709 or later. Windows Server is supported from
version 1809 through Windows Server 2019 only. The following requirements must
also be satisfied, depending on the components and rules configured:

Exploit Guard component    Additional prerequisites
Attack Surface Reduction   Devices must have Microsoft Defender for Endpoint always-on protection enabled.
Controlled folder access   Devices must have Microsoft Defender for Endpoint always-on protection enabled.
Exploit protection         None
Network protection         Devices must have Microsoft Defender for Endpoint always-on protection enabled.

Create an Exploit Guard policy

1. In the Configuration Manager console, go to Assets and compliance > Endpoint
Protection, and then click Windows Defender Exploit Guard.

2. On the Home tab, in the Create group, click Create Exploit Policy.

3. On the General page of the Create Configuration Item Wizard, specify a name,
and optional description for the configuration item.

4. Next, select the Exploit Guard components you want to manage with this policy.
For each component you select, you can then configure additional details.

   - Attack Surface Reduction: Configure the Office threats, scripting threats, and
     email threats you want to block or audit. You can also exclude specific files or
     folders from this rule.
   - Controlled folder access: Configure blocking or auditing, and then add apps
     that can bypass this policy. You can also specify additional folders that are
     not protected by default.
   - Exploit protection: Specify an XML file that contains settings for mitigating
     exploits of system processes and apps. You can export these settings from
     the Windows Defender Security Center app on a Windows 10 or later device.
   - Network protection: Set network protection to block or audit access to
     suspicious domains.

5. Complete the wizard to create the policy, which you can later deploy to devices.

Warning

The XML file for exploit protection should be kept secure when transferring it
between machines. The file should be deleted after import or kept in a secure
location.

Deploy an Exploit Guard policy

After you create Exploit Guard policies, use the Deploy Exploit Guard Policy wizard to
deploy them. To do so, open the Configuration Manager console to Assets and
compliance > Endpoint Protection, and then click Deploy Exploit Guard Policy.

Important

Once you deploy an Exploit Guard policy, such as Attack Surface Reduction or
Controlled folder access, the Exploit Guard settings won't be removed from the
clients if you remove the deployment. "Delete not supported" is recorded in the
client's ExploitGuardHandler.log if you remove the client's Exploit Guard
deployment. The following PowerShell script can be run under the SYSTEM context to
remove these settings:

PowerShell

# Clear the Defender policy settings (ASR rules and exclusions, controlled folder
# access, network protection) that the Exploit Guard policy set through the MDM
# bridge WMI provider.
$defenderObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_Defender02" -Filter "InstanceID='Defender' and ParentID='./Vendor/MSFT/Policy/Config'"
$defenderObject.AttackSurfaceReductionRules = $null
$defenderObject.AttackSurfaceReductionOnlyExclusions = $null
$defenderObject.EnableControlledFolderAccess = $null
$defenderObject.ControlledFolderAccessAllowedApplications = $null
$defenderObject.ControlledFolderAccessProtectedFolders = $null
$defenderObject.EnableNetworkProtection = $null
$defenderObject.Put()

# Clear the exploit protection settings that were imported from the XML file.
$exploitGuardObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_ExploitGuard02" -Filter "InstanceID='ExploitGuard' and ParentID='./Vendor/MSFT/Policy/Config'"
$exploitGuardObject.ExploitProtectionSettings = $null
$exploitGuardObject.Put()

Windows Defender Exploit Guard policy settings

Attack Surface Reduction policies and options

Attack Surface Reduction can reduce the attack surface of your applications with
intelligent rules that stop the vectors used by Office, script, and mail-based malware.
Learn more about Attack Surface Reduction and the Event IDs used for it.

- Files and Folders to exclude from Attack Surface Reduction rules - Click Set
  and specify any files or folders to exclude.
- Email Threats:
  - Block executable content from email client and webmail.
    Options: Not configured, Block, Audit
- Office Threats:
  - Block Office applications from creating child processes.
    Options: Not configured, Block, Audit
  - Block Office applications from creating executable content.
    Options: Not configured, Block, Audit
  - Block Office applications from injecting code into other processes.
    Options: Not configured, Block, Audit
  - Block Win32 API calls from Office macros.
    Options: Not configured, Block, Audit
- Scripting Threats:
  - Block JavaScript or VBScript from launching downloaded executable content.
    Options: Not configured, Block, Audit
  - Block execution of potentially obfuscated scripts.
    Options: Not configured, Block, Audit
- Ransomware threats: (starting in Configuration Manager version 1802)
  - Use advanced protection against ransomware.
    Options: Not configured, Block, Audit
- Operating system threats: (starting in Configuration Manager version 1802)
  - Block credential stealing from the Windows local security authority subsystem.
    Options: Not configured, Block, Audit
  - Block executable files from running unless they meet a prevalence, age, or
    trusted list criteria.
    Options: Not configured, Block, Audit
- External device threats: (starting in Configuration Manager version 1802)
  - Block untrusted and unsigned processes that run from USB.
    Options: Not configured, Block, Audit

Controlled folder access policies and options

Helps protect files in key system folders from changes made by malicious and suspicious
apps, including file-encrypting ransomware malware. For more information, see
Controlled folder access and the Event IDs it uses.

- Configure Controlled folder access:
  - Block
  - Block disk sectors only (starting in Configuration Manager version 1802)
    Allows Controlled folder access to be enabled for boot sectors only and does
    not enable the protection of specific folders or the default protected folders.
  - Audit
  - Audit disk sectors only (starting in Configuration Manager version 1802)
    Allows Controlled folder access to be enabled for boot sectors only and does
    not enable the protection of specific folders or the default protected folders.
  - Disabled
- Allow apps through Controlled folder access - Click Set and specify apps.
- Additional protected folders - Click Set and specify additional protected
  folders.

Exploit protection policies

Applies exploit mitigation techniques to operating system processes and apps your
organization uses. These settings can be exported from the Windows Defender Security
Center app on Windows 10 or later devices. For more information, see Exploit
protection.

- Exploit protection XML - Click Browse and specify the XML file to import.

Warning

The XML file for exploit protection should be kept secure when transferring it
between machines. The file should be deleted after import or kept in a secure
location.

Network protection policy

Helps minimize the attack surface on devices from internet-based attacks. The service
restricts access to suspicious domains that might host phishing scams, exploits, and
malicious content. For more information, see Network protection.

- Configure network protection:
  - Block
  - Audit
  - Disabled
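Once an Exploit Guard policy is deployed, the next question on a client is which Block or Audit choices took effect and whether the rules are actually firing. The following script is an added example, not code from the Configuration Manager documentation. It reads the effective Defender preferences with Get-MpPreference, maps the Attack Surface Reduction rule GUIDs to the rule names listed above (GUIDs taken from Microsoft's ASR rules reference; verify them against that reference before relying on them), and pulls the recent ASR, Controlled folder access, and Network protection events from the Microsoft-Windows-Windows Defender/Operational log, which is where the Event IDs the sections above refer to are written. The 24-hour window is an assumption.

```powershell
# Added example (not from the Configuration Manager docs): report the effective Exploit Guard
# state on a client and list recent ASR, Controlled folder access and Network protection
# events. Rule GUIDs are taken from Microsoft's ASR rules reference and cover only the rules
# named in this article; the 24-hour window is an assumption.

$asrRuleNames = @{
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}

# Get-MpPreference stores each rule's action (and the CFA / network protection mode) as an integer.
$actionNames = @{ 0 = 'Not configured'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-ExploitGuardState {
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToUpperInvariant()
        $name = if ($asrRuleNames.ContainsKey($id)) { $asrRuleNames[$id] } else { '(rule not covered in this article)' }
        [pscustomobject]@{ RuleId = $id; Rule = $name; Action = $actionNames[[int]$acts[$i]] }
    }
    [pscustomobject]@{
        AsrRules               = $rules
        AsrExclusions          = $pref.AttackSurfaceReductionOnlyExclusions
        ControlledFolderAccess = $actionNames[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders
        AllowedApplications    = $pref.ControlledFolderAccessAllowedApplications
        NetworkProtection      = $actionNames[[int]$pref.EnableNetworkProtection]
    }
}

function Get-ExploitGuardEvents {
    param([int]$Hours = 24)
    # Event IDs in Microsoft-Windows-Windows Defender/Operational:
    # 1121 ASR block, 1122 ASR audit, 1123 CFA block, 1124 CFA audit,
    # 1125 network protection audit, 1126 network protection block.
    $blockIds = 1121, 1123, 1126
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $mode = if ($_.Id -in $blockIds) { 'Block' } else { 'Audit' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Mode = $mode; Message = $_.Message }
    }
}

$state = Get-ExploitGuardState
$state.AsrRules | Format-Table Action, Rule -AutoSize
$state | Select-Object ControlledFolderAccess, NetworkProtection | Format-List
Get-ExploitGuardEvents -Hours 24 | Format-Table Time, Id, Mode -AutoSize
```

Run it under an elevated session on a device in the targeted collection. A rule that the policy sets to Audit but that shows no 1122 events over a reasonable window usually means the prerequisite in the table above (always-on protection) isn't met on that device, not that nothing would have been caught.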



Create and deploy Microsoft Defender Application Guard policy
Article • 12/05/2022

Applies to: Configuration Manager (current branch)

You can create and deploy Microsoft Defender Application Guard (Application Guard)
policies by using Configuration Manager endpoint protection. These policies help
protect your users by opening untrusted websites in a secure isolated container that
isn't accessible by other parts of the operating system.

Prerequisites
To create and deploy a Microsoft Defender Application Guard policy, you must use
Windows 10 1709 or later. The Windows 10 or later devices to which you deploy the
policy must be configured with a network isolation policy. For more information, see the
Microsoft Defender Application Guard overview.

Create a policy and browse the available settings

1. In the Configuration Manager console, choose Assets and Compliance.

2. In the Assets and Compliance workspace, choose Overview > Endpoint
Protection > Microsoft Defender Application Guard.

3. In the Home tab, in the Create group, click Create Microsoft Defender Application
Guard Policy.

4. Using this article as a reference, you can browse and configure the available
settings. Configuration Manager allows you to set certain policy settings:

   - Application behavior
   - Host interaction settings

5. On the Network Definition page, specify the corporate identity, and define your
corporate network boundary.

   Note

   Windows 10 or later PCs store only one network isolation list on the client.
   You can create two different kinds of network isolation lists and deploy them
   to the client:

   - one from Windows Information Protection
   - one from Microsoft Defender Application Guard

   If you deploy both policies, these network isolation lists must match. If you
   deploy lists that don't match to the same client, the deployment will fail. For
   more information, see the Windows Information Protection documentation.

6. When you're finished, complete the wizard, and deploy the policy to one or more
Windows 10 1709 or later devices.

Application behavior

Configures interactions between host devices and the Application Guard container.
Before Configuration Manager version 1802, both application behavior and host
interaction were under the Settings tab.

- Clipboard - Under settings prior to Configuration Manager 1802
  - Permitted content type
    - Text
    - Images
- Printing:
  - Enable printing to XPS
  - Enable printing to PDF
  - Enable printing to local printers
  - Enable printing to network printers
- Graphics: (starting with Configuration Manager version 1802)
  - Virtual graphics processor access
- Files: (starting with Configuration Manager version 1802)
  - Save downloaded files to host
- Policies: (starting with Configuration Manager version 2207)
  - Enable or disable cameras and microphones
  - Certificate matching the thumbprints to the isolated container

Host interaction settings

Configures application behavior inside the Application Guard session. Before
Configuration Manager version 1802, both application behavior and host interaction
were under the Settings tab.

- Other:
  - Retain user-generated browser data
  - Audit security events in the isolated application guard session

To edit Application Guard settings, expand Endpoint Protection in the Assets and
Compliance workspace, then click on the Microsoft Defender Application Guard node.
Right-click on the policy you want to edit, then select Properties.

Known issues
Applies to version 2203 or earlier

Devices running Windows 10, version 2004 will show failures in compliance reporting for
Microsoft Defender Application Guard File Trust Criteria. This issue occurs because some
subclasses were removed from the WMI class
MDM_WindowsDefenderApplicationGuard_Settings01 in Windows 10, version 2004. All other
Microsoft Defender Application Guard settings will still apply; only File Trust Criteria will
fail. Currently, there are no workarounds to bypass the error.

Applies to version 2207 or later

Enabling the policy doesn't install the Microsoft Defender Application Guard feature by
default. Deploy a PowerShell script via ConfigMgr to all applicable machines.

Use the following command to enable the feature:

PowerShell

Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard"
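The following is an added example, not the article's own script, of how that command could be packaged for deployment through Configuration Manager: it enables the feature only when it isn't already enabled, suppresses the automatic restart so the client's restart settings stay in control, and reports the outcome through an exit code. The exit-code convention (0 done, 3010 done but restart required, 1 failure) is an assumption that follows the standard Windows codes; the feature name is the one given above.

```powershell
# Added example, not the article's own script: wrap the Enable-WindowsOptionalFeature
# command for deployment through Configuration Manager. It enables the feature only when
# it is missing, suppresses the automatic restart so the client's restart settings stay in
# control, and reports the outcome through an exit code. The exit-code convention
# (0 = done, 3010 = done but restart required, 1 = failure) is an assumption that follows
# the standard Windows codes; run it under the SYSTEM account.

function Enable-ApplicationGuardFeature {
    [CmdletBinding()]
    param(
        # Feature name as given in the article.
        [string]$FeatureName = 'Windows-Defender-ApplicationGuard'
    )

    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction Stop
    if ($feature.State -eq 'Enabled') {
        # Nothing to do; no restart is required by this script.
        return [pscustomobject]@{ Feature = $FeatureName; Changed = $false; RestartNeeded = $false }
    }

    # -NoRestart prevents the cmdlet from rebooting the device itself.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart -ErrorAction Stop
    [pscustomobject]@{
        Feature       = $FeatureName
        Changed       = $true
        RestartNeeded = [bool]$result.RestartNeeded
    }
}

try {
    $outcome = Enable-ApplicationGuardFeature
    $outcome | Format-List
    if ($outcome.RestartNeeded) { exit 3010 } else { exit 0 }
}
catch {
    Write-Error "Failed to enable Application Guard: $_"
    exit 1
}
```

Because the feature is a Windows optional component, the device must restart before the container can be used; deploying the script ahead of the policy, and letting the restart happen through the client settings, avoids the policy reporting compliant on a device where the feature is staged but not yet active.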

Next steps
For more information about Microsoft Defender Application Guard, see

- Microsoft Defender Application Guard overview.
- Microsoft Defender Application Guard FAQ.



Windows Defender Application Control management with Configuration Manager
Article • 12/16/2024

Applies to: Configuration Manager (current branch)

Windows Defender Application Control is designed to protect devices against malware
and other untrusted software. It prevents malicious code from running by ensuring that
only approved code that you know can run.

Application Control is a software-based security layer that enforces an explicit list of
software that is allowed to run on a PC. On its own, Application Control doesn't have
any hardware or firmware prerequisites. Application Control policies deployed with
Configuration Manager enable a policy on devices in targeted collections that meet the
minimum Windows version and SKU requirements outlined in this article. Optionally,
hypervisor-based protection of Application Control policies deployed through
Configuration Manager can be enabled through group policy on capable hardware.

For more information, see the Windows Defender Application Control deployment
guide.

Note

This feature was previously known as configurable code integrity and Device Guard.

Using Application Control with Configuration Manager

You can use Configuration Manager to deploy an Application Control policy. This policy
lets you configure the mode in which Application Control runs on devices in a collection.

You can configure one of the following modes:

1. Enforcement enabled - Only trusted executables are allowed to run.

2. Audit only - Allow all executables to run, but log untrusted executables that run in
the local client event log.

What can run when you deploy an Application Control policy?

Application Control lets you strongly control what can run on devices you manage. This
feature can be useful for devices in high-security departments, where it's vital that
unwanted software can't run.

When you deploy a policy, typically, the following executables can run:

- Windows OS components
- Hardware Dev Center drivers with Windows Hardware Quality Labs signatures
- Windows Store apps
- The Configuration Manager client
- All software deployed through Configuration Manager that devices install after
  they process the Application Control policy
- Updates to built-in Windows components from:
  - Windows Update
  - Windows Update for Business
  - Windows Server Update Services
  - Configuration Manager
- Optionally, software with a good reputation as determined by the Microsoft
  Intelligent Security Graph (ISG). The ISG includes Windows Defender
  SmartScreen and other Microsoft services. The device must be running
  Windows Defender SmartScreen and Windows 10 version 1709 or later for this
  software to be trusted.

Important

These items don't include any software that isn't built into Windows that
automatically updates from the internet or third-party software updates. This
limitation applies whether they're installed by any of the listed update mechanisms
or from the internet. Application Control only allows software changes that are
deployed through the Configuration Manager client.

Supported operating systems

To use Application Control with Configuration Manager, devices must be running
supported versions of:

- Windows 11 or later, Enterprise edition
- Windows 10 or later, Enterprise edition
- Windows Server 2019 or later

Tip

Existing Application Control policies created with Configuration Manager version
2006 or earlier won't work with Windows Server. To support Windows Server, create
new Application Control policies.

Before you start

- Once a policy is successfully processed on a device, Configuration Manager is
  configured as a managed installer on that client. After the policy processes,
  software deployed by Configuration Manager is automatically trusted. Before the
  device processes the Application Control policy, software installed by
  Configuration Manager isn't automatically trusted.

  Note

  For example, you can't use the Install Application step in a task sequence to
  install applications during an OS deployment. For more information, see Task
  sequence steps - Install Application.

- The default compliance evaluation schedule for Application Control policies is
  every day. This schedule is configurable during policy deployment. If you notice
  issues in policy processing, configure the compliance evaluation schedule to be
  more frequent, for example, every hour. This schedule dictates how often clients
  reattempt to process an Application Control policy if a failure occurs.

- Regardless of the enforcement mode you select, when you deploy an Application
  Control policy, devices can't run HTML applications with the .hta file extension.

Create an Application Control policy

1. In the Configuration Manager console, go to the Assets and Compliance
workspace.

2. Expand Endpoint Protection, and then select the Windows Defender Application
Control node.

3. On the Home tab of the ribbon, in the Create group, select Create Application
Control policy.

4. On the General page of the Create Application Control policy Wizard, specify the
following settings:

   - Name: Enter a unique name for this Application Control policy.

   - Description: Optionally, enter a description for the policy that helps you
     identify it in the Configuration Manager console.

   - Enforce a restart of devices so that this policy can be enforced for all
     processes: After the device processes the policy, a restart is scheduled on the
     client according to the Client Settings for Computer Restart. Applications
     currently running on the device won't apply the new Application Control
     policy until after a restart. However, applications launched after the policy
     applies will honor the new policy.

   - Enforcement Mode: Choose one of the following enforcement methods:

     - Enforcement Enabled: Only trusted applications are allowed to run.

     - Audit Only: Allow all applications to run, but log untrusted programs that
       run. The audit messages are in the local client event log.

5. On the Inclusions tab of the Create Application Control policy Wizard, choose if
you want to Authorize software that is trusted by the Intelligent Security Graph.

6. If you want to add trust for specific files or folders on devices, select Add. In the
Add Trusted File or Folder dialog box, you can specify a local file or a folder path
to trust. You can also specify a file or folder path on a remote device on which you
have permission to connect. When you add trust for specific files or folders in an
Application Control policy, you can:

   - Overcome issues with managed installer behaviors.

   - Trust line-of-business apps that you can't deploy with Configuration
     Manager.

   - Trust apps that are included in an OS deployment image.

7. Complete the wizard.

Deploy an Application Control policy

1. In the Configuration Manager console, go to the Assets and Compliance
workspace.

2. Expand Endpoint Protection, and then select the Windows Defender Application
Control node.

3. From the list of policies, select the one you want to deploy. On the Home tab of
the ribbon, in the Deployment group, select Deploy Application Control Policy.

4. In the Deploy Application Control policy dialog box, select the collection to which
you want to deploy the policy. Then configure a schedule for when clients evaluate
the policy. Finally, select whether the client can evaluate the policy outside of any
configured maintenance windows.

5. When you're finished, select OK to deploy the policy.

Monitor an Application Control policy

In general, use the information in the Monitor compliance settings article. This
information can help you monitor that the deployed policy has been correctly applied to
all devices.

To monitor the processing of an Application Control policy, use the following log file on
devices:

%WINDIR%\CCM\Logs\DeviceGuardHandler.log

To verify the specific software being blocked or audited, see the following local client
event logs:

- For blocking and auditing of executable files, use Applications and Services Logs
  > Microsoft > Windows > Code Integrity > Operational.

- For blocking and auditing of Windows Installer and script files, use Applications
  and Services Logs > Microsoft > Windows > AppLocker > MSI and Script.
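To turn those three sources into a single client-side check, the following added example (not from the Configuration Manager documentation) reports the enforcement state from the Win32_DeviceGuard WMI class, collects Code Integrity events 3076 and 3077 (audit and enforced block of executables) and AppLocker events 8028 and 8029 (audit and enforced block of Windows Installer and script files) from the two logs named above, and tails DeviceGuardHandler.log. The event IDs and the WMI class are documented Windows interfaces; the 24-hour window is an assumption.

```powershell
# Added example (not from the Configuration Manager docs): one client-side check for an
# Application Control deployment. Enforcement state comes from Win32_DeviceGuard; blocked
# or audited software comes from the Code Integrity and AppLocker event logs the article
# names; the handler log is tailed for policy-processing errors. Window is an assumption.

function Get-ApplicationControlStatus {
    # CodeIntegrityPolicyEnforcementStatus values: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $modes = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy = $modes[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy   = $modes[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function ConvertTo-ControlEvent {
    # Normalize an event record to Time / Source / Mode / Message.
    param($Event, [string]$Source, [int]$BlockId)
    $mode = if ($Event.Id -eq $BlockId) { 'Block' } else { 'Audit' }
    [pscustomobject]@{ Time = $Event.TimeCreated; Source = $Source; Mode = $mode; Message = $Event.Message }
}

function Get-ApplicationControlEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Executables: Code Integrity 3076 = would have been blocked (audit), 3077 = blocked.
    $ci = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertTo-ControlEvent $_ 'CodeIntegrity' 3077 }

    # Windows Installer and scripts: AppLocker 8028 = audit, 8029 = blocked.
    $al = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8028, 8029; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertTo-ControlEvent $_ 'AppLocker' 8029 }

    @($ci) + @($al) | Sort-Object Time
}

Get-ApplicationControlStatus | Format-List
Get-ApplicationControlEvents -Hours 24 | Format-Table Time, Source, Mode -AutoSize

# Policy-processing errors from the Configuration Manager client handler.
$handlerLog = Join-Path $env:WINDIR 'CCM\Logs\DeviceGuardHandler.log'
if (Test-Path $handlerLog) { Get-Content $handlerLog -Tail 20 }
```

Reading the audit events before switching a collection to Enforcement Enabled is the practical way to find line-of-business software that would need the file or folder trust described under Create an Application Control policy; a device whose UserModePolicy still reports Off or Audit after an enforced deployment has most likely not completed the restart the policy requires.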

Security and privacy information

- Devices that have a policy deployed to them in Audit Only or Enforcement
  Enabled mode, but haven't been restarted to enforce the policy, are vulnerable to
  untrusted software being installed. In this situation, the software might continue to
  run even if the device restarts, or receives a policy in Enforcement Enabled mode.
  To help ensure the effectiveness of the Application Control policy, first prepare the
  device in a lab environment. Deploy an Enforcement Enabled policy, then restart the
  device. Once you verify the apps work, then give the device to the user.

- Don't deploy a policy with Enforcement Enabled and then later deploy a policy
  with Audit Only to the same device. This configuration might result in untrusted
  software being allowed to run.

- When you use Configuration Manager to enable Application Control on devices,
  the policy doesn't prevent users with local administrator rights from circumventing
  the Application Control policies or otherwise running untrusted software.

  The only way to prevent users with local administrator rights from disabling
  Application Control is to deploy a signed binary policy. This deployment is possible
  through group policy, but not currently supported in Configuration Manager.

- Setting up Configuration Manager as a managed installer on devices uses a
  Windows AppLocker policy. AppLocker is only used to identify managed installers.
  All enforcement happens with Application Control.

Next steps
Manage antimalware policies and firewall settings



Manage antimalware policies and firewall settings
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this topic to help you manage Endpoint Protection antimalware
policies and Windows Firewall policies, to perform on-demand scans, to force
computers to download the latest available definitions, and to remediate detected
malware.

Manage antimalware policies

In the Assets and Compliance workspace, expand Endpoint Protection, choose
Antimalware Policies, select the antimalware policy that you want to manage, and then
select a management task.

This table provides more information.

Task                Details
Increase Priority   If multiple antimalware policies are deployed to the same computer, they are
                    applied in order. Use this option to increase the priority by which the selected
                    antimalware policy is applied. Use the Order column to see the order in which the
                    policies are applied.
                    The antimalware policy that has the highest priority is always applied first.
Decrease Priority   If multiple antimalware policies are deployed to the same computer, they are
                    applied in order. Use this option to decrease the priority by which the selected
                    antimalware policy is applied. Use the Order column to view the order in which the
                    policies are applied.
Merge               Merges the two selected antimalware policies. In the Merge Policies dialog box,
                    enter a name for the new, merged policy. The Base policy is the antimalware policy
                    that is merged with this new antimalware policy.
                    Note: If two settings conflict, the most secure setting is applied to computers.
Deploy              Opens the Select Collection dialog box. Select the collection to which you want to
                    deploy the antimalware policy, and then choose OK.

Manage Windows Firewall policies

In the Assets and Compliance workspace, choose Endpoint Protection > Windows
Firewall Policies, select the Windows Firewall policy that you want to manage, and then
select a management task.

This table provides more information.

Task                Details
Increase Priority   If multiple Windows Firewall policies are deployed to the same computer, they are
                    applied in order. Use this option to increase the priority by which the selected
                    Windows Firewall policy is applied. Use the Order column to view the order in
                    which the policies are applied.
Decrease Priority   If multiple Windows Firewall policies are deployed to the same computer, they are
                    applied in order. Use this option to decrease the priority by which the selected
                    Windows Firewall policy is applied. Use the Order column to view the order in
                    which the policies are applied.
Deploy              Opens the Deploy Windows Firewall Policy dialog box from where you can deploy
                    the firewall policy to a collection.

How to perform an on-demand scan of computers

You can perform a scan of a single computer, multiple computers, or a collection of
computers in the Configuration Manager console. This scan occurs in addition to any
scheduled scans.

Note

If any of the computers that you select do not have the Endpoint Protection client
installed, the on-demand scan option is unavailable.

To perform an on-demand scan of computers

1. In the Configuration Manager console, choose Assets and Compliance.

2. In the Devices or Device Collections node, select the computer or collection of
computers that you want to scan.

3. On the Home tab, in the Collection group, click Endpoint Protection, and then
click Full Scan or Quick Scan.

The scan will take place when the computer or collection of computers next
downloads client policy. To monitor the results from the scan, use the procedures
in How to monitor Endpoint Protection.

How to force computers to download the latest definition files

You can force a single computer, multiple computers, or a collection of computers to
download the latest definition files from the Configuration Manager console.

Note

If any of the computers that you select do not have the Endpoint Protection client
installed, the Download Definition option is unavailable.

To force computers to download the latest definition files

1. In the Devices or Device Collections node, select the computer or collection of
computers for which you want to download definitions.

2. On the Home tab, in the Collection group, choose Endpoint Protection, and then
click Download Definition. The download will take place when the computer or
collection of computers next downloads client policy.

Note

Use the Endpoint Protection Status node under Security in the Monitoring
workspace to discover clients that have out-of-date definitions.

Remediate detected malware

When malware is detected on client computers, it is displayed in the Malware
Detected node under Endpoint Protection Status under Security in the Monitoring
workspace of the Configuration Manager console. Select an item from the Malware
Detected list, and then use one of the following management tasks to remediate or
allow the detected malware:

- Allow this threat - Creates an antimalware policy to allow the selected malware.
  The policy is deployed to the All Systems collection and can be monitored in the
  Client Operations node of the Monitoring workspace.

- Restore files quarantined by this threat - Opens the Restore quarantined files
  dialog box where you can select one of the following options:

  - Run the allow-threat or exclusion operation first to assure that files are not
    put back into quarantine - Restores the files that were quarantined because of
    the detected malware and also excludes the files from malware scans. If you do
    not exclude the files from malware scans, they will be quarantined again when
    the next scan runs.

  - Restore files without a dependency on the allow or exclusion job - Restores
    the quarantined files but does not add them to the exclusion list.

- View infected clients - Displays a list of all clients that were infected by the
  selected malware.

- Exclude selected files or paths from scan - When you select this option from the
  malware details pane, the Exclude files and paths dialog box opens where you can
  specify the files and folders that you want to exclude from malware scans.



Example scenario: Use Endpoint Protection to protect computers from malware
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article provides an example scenario for how you can implement Endpoint
Protection in Configuration Manager to protect computers in your organization from
malware attacks.

Scenario overview
Configuration Manager is installed and used at Woodgrove Bank. The bank currently
uses Endpoint Protection to protect computers against malware attacks. Additionally,
the bank uses Windows Group Policy to ensure that the Windows Firewall is enabled on
all computers in the company and that users are notified when Windows Firewall blocks
a new program.

The Configuration Manager administrators have been asked to upgrade the Woodgrove
Bank antimalware software to Endpoint Protection so that the bank can benefit from the
latest antimalware features and be able to centrally manage the antimalware solution
from the Configuration Manager console.

Business requirements

This implementation has the following requirements:

- Use Configuration Manager to manage the Windows Firewall settings that are
  currently managed by Group Policy.

- Use Configuration Manager software updates to download malware definitions to
  computers. If software updates aren't available, for example if the computer isn't
  connected to the corporate network, computers must download definition updates
  from Microsoft Update.

- Users' computers must perform a quick malware scan every day. Servers, however,
  must run a full scan every Saturday, outside business hours, at 1 A.M.

- Send an email alert whenever any one of the following events occurs:
  - Malware is detected on any computer
  - The same malware threat is detected on more than 5 percent of computers
  - The same malware threat is detected more than 5 times in any 24-hour period
  - More than 3 different types of malware are detected in any 24-hour period

The admins then do the following steps to implement Endpoint Protection:

Steps to implement Endpoint Protection


Process: The admins review the available information about the basic concepts for
Endpoint Protection in Configuration Manager.
Reference: For overview information about Endpoint Protection, see Endpoint
Protection.

Process: The admins install the Endpoint Protection site system role on one site
system server only, at the top of the Woodgrove Bank hierarchy.
Reference: For more information about how to install the Endpoint Protection site
system role, see "Prerequisites" in Configure Endpoint Protection.

Process: The admins configure Configuration Manager to use an SMTP server to send
the email alerts.
Note: You must configure an SMTP server only if you want to be notified by email
when an Endpoint Protection alert is generated.
Reference: For more information, see Configure alerts in Endpoint Protection.

Process: The admins create a device collection that contains all computers and
servers on which to install the Endpoint Protection client. They name this
collection All Computers Protected by Endpoint Protection.
Tip: You can't configure alerts for user collections.
Reference: For more information about how to create collections, see How to create
collections.

Process: The admins configure the following alerts for the collection:

1) Malware is detected: The admins configure an alert severity of Critical.

2) The same type of malware is detected on a number of computers: The admins
configure an alert severity of Critical and specify that the alert will be
generated when more than 5 percent of computers have malware detected.

3) The same type of malware is repeatedly detected within the specified interval
on a computer: The admins configure an alert severity of Critical and specify that
the alert will be generated when malware is detected more than 5 times in a 24-hour
period.

4) Multiple types of malware are detected on the same computer within the
specified interval: The admins configure an alert severity of Critical and specify
that the alert will be generated when more than 3 types of malware are detected in
a 24-hour period.

The value for Alert Severity indicates the alert level that will be displayed in
the Configuration Manager console and in alerts that they receive in an email
message.

They additionally select the option View this collection in the Endpoint
Protection dashboard so that they can monitor the alerts in the Configuration
Manager console.
Reference: See "Configure Alerts for Endpoint Protection" in Configuring Endpoint
Protection.

Process: The admins configure Configuration Manager software updates to download
and deploy definition updates three times a day by using an automatic deployment
rule.
Reference: For more information, see the "Using Configuration Manager Software
Updates to Deliver Definition Updates" section in Use Configuration Manager
software updates to deliver definition updates.

Process: The admins examine the settings in the default antimalware policy, which
contains recommended security settings from Microsoft. For computers to perform a
quick scan every day, they change the following settings:

1) Run a daily quick scan on client computers: Yes.

2) Daily quick scan schedule time: 9:00 AM.

The admins note that Updates distributed from Microsoft Update is selected by
default as a definition update source. This fulfills the business requirement that
computers download definitions from Microsoft Update when they can't receive
Configuration Manager software updates.
Reference: See How to create and deploy antimalware policies for Endpoint
Protection.

Process: The admins create a collection that contains only the Woodgrove Bank
servers, named Woodgrove Bank Servers.
Reference: See How to create collections.

Process: The admins create a custom antimalware policy named Woodgrove Bank Server
Policy. They add only the settings for Scheduled scans and make the following
changes:

Scan type: Full

Scan day: Saturday

Scan time: 1:00 AM

Run a daily quick scan on client computers: No.
Reference: See How to create and deploy antimalware policies for Endpoint
Protection.

Process: The admins deploy the Woodgrove Bank Server Policy custom antimalware
policy to the Woodgrove Bank Servers collection.
Reference: See "To deploy an antimalware policy to client computers" in the How to
create and deploy antimalware policies for Endpoint Protection article.

Process: The admins create a new set of custom client device settings for Endpoint
Protection and name these Woodgrove Bank Endpoint Protection Settings.
Note: If you don't want to install and enable Endpoint Protection on all clients in
your hierarchy, make sure that the options Manage Endpoint Protection client on
client computers and Install Endpoint Protection client on client computers are
both configured as No in the default client settings.

They configure the following settings for Endpoint Protection:

Manage Endpoint Protection client on client computers: Yes

This setting and value ensures that any existing Endpoint Protection client that
is installed becomes managed by Configuration Manager.

Install Endpoint Protection client on client computers: Yes.
Reference: For more information, see Configure Custom Client Settings for Endpoint
Protection.

Process: The admins deploy the Woodgrove Bank Endpoint Protection Settings client
settings to the All Computers Protected by Endpoint Protection collection.
Reference: See "Configure Custom Client Settings for Endpoint Protection" in
Configuring Endpoint Protection in Configuration Manager.

Process: The admins use the Create Windows Firewall Policy Wizard to create a
policy by configuring the following settings for the domain profile:

1) Enable Windows Firewall: Yes

2) Notify the user when Windows Firewall blocks a new program: Yes
Reference: See How to create and deploy Windows Firewall policies for Endpoint
Protection.

Process: The admins deploy the new firewall policy to the collection All Computers
Protected by Endpoint Protection that they created earlier.
Reference: See "To deploy a Windows Firewall policy" in the How to create and
deploy Windows Firewall policies for Endpoint Protection article.

Process: The admins use the available management tasks for Endpoint Protection to
manage antimalware and Windows Firewall policies, perform on-demand scans of
computers when necessary, force computers to download the latest definitions, and
specify any further actions to take when malware is detected.
Reference: See How to manage antimalware policies and firewall settings for
Endpoint Protection.

Process: The admins use the following methods to monitor the status of Endpoint
Protection and the actions that are taken by Endpoint Protection:

1) By using the Endpoint Protection Status node under Security in the Monitoring
workspace.

2) By using the Endpoint Protection node in the Assets and Compliance workspace.

3) By using the built-in Configuration Manager reports.
Reference: See How to monitor Endpoint Protection.

The admins report a successful implementation of Endpoint Protection to their manager,
and confirm that the computers at Woodgrove Bank are now protected from malware,
according to the business requirements that they were given.
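As an added example that is not part of this article, the following PowerShell function checks on a Woodgrove Bank server whether the settings the scenario deploys (full scan on Saturday at 1:00 AM, no daily quick scan, current definitions, real-time protection and Network Inspection System on, Windows Firewall enabled with notifications on the domain profile) are actually in effect. It uses the client-side Defender and NetSecurity modules (Get-MpPreference, Get-MpComputerStatus, Get-NetFirewallProfile) rather than Configuration Manager cmdlets; the function name is hypothetical, and the numeric codes for scan type and day and the treatment of a zero quick-scan time are assumptions about those modules.

```powershell
# Added example (not from the article): verify on a server in the Woodgrove Bank
# Servers collection that the deployed Endpoint Protection and firewall settings
# match the scenario's business requirements. Run in an elevated PowerShell session.

function Test-WoodgroveServerProtection {
    [CmdletBinding()]
    param(
        # Expected values taken from the scenario's requirements.
        [int]      $ExpectedScanDay     = 7,                   # assumption: 7 = Saturday in Get-MpPreference
        [TimeSpan] $ExpectedScanTime    = [TimeSpan]'01:00:00',
        [int]      $MaxSignatureAgeDays = 1                    # definitions are deployed three times a day
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $domain = Get-NetFirewallProfile -Name Domain

    # One object per requirement: what was observed and whether it passes.
    $checks = @(
        [pscustomobject]@{ Check = 'Scheduled scan type is Full'
                           Value = $pref.ScanParameters
                           Pass  = ($pref.ScanParameters -eq 2) }               # assumption: 1 = Quick, 2 = Full
        [pscustomobject]@{ Check = 'Scheduled scan day is Saturday'
                           Value = $pref.ScanScheduleDay
                           Pass  = ($pref.ScanScheduleDay -eq $ExpectedScanDay) }
        [pscustomobject]@{ Check = 'Scheduled scan time is 1:00 AM'
                           Value = $pref.ScanScheduleTime
                           Pass  = ($pref.ScanScheduleTime -eq $ExpectedScanTime) }
        [pscustomobject]@{ Check = 'Daily quick scan disabled on servers'
                           Value = $pref.ScanScheduleQuickScanTime
                           Pass  = ($pref.ScanScheduleQuickScanTime -eq [TimeSpan]::Zero) }  # assumption: zero = none scheduled
        [pscustomobject]@{ Check = 'Real-time protection enabled'
                           Value = $status.RealTimeProtectionEnabled
                           Pass  = [bool]$status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Network Inspection System enabled'
                           Value = $status.NISEnabled
                           Pass  = [bool]$status.NISEnabled }
        [pscustomobject]@{ Check = "Definitions no older than $MaxSignatureAgeDays day(s)"
                           Value = $status.AntivirusSignatureLastUpdated
                           Pass  = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
        [pscustomobject]@{ Check = 'Windows Firewall enabled (domain profile)'
                           Value = $domain.Enabled
                           Pass  = ($domain.Enabled -eq 'True') }
        [pscustomobject]@{ Check = 'Notify when firewall blocks a new program (domain profile)'
                           Value = $domain.NotifyOnListen
                           Pass  = ($domain.NotifyOnListen -eq 'True') }
    )
    return $checks
}

$results = Test-WoodgroveServerProtection
$results | Format-Table -AutoSize

# A failed check means the policy hasn't been applied yet or a local setting overrides it.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} check(s) failed; review the Endpoint Protection Status node for this server.' -f $failed.Count)
    exit 1
}
```

Run it after the Woodgrove Bank Server Policy and firewall policy have had time to reach the client; on a user workstation the quick-scan and scan-type checks are expected to fail because that collection receives the default policy instead.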

Next steps
For more information, see How to Configure Endpoint Protection


Endpoint Protection Client Help
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This version of Windows Defender or Endpoint Protection includes the following
features to help protect your computer from threats:

Windows Firewall integration. Endpoint Protection setup enables you to turn on
or off Windows Firewall.

Network Inspection System. This feature enhances real-time protection by
inspecting network traffic to help proactively block exploitation of known network-
based vulnerabilities.

Protection engine. Real-time protection finds and stops malware from installing or
running on your PC. The updated engine offers enhanced detection and cleanup
capabilities with better performance.

Windows Defender comes as part of the operating system starting in Windows 10. On
earlier versions of Windows, your administrator can provide either Windows Defender or
Endpoint Protection using management software.

You can also find a list of frequently asked questions for Windows Defender and
Endpoint Protection. For help troubleshooting, see Troubleshooting Windows Defender
or Endpoint Protection client. For a list of new features, see What's new Windows
Defender client.

Windows Firewall integration

Windows Firewall can help prevent attackers or malicious software from gaining access
to your computer through the Internet or a network. Now when you install Endpoint
Protection, the installation wizard verifies that Windows Firewall is turned on. If you have
intentionally turned off Windows Firewall, you can avoid turning it on by clearing a
check box. You can change your Windows Firewall settings at any time via the System
and Security settings in Control Panel.

Network Inspection System

Attackers are increasingly carrying out network-based attacks against exposed
vulnerabilities before software vendors can develop and distribute security updates.
Studies of vulnerabilities show that it can take a month or longer from the time of an
initial attack report before a suitable security update is developed, tested, and released.
This gap in protection leaves many computers vulnerable to attacks and exploitation for
a substantial period of time. Network Inspection System works with real-time protection
to better protect you against network-based attacks by greatly reducing the timespan
between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine

Under the hood of Windows Defender or Endpoint Protection is its award-winning
protection engine that is updated regularly. The engine is backed by a team of
antimalware researchers from the Microsoft Malware Protection Center, providing
responses to the latest malware threats 24 hours a day.

Windows Defender settings

Windows Defender settings help protect your PC from malicious software. Your
administrator might manage some Windows Defender settings for you. You can manage
the others yourself in the Windows Defender settings page. We recommend that you
enable the Windows Defender settings to help protect your PC and data.

To view Windows Defender settings, search for Windows Defender on your PC. Open
Windows Defender and select Settings. Windows Defender settings include:

Real-time protection - Find and stop malware from installing or running on your
PC.
Cloud-based Protection - Windows Defender sends info to Microsoft about
potential security threats.
Automatic sample submission - Allow Windows Defender to send samples of
suspicious files to Microsoft to help improve malware detection.
Exclusions - You can exclude specific files, folders, file extensions, or processes from
Windows Defender scanning.
Enhanced notification - Enables notifications that inform you about the health of your
PC. Even when this is turned off, you still receive critical notifications.
Windows Defender Offline - You can run Windows Defender Offline to help find
and remove malicious software. This scan will restart your PC and will take about
15 minutes.

See also
Endpoint Protection client frequently asked questions
Troubleshooting Windows Defender or Endpoint Protection client



Troubleshoot Windows Defender or
Endpoint Protection client
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you come across problems with Windows Defender or Endpoint Protection, use this
article to troubleshoot the following problems:

Update Windows Defender or Endpoint Protection
Starting Windows Defender or Endpoint Protection service
Internet connection issues
Detected threat can't be remediated

Update Windows Defender or Endpoint Protection

Symptoms
Windows Defender or Endpoint Protection works automatically with Microsoft Update
to make sure that your virus and spyware definitions are kept up-to-date.

This section addresses common issues with automatic updates, including the following
situations:

You see error messages indicating that updates have failed.

When you check for updates, you receive an error message that the virus and
spyware definition updates can't be checked, downloaded, or installed.

Even though your device is connected to the internet, the updates fail.

Updates aren't automatically installing as scheduled.

Causes
The most common causes for update issues are problems with internet connectivity. If
you know your device is connected to the internet because you can browse to other
Web sites, the issue might be caused by conflicts with your internet settings in Windows.

Options to resolve

Step 1: Reset your internet settings

1. Exit all open programs, including the web browser.

Note

When you reset these internet settings, it may delete your browser temporary
files, cookies, browsing history, and online passwords. It doesn't delete your
favorites.

2. Go to the Start menu, and open inetcpl.cpl.

3. Switch to the Advanced tab.

4. In the section to Reset Internet Explorer settings, select Reset, and then select
Reset again to confirm.

5. Select OK when the settings are reset.

6. Try to update Windows Defender again.

If the issue persists, continue to the next step.

Step 2: Make sure that the date and time are set correctly on your
computer
If the error message contains the code 0x80072f8f, the problem is most likely caused by
an incorrect date or time setting on your computer. Go to the Start menu, select
Settings, select Time & language, and select Date & time.

Step 3: Rename the Software Distribution folder on your computer

1. Stop the Windows Update service.

a. Go to Start, and open services.msc.

b. Select the Windows Update service. Go to the Action menu, and select Stop.

2. Rename the SoftwareDistribution directory.

a. Open a command prompt as an administrator.

b. Enter the following commands:

Windows Command Prompt

cd %windir%
ren SoftwareDistribution SDTemp
exit

3. Restart the Windows Update service.

a. Switch back to the Services window.

b. Select the Windows Update service. Go to the Action menu, and select Start.

c. Close the Services window.

Step 4: Reset the Microsoft antivirus update engine on your computer

1. Open a command prompt as an administrator.

2. Enter the following commands:

Windows Command Prompt

cd \
cd program files\windows defender
MpCmdRun -RemoveDefinitions -all
exit

3. Restart the computer.

4. Try to update Windows Defender again.

If the issue persists, continue to the next step.

Step 5: Manually install the definition updates

Manually download the latest updates.

Step 6: Contact Microsoft support

If these steps didn't resolve the issue, contact Microsoft support. For more information,
see Support options and community resources.
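The following PowerShell script, added here and not part of the original article, carries out steps 3 and 4 above as one sequence from an elevated session: it stops the Windows Update service, renames SoftwareDistribution, clears the cached definitions with the same MpCmdRun command shown above, then retries the definition update with Update-MpSignature and reports the definition version before and after. The function name is hypothetical, and the timestamped folder name, the try/finally that restarts the service, and the version comparison are additions to the article's steps.

```powershell
# Added example (not from the article): steps 3 and 4 of the update troubleshooting
# procedure as a single script. Run from an elevated PowerShell session.

$ErrorActionPreference = 'Stop'

function Reset-DefenderUpdateEngine {
    $wu    = Get-Service -Name wuauserv
    $sdDir = Join-Path $env:windir 'SoftwareDistribution'
    # Timestamped name so a leftover SDTemp from an earlier attempt is never overwritten.
    $tmp   = Join-Path $env:windir ('SDTemp_{0:yyyyMMdd_HHmmss}' -f (Get-Date))

    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Definition version before reset: $before"

    # Step 3: the folder can only be renamed while the Windows Update service is stopped.
    if ($wu.Status -ne 'Stopped') {
        Stop-Service -Name wuauserv -Force
        $wu.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
    try {
        if (Test-Path $sdDir) {
            Rename-Item -Path $sdDir -NewName (Split-Path $tmp -Leaf)
            Write-Host "Renamed SoftwareDistribution to $tmp"
        }
    }
    finally {
        # Always bring Windows Update back, even if the rename failed (for example,
        # because another process still had a file in the folder open).
        Start-Service -Name wuauserv
    }

    # Step 4: remove all locally cached definitions (same command as in the article).
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpCmdRun -RemoveDefinitions -All
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun -RemoveDefinitions failed with exit code $LASTEXITCODE"
    }

    # Retry the update. Update-MpSignature throws if the download still fails, which
    # is the signal to move on to step 5 (manual installation).
    Update-MpSignature
    $after = (Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Definition version after reset:  $after"

    return [pscustomobject]@{ Before = $before; After = $after }
}

Reset-DefenderUpdateEngine
```

Step 4 still calls for a restart after removing the definitions; do that before concluding that updates continue to fail.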

Starting Windows Defender or Endpoint Protection service

Symptom
You receive a message notifying you that Windows Defender or Endpoint Protection
isn't monitoring your computer because the program's service stopped. You should
restart it now.

Solution

Step 1: Restart your computer

Close all applications and restart your computer.

Step 2: Check the Windows service

1. Go to Start, and open services.msc.

2. Select the Windows Defender Antivirus Service.

3. Make sure that the Startup Type is set to Automatic.

4. Go to the Action menu and select Start.

a. If this action isn't available, select Stop. Wait for the service to stop, and then
select the Start action to restart the service.

Note any errors that may appear during this process. Contact Microsoft Support and
provide the error information.

Step 3: Remove any third-party security programs

Note
Some security applications don't uninstall completely. You may need to download
and run a cleanup utility for your previous security application to completely
remove it.

1. Go to Start and open appwiz.cpl.

2. In the list of installed programs, uninstall any third-party security programs.

3. Restart your computer.

Caution

When you remove security programs, your computer may be unprotected. If you
have problems installing Windows Defender after you remove existing security
programs, contact Microsoft Support. Select the Security product family, and
then the Windows Defender product.

Internet connection issues

For your computer to receive the latest updates from Windows Update, connect it to the
internet.

1. Go to Start and open ncpa.cpl.

2. Open the connection name to view the connection Status.

3. If your computer is connected, the IPv4 connectivity and/or IPv6 connectivity
status is Internet.

4. If your computer doesn't appear to be connected, select the connection name, and
select Diagnose this connection.

Close any open programs and restart your computer.

Detected threat can't be remediated

When Windows Defender or Endpoint Protection detects a potential threat, it tries to
mitigate the threat by quarantining or removing the threat. These threats can hide
inside a compressed archive ( .zip ) or in a network share.

Remove or scan the file

If the detected threat was in a compressed archive file, browse to the file. Delete
the file, or manually scan it. Right-click the file and select Scan with Windows
Defender. If Windows Defender detects additional threats in the file, it notifies you.
Then you can choose an appropriate action.

If the detected threat was in a network share, open the share, and manually scan it.
Right-click the file and select Scan with Windows Defender. If Windows Defender
detects additional threats in the network share, it notifies you. Then you can
choose an appropriate action.

If you're not sure of the file's origin, run a full scan on your computer. A full scan
may take some time to complete.

See also
Endpoint Protection client frequently asked questions

Endpoint Protection client help



Endpoint Protection client frequently
asked questions
FAQ

Applies to: Configuration Manager (current branch)

This FAQ is for computer users whose IT administrator has deployed Windows Defender
or Endpoint Protection to their managed computer. The content here might not apply to
other antimalware software. Microsoft System Center Endpoint Protection manages
Windows Defender on Windows 10 or later. It can also deploy and manage the Endpoint
Protection client to computers before Windows 10. While Windows Defender is
described in this article, its information also applies to Endpoint Protection.

Why do I need antivirus and antispyware software?
It's critical to make sure that your computer is running software that protects against
malicious software. Malicious software, which includes viruses, spyware, or other
potentially unwanted software can try to install itself on your computer anytime you
connect to the Internet. It can also infect your computer when you install a program
using a CD, DVD, or other removable media. Malicious software can also be
programmed to run at unexpected times, not just when it's installed.

Windows Defender or Endpoint Protection offers three ways to help keep malicious
software from infecting your computer:

Using real-time protection - Real-time protection enables Windows Defender to
monitor your computer all the time and alert you when malicious software,
including viruses, spyware, or other potentially unwanted software attempts to
install itself or run on your computer. Windows Defender then suspends the
software and enables you to follow its recommendation on the software or take an
alternative action.

Scanning options - You can use Windows Defender to scan for potential threats,
such as viruses, spyware, and other malicious software that might put your
computer at risk. You can also use it to schedule scans on a regular basis and to
remove malicious software that is detected during a scan.

Microsoft Active Protection Service community - The online Microsoft Active
Protection Service community helps you see how other people respond to
software that hasn't yet been classified for risks. You can use this information to
help you choose whether to allow this software on your computer. In turn, if you
participate, your choices are added to the community ratings to help other people
decide what to do.

How can I tell if my computer is infected with malicious software?
You might have some form of malicious software, including viruses, spyware, or other
potentially unwanted software, on your computer if:

You notice new toolbars, links, or favorites that you didn't intentionally add to your
Web browser.

Your home page, mouse pointer, or search program changes unexpectedly.

You type the address for a specific site, such as a search engine, but you're taken
to a different Web site without notice.

Files are automatically deleted from your computer.

Your computer is used to attack other computers.

You see pop-up ads, even if you're not on the Internet.

Your computer suddenly starts running more slowly than it usually does. Not all
computer performance problems are caused by malicious software, but malicious
software, especially spyware, can cause a noticeable change.

There might be malicious software on your computer even if you don't see any
symptoms. This type of software can collect information about you and your computer
without your knowledge or consent. To help protect your privacy and your computer,
you should run Windows Defender or Endpoint Protection at all times.

How can I find the version of Windows Defender?
To view the version of Windows Defender running on your computer, open Windows
Defender (click Start and then search for Windows Defender), click Settings, and scroll
to the bottom of the Windows Defender settings to find Version info.

What should I do if Windows Defender or Endpoint Protection detects malicious
software on my computer?
If Windows Defender detects malicious software or potentially unwanted software on
your computer (either when monitoring your computer using real-time protection or
after running a scan), it notifies you about the detected item by displaying a notification
message in the bottom right-hand corner of your screen.

The notification message includes a Clean computer button and a Show details link that
lets you view additional information about the detected item. Click the Show details link
to open the Potential threat details window to get additional information about the
detected item. You can now choose which action to apply to the item, or click Clean
computer. If you need help with determining which action to apply to the detected
item, use the alert level that Windows Defender assigned to the item as your guide (for
more information see, Understanding alert levels).

Alert levels help you choose how to respond to viruses, spyware, and other potentially
unwanted software. While Windows Defender will recommend that you remove all
viruses and spyware, not all software that is flagged is malicious or unwanted. The
following information can help you decide what to do if Windows Defender detects
potentially unwanted software on your computer.

Depending on the alert level, you can choose one of the following actions to apply to
the detected item:

Remove - This action permanently deletes the software from your computer.

Quarantine - This action quarantines the software so that it can't run. When
Windows Defender quarantines software, it moves it to another location on your
computer, and then prevents the software from running until you choose to
restore it or remove it from your computer.

Allow - This action adds the software to the Windows Defender allowed list and
allows it to run on your computer. Windows Defender will stop alerting you to risks
that the software might pose to your privacy or to your computer.

If you choose Allow for an item, such as software, Windows Defender will stop
alerting you to risks that the software might pose to your privacy or to your
computer. Therefore, add software to the allowed list only if you trust the software
and the software publisher.

How to remove potentially harmful software
To remove all unwanted or potentially harmful items that Windows Defender detects
quickly and easily, use the Clean computer option.

1. When you see the notification message that displays in the Notification area after
it detects potential threats, click Clean computer.

2. Windows Defender removes the potential threat (or threats), and then notifies you
when it's finished cleaning your computer.

3. To learn more about the detected threats, click the History tab, and then select All
detected items.

4. If you don't see all the detected items, click View details. If you're prompted for an
administrator password or confirmation, type the password or confirm the action.

7 Note

During computer cleanup, whenever possible, Windows Defender removes only the
infected part of a file, not the entire file.

What is a virus?
Computer viruses are software programs deliberately designed to interfere with
computer operation, to record, corrupt, or delete data, or to infect other computers
throughout the Internet. Viruses often slow things down and cause other problems in
the process.

What is spyware?
Spyware is software that can install itself or run on your computer without getting your
consent or providing you with adequate notice or control. Spyware might not display
symptoms after it infects your computer, but many malicious or unwanted programs can
affect how your computer runs. For example, spyware can monitor your online behavior
or collect information about you (including information that can identify you or other
sensitive information), change settings on your computer, or cause your computer to
run slowly.

What's the difference between viruses, spyware, and other potentially harmful
software?
Both viruses and spyware are installed on your computer without your knowledge and
both have the potential to be intrusive and destructive. They also have the ability to
capture information on your computer and damage or delete that information. They
both can negatively affect your computer's performance.

The main difference between viruses and spyware is how they behave on your
computer. Viruses, like living organisms, want to infect a computer, replicate, and then
spread to as many other computers as possible. Spyware, however, is more like a mole -
it wants to "move into" your computer and stay there as long as possible, sending
valuable information about your computer to an outside source while it's there.

Where do viruses, spyware, and other potentially unwanted software come from?
Unwanted software, such as viruses, can be installed by Web sites or by programs that
you download or that you install using a CD, DVD, external hard disk, or a device.
Spyware is most commonly installed through free software, such as file sharing, screen
savers, or search toolbars.

Can I get malicious software without knowing it?
Yes, some malicious software can be installed from a website through an embedded
script or program in a webpage. Some malicious software requires your help to install it.
This software uses Web pop-ups or free software that requires you to accept a
downloadable file. However, if you keep Microsoft Windows® up to date and don't
reduce your security settings, you can minimize the chances of an infection.

Why is it important to review license agreements before installing software?
When you visit websites, don't automatically agree to download anything the site offers.
If you download free software, such as file sharing programs or screen savers, read the
license agreement carefully. Look for clauses that say that you must accept advertising
and pop-ups from the company, or that the software will send certain information back
to the software publisher.

Why doesn't Windows Defender detect cookies?
Cookies are small text files that websites put on your computer to store information
about you and your preferences. Websites use cookies to offer you a personalized
experience and to gather information about website use. Windows Defender doesn't
detect cookies because it doesn't consider them a threat to your privacy or to the
security of your computer. Most internet browser programs allow you to block cookies.

How can I prevent malware?

Two of the biggest concerns for computer users today are viruses and spyware. In both
cases, while these can be a problem, you can defend yourself against them easily
enough with just a little bit of planning:

Keep your computer's software current and remember to install all patches.
Remember to update your operating system on a regular basis.

Make sure your antivirus and antispyware software, Windows Defender, is using
the latest updates against potential threats (see How do I keep virus and spyware
definitions up to date?). Also make sure you're always using the latest version of
Windows Defender.

Only download updates from reputable sources. For Windows operating systems,
always go to the Microsoft Update catalog. For other software, always use the
legitimate websites of the company or person who produces it.

If you receive an e-mail with an attachment and you're unsure of the source, then
you should delete it immediately. Don't download any applications or files from
unknown sources, and be careful when trading files with other users.

Install and use a firewall. It's recommended that you enable Windows Firewall.

What are virus and spyware definitions?

When you use Windows Defender or Endpoint Protection, it's important to have up-to-
date virus and spyware definitions. Definitions are files that act like an ever-growing
encyclopedia of potential software threats. Windows Defender or Endpoint Protection
uses definitions to determine if software that it detects is a virus, spyware, or other
potentially unwanted software, and then to alert you to potential risks. To help keep
your definitions up to date, Windows Defender or Endpoint Protection works with
Microsoft Update to install new definitions automatically as they're released. You can
also set Windows Defender or Endpoint Protection to check online for updated
definitions before scanning.

How do I keep virus and spyware definitions up to date?
Virus and spyware definitions are files that act like an encyclopedia of known malicious
software, including viruses, spyware, and other potentially unwanted software. Because
malicious software is continually being developed, Windows Defender or Endpoint
Protection relies on up-to-date definitions to determine if software that is trying to
install, run, or change settings on your computer is a virus, spyware, or other potentially
unwanted software.

To automatically check for new definitions before scheduled scans (recommended)
1. Open Windows Defender or Endpoint Protection client by clicking the icon in the
notification area or launching it from the Start menu.

2. Click Settings, and then click Scheduled scan.

3. Make sure the Check for the latest virus and spyware definitions before running
a scheduled scan check box is selected, and then click Save changes. If you're
prompted for an administrator password or confirmation, type the password or
confirm the action.

To check for new definitions manually

Windows Defender or Endpoint Protection updates the virus and spyware definitions on
your computer automatically. If the definitions haven't been updated for over seven
days (for example, if you didn't turn on your computer for a week), Windows Defender
or Endpoint Protection will notify you that the definitions are out of date.

1. Open Windows Defender or Endpoint Protection client by clicking the icon in the
notification area or launching it from the Start menu.

2. To check for new definitions manually, click the Update tab and then click Update
definitions.

How do I remove or restore items quarantined by Windows Defender or Endpoint Protection?
When Windows Defender or Endpoint Protection quarantines software, it moves the
software to another location on your computer, and then it prevents the software from
running until you choose to restore it or to remove it from your computer.

For all the steps mentioned in this procedure, if you're prompted for an administrator
password or confirmation, type the password or provide confirmation.

To remove or restore items quarantined by Windows Defender or Endpoint Protection
1. Click the History tab, select Quarantined items, and then select the Quarantined
items option.

2. Click View details to see all of the items.

3. Review each item, and then for each, click Remove or Restore. If you want to
remove all of the quarantined items from your computer, click Remove All.

What is real-time protection?

Real-time protection enables Windows Defender to monitor your computer all the time
and alert you when potential threats, such as viruses and spyware, are trying to install
themselves or run on your computer. Because this feature is an important element of
the way that Windows Defender helps protect your computer, you should make sure
real-time protection is always turned on. If real-time protection gets turned off,
Windows Defender notifies you, and changes your computer's status to at risk.

Whenever real-time protection detects a threat or potential threat, Windows Defender
displays a notification. You can then choose from the following options:
Click Clean computer to remove the detected item. Windows Defender will
automatically remove the item from your computer.

Click the Show details link to display the Potential threat details window, and then
choose which action to apply to the detected item.

You can choose the software and settings that you want Windows Defender to
monitor, but we recommend that you turn on real-time protection and enable all
real-time protection options. The following table explains the available options.

Scan all downloads: This option monitors files and programs that are downloaded,
including files that are automatically downloaded via Windows Internet Explorer and
Microsoft Outlook® Express, such as ActiveX® controls and software installation
programs. These files can be downloaded, installed, or run by the browser itself.
Malicious software, including viruses, spyware, and other potentially unwanted
software, can be included with these files and installed without your knowledge. Using
this real-time protection option, Windows Defender monitors your computer all the time
and checks any files or programs that you may have downloaded for malicious content.
This monitoring means that Windows Defender doesn't need to slow down your browsing
or e-mail experience by requiring a separate check of any files or programs you may
want to download.

Monitor file and program activity on your computer: This option monitors when files
and programs start running on your computer, and then it alerts you about any actions
they perform and actions taken on them. This is important, because malicious software
can use vulnerabilities in programs that you have installed to run malicious or unwanted
software without your knowledge. For example, spyware can run itself in the background
when you start a program that you frequently use. Windows Defender monitors your
programs and alerts you if it detects suspicious activity.

Enable behavior monitoring: This option monitors collections of behavior for
suspicious patterns that might not be detected by traditional antivirus detection
methods.

Enable Network Inspection System: This option helps protect your computer against
exploits of known vulnerabilities for which an update hasn't yet been applied,
decreasing the window of time between the moment a vulnerability is discovered and
the moment the update is installed.

To turn off real-time protection

1. Click Settings, and then click Real-time protection.

2. Clear the real-time protection options you want to turn off, and then click Save
changes. If you're prompted for an administrator password or confirmation, type
the password or confirm the action.
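The options in the table above can be checked and re-enabled without the client UI. The following PowerShell is an added example and is not code from the Configuration Manager documentation. It assumes the Defender PowerShell module (Get-MpComputerStatus, Set-MpPreference) that ships with Windows 8.1 / Windows Server 2012 R2 and later; the mapping from the option names in the table to status properties and Set-MpPreference switches is this example's own reading of the settings, not something the article states.

```powershell
# Added example, not code from the Configuration Manager documentation: audit the
# real-time protection options in the table above and turn any disabled option back on.
# Assumes the Defender PowerShell module (Get-MpComputerStatus, Set-MpPreference).
# The option-name to property mapping below is this example's assumption.

# Table option  ->  Get-MpComputerStatus property that reports whether it's on
$RealTimeOptionMap = [ordered]@{
    'Turn on real-time protection'                       = 'RealTimeProtectionEnabled'
    'Scan all downloads'                                 = 'IoavProtectionEnabled'
    'Monitor file and program activity on your computer' = 'OnAccessProtectionEnabled'
    'Enable behavior monitoring'                         = 'BehaviorMonitorEnabled'
    'Enable Network Inspection System'                   = 'NISEnabled'
}

function Get-RealTimeProtectionAudit {
    # One row per option: is it currently on?
    $status = Get-MpComputerStatus
    foreach ($entry in $RealTimeOptionMap.GetEnumerator()) {
        [pscustomobject]@{
            Option  = $entry.Key
            Enabled = [bool]$status.($entry.Value)
        }
    }
}

function Enable-RealTimeProtectionOptions {
    # Clears every Set-MpPreference "Disable*" switch behind the options above.
    # "Monitor file and program activity" has no separate switch; it's covered by
    # real-time monitoring. Caveat: on current Windows builds Tamper Protection can
    # block changes to real-time monitoring from PowerShell, and this call then throws.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable all real-time protection options')) {
        Set-MpPreference -DisableRealtimeMonitoring $false `
                         -DisableIOAVProtection $false `
                         -DisableBehaviorMonitoring $false `
                         -DisableIntrusionPreventionSystem $false
    }
}

$audit = Get-RealTimeProtectionAudit
$audit | Format-Table -AutoSize
$disabled = @($audit | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Warning ('Turned off: ' + ($disabled.Option -join ', ') + '. The computer is at risk until these are re-enabled.')
    Enable-RealTimeProtectionOptions -WhatIf   # remove -WhatIf to apply the change
} else {
    Write-Host 'All recommended real-time protection options are on.'
}
```

Run it elevated. The audit reads the same state the client UI shows under Settings > Real-time protection; the remediation is deliberately behind -WhatIf so that you see what would change before clearing any option that a policy or Tamper Protection may be managing.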

How do I know that Windows Defender or Endpoint Protection is running on my computer?
After you install Windows Defender on your computer, you can close the main window
and let Windows Defender run quietly in the background. Windows Defender will
continue running on your computer, monitor it, and help protect it against threats.

Of course, you'll know that Windows Defender is running whenever it displays
notification messages in the notification area. These notifications alert you to potential
threats that Windows Defender has detected.

You'll also receive other alert notifications, for example, if for some reason real-time
protection has been turned off, if you haven't updated your virus and spyware
definitions for a number of days, or when upgrades to the program become available.
Windows Defender also briefly displays a notification to let you know that it's scanning
your computer.

Tip
If you don't see the Windows Defender icon in the notification area, click the arrow
in the notification area to show hidden icons, including the Windows Defender
icon.

The icon color depends on your computer's current status:

Green indicates that your computer's status is "protected."

Yellow indicates that your computer's status is "potentially unprotected."

Red indicates that your computer's status is "at risk."

What do protected, potentially unprotected, and at risk mean?
Whether Defender or another antivirus product is the primary provider, the states
above, each represented by a color, show the overall assessment of the security state of
the device. If the security level is satisfactory, the status is green.

The "potentially unprotected" state is mostly due to settings that don't directly affect
detection not being set to the recommended security level. For example, in Defender's
case, a quick scan hasn't run in a while, or cloud protection is turned off. In the case of
another antivirus product, those states are reported via Security Center and fall into
basically the following categories: a scan is recommended, a settings change is
recommended, or an update is recommended.

The "at risk" status represents serious security issues, such as a malware detection,
software that is out of date, or antivirus not running at all. In the case of another
antivirus product, it could mean that the license has expired.
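The state classification above, together with the seven-day definition age notification and the "check for definitions before a scheduled scan" setting from the definitions section earlier, can be reproduced on a client from the same signals. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes the Defender PowerShell module (Windows 8.1 / Server 2012 R2 and later). The seven-day definition threshold is the one the article gives; the seven-day quick-scan threshold is this example's assumption.

```powershell
# Added example, not code from the Configuration Manager documentation: compute the
# protected / potentially unprotected / at risk state described above from the client's
# own signals, and refresh definitions when they're stale. Assumes the Defender module.
# MaxQuickScanAgeDays = 7 is this example's assumption for "a quick scan didn't run in a while".

function Get-EndpointProtectionState {
    param(
        [int]$MaxSignatureAgeDays = 7,
        [int]$MaxQuickScanAgeDays = 7
    )
    $status    = Get-MpComputerStatus
    $pref      = Get-MpPreference
    $atRisk    = @()
    $recommend = @()

    # Serious issues: engine not running, real-time protection off, stale definitions,
    # or a detection the client failed to remediate.
    if (-not $status.AMServiceEnabled -or -not $status.AntivirusEnabled) {
        $atRisk += 'antimalware service is not running'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $atRisk += 'real-time protection is turned off'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $atRisk += "definitions are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
    }
    $unresolved = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | Where-Object { -not $_.ActionSuccess })
    if ($unresolved.Count -gt 0) {
        $atRisk += "$($unresolved.Count) detection(s) were not remediated"
    }

    # Settings that don't directly affect detection but fall short of the recommended level.
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays)   { $recommend += 'a scan is recommended' }
    if ($pref.MAPSReporting -eq 0)                       { $recommend += 'cloud protection (MAPS) is turned off' }
    if (-not $pref.CheckForSignaturesBeforeRunningScan)  { $recommend += 'checking for definitions before scheduled scans is off' }

    if ($atRisk.Count -gt 0)         { $state = 'At risk' }
    elseif ($recommend.Count -gt 0)  { $state = 'Potentially unprotected' }
    else                             { $state = 'Protected' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        State                = $state
        AtRisk               = $atRisk
        Recommendations      = $recommend
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    }
}

function Update-DefinitionsIfStale {
    # Equivalent of the "Update definitions" button, but only when definitions are older
    # than the notification threshold, so scheduled Microsoft Update refreshes are left alone.
    param([int]$MaxSignatureAgeDays = 7)
    $age = (Get-MpComputerStatus).AntivirusSignatureAge
    if ($age -gt $MaxSignatureAgeDays) {
        Update-MpSignature
        return "updated (were $age days old)"
    }
    return "current ($age days old)"
}

# The recommended "check for the latest definitions before a scheduled scan" setting.
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

Get-EndpointProtectionState | Format-List
Update-DefinitionsIfStale
```

The function returns the reasons as lists rather than only a color, which is what you want when collecting this from many devices: an "At risk" fleet report is only actionable if it says whether the cause is a stopped service, stale definitions, or an unremediated detection.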

How do I set up Windows Defender or Endpoint Protection alerts?
When Windows Defender is running on your computer, it automatically alerts you if it
detects viruses, spyware, or other potentially unwanted software. You can also set
Windows Defender to alert you if you run software that hasn't yet been analyzed, and
you can choose to be alerted when software makes changes to your computer.
To set up alerts

1. Click Settings, and then click Real-time protection.

2. Make sure the Turn on real-time protection (recommended) check box is selected.

3. Select the check boxes next to the real-time protections options you want to run,
and then click Save changes. If you're prompted for an administrator password or
confirmation, type the password or confirm the action.

See also
Troubleshooting Windows Defender or Endpoint Protection client

Endpoint Protection Client Help

Encrypt recovery data over the network
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you create a BitLocker management policy, Configuration Manager deploys the
recovery service to a management point. On the Client Management page of the
BitLocker management policy, when you Configure BitLocker Management Services,
the client backs up key recovery information to the site database. This information
includes BitLocker recovery keys, recovery packages, and TPM password hashes. When
users are locked out of their protected device, you can use this information to help them
recover access to the device.

Given the sensitive nature of this information, you need to protect it.

Important

Starting in version 2103, the implementation of the recovery service changed. It's
no longer using legacy MBAM components, but is still conceptually referred to as
the recovery service. All version 2103 clients use the message processing engine
component of the management point as their recovery service. They escrow their
recovery keys over the secure client notification channel. With this change, you can
enable the Configuration Manager site for enhanced HTTP. This configuration
doesn't affect the functionality of BitLocker management in Configuration
Manager.

When both the site and clients are running Configuration Manager version 2103 or
later, clients send their recovery keys to the management point over the secure
client notification channel. If any clients are on version 2010 or earlier, they need an
HTTPS-enabled recovery service on the management point to escrow their keys.

HTTPS certificate requirements

Note

These requirements only apply if the site is version 2010 or earlier, or if you deploy
BitLocker management policies to devices with Configuration Manager client
version 2010 or earlier.
Configuration Manager requires a secure connection between the client and the
recovery service to encrypt the data in transit across the network. Use one of the
following options:

HTTPS-enable the IIS website on the management point that hosts the recovery
service, not the entire management point role.

Configure the management point for HTTPS. On the properties of the management
point, the Client connections setting must be HTTPS.

Note

If your site has more than one management point, enable HTTPS on all
management points at the site with which a BitLocker-managed client could
potentially communicate. If the HTTPS management point is unavailable, the client
could fail over to an HTTP management point, and then fail to escrow its recovery
key.

This recommendation applies to both options: enable the management point for
HTTPS, or enable the IIS website that hosts the recovery service on the
management point.

Configure the management point for HTTPS

In earlier versions of Configuration Manager current branch, to integrate the BitLocker
recovery service you had to HTTPS-enable a management point. The HTTPS connection
is necessary to encrypt the recovery keys across the network from the Configuration
Manager client to the management point. Configuring the management point and all
clients for HTTPS can be challenging for many customers.

HTTPS-enable the IIS website

The HTTPS requirement is now for the IIS website that hosts the recovery service, not
the entire management point role. This configuration relaxes the certificate
requirements, and still encrypts the recovery keys in transit.

The Client connections property of the management point can be HTTP or HTTPS. If
the management point is configured for HTTP, to support the BitLocker recovery
service:

1. Acquire a server authentication certificate. Bind the certificate to the IIS website on
the management point that hosts the BitLocker recovery service.
2. Configure clients to trust the server authentication certificate. There are two
methods to accomplish this trust:

Use a certificate from a public and globally trusted certificate provider. Windows
clients include trusted root certificate authorities (CAs) from these providers. By
using a server authentication certificate that's issued by one of these providers,
your clients should automatically trust it.

Use a certificate issued by a CA from your organization's public key infrastructure
(PKI). Most PKI implementations add the trusted root CAs to Windows clients. For
example, using Active Directory Certificate Services with group policy. If you issue
the server authentication certificate from a CA that your clients don't automatically
trust, add the CA trusted root certificate to clients.

Tip

The only clients that need to communicate with the recovery service are those
clients that you plan to target with a BitLocker management policy that includes a
Client Management rule.

Troubleshoot the connection

On the client, use the BitLockerManagementHandler.log to troubleshoot this
connection. For connectivity to the recovery service, the log shows the URL that the
client is using. Locate an entry in the log based on the version of Configuration
Manager:

In version 2103 and later, the entry starts with Recovery keys escrowed to MP
In version 2010 and earlier, the entry starts with Checking for Recovery Service at
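The two log entries above are the fastest way to confirm which path a client is using and whether a pre-2103 client is talking to an HTTPS recovery service that it actually trusts. The following PowerShell is an added example and is not code from the Configuration Manager documentation. The sample log lines are constructed in CMTrace format so the parser runs without a client; real entries carry the full recovery service URL and other timestamps, and only the two message prefixes the article names are relied on. The trust check opens a TLS connection to the host from the log, so it needs network access to the management point.

```powershell
# Added example, not code from the Configuration Manager documentation: parse
# BitLockerManagementHandler.log for the recovery-service entries described above and
# verify, from this client, that a pre-2103 recovery service URL is HTTPS with a trusted chain.

# Constructed CMTrace-format sample lines (not real log output); used when no log is present.
$SampleLogLines = @(
    '<![LOG[Checking for Recovery Service at https://mp01.contoso.com/]LOG]!><time="09:15:02.114+000" date="03-14-2023" component="BitlockerManagementHandler" context="" type="1" thread="4120" file="">',
    '<![LOG[Recovery keys escrowed to MP mp02.contoso.com]LOG]!><time="09:15:03.551+000" date="03-14-2023" component="BitlockerManagementHandler" context="" type="1" thread="4120" file="">',
    '<![LOG[Checking for Recovery Service at http://mp03.contoso.com/]LOG]!><time="09:16:10.002+000" date="03-14-2023" component="BitlockerManagementHandler" context="" type="2" thread="4120" file="">'
)

function Get-RecoveryServiceLogEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    # CMTrace wraps the message in <![LOG[...]LOG]!> followed by time/date attributes.
    $cmtrace = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $cmtrace)
        if (-not $m.Success) { continue }
        $msg = $m.Groups['msg'].Value
        if ($msg -like 'Recovery keys escrowed to MP*') {
            $kind   = 'KeyEscrow (version 2103 and later)'
            $target = $msg.Substring('Recovery keys escrowed to MP'.Length).Trim()
        } elseif ($msg -like 'Checking for Recovery Service at*') {
            $kind   = 'RecoveryServiceCheck (version 2010 and earlier)'
            $target = $msg.Substring('Checking for Recovery Service at'.Length).Trim()
        } else {
            continue
        }
        [pscustomobject]@{
            Date    = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Kind    = $kind
            Target  = $target
            IsHttps = ($target -like 'https://*')
            Message = $msg
        }
    }
}

function Test-RecoveryServiceTrust {
    # Performs the TLS handshake the client would perform; AuthenticateAsClient throws
    # when the server certificate chain isn't trusted by this machine's root store.
    param([Parameter(Mandatory)][uri]$Url)
    if ($Url.Scheme -ne 'https') {
        return [pscustomobject]@{ Url = $Url; Trusted = $false; Subject = $null; Issuer = $null; NotAfter = $null
                                  Reason = 'not HTTPS: recovery keys would cross the network unencrypted' }
    }
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Url.Host, $Url.Port)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Url.Host)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Url = $Url; Trusted = $true; Subject = $cert.Subject; Issuer = $cert.Issuer
                           NotAfter = $cert.NotAfter; Reason = '' }
    } catch {
        [pscustomobject]@{ Url = $Url; Trusted = $false; Subject = $null; Issuer = $null; NotAfter = $null
                           Reason = $_.Exception.Message }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

$LogPath = "$env:WINDIR\CCM\Logs\BitlockerManagementHandler.log"
$lines   = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLogLines }
$entries = @(Get-RecoveryServiceLogEntries -Lines $lines)
$entries | Format-Table Date, Kind, Target, IsHttps -AutoSize

# Pre-2103 clients must reach an HTTPS recovery service whose certificate they trust.
foreach ($e in ($entries | Where-Object { $_.Kind -like 'RecoveryServiceCheck*' })) {
    if (-not $e.IsHttps) { Write-Warning "Recovery service URL is not HTTPS: $($e.Target)"; continue }
    Test-RecoveryServiceTrust -Url $e.Target | Format-List Url, Trusted, Subject, Issuer, NotAfter, Reason
}
```

On the constructed input the parser yields three entries, flags the third (plain HTTP) and would attempt the handshake only for the first. An untrusted result with a chain-validation message in Reason is the "add the CA trusted root certificate to clients" case from the PKI option above.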

Next steps
Encrypting recovery data in the database is an optional prerequisite before you deploy
a policy for the first time.

Deploy BitLocker management client


Encrypt recovery data in the database
06/12/2025

Applies to: Configuration Manager (current branch)

When you create a BitLocker management policy, Configuration Manager deploys the recovery
service to a management point. On the Client Management page of the BitLocker
management policy, when you Configure BitLocker Management Services, the client backs up
key recovery information to the site database. This information includes BitLocker recovery
keys, recovery packages, and TPM password hashes. When users are locked out of their
protected device, you can use this information to help them recover access to the device.

Given the sensitive nature of this information, you need to protect it. Configuration Manager
requires an HTTPS connection between the client and the recovery service to encrypt the data
in transit across the network. For more information, see Encrypt recovery data over the
network.

Consider also encrypting this data when stored in the site database. If you install a SQL Server
certificate, Configuration Manager encrypts your data in SQL.

If you don't want to create a BitLocker management encryption certificate, opt-in to plain-text
storage of the recovery data. When you create a BitLocker management policy, enable the
option to Allow recovery information to be stored in plain text.

Note

Another layer of security is to encrypt the entire site database. If you enable encryption on
the database, there aren't any functional issues in Configuration Manager.

Encrypt with caution, especially in large-scale environments. Depending upon the tables
you encrypt and the version of SQL, you might notice up to a 25% performance
degradation. Update your backup and recovery plans, so that you can successfully recover
the encrypted data.

Note

Configuration Manager never removes or deletes recovery information for devices from
the database, even if the client is inactive or deleted. This behavior is for security reasons.
It helps with scenarios where a device is stolen but later recovered. For large
environments, the impact to the database size is about 9 KB of data per encrypted
volume.
SQL Server encryption certificate
Use this SQL Server certificate for Configuration Manager to encrypt BitLocker recovery data in
the site database. You can create a self-signed certificate using a script in SQL Server.

Alternatively, you can use your own process to create and deploy this certificate, as long as it
meets the following requirements:

The name of the BitLocker management encryption certificate must be
BitLockerManagement_CERT.

Encrypt this certificate with a database master key.

The following SQL Server users need Control permissions on the certificate:
RecoveryAndHardwareCore
RecoveryAndHardwareRead
RecoveryAndHardwareWrite

Deploy the same certificate at every site database in your hierarchy.

Create the certificate with the latest version of SQL Server.

Important
Certificates created with SQL Server 2016 or later are compatible with SQL Server
2014 or earlier.
Certificates created with SQL Server 2014 or earlier aren't compatible with SQL
Server 2016 or later.

Manage the encryption certificate on SQL Server upgrade

If your site database is on SQL Server 2014 or earlier, before you upgrade SQL Server to version
2016 or later, use the following procedure to rotate the certificate to a supported version.

1. On an instance of SQL Server running the latest available version, at least version 2016:

a. Create a new certificate

b. Back up the new certificate

2. On the SQL Server instance with the encrypted site database that you plan to upgrade:

a. Move the existing certificate on the site database server SQL Server instance to
another name.
b. Restore the new certificate.

c. Rotate the new certificate in for the existing certificate. Use the provided SQL function
[RecoveryAndHardwareCore].[RecryptKey]

Important

If you upgrade SQL Server before you rotate the certificate, contact Microsoft Support for
assistance with a work around.

You can also use this process if your business requirements specify that you need to regularly
renew this certificate.

Example scripts
These SQL scripts are examples to create and deploy a BitLocker management encryption
certificate in the Configuration Manager site database.

Create certificate
This sample script does the following actions:

Creates a certificate
Sets the permissions
Creates a database master key

Before you use this script in a production environment, change the following values:

Site database name (CM_ABC)
Password to create the master key (MyMasterKeyPassword)
Certificate expiry date (20391022)

SQL

USE CM_ABC
-- Create the database master key if the site database doesn't already have one.
-- The certificate's private key is protected by this master key.
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Create the certificate, owned by RecoveryAndHardwareCore, and grant CONTROL
-- to the read and write roles. Use the exact name BitLockerManagement_CERT.
IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
        WITH SUBJECT = 'BitLocker Management',
        EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Note

SQL doesn't check or enforce the certificate expiration date when the certificate is used for
database encryption as is the case here.

If your business requirements specify that you regularly renew this certificate, use the
same process to Manage the encryption certificate on SQL Server upgrade.

Back up certificate
This sample script backs up a certificate. When you save the certificate to a file, you can then
restore it to other site databases in the hierarchy.

Before you use this script in a production environment, change the following values:

Site database name (CM_ABC)
File path and name (C:\BitLockerManagement_CERT_KEY)
Export key password (MyExportKeyPassword)

SQL

USE CM_ABC
-- Export the certificate and its private key. The private key file is encrypted
-- with the export password; both files are needed to restore on another site database.
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
                       ENCRYPTION BY PASSWORD = 'MyExportKeyPassword' )

Important

Always back up the certificate. In case you need to recover the site database, you might
need to restore the certificate to regain access to the recovery keys.
Store the exported certificate file and associated password in a secure location.

Restore certificate
This sample script restores a certificate from a file. Use this process to deploy a certificate that
you created on another site database.

Before you use this script in a production environment, change the following values:

Site database name (CM_ABC)
Master key password (MyMasterKeyPassword)
File path and name (C:\BitLockerManagement_CERT_KEY)
Export key password (MyExportKeyPassword)

SQL

USE CM_ABC
-- This site database needs its own master key to protect the imported private key.
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Import the certificate and private key exported by the backup script, keeping
-- the same name, owner, and CONTROL grants as on the original site database.
IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
        FROM FILE = 'C:\BitLockerManagement_CERT'
        WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
                           DECRYPTION BY PASSWORD = 'MyExportKeyPassword' )

    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

Verify certificate
Use this SQL script to verify that SQL Server successfully created the certificate with the
required permissions.

SQL

USE CM_ABC
-- Count the roles that hold CONTROL on the certificate, either as grantee or as grantor
-- (the owner, RecoveryAndHardwareCore, appears as grantor of the two grants above).
-- The class_desc filter keeps the check from matching another securable that happens
-- to share the certificate's id.
declare @count int
select @count = count(distinct u.name) from sys.database_principals u
join sys.database_permissions p on p.grantee_principal_id = u.principal_id or
    p.grantor_principal_id = u.principal_id
join sys.certificates c on c.certificate_id = p.major_id and p.class_desc = 'CERTIFICATE'
where u.name in('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead',
    'RecoveryAndHardwareWrite') and
    c.name = 'BitLockerManagement_CERT' and p.permission_name like 'CONTROL'
if(@count >= 3) select 1
else select 0

If the certificate is valid, the script returns a value of 1.
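The verify script checks permissions on one database. The requirements list above also asks for the private key to be protected by the database master key and for the same certificate to be deployed at every site database in the hierarchy, which the script doesn't cover. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and Windows authentication as a login that can read sys.certificates in each site database; the server and database names are placeholders for your hierarchy.

```powershell
# Added example, not code from the Configuration Manager documentation: check the
# BitLockerManagement_CERT requirements on each site database and confirm the hierarchy
# shares one certificate (same thumbprint). Assumes the SqlServer module's Invoke-Sqlcmd.
# Note: SqlServer module 22+ encrypts the connection by default; add -TrustServerCertificate
# only for lab instances without a trusted SQL certificate.

$CertCheckQuery = @"
SELECT  c.name,
        c.thumbprint,
        c.expiry_date,
        c.pvt_key_encryption_type_desc,
        USER_NAME(c.principal_id) AS owner_name,
        (SELECT COUNT(DISTINCT u.name)
           FROM sys.database_permissions p
           JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
          WHERE p.class_desc = 'CERTIFICATE'
            AND p.major_id = c.certificate_id
            AND p.permission_name = 'CONTROL'
            AND u.name IN ('RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite')) AS control_grants
FROM sys.certificates c
WHERE c.name = 'BitLockerManagement_CERT'
"@

function Test-BitLockerEncryptionCertificate {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database
    )
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $CertCheckQuery
    $problems   = @()
    $thumbprint = $null
    if (-not $row) {
        $problems += 'BitLockerManagement_CERT does not exist'
    } else {
        $thumbprint = ([System.BitConverter]::ToString([byte[]]$row.thumbprint)) -replace '-', ''
        # Requirement: private key encrypted by the database master key.
        if ($row.pvt_key_encryption_type_desc -ne 'ENCRYPTED_BY_MASTER_KEY') {
            $problems += "private key is $($row.pvt_key_encryption_type_desc), not encrypted by the database master key"
        }
        # Requirement: owned by RecoveryAndHardwareCore (which gives it CONTROL implicitly).
        if ($row.owner_name -ne 'RecoveryAndHardwareCore') {
            $problems += "owner is $($row.owner_name), expected RecoveryAndHardwareCore"
        }
        # Requirement: explicit CONTROL for the read and write roles.
        if ([int]$row.control_grants -lt 2) {
            $problems += 'RecoveryAndHardwareRead and RecoveryAndHardwareWrite both need CONTROL'
        }
    }
    [pscustomobject]@{
        ServerInstance = $ServerInstance
        Database       = $Database
        Thumbprint     = $thumbprint
        ExpiryDate     = if ($row) { $row.expiry_date } else { $null }
        Valid          = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Placeholder site databases; list every site database in your hierarchy.
$SiteDatabases = @(
    @{ ServerInstance = 'CAS-SQL01.contoso.com'; Database = 'CM_CAS' },
    @{ ServerInstance = 'PS1-SQL01.contoso.com'; Database = 'CM_PS1' }
)

$results = @(foreach ($db in $SiteDatabases) { Test-BitLockerEncryptionCertificate @db })
$results | Format-Table ServerInstance, Database, Valid, Thumbprint, ExpiryDate -AutoSize
$results | Where-Object { -not $_.Valid } | ForEach-Object {
    Write-Warning "$($_.ServerInstance)/$($_.Database): $($_.Problems -join '; ')"
}

# Requirement: the same certificate at every site database in the hierarchy.
$distinct = @($results.Thumbprint | Where-Object { $_ } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Site databases hold $($distinct.Count) different BitLockerManagement_CERT certificates; restore the backed-up certificate to the ones that differ."
}
```

Comparing thumbprints is the check that matters after a restore: two databases can each pass the permissions test while holding certificates created separately, and recovery data written under one can't be read with the other.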

SQL AlwaysOn when BitLocker recovery data is encrypted in the database
If using SQL AlwaysOn, see SQL AlwaysOn when BitLocker recovery data is encrypted in the
database for additional important and required steps and instructions.

Related articles
For more information on these SQL commands, see the following articles:

SQL Server and database encryption keys.
Create certificate.
Backup certificate.
Create master key.
Backup master key.
Grant certificate permissions.
SQL AlwaysOn when BitLocker recovery data is encrypted in the database.

Next steps
Deploy BitLocker management client.
SQL AlwaysOn when BitLocker recovery data is encrypted in the database.
Deploy BitLocker management
Article • 02/09/2023

Applies to: Configuration Manager (current branch)

BitLocker management in Configuration Manager includes the following components:

BitLocker management agent: Configuration Manager enables this agent on a
device when you create a policy and deploy it to a collection.

Recovery service: The server component that receives BitLocker recovery data
from clients. For more information, see Recovery service.

Before you create and deploy BitLocker management policies:

Review the prerequisites

If necessary, encrypt recovery keys in the site database

Create a policy
When you create and deploy this policy, the Configuration Manager client enables the
BitLocker management agent on the device.

Note

To create a BitLocker management policy, you need the Full Administrator role in
Configuration Manager.

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, expand Endpoint Protection, and select the BitLocker Management
node.

2. In the ribbon, select Create BitLocker Management Control Policy.

3. On the General page, specify a name and optional description. Select the
components to enable on clients with this policy:

Operating System Drive: Manage whether the OS drive is encrypted

Fixed Drive: Manage encryption for other data drives in a device

Removable Drive: Manage encryption for drives that you can remove from a
device, like a USB key

Client Management: Manage the key recovery service backup of BitLocker
Drive Encryption recovery information

4. On the Setup page, configure the following global settings for BitLocker Drive
Encryption:

Note

Configuration Manager applies these settings when you enable BitLocker. If
the drive is already encrypted or encryption is in progress, any change to these
policy settings doesn't change the drive encryption on the device.

If you disable or don't configure these settings, BitLocker uses the default
encryption method (AES 128-bit).

For Windows 8.1 devices, enable the option for Drive encryption method
and cipher strength. Then select the encryption method.

For Windows 10 or later devices, enable the option for Drive encryption
method and cipher strength (Windows 10 or later). Then individually select
the encryption method for OS drives, fixed data drives, and removable data
drives.

For more information on these and other settings on this page, see Settings
reference - Setup.

5. On the Operating System Drive page, specify the following settings:

Operating System Drive Encryption Settings: If you enable this setting, the
user has to protect the OS drive, and BitLocker encrypts the drive. If you
disable it, the user can't protect the drive.

On devices with a compatible TPM, two types of authentication methods can be
used at startup to provide added protection for encrypted data. When the
computer starts, it can use only the TPM for authentication, or it can also require
the entry of a personal identification number (PIN). Configure the following
settings:

Select protector for operating system drive: Configure it to use a TPM and
PIN, or just the TPM.
Configure minimum PIN length for startup: If you require a PIN, this value is
the shortest length the user can specify. The user enters this PIN when the
computer boots to unlock the drive. By default, the minimum PIN length is 4.

For more information on these and other settings on this page, see Settings
reference - OS drive.

6. On the Fixed Drive page, specify the following settings:

Fixed data drive encryption: If you enable this setting, BitLocker requires
users to put all fixed data drives under protection. It then encrypts the data
drives. When you enable this policy, either enable auto-unlock or the settings
for Fixed data drive password policy.

Configure auto-unlock for fixed data drive: Allow or require BitLocker to
automatically unlock any encrypted data drive. To use auto-unlock, also
require BitLocker to encrypt the OS drive.

For more information on these and other settings on this page, see Settings
reference - Fixed drive.

7. On the Removable Drive page, specify the following settings:

Removable data drive encryption: When you enable this setting, and allow
users to apply BitLocker protection, the Configuration Manager client saves
recovery information about removable drives to the recovery service on the
management point. This behavior allows users to recover the drive if they
forget or lose the protector (password).

Allow users to apply BitLocker protection on removable data drives: Users
can turn on BitLocker protection for a removable drive.

Removable data drive password policy: Use these settings to set the
constraints for passwords to unlock BitLocker-protected removable drives.

For more information on these and other settings on this page, see Settings
reference - Removable drive.

8. On the Client Management page, specify the following settings:

Important
For versions of Configuration Manager prior to 2103, if you don't have a
management point with an HTTPS-enabled website, don't configure this
setting. For more information, see Recovery service.

Configure BitLocker Management Services: When you enable this setting,
Configuration Manager automatically and silently backs up key recovery
information in the site database. If you disable or don't configure this setting,
Configuration Manager doesn't save key recovery information.

Select BitLocker recovery information to store: Configure it to use a
recovery password and key package, or just a recovery password.

Allow recovery information to be stored in plain text: Without a BitLocker
management encryption certificate, Configuration Manager stores the key
recovery information in plain text. For more information, see Encrypt
recovery data in the database.

For more information on these and other settings on this page, see Settings
reference - Client management.

9. Complete the wizard.

To change the settings of an existing policy, choose it in the list, and select Properties.

When you create more than one policy, you can configure their relative priority. If you
deploy multiple policies to a client, it uses the priority value to determine its settings.

Starting in version 2006, you can use Windows PowerShell cmdlets for this task. For
more information, see New-CMBlmSetting.

Deploy a policy
1. Choose an existing policy in the BitLocker Management node. In the ribbon, select
Deploy.

2. Select a device collection as the target of the deployment.

3. If you want the device to potentially encrypt or decrypt its drives at any time, select
the option to Allow remediation outside the maintenance window. If the
collection has any maintenance windows, it still remediates this BitLocker policy.

4. Configure a Simple or Custom schedule. The client evaluates its compliance based
on the settings specified in the schedule.
5. Select OK to deploy the policy.

You can create multiple deployments of the same policy. To view additional information
about each deployment, select the policy in the BitLocker Management node, and then
in the details pane, switch to the Deployments tab. You can also use Windows
PowerShell cmdlets for this task. For more information, see New-CMSettingDeployment.

Important

If a remote desktop protocol (RDP) connection is active, the MBAM client doesn't
start BitLocker Drive Encryption actions. Close all remote console connections and
sign in to a console session with a domain user account. Then BitLocker Drive
Encryption begins and the client uploads recovery keys and packages. If you sign in
with a local user account, BitLocker Drive Encryption doesn't start.

You can use RDP to remotely connect to the console session of the device with the
/admin switch. For example: mstsc.exe /admin /v:<IP address of device>

A console session is either when you're at the computer's physical console, or a
remote connection that's the same as if you're at the computer's physical console.

Monitor
View basic compliance statistics about the policy deployment in the details pane of the
BitLocker Management node:

Compliance count
Failure count
Non-compliance count

Switch to the Deployments tab to see compliance percentage and recommended
action. Select the deployment, then in the ribbon, select View Status. This action
switches the view to the Monitoring workspace, Deployments node. Similar to the
deployment of other configuration policy deployments, you can see more detailed
compliance status in this view.

To understand why clients are reporting not compliant with the BitLocker management
policy, see Non-compliance codes.

For more troubleshooting information, see Troubleshoot BitLocker.

Use the following logs to monitor and troubleshoot:

Client logs
MBAM event log: in the Windows Event Viewer, browse to Applications and
Services > Microsoft > Windows > MBAM. For more information, see About
BitLocker event logs and Client event logs.

BitlockerManagementHandler.log and
BitlockerManagement_GroupPolicyHandler.log in client logs path,
%WINDIR%\CCM\Logs by default

Management point logs (recovery service)


Recovery service event log: in the Windows Event Viewer, browse to Applications
and Services > Microsoft > Windows > MBAM-Web. For more information, see
About BitLocker event logs and Server event logs.

Recovery service trace logs: <Default IIS Web Root>\Microsoft BitLocker
Management Solution\Logs\Recovery And Hardware Service\trace*.etl
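Once a policy is deployed, the console shows compliance counts, but the first question on a non-compliant client is usually what the agent actually did: which protectors exist, whether a recovery password was created for escrow, and whether the session type blocked encryption from starting. The following PowerShell is an added example, not code from the Configuration Manager documentation. It assumes the BitLocker module (Get-BitLockerVolume) and the MBAM client event log channels named above, and uses the SESSIONNAME environment variable as the console-session check, which is this example's assumption rather than something the article specifies.

```powershell
# Added example, not code from the Configuration Manager documentation: report what the
# BitLocker management agent has done on this client, using the BitLocker module, the
# MBAM client event log and the handler log listed above. Run elevated on the client.

function Get-BitLockerAgentStatus {
    param(
        [string]$HandlerLog   = "$env:WINDIR\CCM\Logs\BitlockerManagementHandler.log",
        [int]$RecentEvents    = 10
    )

    # Session type. Assumption: SESSIONNAME is 'Console' at the physical console and
    # 'RDP-Tcp#n' in an ordinary remote desktop session, where encryption won't start.
    $session = $env:SESSIONNAME
    if ($session -like 'RDP-*') {
        Write-Warning "Running in RDP session '$session'; BitLocker Drive Encryption actions won't start here. Use mstsc.exe /admin or the physical console."
    }

    # Volume state and protectors. An OS drive under policy should show Tpm or TpmPin
    # plus a RecoveryPassword, which is what the client escrows to the recovery service.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType
            ProtectionStatus     = $_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            Protectors           = (@($_.KeyProtector.KeyProtectorType) -join ', ')
            HasRecoveryPassword  = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }

    # MBAM client event log channels named in the article.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational', 'Microsoft-Windows-MBAM/Admin' `
                           -MaxEvents $RecentEvents -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    $logTail = if (Test-Path $HandlerLog) { Get-Content $HandlerLog -Tail 5 }
               else { @("handler log not found: $HandlerLog") }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Session        = $session
        Volumes        = $volumes
        MbamEvents     = $events
        HandlerLogTail = $logTail
    }
}

$status = Get-BitLockerAgentStatus
$status.Volumes    | Format-Table -AutoSize
$status.MbamEvents | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
$status.HandlerLogTail

# Drives that aren't protected yet are the ones to look up under Non-compliance codes
# and in the MBAM event log; a volume with no RecoveryPassword has nothing to escrow.
$status.Volumes | Where-Object { $_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryPassword } | ForEach-Object {
    Write-Warning "$($_.MountPoint): protection $($_.ProtectionStatus), $($_.EncryptionPercentage)% encrypted, protectors: $($_.Protectors)"
}
```

Pair the output with the BitLockerManagementHandler.log entry that names the management point (see Encrypt recovery data over the network): a volume that is encrypted with a RecoveryPassword protector but has no escrow entry in the log points at the recovery service connection rather than at the policy.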

Migration considerations
If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can
seamlessly migrate management to Configuration Manager. When you deploy BitLocker
management policies in Configuration Manager, clients automatically upload recovery
keys and packages to the Configuration Manager recovery service.

Important

When you migrate from stand-alone MBAM to Configuration Manager BitLocker
management, if you require existing functionality of stand-alone MBAM, don't
reuse stand-alone MBAM servers or components with Configuration Manager
BitLocker management. If you reuse these servers, stand-alone MBAM will stop
working when Configuration Manager BitLocker management installs its
components on those servers. Don't run the MBAMWebSiteInstaller.ps1 script to
set up the BitLocker portals on stand-alone MBAM servers. When you set up
Configuration Manager BitLocker management, use separate servers.

Group policy
The BitLocker management settings are fully compatible with MBAM group policy
settings. If devices receive both group policy settings and Configuration Manager
policies, configure them to match.

Note

If a group policy setting exists for standalone MBAM, it will override the
equivalent setting attempted by Configuration Manager. Standalone MBAM
uses domain group policy, while Configuration Manager sets local policies for
BitLocker management. Domain policies will override the local Configuration
Manager BitLocker management policies. If the standalone MBAM domain
group policy doesn't match the Configuration Manager policy, Configuration
Manager BitLocker management will fail. For example, if a domain group
policy sets the standalone MBAM server for key recovery services,
Configuration Manager BitLocker management can't set the same setting for
the management point. This behavior causes clients to not report their
recovery keys to the Configuration Manager BitLocker management key
recovery service on the management point.

Configuration Manager doesn't implement all MBAM group policy settings. If you
configure more settings in group policy, the BitLocker management agent on
Configuration Manager clients honors these settings.

Important

Don't set a group policy for a setting that Configuration Manager BitLocker
management already specifies. Only set group policies for settings that don't
currently exist in Configuration Manager BitLocker management.
Configuration Manager version 2002 has feature parity with standalone
MBAM. With Configuration Manager version 2002 and later, in most instances
there should be no reason to set domain group policies to configure BitLocker
policies. To prevent conflicts and problems, avoid use of group policies for
BitLocker. Configure all settings through Configuration Manager BitLocker
management policies.

TPM password hash

Previous MBAM clients don't upload the TPM password hash to Configuration
Manager. The client only uploads the TPM password hash once. If you need to
migrate this information to the Configuration Manager recovery service, clear the
TPM on the device. After it restarts, it uploads the new TPM password hash to the
recovery service. Before you clear the TPM, suspend BitLocker protection on the OS
drive and have the recovery key at hand: clearing the TPM invalidates the TPM key
protector, and a device with active protection boots into BitLocker recovery.

Note

Uploading of the TPM password hash mainly pertains to versions of Windows
before Windows 10. Windows 10 or later by default doesn't save the TPM password
hash, so these devices don't normally upload it. For more information, see About
the TPM owner password.

Re-encryption
Configuration Manager doesn't re-encrypt drives that are already protected with
BitLocker Drive Encryption. If you deploy a BitLocker management policy that doesn't
match the drive's current protection, it reports as non-compliant. The drive is still
protected.

For example, you used MBAM to encrypt the drive with the AES-XTS 128 encryption
algorithm, but the Configuration Manager policy requires AES-XTS 256. The drive is
non-compliant with the policy, even though the drive is encrypted.

To work around this behavior, first disable BitLocker on the device and wait for
decryption to finish. Then deploy a new policy with the new settings. The drive is
unprotected from the moment decryption starts until the new policy has finished
re-encrypting it, so do this on a device you physically control, not on one that's
in the field.

Co-management and Intune

The Configuration Manager client handler for BitLocker is co-management aware. If the
device is co-managed, and you switch the Endpoint Protection workload to Intune, then
the Configuration Manager client ignores its BitLocker policy. The device gets Windows
encryption policy from Intune.

Note

Switching encryption management authorities while maintaining the desired
encryption algorithm doesn't require any additional actions on the client. However,
if you switch encryption management authorities and the desired encryption
algorithm also changes, you will need to plan for re-encryption.

For more information about managing BitLocker with Intune, see the following articles:

Use device encryption with Intune
Troubleshoot BitLocker policies in Microsoft Intune

Next steps
About the BitLocker recovery service

Set up BitLocker reports and portals



About the BitLocker recovery service
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2103, the implementation of the recovery service changed. It no
longer uses legacy MBAM components, but is still conceptually referred to as the
recovery service. All version 2103 clients use the message processing engine
component of the management point as their recovery service. They escrow their
recovery keys over the secure client notification channel. With this change, you can
enable the Configuration Manager site for enhanced HTTP. This configuration
doesn't affect the functionality of BitLocker management in Configuration
Manager.

When both the site and clients are running Configuration Manager version 2103 or
later, clients send their recovery keys to the management point over the secure
client notification channel. If any clients are on version 2010 or earlier, they need an
HTTPS-enabled recovery service on the management point to escrow their keys.

The BitLocker recovery service is a server component that receives BitLocker recovery
data from Configuration Manager clients. The site deploys the recovery service when
you create a BitLocker management policy. Configuration Manager automatically installs
the recovery service on each management point with an HTTPS-enabled website.

Configuration Manager stores the recovery information in the site database. Without a
BitLocker management encryption certificate, Configuration Manager stores the key
recovery information in plain text, so anyone who can read the database (site
administrators, SQL Server administrators, whoever holds the database backups) can
read every escrowed recovery key. Configure the certificate before you deploy the
first BitLocker management policy. For more information, see Encrypt recovery data
in the database.

Starting in version 2010, you can manage BitLocker policies and escrow recovery keys
over a cloud management gateway (CMG). When domain-joined clients communicate
via the CMG, they don't use the legacy recovery service, but the message processing
engine component of the management point. Microsoft Entra hybrid joined devices also
use the message processing engine.

Starting in version 2103, all supported clients use the message processing engine
component of the management point as the recovery service. This change reduces
dependencies on legacy MBAM components, and enables support for enhanced HTTP.

Note

For version 2010, the message processing engine channel only escrows keys for OS
and fixed drive volumes. It doesn't support recovery keys for removable drives or
the TPM password hash.

Starting in version 2103, BitLocker management policies over a CMG support the
following capabilities:

Recovery keys for removable drives
TPM password hash, otherwise known as TPM owner authorization

Rotate keys
When you recover a key with the self-service or helpdesk portals, since it's disclosed,
Configuration Manager requires the client to rotate the key. Rotating the key means that
the client generates a new key for BitLocker recovery. It then escrows the new key to the
recovery service.

Note

When you migrate from MBAM, the device rotates its key as soon as it receives a
BitLocker management policy from Configuration Manager. It then sends the new
key to the Configuration Manager recovery service.

Next steps
Migrate from MBAM

Set up BitLocker reports and portals



Migrate from MBAM
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can
seamlessly migrate management to Configuration Manager. When you deploy BitLocker
management policies in Configuration Manager, clients automatically rotate their keys
and upload them to the Configuration Manager recovery service.

Important

When you migrate from stand-alone MBAM to Configuration Manager BitLocker
management, if you require existing functionality of stand-alone MBAM, don't
reuse stand-alone MBAM servers or components with Configuration Manager
BitLocker management. If you reuse these servers, stand-alone MBAM will stop
working when Configuration Manager BitLocker management installs its
components on those servers. Don't run the MBAMWebSiteInstaller.ps1 script to
set up the BitLocker portals on stand-alone MBAM servers. When you set up
Configuration Manager BitLocker management, use separate servers.

Group policy
If a group policy setting exists for standalone MBAM, it will override the equivalent
setting attempted by Configuration Manager. Standalone MBAM uses domain group
policy, while Configuration Manager sets local policies for BitLocker management.
Domain policies will override the local Configuration Manager BitLocker management
policies. If the standalone MBAM domain group policy doesn't match the Configuration
Manager policy, Configuration Manager BitLocker management will fail. For example, if
a domain group policy sets the standalone MBAM server for key recovery services,
Configuration Manager BitLocker management can't set the same setting for its
recovery service. This behavior causes clients to not report their recovery keys to the
Configuration Manager BitLocker management recovery service.

Don't set a group policy for a setting that Configuration Manager BitLocker
management already specifies. Only set group policies for settings that don't currently
exist in Configuration Manager BitLocker management. Configuration Manager has
feature parity with standalone MBAM. In most instances there should be no reason to
set domain group policies to configure BitLocker policies. To prevent conflicts and
problems, avoid use of group policies for BitLocker. Configure all settings through
Configuration Manager BitLocker management policies.
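The script below is an added example and is not part of the Configuration Manager documentation. It addresses the conflict described in this Group policy section (and in the Group policy section of the previous article): a stand-alone MBAM domain GPO silently winning over the local policy that Configuration Manager writes. It reads the client's Resultant Set of Policy logging data and shows, for every BitLocker policy registry value, which GPO delivered it and whether a domain GPO and the local policy both set it. Assumptions: BitLocker and MBAM ADMX settings land under Software\Policies\Microsoft\FVE (MBAM-specific values such as KeyRecoveryServiceEndPoint in its MDOPBitLockerManagement subkey); the RSOP logging namespace root\rsop\computer is populated at each policy refresh and identifies the local policy with GPOID LocalGPO; registry data in RSOP_RegistryPolicySetting is stored as a byte array.

```powershell
# Added example, not part of the Configuration Manager documentation: show which
# Group Policy object delivers each BitLocker policy registry setting on this
# client, so that a leftover stand-alone MBAM domain GPO is found before it
# overrides the local policy that Configuration Manager writes.
# Assumptions: BitLocker/MBAM ADMX settings live under Software\Policies\Microsoft\FVE;
# root\rsop\computer is populated at each policy refresh and reports the local
# policy with GPOID 'LocalGPO'; RSOP stores registry data as a byte array.
# Run elevated on the client.

function ConvertFrom-RsopValue {
    # Decode RSOP's byte array according to the registry value type.
    param($Bytes, [int]$Type)
    if ($null -eq $Bytes) { return '' }
    if ($Bytes -isnot [array]) { return [string]$Bytes }    # already decoded on this platform
    $b = [byte[]]$Bytes
    switch ($Type) {
        { $_ -in 1, 2 } { return [Text.Encoding]::Unicode.GetString($b).TrimEnd([char]0) }  # REG_SZ, REG_EXPAND_SZ
        7               { return (([Text.Encoding]::Unicode.GetString($b).TrimEnd([char]0)) -split [char]0) -join ';' }  # REG_MULTI_SZ
        4               { return [BitConverter]::ToUInt32($b, 0) }                             # REG_DWORD
        default         { return (($b | ForEach-Object { $_.ToString('x2') }) -join '') }
    }
}

$settings = Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_RegistryPolicySetting -ErrorAction Stop |
    Where-Object { $_.registryKey -like '*Policies\Microsoft\FVE*' }

if (-not $settings) {
    Write-Warning "No BitLocker policy settings in RSOP data. Run 'gpupdate /force' and retry."
    return
}

$report = foreach ($s in $settings) {
    [pscustomobject]@{
        Key        = $s.registryKey -replace '^.*Policies\\Microsoft\\', ''
        ValueName  = $s.valueName
        Value      = ConvertFrom-RsopValue -Bytes $s.value -Type $s.valueType
        Precedence = $s.precedence        # 1 wins when several GPOs set the same value
        Source     = if ($s.GPOID -eq 'LocalGPO') { 'Local (Configuration Manager)' } else { "Domain GPO $($s.GPOID)" }
    }
}
$report | Sort-Object Key, ValueName, Precedence | Format-Table -AutoSize

# A value set both by the local policy and by a domain GPO is exactly the conflict
# this section warns about: the domain GPO wins and Configuration Manager's setting is ignored.
$report | Group-Object Key, ValueName | Where-Object {
    ($_.Group | Where-Object Source -like 'Local*') -and ($_.Group | Where-Object Source -like 'Domain*')
} | ForEach-Object {
    $winner = $_.Group | Sort-Object Precedence | Select-Object -First 1
    Write-Warning "$($_.Name) is set by local policy and by a domain GPO; the domain GPO wins ($($winner.Source))."
}

# The most damaging case: key recovery still pointed at a stand-alone MBAM server,
# so clients escrow keys there instead of to the management point.
$ep = $report | Where-Object ValueName -eq 'KeyRecoveryServiceEndPoint' | Sort-Object Precedence | Select-Object -First 1
if ($ep -and $ep.Source -like 'Domain*') {
    Write-Warning "KeyRecoveryServiceEndPoint = $($ep.Value) comes from $($ep.Source); remove that GPO setting before migrating."
}
```

If the namespace is empty, RSOP logging hasn't run yet on the device; `gpupdate /force` populates it. The GPO distinguished name in the warning tells you which domain GPO to unlink or edit.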

TPM password hash

Previous MBAM clients don't upload the TPM password hash to Configuration
Manager. The client only uploads the TPM password hash once.

If you need to migrate this information to the Configuration Manager recovery
service, clear the TPM on the device. After it restarts, it uploads the new TPM
password hash to the recovery service. Before you clear the TPM, suspend BitLocker
protection on the OS drive and have the recovery key at hand: clearing the TPM
invalidates the TPM key protector, and a device with active protection boots into
BitLocker recovery.

Note

Uploading of the TPM password hash mainly pertains to versions of Windows
before Windows 10. Windows 10 or later by default doesn't save the TPM password
hash, so these devices don't normally upload it. For more information, see About
the TPM owner password.

Re-encryption
Configuration Manager doesn't re-encrypt drives that are already protected with
BitLocker Drive Encryption. If you deploy a BitLocker management policy that doesn't
match the drive's current protection, it reports as non-compliant. The drive is still
protected.

For example, you used MBAM to encrypt the drive with the AES-XTS 128 encryption
algorithm, but the Configuration Manager policy requires AES-XTS 256. The drive is
non-compliant with the policy, even though the drive is encrypted.

To work around this behavior, first disable BitLocker on the device and wait for
decryption to finish. Then deploy a new policy with the new settings. The drive is
unprotected from the moment decryption starts until the new policy has finished
re-encrypting it, so do this on a device you physically control, not on one that's
in the field.
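The following script is an added example and is not part of the Configuration Manager documentation. It serves this Re-encryption section and the identical one in the earlier article: it lists the volumes whose current cipher differs from the one the new policy requires, and with -Decrypt performs the documented workaround (turn BitLocker off, wait for decryption to complete, then let the new policy re-encrypt). It uses only the built-in BitLocker module cmdlets. Assumption: the policy's "AES-XTS 256" corresponds to the cmdlet value XtsAes256; pass a different -RequiredMethod if your policy differs.

```powershell
# Added example, not part of the Configuration Manager documentation: find volumes
# encrypted with a cipher other than the one the new policy requires and, with
# -Decrypt, carry out the workaround above. Assumption: the policy's AES-XTS 256
# maps to the BitLocker module's XtsAes256. Run elevated on the device.
param(
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$RequiredMethod = 'XtsAes256',
    [switch]$Decrypt
)

# Volumes that are encrypted (or still encrypting) with something other than the required cipher.
$mismatched = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -ne $RequiredMethod } |
    Sort-Object { $_.VolumeType -eq 'OperatingSystem' }   # data drives first, OS drive last

if (-not $mismatched) {
    "All encrypted volumes already use $RequiredMethod; no re-encryption needed."
    return
}

$mismatched |
    Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Format-Table -AutoSize

if (-not $Decrypt) {
    "Re-run with -Decrypt to turn BitLocker off on these volumes. The new policy re-encrypts them afterwards."
    return
}

foreach ($vol in $mismatched) {
    if ($vol.VolumeType -eq 'OperatingSystem') {
        # Data drives that the OS drive unlocks automatically must lose auto-unlock
        # before the OS drive itself can be decrypted.
        Clear-BitLockerAutoUnlock
    }
    # From here until the new policy finishes encrypting, the data on this volume is unprotected.
    "Disabling BitLocker on $($vol.MountPoint) (currently $($vol.EncryptionMethod))"
    Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null

    # Decryption runs in the background; poll until it completes.
    do {
        Start-Sleep -Seconds 30
        $state = Get-BitLockerVolume -MountPoint $vol.MountPoint
        "  {0}: {1}, {2}% encrypted" -f $vol.MountPoint, $state.VolumeStatus, $state.EncryptionPercentage
    } while ($state.VolumeStatus -ne 'FullyDecrypted')
}

"Decryption complete. Deploy the Configuration Manager policy that requires $RequiredMethod; the client re-encrypts and escrows new recovery keys."
```

Run it without -Decrypt first to see what would be touched. Data drives are processed before the OS drive on purpose, and the device should stay on power and under your control until the BitLocker Computer Compliance report shows it encrypted with the new cipher again.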

Next steps
About the BitLocker recovery service

Set up BitLocker reports and portals




Set up BitLocker portals
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To use the following BitLocker management components in Configuration Manager, you
first need to install them:

User self-service portal
Administration and monitoring website (helpdesk portal)

You can install the portals on an existing site server or site system server with IIS
installed, or use a standalone web server to host them.

Note

Starting in version 2006, you can install the BitLocker self-service portal and the
administration and monitoring website at the central administration site.

In version 2002 and earlier, only install the self-service portal and the
administration and monitoring website with a primary site database. In a hierarchy,
install these websites for each primary site.

Before you start, confirm the prerequisites for these components.

Run the script

On the target web server, do the following actions:

Note

Depending upon your site design, you may need to run the script multiple times.
For example, run the script on the management point to install the administration
and monitoring website. Then run it again on a standalone web server to install the
self-service portal.

1. Copy the following files from SMSSETUP\BIN\X64 in the Configuration Manager
installation folder on the site server to a local folder on the target server:

MBAMWebSite.cab
MBAMWebSiteInstaller.ps1

2. Run PowerShell as an administrator, and then run the script similar to the following
command line:

PowerShell

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> `
    -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> `
    -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> `
    -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both

For example,

PowerShell

.\MBAMWebSiteInstaller.ps1 -SqlServerName sql.contoso.com -SqlInstanceName instance1 `
    -SqlDatabaseName CM_ABC -ReportWebServiceUrl https://rsp.contoso.com/ReportServer `
    -HelpdeskUsersGroupName "contoso\BitLocker help desk users" `
    -HelpdeskAdminsGroupName "contoso\BitLocker help desk admins" `
    -MbamReportUsersGroupName "contoso\BitLocker report users" -SiteInstall Both

Important

This example command line uses the main parameters to show their usage. Adjust
your use according to your requirements in your environment; the full parameter
list is under Script usage.

After installation, access the portals via the following URLs:

Self-service portal: https://webserver.contoso.com/SelfService
Administration and monitoring website: https://webserver.contoso.com/HelpDesk

Note

Microsoft recommends but doesn't require the use of HTTPS. Both portals display
BitLocker recovery keys, so treat HTTPS as mandatory in practice: over plain HTTP
the recovery keys cross the network in clear text. For more information, see How to
set up SSL on IIS.

Script usage
This process uses a PowerShell script, MBAMWebSiteInstaller.ps1, to install these
components on the web server. It accepts the following parameters:

-SqlServerName <ServerName> (required): The fully qualified domain name of the
primary site database server.

-SqlInstanceName <InstanceName>: The SQL Server instance name for the primary
site database. If SQL Server uses the default instance, don't include this parameter.

-SqlDatabaseName <DatabaseName> (required): The name of the primary site
database, for example CM_ABC.

-ReportWebServiceUrl <ReportWebServiceUrl>: The web service URL of the primary
site's reporting service point. It's the Web Service URL value in Reporting Services
Configuration Manager.

Note

This parameter is to install the Recovery Audit Report that's linked from the
administration and monitoring website. By default Configuration Manager
includes the other BitLocker management reports.

-HelpdeskUsersGroupName <DomainUserGroup>: For example, contoso\BitLocker help
desk users. A domain user group whose members have access to the Manage
TPM and Drive Recovery areas of the administration and monitoring website.
When using these options, this role needs to fill in all fields, including the user's
domain and account name.

-HelpdeskAdminsGroupName <DomainUserGroup>: For example, contoso\BitLocker
help desk admins. A domain user group whose members have access to all
recovery areas of the administration and monitoring website. When helping users
recover their drives, this role only has to enter the recovery key ID. Because this
role retrieves recovery keys without proving who's asking, keep its membership
small.

-MbamReportUsersGroupName <DomainUserGroup>: For example, contoso\BitLocker
report users. A domain user group whose members have read-only access to the
Reports area of the administration and monitoring website.

Note

The installer script doesn't create the domain user groups that you specify in
the -HelpdeskUsersGroupName, -HelpdeskAdminsGroupName, and
-MbamReportUsersGroupName parameters. Before you run the script, make
sure to create these groups.

When you specify the -HelpdeskUsersGroupName, -HelpdeskAdminsGroupName,
and -MbamReportUsersGroupName parameters, make sure to specify both the
domain name and the group name. Use the format "domain\user_group". Don't
exclude the domain name. If the domain name or group name contains spaces or
special characters, enclose the parameter in quotation marks (").

-SiteInstall Both: Specify which of the components to install. Valid options
include:
Both: Install both components
HelpDesk: Install only the administration and monitoring website
SSP: Install only the self-service portal

-IISWebSite: The website where the script installs the MBAM web applications. By
default, it uses the IIS default website. Create the custom website before using this
parameter.

-InstallDirectory: The path where the script installs the web application files. By
default, this path is C:\inetpub. Create the custom directory before using this
parameter.

-DomainName applies to version 2002 and later: Specify the NetBIOS domain name
of the server with the help desk or self-service web portal role. Only necessary if
the NetBIOS domain name doesn't match the DNS domain name. This
configuration is also known as a disjointed domain namespace. For example,
-DomainName fabrikham where the DNS domain name is contoso.com.

-Uninstall: Uninstalls the BitLocker Management Help Desk/Self-Service web
portal sites on a web server where they have been previously installed.

Verify
Monitor and troubleshoot using the following logs:

Windows Event logs under Microsoft-Windows-MBAM-Web. For more
information, see About BitLocker event logs and Server event logs.

Trace logs for each component are in the following default locations:

Self-service portal: C:\inetpub\Microsoft BitLocker Management Solution\Logs\Self Service Website
Administration and monitoring website: C:\inetpub\Microsoft BitLocker Management Solution\Logs\Help Desk Website

For more troubleshooting information, see Troubleshoot BitLocker.
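The following script is an added example and is not part of the Configuration Manager documentation or of MBAMWebSiteInstaller.ps1 itself. It wraps the procedure on this page: it checks the things the installer doesn't check for you (that the three domain groups resolve, that the two installer files are present, that the server has an HTTPS binding), optionally runs the installer with the parameters from the example above via splatting, and then verifies the result by requesting both portal URLs and reading the MBAM-Web event channels and trace-log folders listed under Verify. The server, database, reporting URL and group names are the page's own placeholders and must be replaced; the channel names Microsoft-Windows-MBAM-Web/Admin and Microsoft-Windows-MBAM-Web/Operational are assumptions (confirm with Get-WinEvent -ListLog *MBAM-Web*).

```powershell
# Added example, not part of the Configuration Manager documentation: pre-flight
# checks, the installer call, and post-install verification for the BitLocker portals.
# Assumptions: the values in $installArgs are placeholders for your environment; the
# MBAM-Web event channels are Microsoft-Windows-MBAM-Web/Admin and /Operational.
# Run elevated on the target web server, from the folder that holds MBAMWebSite.cab
# and MBAMWebSiteInstaller.ps1.
param([switch]$RunInstaller)

$installArgs = @{
    SqlServerName            = 'sql.contoso.com'
    SqlInstanceName          = 'instance1'          # remove this entry for the default instance
    SqlDatabaseName          = 'CM_ABC'
    ReportWebServiceUrl      = 'https://rsp.contoso.com/ReportServer'
    HelpdeskUsersGroupName   = 'contoso\BitLocker help desk users'
    HelpdeskAdminsGroupName  = 'contoso\BitLocker help desk admins'
    MbamReportUsersGroupName = 'contoso\BitLocker report users'
    SiteInstall              = 'Both'
}
$webServer = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN used in the portal URLs
$traceRoot = 'C:\inetpub\Microsoft BitLocker Management Solution\Logs'

# --- Pre-flight ---------------------------------------------------------------
# The installer doesn't create the groups; make sure each one resolves in the domain.
$ok = $true
foreach ($key in 'HelpdeskUsersGroupName', 'HelpdeskAdminsGroupName', 'MbamReportUsersGroupName') {
    $group = $installArgs[$key]
    try {
        $sid = ([System.Security.Principal.NTAccount]$group).Translate([System.Security.Principal.SecurityIdentifier])
        "OK      $key = $group ($sid)"
    } catch {
        Write-Warning "MISSING $key = $group; create the group before installing"
        $ok = $false
    }
}
# The portals hand out recovery keys, so an HTTPS binding must exist on this server.
Import-Module WebAdministration
if (-not (Get-WebBinding -Protocol https)) {
    Write-Warning 'No HTTPS binding on this server; add a certificate binding before exposing the portals'
    $ok = $false
}
foreach ($f in 'MBAMWebSite.cab', 'MBAMWebSiteInstaller.ps1') {
    if (-not (Test-Path ".\$f")) { Write-Warning "$f not found in $PWD"; $ok = $false }
}

# --- Install ------------------------------------------------------------------
if ($RunInstaller) {
    if (-not $ok) { throw 'Fix the warnings above before running the installer.' }
    .\MBAMWebSiteInstaller.ps1 @installArgs
}

# --- Verify -------------------------------------------------------------------
# Both applications should answer over HTTPS to a Windows-authenticated request.
foreach ($app in 'SelfService', 'HelpDesk') {
    $url = "https://$webServer/$app/"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
        "OK      $url -> HTTP $($resp.StatusCode)"
    } catch {
        Write-Warning "FAIL    $url -> $($_.Exception.Message)"
    }
}

# Recent warnings/errors from the portal event channels and any fresh trace logs.
$since = (Get-Date).AddHours(-24)
foreach ($log in 'Microsoft-Windows-MBAM-Web/Admin', 'Microsoft-Windows-MBAM-Web/Operational') {   # assumed names
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
}
Get-ChildItem -Path $traceRoot -Recurse -Filter '*.etl' -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Select-Object FullName, Length, LastWriteTime
```

Run it once without -RunInstaller to see the pre-flight result, then with -RunInstaller to install and verify in one pass. A 401 from the HelpDesk URL for your own account means the application is up but your account isn't in any of the three groups, which is expected for an installer account that isn't also a helpdesk user.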

Next steps
Customize the self-service portal

For more information on using the components that you installed, see the following
articles:

BitLocker administration and monitoring website


BitLocker self-service portal



Customize the self-service portal
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the BitLocker self-service portal, you can customize it for your
organization. Add a custom notice, your organization name, and other organization-
specific information.

Branding
Brand the self-service portal with your organization's name, help desk URL, and notice
text.

1. On the web server that hosts the self-service portal, sign in as an administrator.

2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).

3. Expand Sites, expand Default Web Site, and select the SelfService node. In the
details pane, ASP.NET group, open Application Settings.

4. Select the item that you want to change, and in the Actions pane, select Edit.
Change the Value to the new name that you want to use.

Caution

Don't change the Name values. For example, don't change the name CompanyName;
change only its value, Contoso IT. If you change the Name values, the self-service
portal will stop working.

The changes take effect immediately.

Supported branding values

For the values that you can set, see the following list (Name: Description. Default value):

CompanyName: The organization name that the self-service portal displays as a
header at the top of every page. Default value: Contoso IT

DisplayNotice: Display an initial notice that the user has to acknowledge. Default
value: true

HelpdeskText: The string in the right pane below "For all other related issues".
Default value: Contact Helpdesk or IT Department

HelpdeskUrl: The link for the HelpdeskText string. Default value: (empty)

NoticeTextPath: The text of the initial notice that the user has to acknowledge. By
default, the full file path on the web server is C:\inetpub\Microsoft BitLocker
Management Solution\Self Service Website\Notice.txt. Edit and save the file in a
plain text editor. This path value is relative to the SelfService application. Default
value: Notice.txt

For a screenshot of the default self-service portal, see BitLocker self-service portal.

Tip

If necessary, you can localize some of these strings to display in different
languages. For more information, see Localization.

Session time-out
To make the user's session expire after a specified period of inactivity, you can change
the session time-out setting for the self-service portal.
1. On the web server that hosts the self-service portal, sign in as an administrator.

2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).

3. Expand Sites, expand Default Web Site, and select the SelfService node. In the
details pane, ASP.NET group, open Session State.

4. In the Cookie Settings group, change the Time-out (in minutes) value. It's the
number of minutes after which the user's session expires. The default value is 5. To
disable the setting, so that there's no time-out, set the value to 0. Because a signed-in
session on this portal can retrieve recovery keys, keep the time-out short rather than
disabling it.

5. In the Actions pane, select Apply.

Localize helpdesk text and URL

You can configure localized versions of the self-service portal HelpdeskText statement
and HelpdeskUrl link. This string informs users how to get additional help when they
use the portal. If you configure localized text, the portal displays the localized version for
web browsers in that language. If it doesn't find a localized version, it displays the
default value in the HelpdeskText and HelpdeskUrl settings.

1. On the web server that hosts the self-service portal, sign in as an administrator.

2. Start the Internet Information Services (IIS) Manager (run inetmgr.exe).

3. Expand Sites, expand Default Web Site, and select the SelfService node. In the
details pane, ASP.NET group, open Application Settings.

4. In the Actions pane, select Add.

5. In the Add Application Setting window, configure the following values:

Name: enter HelpdeskText_<language>, where <language> is the language
code for the text. For example, to create a localized HelpdeskText statement in
Spanish (Spain), the name is HelpdeskText_es-es.

Value: the localized string to display in the right pane of the self-service
portal below "For all other related issues"

6. Select OK to save the new setting.

7. Repeat this process to add a new application setting for HelpdeskUrl_<language>
that matches the associated HelpdeskText_<language> setting.

Repeat this process to add a pair of settings for all languages that you support in your
organization.

Localize the notice file

You can configure localized versions of the initial notice that the user has to
acknowledge in the self-service portal. By default, the full file path on the web server is
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Notice.txt.

To display localized notice text, create a localized notice.txt file. Then save it under a
specific language folder. For example: Self Service Website\es-es\Notice.txt for
Spanish (Spain).

The self-service portal displays the notice text based on the following rules:

If the default notice file is missing, the portal displays a message that the default
file is missing.

If you create a localized notice file in the appropriate language folder, it displays
the localized notice text.

If the web server doesn't find a localized version of the notice file, it displays the
default notice.

If the user sets their browser to a language that doesn't have a localized notice, the
portal displays the default notice.

Create a localized notice file

1. On the web server that hosts the self-service portal, sign in as an administrator.

2. Create a <language> folder for each supported language in the Self Service
Website application path. For example, es-es for Spanish (Spain). By default, the
full path is C:\inetpub\Microsoft BitLocker Management Solution\Self Service
Website\es-es.

For a list of the valid language codes you can use, see National Language Support
(NLS) API Reference.

Tip

The name of the language folder can also be the language neutral name. For
example, es for Spanish, instead of es-es for Spanish (Spain) and es-ar for
Spanish (Argentina). If the user sets their browser to es-es, and that language
folder doesn't exist, the web server recursively checks the parent locale folder
(es). (The parent locales are defined in .NET.) For example, Self Service
Website\es\Notice.txt. This recursive fallback mimics the .NET resource
loading rules.

3. Create a copy of your default notice file with the localized text. Save it in the folder
for the language code. For example, for Spanish (Spain), by default the full path is
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\es-es\Notice.txt.

Repeat this process to create a localized notice file for all languages that you support in
your organization.
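The script below is an added example and is not part of the Configuration Manager documentation. It performs the four procedures in this article (branding, session time-out, localized help desk text and URL, localized notice file) with the WebAdministration module instead of the IIS Manager UI, which makes the customization repeatable on every server that hosts the portal. Assumptions: the portal is the SelfService application under Default Web Site, as in the steps above; the Fabrikam strings, the Spanish text and the notice wording are placeholders; Get-WebConfigurationProperty returns an attribute object whose Value property holds the setting.

```powershell
# Added example, not part of the Configuration Manager documentation: apply the
# self-service portal customizations from this article with the WebAdministration
# module. Assumptions: the portal is the SelfService application under Default Web
# Site; the Fabrikam strings, Spanish text and notice wording are placeholders.
# Run elevated on the web server that hosts the portal.
Import-Module WebAdministration

$app      = 'IIS:\Sites\Default Web Site\SelfService'
$physical = (Get-WebApplication -Site 'Default Web Site' -Name 'SelfService').PhysicalPath

function Set-PortalSetting {
    # Update an existing appSettings key's value, or add the key when -Create is given.
    # Existing Name values are never renamed: the portal stops working if they change.
    param([string]$Key, [string]$Value, [switch]$Create)
    $filter  = "appSettings/add[@key='$Key']"
    $current = Get-WebConfigurationProperty -PSPath $app -Filter $filter -Name value
    if ($null -ne $current) {
        Set-WebConfigurationProperty -PSPath $app -Filter $filter -Name value -Value $Value
    } elseif ($Create) {
        Add-WebConfigurationProperty -PSPath $app -Filter 'appSettings' -Name '.' -Value @{ key = $Key; value = $Value }
    } else {
        Write-Warning "appSettings key '$Key' doesn't exist; not creating it"
    }
}

# 1. Branding: only the values change; the keys stay exactly as shipped.
Set-PortalSetting -Key 'CompanyName'   -Value 'Fabrikam IT'
Set-PortalSetting -Key 'DisplayNotice' -Value 'true'
Set-PortalSetting -Key 'HelpdeskText'  -Value 'Contact the Fabrikam service desk'
Set-PortalSetting -Key 'HelpdeskUrl'   -Value 'https://servicedesk.fabrikam.example/'

# 2. Localized help desk text and URL: new keys named <Setting>_<language>, always added as a pair.
Set-PortalSetting -Key 'HelpdeskText_es-es' -Value 'Contacte con el servicio de soporte de Fabrikam' -Create
Set-PortalSetting -Key 'HelpdeskUrl_es-es'  -Value 'https://servicedesk.fabrikam.example/es/'       -Create

# 3. Session time-out. The portal shows recovery keys: keep it short and never set it to 0.
Set-WebConfigurationProperty -PSPath $app -Filter 'system.web/sessionState' -Name timeout -Value '00:05:00'

# 4. Localized notice: a copy of the default notice file under a language folder.
$noticeName = (Get-WebConfigurationProperty -PSPath $app -Filter "appSettings/add[@key='NoticeTextPath']" -Name value).Value
if (-not $noticeName) { $noticeName = 'Notice.txt' }
$langDir = Join-Path $physical 'es-es'     # or 'es' to cover every Spanish locale via parent-locale fallback
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
Set-Content -Path (Join-Path $langDir (Split-Path $noticeName -Leaf)) -Encoding UTF8 -Value @'
Este portal permite recuperar la clave de BitLocker de un equipo de Fabrikam.
Al continuar, acepta que la solicitud queda registrada y auditada.
'@

# 5. Show the result: every appSettings entry and the effective session time-out.
Get-WebConfiguration -PSPath $app -Filter 'appSettings/add' | Select-Object key, value | Format-Table -AutoSize
Get-WebConfigurationProperty -PSPath $app -Filter 'system.web/sessionState' -Name timeout
```

The changes take effect immediately, as they do when made in IIS Manager. Run the same script on each portal server so that branding and time-out stay identical across them; keep the notice text in source control alongside the script so its wording is reviewable.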

Next steps
Now that you've installed and customized the self-service portal, try it out! For more
information, see BitLocker self-service portal.



View BitLocker reports
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the reports on the reporting services point, you can view the reports.
The reports show BitLocker compliance for the enterprise and for individual devices.
They provide tabular information and charts, and have filters that let you view data from
different perspectives.

In the Configuration Manager console, go to the Monitoring workspace, expand
Reporting, and select the Reports node. The following reports are in the BitLocker
Management category:

BitLocker Computer Compliance
BitLocker Enterprise Compliance Dashboard
BitLocker Enterprise Compliance Details
BitLocker Enterprise Compliance Summary
Recovery Audit Report

You can access all of these reports directly from the reporting services point website.

Note

For these reports to display complete data:

Create and deploy a BitLocker management policy to a device collection
Clients in the target collection need to send hardware inventory

BitLocker computer compliance

Use this report to collect information that's specific to a computer. It provides detailed
encryption information about the OS drive and any fixed data drives. To view the details
of each drive, expand the Computer Name entry. It also indicates the policy that's
applied to each drive type on the computer.

You can also use this report to determine the last known BitLocker encryption status of
lost or stolen computers. Configuration Manager determines compliance of the device
based on the BitLocker policies that you deploy. Before you try to determine the
BitLocker encryption state of a device, verify the policies that you've deployed to it.

Note

This report doesn't show the Removable Data Volume encryption status.

Computer details

Computer name: User-specified DNS computer name.

Domain name: Fully qualified domain name for the computer.

Computer Type: Type of computer, valid types are Non-Portable and Portable.

Operating system: OS type of the computer.

Overall compliance: Overall BitLocker compliance status of the computer. Valid
states are Compliant and Non-compliant. The compliance status per drive may
indicate different compliance states. However, this field represents the compliance
state from the specified policy.

Operating system compliance: Compliance status of the OS on the computer. Valid
states are Compliant and Non-compliant.

Fixed data drive compliance: Compliance status of a fixed data drive on the
computer. Valid states are Compliant and Non-compliant.

Last update date: Date and time that the computer last contacted the server to
report compliance status.

Exemption: Indicates whether the user is exempt or non-exempt from the BitLocker
policy.

Exempted user: The user who's exempt from the BitLocker policy.

Exemption date: Date on which the exemption was granted.

Compliance status details: Error and status messages about the compliance state of
the computer from the specified policy.

Policy cipher strength: Cipher strength that you selected in the BitLocker
management policy.

Policy: Operating system drive: Indicates if encryption is required for the OS drive
and the appropriate protector type.

Policy: Fixed data drive: Indicates if encryption is required for the fixed data drive.

Manufacturer: Computer manufacturer name as it appears in the computer BIOS.

Model: Computer manufacturer model name as it appears in the computer BIOS.

Device users: Known users on the computer.

Computer volume

Drive letter: The drive letter on the computer.

Drive type: Type of drive. Valid values are Operating System Drive and Fixed Data
Drive. These entries are physical drives rather than logical volumes.

Cipher strength: Cipher strength that you selected in the BitLocker management
policy.

Protector types: Type of protector that you selected in the policy to encrypt the
drive. The valid protector types for an OS drive are TPM or TPM+PIN. The valid
protector type for a fixed data drive is Password.

Protector state: Indicates that the computer enabled the protector type specified in
the policy. The valid states are ON or OFF.

Encryption state: Encryption state of the drive. Valid states are Encrypted, Not
Encrypted, or Encrypting.

BitLocker enterprise compliance dashboard

This report provides the following graphs, which show BitLocker compliance status
across your organization:

Compliance status distribution
Non-compliant - Errors distribution
Compliance status distribution by drive type

Compliance status distribution

This pie chart shows compliance status for computers in the organization. It also shows
the percentage of computers with that compliance status, compared to the total
number of computers in the selected collection. The actual number of computers with
each status is also shown.

The pie chart shows the following compliance statuses:

Compliant

Non-compliant

User exempt

Temporary user exempt

Policy not enforced

Note

This state may be caused by a device that's encrypted and previously escrowed its
key, but can't currently escrow its key. Because it can't escrow its key it doesn't
enforce policy anymore.

Unknown. These computers reported a status error, or they're part of the collection
but have never reported their compliance status. The lack of a compliance status
could occur if the computer is disconnected from the organization.

Non-compliant - Errors distribution


This pie chart shows the categories of computers in your organization that aren't
compliant with the BitLocker Drive Encryption policy. It also shows the number of
computers in each category. The report calculates each percentage from the total
number of non-compliant computers in the collection.

User postponed encryption

Unable to find compatible TPM

System partition not available or large enough

TPM visible but not initialized

Policy conflict

Waiting for TPM auto provisioning

An unknown error has occurred

No information. These computers don't have the BitLocker management agent
installed, or it's installed but not activated. For example, the service isn't working.

Compliance status distribution by drive type

This bar chart shows the current BitLocker compliance status by drive type. The statuses
are Compliant and Non-compliant. Bars are shown for fixed data drives and OS drives.
The report includes computers without a fixed data drive, and only shows a value in the
Operating System Drive bar. The chart doesn't include users who have been granted an
exemption from the BitLocker Drive Encryption policy or the No Policy category.

BitLocker enterprise compliance details


This report shows information about the overall BitLocker compliance across your
organization for the collection of computers to which you deployed the BitLocker
management policy.


Column name: Description

Managed computers: Number of computers to which you deployed a BitLocker management policy.

% Compliant: Percentage of compliant computers in the organization.

% Non-compliant: Percentage of non-compliant computers in the organization.

% Unknown compliance: Percentage of computers with a compliance state that's not known.

% Exempt: Percentage of computers exempt from the BitLocker encryption requirement.

% Non-exempt: Percentage of computers not exempt from the BitLocker encryption requirement.

Compliant: Count of compliant computers in the organization.

Non-Compliant: Count of non-compliant computers in the organization.

Unknown Compliance: Count of computers with a compliance state that's not known.

Exempt: Count of computers that are exempt from the BitLocker encryption requirement.

Non-exempt: Count of computers that aren't exempt from the BitLocker encryption requirement.

Computer details


Column name: Description

Computer name: DNS computer name of the managed device.

Domain name: Fully qualified domain name for the computer.

Compliance status: Overall compliance status of the computer. Valid states are Compliant and Non-compliant.

Exemption: Indicates whether the user is exempt or non-exempt from the BitLocker policy.

Device users: Users of the device.

Compliance status details: Error and status messages about the compliance state of the computer from the specified policy.

Last contact: Date and time that the computer last contacted the server to report compliance status.

BitLocker enterprise compliance summary


Use this report to show the overall BitLocker compliance across your organization. It
also shows the compliance for individual computers to which you deployed the
BitLocker management policy.



Column name: Description

Managed computers: Number of computers that you manage with BitLocker policy.

% Compliant: Percentage of compliant computers in your organization.

% Non-compliant: Percentage of non-compliant computers in your organization.

% Unknown compliance: Percentage of computers with a compliance state that's not known.

% Exempt: Percentage of computers exempt from the BitLocker encryption requirement.

% Non-exempt: Percentage of computers not exempt from the BitLocker encryption requirement.

Compliant: Count of compliant computers in your organization.

Non-compliant: Count of non-compliant computers in your organization.

Unknown compliance: Count of computers with a compliance state that's not known.

Exempt: Count of computers that are exempt from the BitLocker encryption requirement.

Non-exempt: Count of computers that aren't exempt from the BitLocker encryption requirement.

Recovery audit report

Note

This report is only available from the BitLocker administration and monitoring
website.

Use this report to audit users who have requested access to BitLocker recovery keys. You
can filter on the following criteria:

A specific type of user, for example, a help desk user or an end user
If the request failed or was successful
The specific type of key requested: Recovery Key Password, Recovery Key ID, or
TPM Password Hash
A date range during which the retrieval occurred


Column name: Description

Request date and time: Date and time that an end user or help desk user requested a key.

Audit request source: The site from where the request came. Valid values are Self-Service Portal or Helpdesk.

Request result: Status of the request. Valid values are Successful or Failed.

Helpdesk user: The administrative user who requested the key. If a helpdesk admin recovers the key without specifying the user name, the End User field is blank. A standard helpdesk user must specify the user name, which appears in this field. For recovery via the self-service portal, this field and the End User field display the name of the user making the request.

End user: Name of the user who requested key retrieval.

Computer: Name of the computer that was recovered.

Key type: Type of key that the user requested. The three types of keys are:
- Recovery key password: used to recover a computer in recovery mode
- Recovery key ID: used to recover a computer in recovery mode for another user
- TPM password hash: used to recover a computer with a locked TPM

Reason description: Why the user requested the specified key type, based upon the option they selected in the form.

BitLocker administration and
monitoring website
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption. It's also referred to as the help desk portal. Use this website to review reports, recover users' drives, and manage device TPMs.

Before you can use it, install this component on a web server. For more information, see
Set up BitLocker reports and portals.

Access the administration and monitoring website via the following URL:
https://webserver.contoso.com/HelpDesk

Note

You can view the Recovery Audit Report in the administration and monitoring website. You add other BitLocker management reports to the reporting services point. For more information, see View BitLocker reports.

Groups
To access specific areas of the administration and monitoring website, your user account
needs to be in one of the following groups. Create these groups in Active Directory
using any name you want. When you install this website, you specify these group names.
For more information, see Set up BitLocker reports and portals.


Group: Description

BitLocker help desk admins: Provides access to all areas of the administration and monitoring website. When you help a user recover their drives, you enter only the recovery key, and not the domain and user name. If a user is a member of both this group and the BitLocker help desk users group, the admin group permissions override the user group permissions.

BitLocker help desk users: Provides access to the Manage TPM and Drive Recovery areas of the administration and monitoring website. When you use either area, you need to fill in all fields including the user's domain and account name. If a user is a member of both this group and the BitLocker help desk admins group, the admin group permissions override the user group permissions.

BitLocker report users: Provides access to the Reports area of the administration and monitoring website.

Manage TPM
If a user enters the incorrect PIN too many times, they can lock out the TPM. The number
of times that a user can enter an incorrect PIN before the TPM locks varies from
manufacturer to manufacturer. From the Manage TPM area of the administration and
monitoring website, access the centralized key recovery data system.

For more information about TPM ownership, see Configure MBAM to escrow the TPM
and store OwnerAuth passwords.

Note

Starting with Windows 10, version 1607, Windows doesn't keep the TPM owner
password when provisioning the TPM.

1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .
2. In the left pane, select the Manage TPM area.

3. Enter the fully qualified domain name for the computer and the computer name.

4. If necessary, enter the user's domain and user name to retrieve the TPM owner
password file.

5. Choose one of the following options for the Reason for requesting TPM owner
password file:

Reset PIN lockout
Turn on TPM
Turn off TPM
Change TPM password
Clear TPM
Other

After you Submit the form, the website returns one of the following responses:

If it can't find a matching TPM owner password file, it returns an error message.

The TPM owner password file for the submitted computer.

After you retrieve the TPM owner password file, the website displays the owner
password.

6. To save the password to a file, select Save.


7. In the Manage TPM area, select the Reset TPM lockout option, and provide the
TPM owner password file.

The TPM lockout is reset. BitLocker restores the user's access to the device.

Important

Don't share the TPM hash value or TPM owner password file.

Drive recovery

Tip

Starting in version 2107, you can also get BitLocker recovery keys for a tenant-
attached device from the Microsoft Intune admin center. For more information, see
Tenant attach: BitLocker recovery keys.

Recover a drive in recovery mode


Drives go into recovery mode in the following scenarios:

The user loses or forgets their PIN or password

The Trusted Platform Module (TPM) detects changes to the BIOS or startup files of the computer

To get a recovery password, use the Drive recovery area of the administration and
monitoring website.

Important

Recovery passwords expire after a single use. On OS drives and fixed data drives,
the single-use rule automatically applies. On removable drives, it applies when you
remove and reinsert the drive.

1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .

2. In the left pane, select the Drive Recovery area.


3. If necessary, enter the user's domain and user name to view recovery information.

4. To see a list of possible matching recovery keys, enter the first eight digits of the
recovery key ID. To get the exact recovery key, enter the entire recovery key ID.

5. Choose one of the following options as the Reason for Drive Unlock:

Operating system boot order changed
BIOS changed
Operating system files modified
Lost startup key
Lost PIN
TPM reset
Lost passphrase
Lost smartcard
Other

After you Submit the form, the website returns one of the following responses:

If the user has multiple matching recovery passwords, it returns multiple possible matches.

The recovery password and recovery package for the submitted user.

Note

If you're recovering a damaged drive, the recovery package option provides BitLocker with critical information that it needs to recover the drive.

If it can't find a matching recovery password, it returns an error message.

After you retrieve the recovery password and recovery package, the website
displays the recovery password.

6. To copy the password, select Copy Key. To save the recovery password to a file,
select Save.

To unlock the drive, enter the recovery password or use the recovery package.

Recover a moved drive


When you move a drive to a new computer, because the TPM is different, BitLocker
doesn't accept the previous PIN. To recover the moved drive, get the recovery key ID to
retrieve the recovery password.

To recover a moved drive, use the Drive recovery area of the administration and
monitoring website.

1. On the computer with the moved drive, start the computer in Windows Recovery
Environment (WinRE) mode.

2. In WinRE, BitLocker treats the moved OS drive as a fixed data drive. BitLocker
displays the drive's recovery password ID and prompts for the recovery password.

Note

In some situations, during the startup process select I forgot the PIN if the
option is available. Then enter recovery mode to display the recovery key ID.

3. Use the recovery key ID to get the recovery password from the administration and
monitoring website. For more information, see Recover a drive in recovery mode.

If you configured the moved drive to use a TPM chip on the original computer,
complete the following steps. Otherwise, the recovery process is complete.

1. After you unlock the drive, start the computer in WinRE mode. Open a command
prompt in WinRE, and use the manage-bde command to decrypt the drive. This tool
is the only way to remove the TPM + PIN protector without the original TPM chip.
For more information about this command, see Manage-bde.

2. When it's complete, start the computer normally. Configuration Manager will
enforce the BitLocker policy to encrypt the drive with the new computer's TPM
plus PIN.

Recover a corrupted drive
Use the recovery key ID to get a recovery key package from the administration and
monitoring website. For more information, see Recover a drive in recovery mode.

1. Save the Recovery Key Package on your computer, then copy it to the computer
with the corrupted drive.

2. Open a command prompt as an administrator, and type the following command:

repair-bde <corrupted drive> <fixed drive> -kp <key package> -rp <recovery password>

Replace the following values:

<corrupted drive>: The drive letter of the corrupted drive, for example D:

<fixed drive>: The drive letter of an available hard disk drive of similar or larger size than the corrupted drive. BitLocker recovers and moves data on the corrupted drive to the specified drive. All data on this drive is overwritten.

<key package>: The location of the recovery key package

<recovery password>: The associated recovery password

For example:

repair-bde C: D: -kp F:\RecoveryKeyPackage -rp 111111-222222-333333-444444-555555-666666-777777-888888

For more information about this command, see Repair-bde.

Reports
The administration and monitoring website includes the Recovery Audit Report. Other
reports are available from the Configuration Manager reporting services point. For more
information, see View BitLocker reports.

1. Go to the administration and monitoring website in the web browser, for example
https://webserver.contoso.com/HelpDesk .

2. In the left pane, select the Reports area.

3. From the top menu bar, select the Recovery Audit Report.

For more information on this report, see Recovery Audit Report.


Tip

To save report results, select Export on the Reports menu bar.


BitLocker self-service portal
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you install the BitLocker self-service portal, if BitLocker locks a user's device, they
can independently get access to their computers. The self-service portal requires no
assistance from help desk staff.

Important

To get a recovery key from the self-service portal, a user must have successfully
signed in to the computer at least once. This sign-in must be local to the device,
not in a remote session. Otherwise, they need to contact the help desk for key
recovery. A help desk administrator can use the administration and monitoring
website to request the recovery key.

BitLocker can lock the device in the following situations:

The user forgets their BitLocker password or PIN

There's a change to the device's OS files, BIOS, or Trusted Platform Module (TPM)

To request the BitLocker recovery key from the self-service portal:

1. When BitLocker locks a device, it displays the BitLocker recovery screen during
startup. Write down the 32-digit BitLocker recovery key ID.

2. On another computer, go to the self-service portal in the web browser, for example
https://webserver.contoso.com/SelfService .

3. Read and accept the notice.

4. In the Recovery Key ID field, enter the first eight digits of the BitLocker recovery
key ID. If it matches multiple keys, then enter all 32 digits.

5. Choose one of the following options for the Reason for this request:

BIOS/TPM changed
OS files modified
Lost PIN/passphrase

6. Select Get Key. The self-service portal displays the 48-digit BitLocker recovery key.

7. Enter this 48-digit code into the BitLocker recovery screen on your computer.

Note

The BitLocker self-service portal may time out after a period of inactivity. For example, after five minutes you may see a timeout warning with a 60 second counter. If you don't respond to the countdown, the session will expire.


SQL Always On when BitLocker recovery
data is encrypted in the database
06/12/2025

For SQL Always On, additional steps are required when the BitLocker information is encrypted using the instructions at Encrypt recovery data in the database. The additional steps ensure that all Always On nodes can automatically open the Database Master Key (DMK) when a failover event occurs. Following these steps allows seamless retrieval of BitLocker keys without manual intervention.

Overview of SQL Always On when BitLocker recovery data is encrypted in the database

SQL Server encrypts data using a hierarchical infrastructure, which is described in depth at Encryption Hierarchy.

Service Master Key (SMK): This key is a per-instance key that is unique to each SQL Server Always On node and isn't replicated. It's used to encrypt the database master key.

Database Master Key (DMK): This key is stored in the database and is replicated. It's used to encrypt the BitLockerManagement_CERT.

BitLockerManagement_CERT: This certificate is stored in the database and is replicated. It's used to encrypt some BitLocker-related data like recovery keys.

The SMK encrypts the DMK password. SMKs are node-specific. When a failover event occurs,
the new primary node can't decrypt the DMK password since it was encrypted with a different
SMK. Setting the DMK password on each node allows the node to decrypt the password on
failover.

Note

The BitLockerManagement_CERT performs the encryption of the columns. If this certificate is lost or deleted, or the DMK that encrypted it is lost or deleted, BitLocker keys have to be escrowed and encrypted again.

If the Database Master Key (DMK) password is known

Execute the following command on each node in the Availability Group that hosts the Configuration Manager database:

Important

In the following command:

Replace password everywhere with a strong password of your choosing. Make sure
to securely store the password for future reference.
Replace CM_XXX with the name of the Configuration Manager (CM) database.

SQL

EXEC sp_control_dbmasterkey_password
@db_name = N'CM_XXX',
@password = N'password',
@action = N'add';

This command registers the DMK password with the local Service Master Key (SMK) allowing
SQL Server to automatically open the DMK when a failover event occurs. This process ensures
the DMK can be decrypted automatically on that node after a failover or a restart.

To verify that all nodes can automatically open the Database Master Key (DMK) and decrypt the
data, see the section Verify all nodes can automatically open the Database Master Key (DMK)
and decrypt the data in this article.

If the existing Database Master Key (DMK) password is unknown

If the existing DMK password is unknown, the existing DMK must be dropped and a new one created with a known password. These steps document how to perform this procedure.

Find a valid DMK

If it's unknown which node has a valid DMK, follow these steps to determine where the existing DMK is open:

Important

In the following queries and commands:


Replace password everywhere with a strong password of your choosing. Make sure
to securely store the password in a known location for future reference.
Replace CM_XXX with the name of the Configuration Manager (CM) database.

1. Run the following query on the primary node:

SQL

SELECT TOP 5 RecoveryAndHardwareCore.DecryptString(RecoveryKey, DEFAULT)
FROM RecoveryAndHardwareCore_Keys
ORDER BY LastUpdateTime DESC

2. In the resultant query:

If the DMK is open, the query returns plaintext values for any rows that have a valid
key in them. This node is the node to start on and the next step can be skipped.
If the DMK isn't open, the query returns NULL values for all rows. The current node
isn't the node where the DMK is open. Follow the next step to find the node where
the DMK is open.

3. If the query returns all NULL values, then failover to each secondary node and repeat the
previous steps until the node that can successfully decrypt
RecoveryAndHardwareCore_Keys is found. This node is the node to start on.

Create a new Database Master Key (DMK)

Once the proper node with the open DMK is identified, follow these steps:

1. On the node that was identified in the previous steps, run the following query to export
the BitLockerManagement_CERT certificate with its private key. Make sure to use a strong
password:

SQL

BACKUP CERTIFICATE BitLockerManagement_CERT
TO FILE = 'C:\Windows\Temp\BitLockerManagement_CERT'
WITH PRIVATE KEY
(
FILE = 'C:\Windows\Temp\BitLockerManagement_CERT_KEY',
ENCRYPTION BY PASSWORD = 'password'
);

2. Back up the existing Database Master Key (DMK) by running the following query to
export the existing DMK:

SQL

BACKUP MASTER KEY
TO FILE = 'C:\Windows\Temp\DMK'
ENCRYPTION BY PASSWORD = 'password';

Note

This step is optional but recommended. Make sure to keep the backup in a secure
known location.

3. Run the following query to drop the existing certificate and DMK:

SQL

DROP CERTIFICATE BitLockerManagement_CERT;
DROP MASTER KEY;

This step removes the old keys.

4. Run the following query to create a new DMK. Make sure to use a strong password:

SQL

CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'password';

5. Run the following query to register the new DMK password with the local SMK:

SQL

EXEC sp_control_dbmasterkey_password
@db_name = N'CM_XXX',
@password = N'password',
@action = N'add';

6. Run the following query to import the previously exported BitLockerManagement_CERT certificate:

SQL

CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
FROM FILE = 'C:\Windows\Temp\BitLockerManagement_CERT'
WITH PRIVATE KEY
(
FILE = 'C:\Windows\Temp\BitLockerManagement_CERT_KEY',
DECRYPTION BY PASSWORD = 'password'
);

7. Run the following query to grant required control permissions on the certificate:

SQL

GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareRead;
GRANT CONTROL ON CERTIFICATE::BitLockerManagement_CERT TO RecoveryAndHardwareWrite;

8. Fail over to the next node.

9. Run the following query to register the DMK password with the local SMK. Execute once
per replica:

SQL

EXEC sp_control_dbmasterkey_password
@db_name = N'CM_XXX',
@password = N'password',
@action = N'add';

10. Perform the previous two steps on any remaining nodes.

11. Fail over to the original node.

12. To verify that all nodes can automatically open the Database Master Key (DMK) and
decrypt the data, see the next section Verify all nodes can automatically open the
Database Master Key (DMK) and decrypt the data in this article.

Verify all nodes can automatically open the Database Master Key (DMK) and decrypt the data

To verify that all nodes can automatically open the Database Master Key (DMK) and decrypt the data:

1. Fail over to a node.

2. Run the following query:

SQL
SELECT TOP 5 RecoveryAndHardwareCore.DecryptString(RecoveryKey, DEFAULT)
FROM RecoveryAndHardwareCore_Keys
ORDER BY LastUpdateTime DESC

3. If the query returns plaintext values for any rows that have a valid key in them, then the
node can automatically open the Database Master Key (DMK) and can decrypt the data.

4. Repeat the previous three steps for each additional node.
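As an added check (example code, not from this documentation), the following T-SQL runs the same probe used in the Find a valid DMK and verification steps above, but counts the results and combines them with two catalog lookups, so that one result row tells you whether the replica you are connected to can open the DMK. CM_XXX is the same placeholder as elsewhere in this article; the key, certificate, schema and table names are the ones this article uses.

```sql
-- Added example, not part of the Configuration Manager documentation.
-- Run it while connected to the replica you want to check (that is, after each
-- failover in the verification procedure). CM_XXX is a placeholder for the site
-- database name, exactly as in the commands above.
USE CM_XXX;
GO

-- 1 when this instance hosts the primary replica of the database's availability
-- group, 0 when it hosts a secondary, NULL when the database is not in a group.
DECLARE @isPrimary bit = sys.fn_hadr_is_primary_replica(DB_NAME());

-- The DMK is the symmetric key SQL Server names ##MS_DatabaseMasterKey##; the
-- certificate that encrypts the BitLocker columns is BitLockerManagement_CERT.
DECLARE @dmkExists bit = CASE WHEN EXISTS
    (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    THEN 1 ELSE 0 END;
DECLARE @certExists bit = CASE WHEN EXISTS
    (SELECT 1 FROM sys.certificates WHERE name = N'BitLockerManagement_CERT')
    THEN 1 ELSE 0 END;

-- The article's probe, counted instead of read by eye. COUNT(column) skips
-- NULLs, so keys_decrypted = 0 while keys_sampled > 0 means every sampled value
-- came back NULL: the DMK could not be opened automatically on this node.
-- Only probe when the certificate is present; without it there is nothing to
-- decrypt with.
DECLARE @sampled int = 0, @decrypted int = 0;
IF @certExists = 1
    SELECT @sampled   = COUNT(*),
           @decrypted = COUNT(k.plain)
    FROM (SELECT TOP (5)
                 RecoveryAndHardwareCore.DecryptString(RecoveryKey, DEFAULT) AS plain
          FROM RecoveryAndHardwareCore_Keys
          ORDER BY LastUpdateTime DESC) AS k;

SELECT @@SERVERNAME AS replica,
       @isPrimary   AS is_primary_replica,
       @dmkExists   AS dmk_exists,
       @certExists  AS bitlocker_cert_exists,
       @sampled     AS keys_sampled,
       @decrypted   AS keys_decrypted,
       CASE
           WHEN @isPrimary = 0
               THEN 'Secondary replica: fail over to this node and run again'
           WHEN @dmkExists = 0
               THEN 'No DMK in the database: create one and re-import the certificate'
           WHEN @certExists = 0
               THEN 'BitLockerManagement_CERT missing: recovery keys must be escrowed again'
           WHEN @sampled = 0
               THEN 'No escrowed recovery keys to test against yet'
           WHEN @decrypted = 0
               THEN 'DMK closed on this node: register its password here with sp_control_dbmasterkey_password'
           ELSE 'OK: this node opens the DMK automatically and decrypts recovery data'
       END AS verdict;
```

Run it once per replica after failing over to that replica; a verdict other than OK names the step of the procedure above that still has to be done on that node.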

Tip

For improved security, store the strong DMK password securely. For example, in Azure Key
Vault or another secure secret store. Additionally, avoid hardcoding the DMK password in
plain text in scripts or configuration files.

Related articles
Encrypt recovery data in the database.
Prepare to use a SQL Server Always On availability group with Configuration Manager.
Configure a SQL Server Always On availability group for Configuration Manager.

Windows Hello for Business settings in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager integrates with Windows Hello for Business. (This feature was
formerly known as Microsoft Passport for Work.) Windows Hello for Business is an
alternative sign-in method for Windows 10 devices. It uses Active Directory or a
Microsoft Entra account to replace a password, smart card, or virtual smart card. Hello
for Business lets you use a user gesture to sign in instead of a password. A user gesture
might be a PIN, biometric authentication, or an external device such as a fingerprint
reader.

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

Active Directory Federation Services Registration Authority (ADFS RA) deployment is simpler, provides a better user experience, and has a more deterministic certificate enrollment experience. Use ADFS RA for certificate-based authentication with Windows Hello for Business.

For more information, see Windows Hello for Business.

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Configuration Manager integrates with Windows Hello for Business in the following
ways:

Control which gestures users can and can't use to sign in.

Store authentication certificates in the Windows Hello for Business key storage
provider (KSP). For more information, see Certificate profiles.
Create and deploy a Windows Hello for Business profile to control its settings on
domain-joined Windows 10 devices that run the Configuration Manager client.
Starting in version 1910, you can't use certificate-based authentication. When
using key-based authentication, you don't need to deploy a certificate profile.

Configure a profile
1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Expand Compliance Settings, expand Company Resource Access, and
select the Windows Hello for Business Profiles node.

2. In the ribbon, select Create Windows Hello for Business Profile to start the profile
wizard.

3. On the General page, specify a name and an optional description for this profile.

4. On the Supported Platforms page, select the OS versions to which this profile
should apply.

5. On the Settings page, configure the following settings:

Configure Windows Hello for Business: Specify whether this profile enables,
disables, or doesn't configure Hello for Business.

Use a Trusted Platform Module (TPM): A TPM provides an additional layer of data security. Choose one of the following values:

Required: Only devices with an accessible TPM can provision Windows Hello for Business.

Preferred: Devices first attempt to use a TPM. If it's not available, they can use software encryption.

Authentication method: Set this option to Not configured or Key-based.

Note

Starting in version 1910, certificate-based authentication with Windows Hello for Business settings in Configuration Manager isn't supported.

Configure minimum PIN length: If you want to require a minimum length for
the user's PIN, enable this option and specify a value. When enabled, the
default value is 4 .
Configure maximum PIN length: If you want to require a maximum length
for the user's PIN, enable this option and specify a value. When enabled the
default value is 127 .

Require PIN expiration (days): Specifies the number of days before the user
must change the device PIN.

Prevent reuse of previous PINs: Don't allow users to use PINs they have
previously used.

Require upper-case letters in PIN: Specifies whether users must include uppercase letters in the Windows Hello for Business PIN. Choose from:

Allowed: Users can use uppercase characters in their PIN, but don't have
to.

Required: Users must include at least one uppercase character in their PIN.

Not allowed: Users can't use uppercase characters in their PIN.

Require lower-case letters in PIN: Specifies whether users must include lowercase letters in the Windows Hello for Business PIN. Choose from:

Allowed: Users can use lowercase characters in their PIN, but don't have
to.

Required: Users must include at least one lowercase character in their PIN.

Not allowed: Users can't use lowercase characters in their PIN.

Configure special characters: Specifies the use of special characters in the PIN. Choose from:

Note

Special characters include the following set: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

Allowed: Users can use special characters in their PIN, but don't have to.

Required: Users must include at least one special character in their PIN.

Not allowed: Users can't use special characters in their PIN. This is also the behavior if the setting is Not configured.

Configure the use of digits in PIN: Specifies the use of numbers in the PIN.
Choose from:

Allowed: Users can use numbers in their PIN, but don't have to.

Required: Users must include at least one number in their PIN.

Not allowed: Users can't use numbers in their PIN.

Enable biometric gestures: Use biometric authentication such as facial recognition or fingerprint. These modes are an alternative to a PIN for Windows Hello for Business. Users still configure a PIN in case biometric authentication fails.

If set to Yes, Windows Hello for Business allows biometric authentication. If set to No, Windows Hello for Business prevents biometric authentication for all account types.

Use enhanced anti-spoofing: Configures enhanced anti-spoofing on devices that support it. If set to Yes, where supported, Windows requires all users to use anti-spoofing for facial features.

Use Phone Sign In: Configures two-factor authentication with a mobile phone.

6. Complete the wizard.

The following screenshot is an example of Windows Hello for Business profile settings:

Configure permissions
1. As a Domain Administrator or equivalent credentials, sign in to a secure,
administrative workstation that has the following optional feature installed: RSAT:
Active Directory Domain Services and Lightweight Directory Services Tools.

2. Open the Active Directory Users and Computers console.

3. Select the domain, go to the Action Menu, and select Properties.

4. Switch to the Security tab, and select Advanced.

Tip

If you don't see the Security tab, close the properties window. Go to the View
menu, and select Advanced Features.

5. Select Add.

6. Choose Select a principal and enter Key Admins .

7. From the Applies to list, select Descendant User objects.


8. At the bottom of the page, select Clear all.

9. In the Properties section, select Read msDS-KeyCredentialLink.

10. Select OK to save your changes and close all windows.

Next steps
Certificate profiles


Introduction to certificate profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

Certificate profiles work with Active Directory Certificate Services and the Network
Device Enrollment Service (NDES) role. Create and deploy authentication certificates for
managed devices so that users can easily access organizational resources. For example,
you can create and deploy certificate profiles to provide the necessary certificates for
users to connect to VPN and wireless connections.

Certificate profiles can automatically configure user devices for access to organizational
resources such as Wi-Fi networks and VPN servers. Users can access these resources
without manually installing certificates or using an out-of-band process. Certificate
profiles help to secure resources because you can use more secure settings that are
supported by your public key infrastructure (PKI). For example, require server
authentication for all Wi-Fi and VPN connections because you've deployed the required
certificates on the managed devices.

Certificate profiles provide the following management capabilities:

Certificate enrollment and renewal from a certification authority (CA) for devices
that run different OS types and versions. These certificates can then be used for
Wi-Fi and VPN connections.

Deployment of trusted root CA certificates and intermediate CA certificates. These certificates configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.

Monitor and report about the installed certificates.

Example 1: All employees need to connect to Wi-Fi hotspots in multiple office locations. To enable easy user connection, first deploy the certificates needed to connect to Wi-Fi. Then deploy Wi-Fi profiles that reference the certificate.

Example 2: You have a PKI in place. You want to move to a more flexible, secure method of deploying certificates. Users need to access organizational resources from their personal devices without compromising security. Configure certificate profiles with settings and protocols that are supported for the specific device platform. The devices can then automatically request these certificates from an internet-facing enrollment server. Then, configure VPN profiles to use these certificates so that the device can access organizational resources.

Types
There are three types of certificate profiles:

Trusted CA certificate: Deploy a trusted root CA or intermediate CA certificate. These certificates form a chain of trust when the device must authenticate a server.

Simple Certificate Enrollment Protocol (SCEP): Request a certificate for a device or user by using the SCEP protocol. This type requires the Network Device Enrollment Service (NDES) role on a server running Windows Server 2012 R2 or later.

To create a SCEP certificate profile, first create a Trusted CA certificate profile.

Personal information exchange (.pfx): Request a .pfx (also known as PKCS #12) certificate for a device or user. There are two methods to create PFX certificate profiles:
Import credentials from existing certificates
Define a certificate authority to process requests

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

You can use Microsoft or Entrust as certificate authorities for Personal information
exchange (.pfx) certificates.

Requirements
To deploy certificate profiles that use SCEP, install the certificate registration point on a
site system server. Also install a policy module for NDES, the Configuration Manager
Policy Module, on a server that runs Windows Server 2012 R2 or later. This server
requires the Active Directory Certificate Services role. It also requires a working NDES
that's accessible to the devices that require the certificates. If your devices need to enroll
for certificates from the internet, then your NDES server must be accessible from the
internet. For example, to safely enable traffic to the NDES server from the internet, you
can use Azure Application Proxy.

PFX certificates also require a certificate registration point. Also specify the certificate
authority (CA) for the certificate and the relevant access credentials. You can specify
either Microsoft or Entrust as certificate authorities.

For more information about how NDES supports a policy module so that Configuration
Manager can deploy certificates, see Using a Policy Module with the Network Device
Enrollment Service.

Depending on the requirements, Configuration Manager supports deploying certificates to different certificate stores on various device types and operating systems. The following devices and operating systems are supported:

Windows 10

Windows 10 Mobile

Windows 8.1

Windows Phone 8.1

Note

Use Configuration Manager on-premises MDM to manage Windows Phone 8.1 and Windows 10 Mobile. For more information, see On-premises MDM.

A typical scenario for Configuration Manager is to install trusted root CA certificates to authenticate Wi-Fi and VPN servers. Typical connections use the following protocols:

Authentication protocols: EAP-TLS, EAP-TTLS, and PEAP

VPN tunneling protocols: IKEv2, L2TP/IPsec, and Cisco IPsec

An enterprise root CA certificate must be installed on the device before the device can
request certificates by using a SCEP certificate profile.

You can specify settings in a SCEP certificate profile to request customized certificates
for different environments or connectivity requirements. The Create Certificate Profile
Wizard has two pages for enrollment parameters. The first, SCEP Enrollment, includes
settings for the enrollment request and where to install the certificate. The second,
Certificate Properties, describes the requested certificate itself.

Deploy
When you deploy a SCEP certificate profile, the Configuration Manager client processes
the policy. It then requests a SCEP challenge password from the management point. The
device creates a public/private key pair, and generates a certificate signing request
(CSR). It sends this request to the NDES server. The NDES server forwards the request to
the certificate registration point site system via the NDES policy module. The certificate
registration point validates the request, checks the SCEP challenge password, and
verifies that the request wasn't tampered with. It then approves or denies the request. If
approved, the NDES server sends the signing request to the connected certificate
authority (CA) for signing. The CA signs the request, and then it returns the certificate to
the requesting device.

Deploy certificate profiles to user or device collections. You can specify the destination
store for each certificate. Applicability rules determine whether the device can install the
certificate.

When you deploy a certificate profile to a user collection, user device affinity determines
which of the users' devices install the certificates. When you deploy a certificate profile
with a user certificate to a device collection, by default each of the users' primary
devices install the certificates. To install the certificate on any of the users' devices,
change this behavior on the SCEP Enrollment page of the Create Certificate Profile
Wizard. If the devices are in a workgroup, Configuration Manager doesn't deploy user
certificates.

Monitor
You can monitor certificate profile deployments by viewing compliance results or
reports. For more information, see How to monitor certificate profiles.

Automatic revocation
Configuration Manager automatically revokes user and computer certificates that were
deployed by using certificate profiles in the following circumstances:

The device is retired from Configuration Manager management.

The device is blocked from the Configuration Manager hierarchy.


To revoke the certificates, the site server sends a revocation command to the issuing
certification authority. The reason for the revocation is Cease of Operation.

Note

To properly revoke a certificate, the computer account for the top-level site in the
hierarchy needs the permission to issue and manage certificates on the CA.

For improved security, you can also restrict CA managers on the CA. Then only give
this account permissions on the specific certificate template that you use for the
SCEP profiles on the site.

Next steps
Create certificate profiles

Configure certificate infrastructure


Create certificate profiles
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

Use certificate profiles in Configuration Manager to provision managed devices with the
certificates they need to access company resources. Before creating certificate profiles,
set up the certificate infrastructure as described in Set up certificate infrastructure.

This article describes how to create trusted root and Simple Certificate Enrollment
Protocol (SCEP) certificate profiles. If you want to create PFX certificate profiles, see
Create PFX certificate profiles.

To create a certificate profile:

1. Start the Create Certificate Profile Wizard.
2. Provide general information about the certificate.
3. Configure a trusted certificate authority (CA) certificate.
4. Configure SCEP certificate information.
5. Specify supported platforms for the certificate profile.

Start the wizard

To start the Create Certificate Profile Wizard:

1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then select the Certificate Profiles node.

2. On the Home tab of the ribbon, in the Create group, select Create Certificate
Profile.

General
On the General page of the Create Certificate Profile Wizard, specify the following
information:

Name: Enter a unique name for the certificate profile. You can use a maximum of
256 characters.

Description: Provide a description that gives an overview of the certificate profile. Also include other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

Specify the type of certificate profile that you want to create:

Trusted CA certificate: Select this type to deploy a trusted root certification authority (CA) or intermediate CA certificate to form a certificate chain of trust when the user or device must authenticate another device. For example, the device might be a Remote Authentication Dial-In User Service (RADIUS) server or a virtual private network (VPN) server.

Also configure a trusted CA certificate profile before you can create a SCEP certificate profile. In this case, the trusted CA certificate must be for the CA that issues the certificate to the user or device.

Simple Certificate Enrollment Protocol (SCEP) settings: Select this type to request a certificate for a user or device with the Simple Certificate Enrollment Protocol and the Network Device Enrollment Service (NDES) role service.

Personal Information Exchange PKCS #12 (PFX) settings - Import: Select this option to import a PFX certificate. For more information, see Import PFX certificate profiles.

Personal Information Exchange PKCS #12 (PFX) settings - Create: Select this option to process PFX certificates using a certificate authority. For more information, see Create PFX certificate profiles.

Trusted CA certificate

Important

Before you create a SCEP certificate profile, configure at least one trusted CA certificate profile.

After the certificate is deployed, if you change any of these values, a new certificate is requested:

Key Storage Provider
Certificate template name
Certificate type
Subject name format
Subject alternative name
Certificate validity period
Key usage
Key size
Extended key usage
Root CA certificate

1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify
the following information:

Certificate file: Select Import, and then browse to the certificate file.

Destination store: For devices that have more than one certificate store,
select where to store the certificate. For devices that have only one store, this
setting is ignored.

2. Use the Certificate thumbprint value to verify that you've imported the correct
certificate.

SCEP certificates

1. SCEP Servers
On the SCEP Servers page of the Create Certificate Profile Wizard, specify the URLs for
the NDES Servers that will issue certificates via SCEP. You can automatically assign an
NDES URL based on the configuration of the certificate registration point, or add URLs
manually.

2. SCEP Enrollment
Complete the SCEP Enrollment page of the Create Certificate Profile Wizard.

Retries: Specify the number of times that the device automatically retries the
certificate request to the NDES server. This setting supports the scenario where a
CA manager must approve a certificate request before it's accepted. This setting is
typically used for high-security environments or if you have a stand-alone issuing
CA rather than an enterprise CA. You might also use this setting for testing
purposes so that you can inspect the certificate request options before the issuing
CA processes the certificate request. Use this setting with the Retry delay
(minutes) setting.

Retry delay (minutes): Specify the interval, in minutes, between each enrollment
attempt when you use CA manager approval before the issuing CA processes the
certificate request. If you use manager approval for testing purposes, specify a low
value. Then you're not waiting a long time for the device to retry the certificate
request after you approve the request.

If you use manager approval on a production network, specify a higher value. This
behavior allows sufficient time for the CA administrator to approve or deny
pending approvals.

Renewal threshold (%): Specify the percentage of the certificate lifetime that
remains before the device requests renewal of the certificate.

Key Storage Provider (KSP): Specify where the key to the certificate is stored.
Choose from one of the following values:

Install to Trusted Platform Module (TPM) if present: Installs the key to the
TPM. If the TPM isn't present, the key is installed to the storage provider for the
software key.

Install to Trusted Platform Module (TPM) otherwise fail: Installs the key to the
TPM. If the TPM module isn't present, the installation fails.

Install to Windows Hello for Business otherwise fail: This option is available for
Windows 10 or later devices. It allows you to store the certificate in the
Windows Hello for Business store, which is protected by multi-factor
authentication. For more information, see Windows Hello for Business.

Note

This option doesn't support Smart card logon for the Enhanced key usage on the Certificate Properties page.

Install to Software Key Storage Provider: Installs the key to the storage
provider for the software key.

Devices for certificate enrollment: If you deploy the certificate profile to a user
collection, allow certificate enrollment only on the user's primary device, or on any
device to which the user signs in.

If you deploy the certificate profile to a device collection, allow certificate enrollment for only the primary user of the device, or for all users that sign in to the device.

3. Certificate Properties
On the Certificate Properties page of the Create Certificate Profile Wizard, specify the
following information:

Certificate template name: Select the name of a certificate template that you
configured in NDES and added to an issuing CA. To successfully browse to
certificate templates, your user account needs Read permission to the certificate
template. If you can't Browse for the certificate, type its name.

Important

If the certificate template name contains non-ASCII characters, the certificate isn't deployed. (One example is Chinese characters.) To make sure that the certificate is deployed, first create a copy of the certificate template on the CA. Then rename the copy by using ASCII characters.

If you browse to select the name of the certificate template, some fields on the page automatically populate from the certificate template. In some cases, you can't change these values unless you choose a different certificate template.

If you type the name of the certificate template, make sure that the name exactly matches one of the certificate templates. It must match the names that are listed in the registry of the NDES server. Make sure that you specify the name of the certificate template, and not the display name of the certificate template.

To find the names of certificate templates, browse to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. It lists the certificate templates as the values for EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate. By default, the value for all three certificate templates is IPSECIntermediateOffline, which maps to the template display name of IPSec (Offline request).

Warning

When you type the name of the certificate template, Configuration Manager can't verify the contents of the certificate template. You may be able to select options that the certificate template doesn't support, which may result in a failed certificate request. When this behavior happens, you'll see an error message for w3wp.exe in the CRP.log file that the template name in the certificate signing request (CSR) and the challenge don't match.

When you type the name of the certificate template that's specified for the GeneralPurposeTemplate value, select the Key encipherment and the Digital signature options for this certificate profile. If you want to enable only the Key encipherment option in this certificate profile, specify the certificate template name for the EncryptionTemplate key. Similarly, if you want to enable only the Digital signature option in this certificate profile, specify the certificate template name for the SignatureTemplate key.

Certificate type: Select whether you'll deploy the certificate to a device or a user.

Subject name format: Select how Configuration Manager automatically creates the
subject name in the certificate request. If the certificate is for a user, you can also
include the user's email address in the subject name.

Note

If you select IMEI number or Serial number, you can differentiate between different devices that are owned by the same user. For example, those devices could share a common name, but not an IMEI number or serial number. If the device doesn't report an IMEI or serial number, the certificate is issued with the common name.

Subject alternative name: Specify how Configuration Manager automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the client certificate will authenticate to a Network Policy Server, set the subject alternative name to the UPN.

Certificate validity period: If you set a custom validity period on the issuing CA, specify the amount of remaining time before the certificate expires.

Tip

Set a custom validity period with the following command line: certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE. For more information about this command, see Certificate infrastructure.

You can specify a value that's lower than the validity period in the specified
certificate template, but not higher. For example, if the certificate validity period in
the certificate template is two years, you can specify a value of one year, but not a
value of five years. The value must also be lower than the remaining validity period
of the issuing CA's certificate.

Key usage: Specify key usage options for the certificate. Choose from the following
options:

Key encipherment: Mark the key as usable to encrypt (wrap) keys during key exchange.

Digital signature: Mark the key as usable to sign data, which is what a client certificate needs for TLS client authentication.

If you browsed for a certificate template, you can't change these settings, unless
you select a different certificate template.

Configure the selected certificate template with one or both of the two key usage
options above. If not, you'll see the following message in the certificate registration
point log file, Crp.log: Key usage in CSR and challenge do not match

Key size (bits): Select the size of the key in bits.

Extended key usage: Add values for the certificate's intended purpose. In most
cases, the certificate requires Client Authentication so that the user or device can
authenticate to a server. You can add any other key usages as required.

Hash algorithm: Select one of the available hash algorithm types to use with this
certificate. Select the strongest level of security that the connecting devices
support.

Note

SHA-2 supports SHA-256, SHA-384, and SHA-512. SHA-3 supports only SHA-3.

Root CA certificate: Choose a root CA certificate profile that you previously configured and deployed to the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate that you're configuring in this certificate profile.

Important

If you specify a root CA certificate that's not deployed to the user or device,
Configuration Manager won't initiate the certificate request that you're
configuring in this certificate profile.
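A check for the Certificate template name setting described above, written as an added example for this edit rather than tooling from the article: it reads the three template slots from the NDES registry key, confirms each one is a published template name (the object cn in Active Directory) rather than a display name, and flags names containing non-ASCII characters, which the Important note says are not deployed. Run it on the NDES server; reading the Configuration partition over LDAP needs only a domain user by default.

```powershell
# Added example (not from the original article): cross-check the templates that
# NDES is configured with against the templates published in the forest.
# Run on the NDES server as any domain user.

$mscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ndes     = Get-ItemProperty -Path $mscepKey

# The three registry values the Create Certificate Profile Wizard matches against
$slots = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# Published templates live in the Configuration partition. The object cn is the
# template *name* NDES expects; displayName is what the Certificate Templates
# console shows (e.g. cn IPSECIntermediateOffline, displayName "IPSec (Offline request)").
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates = @{}
foreach ($t in $container.Children) {
    $templates[[string]$t.cn] = [string]$t.displayName
}

foreach ($slot in $slots) {
    $name = $ndes.$slot
    if (-not $name) {
        Write-Warning "$slot is not set under $mscepKey"
        continue
    }
    if (-not $templates.ContainsKey($name)) {
        # Typing the display name into the profile is the common mistake here
        $byDisplay = $templates.GetEnumerator() | Where-Object { $_.Value -eq $name }
        $hint = if ($byDisplay) { " (that is the display name; the template name is '$($byDisplay.Key)')" } else { '' }
        Write-Warning "$slot = '$name' is not a published template name$hint"
        continue
    }
    $nonAscii = $name -notmatch '^[\x20-\x7E]+$'
    $flag = if ($nonAscii) { '  ** non-ASCII name: copy the template and rename the copy **' } else { '' }
    '{0,-24} {1,-32} display name: {2}{3}' -f $slot, $name, $templates[$name], $flag
}
```

If the profile was typed rather than browsed and the request fails with the "template name in the CSR and the challenge do not match" error in CRP.log, running this on the NDES server tells you quickly whether the name in the profile is actually one of the three values NDES will honour.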

Supported platforms
On the Supported Platforms page of the Create Certificate Profile Wizard, select the OS
versions where you want to install the certificate profile. Choose Select all to install the
certificate profile to all available operating systems.

Next steps
The new certificate profile appears in the Certificate Profiles node in the Assets and
Compliance workspace. It's ready for you to deploy to users or devices. For more
information, see How to deploy profiles.


Configure certificate infrastructure
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

Learn to configure certificate infrastructure in Configuration Manager. Before you start, check for any prerequisites that are listed in Prerequisites for certificate profiles.

Use these steps to configure your infrastructure for SCEP or PFX certificates.

Step 1 - Install and Configure the Network Device Enrollment Service and Dependencies (for SCEP certificates only)
You must install and configure the Network Device Enrollment Service role service for
Active Directory Certificate Services (AD CS), change the security permissions on the
certificate templates, deploy a public key infrastructure (PKI) client authentication
certificate, and edit the registry to increase the Internet Information Services (IIS) default
URL size limit. If necessary, you must also configure the issuing certification authority
(CA) to allow a custom validity period.

Important

Before you configure Configuration Manager to work with the Network Device
Enrollment Service, verify the installation and configuration of the Network Device
Enrollment Service. If these dependencies are not working correctly, you will have
difficulty troubleshooting certificate enrollment by using Configuration Manager.

To install and configure the Network Device Enrollment Service and dependencies

1. On a server that is running Windows Server 2012 R2 or later, install and configure the Network Device Enrollment Service role service for the Active Directory Certificate Services server role. For more information, see Network Device Enrollment Service Guidance.

2. Check, and if necessary, modify the security permissions for the certificate
templates that the Network Device Enrollment Service is using:

For the account that runs the Configuration Manager console: Read
permission.

This permission is required so that when you run the Create Certificate Profile
Wizard, you can browse to select the certificate template that you want to
use when you create a SCEP settings profile. Selecting a certificate template
means that some settings in the wizard are automatically populated, so there
is less for you to configure and there is less risk of selecting settings that are
not compatible with the certificate templates that the Network Device
Enrollment Service is using.

For the SCEP Service account that the Network Device Enrollment Service
application pool uses: Read and Enroll permissions.

This requirement is not specific to Configuration Manager but is part of configuring the Network Device Enrollment Service. For more information, see Network Device Enrollment Service Guidance.

Tip

To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key on the server that is running the Network Device Enrollment Service: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

Note

These are the default security permissions that will be appropriate for most environments. However, you can use an alternative security configuration. For more information, see Planning for certificate template permissions for certificate profiles.

3. Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a certificate specifically for this purpose. For more information about the requirements for this certificate, refer to the details for Servers running the Configuration Manager Policy Module with the Network Device Enrollment Service role service in the PKI Certificates for Servers section in the PKI certificate requirements for Configuration Manager topic.

Tip

If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for Distribution Points, because the certificate requirements are the same with one exception:

Do not select the Allow private key to be exported check box on the Request Handling tab of the properties for the certificate template.

You do not have to export this certificate with the private key because you will be able to browse to the local Computer store and select it when you configure the Configuration Manager Policy Module.

4. Locate the root certificate that the client authentication certificate chains to. Then,
export this root CA certificate to a certificate (.cer) file. Save this file to a secured
location that you can securely access when you later install and configure the site
system server for the certificate registration point.

5. On the same server, use the registry editor to increase the IIS default URL size limit
by setting the following registry key DWORD values in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:

Set the MaxFieldLength key to 65534.

Set the MaxRequestBytes key to 16777216.

For more information, see Microsoft Support article 820129: Http.sys registry settings for Windows.

6. On the same server, in Internet Information Services (IIS) Manager, modify the
request-filtering settings for the /certsrv/mscep application, and then restart the
server. In the Edit Request Filtering Settings dialog box, the Request Limits
settings should be as follows:

Maximum allowed content length (Bytes): 30000000

Maximum URL length (Bytes): 65534

Maximum query string (Bytes): 65534

For more information about these settings and how to configure them, see
IIS Requests Limits.

7. If you want to be able to request a certificate that has a lower validity period than
the certificate template that you are using: This configuration is disabled by default
for an enterprise CA. To enable this option on an enterprise CA, use the Certutil
command-line tool, and then stop and restart the certificate service by using the
following commands:

a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

b. net stop certsvc

c. net start certsvc

For more information, see Certificate services tools and settings.

8. Verify that the Network Device Enrollment Service is working by using the following link as an example: https://server.contoso.com/certsrv/mscep/mscep.dll. You should see the built-in Network Device Enrollment Service webpage. This webpage explains what the service is and explains that network devices use the URL to submit certificate requests.

Now that the Network Device Enrollment Service and dependencies are
configured, you are ready to install and configure the certificate registration point.
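Steps 5 through 8 above as one script. This is an added example and not part of the original article. It assumes the NDES application is under the IIS site named Default Web Site, that the issuing CA runs on the same server (if not, run the certutil part on the CA instead), and that the server's FQDN is server.contoso.com; change those to match your environment.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the NDES server. Assumptions: the NDES application is under
# 'Default Web Site', the issuing CA is on this server, FQDN server.contoso.com.

Import-Module WebAdministration

# Step 5: HTTP.sys URL and header limits (Microsoft Support article 820129)
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
Set-ItemProperty -Path $httpParams -Name MaxFieldLength  -Value 65534    -Type DWord
Set-ItemProperty -Path $httpParams -Name MaxRequestBytes -Value 16777216 -Type DWord

# Step 6: IIS request filtering limits, scoped to the /certsrv/mscep application
# only, so the rest of the site keeps the default (smaller) limits.
$site   = 'Default Web Site'                              # assumed site name
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$limits = @{ maxAllowedContentLength = 30000000; maxUrl = 65534; maxQueryString = 65534 }
foreach ($name in $limits.Keys) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/certsrv/mscep" -Filter $filter -Name $name -Value $limits[$name]
}

# Step 7 (issuing CA): let a request ask for a shorter validity than the
# template allows. Skip this if you never set "Certificate validity period"
# in a SCEP profile.
certutil.exe -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE | Out-Null
Restart-Service certsvc

# HTTP.sys reads its parameters only at service start. Stopping http also stops
# IIS (W3SVC depends on it); starting W3SVC brings HTTP and WAS back up.
# Rebooting the server, as the article says, has the same effect.
& net.exe stop http /y | Out-Null
& net.exe start w3svc | Out-Null

# Step 8: the NDES endpoint should answer with its built-in landing page
$ndesUrl = 'https://server.contoso.com/certsrv/mscep/mscep.dll'   # assumed FQDN
try {
    $resp = Invoke-WebRequest -Uri $ndesUrl -UseBasicParsing -UseDefaultCredentials
    if ($resp.StatusCode -eq 200 -and $resp.Content -match 'Network Device Enrollment Service') {
        'NDES answered with its built-in landing page.'
    } else {
        Write-Warning "NDES answered HTTP $($resp.StatusCode) but not the expected page."
    }
} catch {
    Write-Warning "NDES probe failed: $($_.Exception.Message)"
}
```

Raising the URL and request-size limits only on the mscep application (via -Location) rather than on the whole site is deliberate: the SCEP challenge and CSR travel in the query string and need the headroom, but nothing else on the site does.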

Step 2 - Install and configure the certificate registration point
You must install and configure at least one certificate registration point in the
Configuration Manager hierarchy, and you can install this site system role in the central
administration site or in a primary site.

Important

Before you install the certificate registration point, see the Site System Requirements section in the Supported configurations for Configuration Manager topic for operating system requirements and dependencies for the certificate registration point.

To install and configure the certificate registration point

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the certificate registration point.

3. On the Home tab, in the Server group, click Add Site System Roles.

4. On the General page, specify the general settings for the site system, and then
click Next.

5. On the Proxy page, click Next. The certificate registration point does not use
Internet proxy settings.

6. On the System Role Selection page, select Certificate registration point from the
list of available roles, and then click Next.

7. On the Certificate Registration Mode page, select whether you want this
certificate registration point to Process SCEP certificate requests, or Process PFX
certificate requests. A certificate registration point cannot process both kinds of
requests, but you can create multiple certificate registration points if you are
working with both certificate types.

If processing PFX certificates, you'll need to choose a certificate authority, either Microsoft or Entrust.

8. The Certificate Registration Point Settings page varies according to the certificate
type:

If you selected Process SCEP certificate requests, then configure the following:

Website name, HTTPS port number, and Virtual application name for the certificate registration point. These fields are filled in automatically with default values.

URL for the Network Device Enrollment Service and root CA certificate - Click Add, then in the Add URL and Root CA Certificate dialog box, specify the following:

URL for the Network Device Enrollment Service: Specify the URL in the following format: https://<server_FQDN>/certsrv/mscep/mscep.dll. For example, if the FQDN of your server that is running the Network Device Enrollment Service is server1.contoso.com, type https://server1.contoso.com/certsrv/mscep/mscep.dll.

Root CA Certificate: Browse to and select the certificate (.cer) file that you created and saved in Step 1: Install and configure the Network Device Enrollment Service and dependencies. This root CA certificate allows the certificate registration point to validate the client authentication certificate that the Configuration Manager Policy Module will use.

If you selected Process PFX certificate requests, you configure the connection details and credentials for the selected certificate authority.

To use Microsoft as the certificate authority, click Add then in the Add a Certificate Authority and Account dialog box, specify the following:

Certificate Authority Server Name - Enter the name of your certificate authority server.

Certificate Authority Account - Click Set to select, or create the account that has permissions to enroll in templates on the certification authority.

Certificate Registration Point Connection Account - Select or create the account that connects the certificate registration point to the Configuration Manager database. Alternatively, you can use the local computer account of the computer hosting the certificate registration point.

Active Directory Certificate Publishing Account - Select an account, or create a new account that will be used to publish certificates to user objects in Active Directory.

To use Entrust as the certificate authority, specify:

The MDM web service URL

The username and password credentials for the URL.

When using the MDM API to define the Entrust web service URL, be sure to use at least version 9 of the API, as shown in the following sample: https://entrust.contoso.com:19443/mdmws/services/AdminServiceV9. Earlier versions of the API aren't supported.

9. Click Next and complete the wizard.

10. Wait a few minutes to let the installation finish, and then verify that the certificate
registration point was installed successfully by using any of the following methods:

In the Monitoring workspace, expand System Status, click Component
Status, and look for status messages from the
SMS_CERTIFICATE_REGISTRATION_POINT component.

On the site system server, use the <ConfigMgr Installation
Path>\Logs\crpsetup.log file and <ConfigMgr Installation
Path>\Logs\crpmsi.log file. A successful installation will return an exit code of
0.

By using a browser, verify that you can connect to the URL of the certificate
registration point. For example,
https://server1.contoso.com/CMCertificateRegistration. You should see a
Server Error page for the application name, with an HTTP 404 description.

11. Locate the exported certificate file for the root CA that the certificate registration
point automatically created in the following folder on the primary site server
computer: <ConfigMgr Installation Path>\inboxes\certmgr.box. Save this file to a
secured location that you can securely access when you later install the
Configuration Manager Policy Module on the server that is running the Network
Device Enrollment Service.

 Tip

This certificate is not immediately available in this folder. You might need to
wait awhile (for example, half an hour) before Configuration Manager copies
the file to this location.
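As an added example (not part of the Configuration Manager documentation), the following PowerShell script automates the three checks in step 10 and the search in step 11: it reads crpsetup.log and crpmsi.log for the installer exit code, requests the certificate registration point URL and confirms that it answers with HTTP 404, and lists the exported root CA file in certmgr.box. The site system FQDN, the installation path, the .cer file extension and the "exit code N" wording in the log files are assumptions; adjust them for your site.

```powershell
# Added example, not part of the Configuration Manager docs or product.
# Assumptions: install path, site system FQDN, .cer extension and the log wording "exit code N".

function Test-CrpSetupLog {
    param([Parameter(Mandatory)][string]$InstallPath)
    # Step 10: both setup logs should record an installer exit code of 0.
    foreach ($log in 'crpsetup.log', 'crpmsi.log') {
        $path = Join-Path -Path $InstallPath -ChildPath "Logs\$log"
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Log = $log; ExitCode = $null; Ok = $false; Detail = 'log file not found' }
            continue
        }
        # Assumption: the installer result is logged as "... exit code N" (match is case-insensitive).
        $match = Select-String -Path $path -Pattern 'exit code[:\s]+(-?\d+)' | Select-Object -Last 1
        $code = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { $null }
        $detail = if ($null -eq $code) { 'no exit code line found' } else { '' }
        [pscustomobject]@{ Log = $log; ExitCode = $code; Ok = ($code -eq 0); Detail = $detail }
    }
}

function Test-CrpUrl {
    param(
        [Parameter(Mandatory)][string]$SiteSystemFqdn,
        [string]$VirtualApplication = 'CMCertificateRegistration',  # wizard default
        [int]$Port = 443                                             # wizard default
    )
    $url = 'https://{0}:{1}/{2}' -f $SiteSystemFqdn, $Port, $VirtualApplication
    try {
        $null = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $status = 200
    } catch {
        # HTTP errors surface as exceptions; a TLS trust or DNS failure carries no Response at all.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
    }
    # The docs expect a Server Error page with an HTTP 404 description for the application name.
    [pscustomobject]@{ Url = $url; HttpStatus = $status; Ok = ($status -eq 404) }
}

function Get-CrpExportedRootCa {
    param([Parameter(Mandatory)][string]$InstallPath)
    # Step 11: the exported root CA file appears in inboxes\certmgr.box on the primary site server,
    # possibly only after a delay (the docs say about half an hour). Assumption: .cer extension.
    $box = Join-Path -Path $InstallPath -ChildPath 'inboxes\certmgr.box'
    Get-ChildItem -Path $box -Filter '*.cer' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint   # record this before copying the file to the NDES server
            NotAfter   = $cert.NotAfter
        }
    }
}

# Usage (values assumed; replace with your site's):
$installPath = 'C:\Program Files\Microsoft Configuration Manager'
Test-CrpSetupLog -InstallPath $installPath | Format-Table -AutoSize
Test-CrpUrl -SiteSystemFqdn 'server1.contoso.com' | Format-Table -AutoSize
Get-CrpExportedRootCa -InstallPath $installPath | Format-Table -AutoSize
```

Run the log and certmgr.box checks on the site server itself; the URL check works from any machine that trusts the certificate registration point's server certificate. A null HttpStatus from Test-CrpUrl usually means the TLS chain or name resolution failed rather than that the site system role is missing, so resolve that first before re-running the installation. Recording the root CA thumbprint lets you confirm in Step 3 that the file you browse to on the NDES server is the same one the site created.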

Step 3 - Install the Configuration Manager Policy Module (for SCEP certificates only)

You must install and configure the Configuration Manager Policy Module on each server
that you specified in Step 2: Install and configure the certificate registration point as
URL for the Network Device Enrollment Service in the properties for the certificate
registration point.

To install the Policy Module

1. On the server that runs the Network Device Enrollment Service, log on as a domain
administrator and copy the following files from the
<ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64 folder on the
Configuration Manager installation media to a temporary folder:

PolicyModule.msi

PolicyModuleSetup.exe

In addition, if you have a LanguagePack folder on the installation media, copy this
folder and its contents.

2. From the temporary folder, run PolicyModuleSetup.exe to start the Configuration
Manager Policy Module Setup wizard.

3. On the initial page of the wizard, click Next, accept the license terms, and then
click Next.

4. On the Installation Folder page, accept the default installation folder for the policy
module or specify an alternative folder, and then click Next.

5. On the Certificate Registration Point page, specify the URL of the certificate
registration point by using the FQDN of the site system server and the virtual
application name that is specified in the properties for the certificate registration
point. The default virtual application name is CMCertificateRegistration. For
example, if the site system server has an FQDN of server1.contoso.com and you
used the default virtual application name, specify
https://server1.contoso.com/CMCertificateRegistration.

6. Accept the default port of 443 or specify the alternative port number that the
certificate registration point is using, and then click Next.

7. On the Client Certificate for the Policy Module page, browse to and specify the
client authentication certificate that you deployed in Step 1: Install and configure
the Network Device Enrollment Service and dependencies, and then click Next.

8. On the Certificate Registration Point Certificate page, click Browse to select the
exported certificate file for the root CA that you located and saved at the end of
Step 2: Install and configure the certificate registration point.

Note

If you did not previously save this certificate file, it is located in the
<ConfigMgr Installation Path>\inboxes\certmgr.box on the site server
computer.

9. Click Next and complete the wizard.

If you want to uninstall the Configuration Manager Policy Module, use Programs
and Features in Control Panel.

Now that you have completed the configuration steps, you are ready to deploy
certificates to users and devices by creating and deploying certificate profiles. For more
information about how to create certificate profiles, see How to create certificate
profiles.


Create Wi-Fi profiles
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

Use Wi-Fi profiles in Configuration Manager to deploy wireless network settings to users
in your organization. By deploying these settings, you make it easier for your users to
connect to Wi-Fi.

For example, you have a Wi-Fi network that you want to enable all Windows laptops to
connect to. Create a Wi-Fi profile containing the settings necessary to connect to the
wireless network. Then, deploy the profile to all users that have Windows laptops in your
hierarchy. Users of these devices see your network in the list of wireless networks and
can readily connect to this network.

You can configure Wi-Fi profiles for the following OS versions:

Windows 8.1 32-bit or 64-bit

Windows RT 8.1

Windows 10 or Windows 10 Mobile

You can also use Configuration Manager to deploy wireless network settings to mobile
devices using on-premises mobile device management (MDM). For more general
information, see What is on-premises MDM.

When you create a Wi-Fi profile, you can include a wide range of security settings. These
settings include certificates for server validation and client authentication that have been
pushed using Configuration Manager certificate profiles. For more information about
certificate profiles, see Certificate profiles.

Create a Wi-Fi profile


1. In the Configuration Manager console, go to the Assets and Compliance
workspace, expand Compliance Settings, expand Company Resource Access, and
select the Wi-Fi Profiles node.

2. On the Home tab, in the Create group, choose Create Wi-Fi Profile.

3. On the General page of the Create Wi-Fi Profile Wizard, specify the following
information:

Name: Enter a unique name to identify the profile in the console.

Description: Optionally add a description to provide further information for
the Wi-Fi profile.

Import an existing Wi-Fi profile item from a file: Select this option to use
the settings from another Wi-Fi profile. When you select this option, the
remaining pages of the wizard simplify to two pages: Import Wi-Fi Profile
and Supported Platforms.

Important

Make sure that the Wi-Fi profile you import contains valid XML for a Wi-
Fi profile. When you import the file, Configuration Manager doesn't
validate the profile.

Noncompliance severity for reports: Choose one of the following severity
levels that the device reports if it evaluates the Wi-Fi profile to be
noncompliant. For example, if the installation of the profile fails, it's
noncompliant.

None: Computers that fail this compliance rule don't report a failure
severity for Configuration Manager reports.

Information

Warning

Critical

Critical with event: Computers that fail this compliance rule report a
failure severity of Critical for Configuration Manager reports. Devices also
log the noncompliant state as a Windows event in the application event
log.

4. On the Wi-Fi Profile page of the wizard, specify the following information:
Network name: Provide the name that devices will display as the network
name.

Important

Configuration Manager doesn't support using the apostrophe ( ' ) or
comma ( , ) characters in the network name.

SSID: Specify the case-sensitive ID of the wireless network.

Connect automatically when this network is in range

Look for other wireless network while connected to this network

Connect when the network is not broadcasting its name (SSID)

5. On the Security Configuration page, specify the following information:

Important

If you're creating a Wi-Fi profile for on-premises MDM, the current branch of
Configuration Manager only supports the following Wi-Fi security
configurations:

Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP

Security type: Select the security protocol that the wireless network uses, or
select No authentication (Open) if the network is unsecured.

Encryption: If the security type supports it, set the encryption method for the
wireless network.

EAP type: Select the authentication protocol for the selected encryption
method.

Note

For Windows Phone devices only: the EAP types LEAP and EAP-FAST
aren't supported.

Select Configure to specify properties for the selected EAP type. This option
isn't available for some selected EAP types.

Important

The EAP type configuration window is from Windows. Make sure that
you run the Configuration Manager console on a computer that
supports the selected EAP type.

Remember the user credentials at each logon: Select this option to store
user credentials so users don't have to enter wireless network credentials
each time they sign in to Windows.

6. On the Advanced Settings page of the wizard, specify additional settings for the
Wi-Fi profile. Advanced settings might not be available, or might vary, depending
on the options that you select on the Security Configuration page of the wizard.
For example, authentication mode, or single sign-on options.

7. On the Proxy Settings page, if your wireless network uses a proxy server, select the
option to Configure proxy settings for this Wi-Fi profile. Then provide the
configuration information for the proxy.

8. On the Supported Platforms page, select the OS versions where this Wi-Fi profile
is applicable.

9. Complete the wizard.
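Because the console doesn't validate a profile you import with Import an existing Wi-Fi profile item from a file, it is worth checking the XML yourself before step 3. The following PowerShell function is an added example (not part of the Configuration Manager documentation or product): it parses the file as a Windows WLAN profile, rejects a network name containing an apostrophe or comma, and checks that the authentication and encryption values fall within the security types and encryption types the on-premises MDM note above lists. The sample XML is constructed for this example; WPA2 and WPA2PSK are the WLAN profile schema's names for WPA2 Enterprise and WPA2 Personal, and the function name Test-WifiProfileXml is this example's own.

```powershell
# Added example, not part of the Configuration Manager docs or product.
# Pre-import checks for a Wi-Fi profile XML file in the Windows WLAN profile schema
# (the format "netsh wlan export profile" produces and the wizard imports).

$WlanNamespace = 'http://www.microsoft.com/networking/WLAN/profile/v1'

function Test-WifiProfileXml {
    param([Parameter(Mandatory)][string]$Xml)
    $findings = New-Object System.Collections.Generic.List[string]

    try { $doc = [xml]$Xml } catch {
        $findings.Add("Not well-formed XML: $($_.Exception.Message)")
        return $findings
    }
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('w', $WlanNamespace)

    if ($null -eq $doc.SelectSingleNode('/w:WLANProfile', $ns)) {
        $findings.Add("Root element is not WLANProfile in namespace $WlanNamespace")
        return $findings
    }

    # Network name: the article says apostrophe and comma are not supported.
    $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns)
    if (-not $name -or [string]::IsNullOrWhiteSpace($name.InnerText)) {
        $findings.Add('Profile <name> is missing or empty')
    } elseif ($name.InnerText -match "[',]") {
        $findings.Add("Profile name '$($name.InnerText)' contains an apostrophe or comma")
    }

    # The SSID is what the device actually matches (case-sensitive), so it must be present.
    if ($null -eq $doc.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:SSID', $ns)) {
        $findings.Add('SSIDConfig/SSID is missing')
    }

    # Security: on-premises MDM supports WPA2 Enterprise/Personal with AES or TKIP only.
    $auth = $doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns)
    $enc  = $doc.SelectSingleNode('//w:authEncryption/w:encryption', $ns)
    $allowedAuth = 'WPA2', 'WPA2PSK'   # schema values for WPA2 Enterprise / WPA2 Personal
    $allowedEnc  = 'AES', 'TKIP'
    if (-not $auth) { $findings.Add('authEncryption/authentication is missing') }
    elseif ($auth.InnerText -notin $allowedAuth) { $findings.Add("Authentication '$($auth.InnerText)' is not WPA2 Enterprise or WPA2 Personal") }
    if (-not $enc) { $findings.Add('authEncryption/encryption is missing') }
    elseif ($enc.InnerText -notin $allowedEnc) { $findings.Add("Encryption '$($enc.InnerText)' is not AES or TKIP") }
    elseif ($enc.InnerText -eq 'TKIP') { $findings.Add('Warning: TKIP is a legacy cipher; prefer AES') }

    return $findings   # an empty list means the profile passed every check
}

# Constructed sample profile (WPA2 Enterprise with AES) to demonstrate the checks.
$sampleXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso Corp</name>
  <SSIDConfig><SSID><name>ContosoCorp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication>
    <encryption>AES</encryption>
    <useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@
$issues = @(Test-WifiProfileXml -Xml $sampleXml)
if ($issues.Count -eq 0) { 'Profile passes the pre-import checks' } else { $issues }

# For a real export: Test-WifiProfileXml -Xml (Get-Content -Path .\wifi.xml -Raw)
```

Run it against the exported file before you import it; anything it reports would otherwise surface only as a noncompliant device after deployment, which is the failure mode the Noncompliance severity for reports setting exists to surface.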

Next step
How to deploy Wi-Fi profiles


VPN profiles in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

To deploy VPN settings to users in your organization, use VPN profiles in Configuration
Manager. By deploying these settings, you minimize the end-user effort required to
connect to resources on the company network.

For example, you want to configure all Windows 10 devices with the settings required to
connect to a file share on the internal network. Create a VPN profile with the settings
necessary to connect to the internal network. Then deploy this profile to all users that
have devices running Windows 10. These users see the VPN connection in the list of
available networks and can connect with little effort.

When you create a VPN profile, you can include a wide range of security settings. These
settings include certificates for server validation and client authentication that you
provision with Configuration Manager certificate profiles. For more information, see
Certificate profiles.

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Supported platforms
The following table describes the VPN profiles you can configure for various device
platforms.

Connection type                Windows 8.1   Windows RT   Windows RT 8.1   Windows 10
Pulse Secure                   Yes           No           Yes              Yes
F5 Edge Client                 Yes           No           Yes              Yes
Dell SonicWALL Mobile Connect  Yes           No           Yes              Yes
Check Point Mobile VPN         Yes           No           Yes              Yes
Microsoft SSL (SSTP)           Yes           Yes          Yes              No
Microsoft Automatic            Yes           Yes          Yes              No
IKEv2                          Yes           Yes          Yes              No
PPTP                           Yes           Yes          Yes              No
L2TP                           Yes           Yes          Yes              No

Next step
How to create VPN profiles

See also
Prerequisites for VPN profiles

Security and privacy for VPN profiles


How to create VPN profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

Configuration Manager supports multiple VPN connection types. For more information
on the connection types available for the different device platforms, see VPN profiles.

For third-party VPN connections, distribute the VPN app before you deploy the VPN
profile. If you don't deploy the app, users will be prompted to do so when they try to
connect to the VPN. For more information, see Deploy applications.

Create a VPN profile


1. In the Configuration Manager console, go to the Assets and Compliance
workspace, expand Compliance Settings, expand Company Resource Access, and
select the VPN Profiles node.

2. On the Home tab of the ribbon, in the Create group, choose Create VPN Profile.

3. On the General page of the Create VPN Profile Wizard, specify the following
information:

Name: Enter a unique name to identify the VPN profile in the console.

Note

Don't use the following characters in the VPN profile name: \/:*?<>|; .
The Windows VPN profile doesn't support these special characters.

Description: Optionally enter a description to provide further information
about the VPN profile.

VPN profile type: Select the appropriate platform.

If you select the Windows 8.1 platform, you can also Import from file. This
action imports VPN profile information from an XML file. If you select this
option, the rest of the wizard simplifies to the following pages: Supported
Platforms and Import VPN Profile.

4. On the Supported Platforms page, select the OS versions that this VPN profile
supports.

5. On the Connection page, specify the following information:

Connection type: Choose the VPN connection type. For more information on
the supported types, see VPN profiles.

Server list: Add a new server to use for the VPN connection. Depending on
the connection type, you can add one or more VPN servers and specify which
server is the default.

Bypass VPN when connected to company network: Configure clients to not
use the VPN when they're on your internal network. If necessary, specify a
connection-specific DNS name.

6. On the Authentication Method page of the wizard, choose a method that's
supported by the connection type. The settings and available options on this page
vary depending on the selected connection type. For more information, see
Authentication method reference.

7. On the Proxy Settings page, if your VPN uses a proxy server, select one of the
options as appropriate for your environment. Then provide the configuration
information for the proxy.

8. The Applications page only applies to Windows 10 profiles. Add desktop and
universal apps that automatically connect to this VPN. The type of app determines
the app identifier:

For a desktop app, provide the file path of the app.

For a universal app, provide the package family name (PFN). To learn how to
find the PFN for an app, see Find a package family name for per-app VPN.

You can also configure an option so that Only the listed apps can use this VPN.

Important

Secure all lists of associated apps that you compile for configuring a per-app
VPN. If an unauthorized user changes your list, and you import it to the per-
app VPN app list, you potentially authorize VPN access to apps that shouldn't
have access.

9. The Boundaries page only applies to Windows 10 profiles to configure VPN
boundaries. You can add the following options:

Network traffic rules: Set the protocols, local port, remote port, and address
ranges to enable for the VPN connection.

Note

If you don't create a network traffic rule, all protocols, ports, and address
ranges are enabled. After you create a rule, only the protocols, ports,
and address ranges that you specify in that rule or in additional rules are
used by the VPN connection.

DNS names and servers: DNS servers that are used by the VPN connection
after the device establishes the connection.

Routes: Network routes that use the VPN connection. Creation of more than
60 routes may cause the policy to fail.

10. Complete the wizard.

The new VPN profile is displayed in the VPN Profiles node in the Assets and
Compliance workspace.

Authentication method reference

Available VPN authentication methods depend on the connection type:

Certificates
If the client certificate authenticates to a RADIUS server, like a Network Policy Server, set
the Subject Alternative Name in the certificate to the User Principal Name.

Supported connection types:

Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Mobile VPN

Username and Password

Supported connection types:

Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Mobile VPN

Microsoft EAP-TTLS

Supported connection types:

Microsoft SSL (SSTP)
Microsoft Automatic
PPTP
IKEv2
L2TP

Microsoft protected EAP (PEAP)

Supported connection types:

Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP

Microsoft secured password (EAP-MSCHAP v2)

Supported connection types:

Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP

Smart Card or other certificate

Supported connection types:

Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP

MSCHAP v2

Supported connection types:

Microsoft SSL (SSTP)
Microsoft Automatic
IKEv2
PPTP
L2TP

Use machine certificates

Supported connection types:

IKEv2

Additional authentication options

When the Windows client version supports it, the option to Configure the
authentication method is available. This option opens the Windows properties window
to configure the authentication method.

Depending on the selected options, you might be asked to specify more information, for
example:

Remember the user credentials at each logon: User credentials are remembered
so that users don't have to enter them each time they connect.

Select a client certificate for client authentication: Select a previously created
client SCEP certificate profile to authenticate the VPN connection. For more
information, see Create PFX certificate profiles.

Next steps

For third-party VPN connections, distribute the VPN app before you deploy the
VPN profile. If you don't deploy the app, users will be prompted to do so when
they try to connect to the VPN. For more information, see Deploy applications.

Deploy the VPN profile. For more information, see How to deploy profiles.


Find a package family name (PFN) for
per-app VPN
Article • 01/12/2024

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

There are two ways to find a PFN so that you can configure a per-app VPN.

Find a PFN for an app that's installed on a Windows 10 computer

If the app you're working with is already installed on a Windows 10 computer, you can
use the Get-AppxPackage PowerShell cmdlet to get the PFN.

The syntax for Get-AppxPackage is:

Syntax

Get-AppxPackage [[-Name] <String> ] [[-Publisher] <String> ] [-AllUsers] [-User <String> ] [ <CommonParameters>]

Note

You may have to run PowerShell as an admin in order to retrieve the PFN.

For example, to get info on all the universal apps installed on the computer, use
Get-AppxPackage.

To get info on an app you know the name of, or part of the name of, use
Get-AppxPackage *<app_name>. Note the use of the wildcard character, particularly helpful if
you're not sure of the full name of the app. For example, to get the info for OneNote,
use Get-AppxPackage *OneNote.

Here's the information retrieved for OneNote:

Name              : Microsoft.Office.OneNote
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : X64
ResourceId        :
Version           : 17.6769.57631.0
PackageFullName   : Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
InstallLocation   : C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.6769.57631.0_x64__8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.Office.OneNote_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe

Find a PFN if the app is not installed on a computer

1. Go to https://www.microsoft.com/store/apps
2. Enter the name of the app in the search bar. In our example, search for OneNote.
3. Click the link to the app. The URL that you access has a series of letters at the end.
In our example, the URL looks like this:
https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl

4. In a different tab, paste the following URL,
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/<app id>/applockerdata,
replacing <app id> with the app ID you obtained from
https://www.microsoft.com/store/apps - that series of letters at the end of the
URL in step 3. In our example of OneNote, you'd paste:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata.

In Microsoft Edge, the information you want is displayed; in Internet Explorer, click Open
to see the information. The PFN value is given on the first line. Here's how the results
look for our example:

JSON

{
"packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
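Putting the two lookups together, and covering the Important note on the VPN profile page about securing the per-app VPN app list, here is an added PowerShell example (not part of the Configuration Manager documentation or product). It resolves PFNs for installed apps with Get-AppxPackage and for store apps through the catalog URL shown above, writes the list as JSON next to a SHA-256 digest, and refuses to load the list if the digest no longer matches. The JSON-plus-.sha256 file layout and the function names are this example's own, and the PFN pattern check is an assumption modelled on the OneNote value above.

```powershell
# Added example, not part of the Configuration Manager docs or product.
# Builds and integrity-checks a per-app VPN app list of package family names (PFNs).
# Windows only: Get-AppxPackage is part of the Appx module.

function Get-PfnFromInstalledApp {
    param([Parameter(Mandatory)][string]$NamePattern)   # wildcard allowed, e.g. '*OneNote'
    # Lists packages for the current user; add -AllUsers from an elevated prompt to see every user's.
    Get-AppxPackage -Name $NamePattern | Select-Object -ExpandProperty PackageFamilyName -Unique
}

function Get-PfnFromStoreId {
    param([Parameter(Mandatory)][string]$StoreId)   # the trailing id from the store URL, e.g. 9wzdncrfhvjl
    # Same catalog endpoint the article opens in a browser; it returns the JSON shown above.
    $uri = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$StoreId/applockerdata"
    (Invoke-RestMethod -Uri $uri -Method Get).packageFamilyName
}

function Test-PfnFormat {
    param([Parameter(Mandatory)][string]$Pfn)
    # Assumption: <package identity name>_<13-character publisher id>, as in
    # Microsoft.Office.OneNote_8wekyb3d8bbwe. Anything else is rejected before it reaches the profile.
    $Pfn -match '^[A-Za-z0-9][A-Za-z0-9.\-]*_[a-z0-9]{13}$'
}

function Save-PerAppVpnList {
    param([Parameter(Mandatory)][string[]]$Pfns, [Parameter(Mandatory)][string]$Path)
    $bad = @($Pfns | Where-Object { -not (Test-PfnFormat -Pfn $_) })
    if ($bad.Count -gt 0) { throw "Rejected entries that are not PFNs: $($bad -join ', ')" }
    $sorted = @($Pfns | Sort-Object -Unique)
    ConvertTo-Json -InputObject $sorted | Set-Content -Path $Path -Encoding UTF8
    # Keep the digest where list editors cannot write (for example in source control) and compare on import.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash | Set-Content -Path "$Path.sha256" -Encoding ASCII
}

function Import-PerAppVpnList {
    param([Parameter(Mandatory)][string]$Path)
    $expected = (Get-Content -Path "$Path.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "$Path has changed since it was approved (SHA-256 mismatch)" }
    $list = @(ConvertFrom-Json -InputObject (Get-Content -Path $Path -Raw))
    $bad = @($list | Where-Object { -not (Test-PfnFormat -Pfn $_) })
    if ($bad.Count -gt 0) { throw "Approved list contains invalid PFNs: $($bad -join ', ')" }
    $list
}

# Usage: a constructed list seeded with the OneNote PFN shown in the article.
$pfns = @('Microsoft.Office.OneNote_8wekyb3d8bbwe')
# $pfns += Get-PfnFromInstalledApp -NamePattern '*OneNote'   # resolve from an installed app
# $pfns += Get-PfnFromStoreId -StoreId '9wzdncrfhvjl'        # or from the store catalog
Save-PerAppVpnList -Pfns $pfns -Path "$env:TEMP\perapp-vpn.json"
Import-PerAppVpnList -Path "$env:TEMP\perapp-vpn.json"
```

Paste the values Import-PerAppVpnList returns into the Applications page of the Create VPN Profile Wizard. The digest only protects against the unauthorized change the Important note describes if the .sha256 file lives somewhere the people who can edit the list cannot also rewrite it; a digest stored beside a world-writable list verifies nothing.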


Deploy resource access profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

After you create one of the following resource access profiles, deploy it to one or more
collections:

Wi-Fi
VPN
Certificate

When you deploy these profiles, you specify the target collection, and specify how often
the client evaluates the profile for compliance.

Deploy a profile
1. In the Configuration Manager console, go to the Assets and Compliance
workspace. Expand Compliance Settings, expand Company Resource Access, and
then choose the appropriate profile node. For example, Wi-Fi Profiles.

2. In the list of profiles, select the profile that you want to deploy. Then in the Home
tab of the ribbon, in the Deployment group, select Deploy.

3. In the deploy profile window, specify the following information:

Collection: Select the collection where you want to deploy the profile.

Generate an alert: Enable this option to configure an alert. The site generates
this alert if the profile compliance is less than the specified percentage by the
specified date and time. You can also select whether you want an alert to be
sent to System Center Operations Manager.

Random delay (hours): For certificate profiles that contain Simple Certificate
Enrollment Protocol (SCEP) settings, specify a delay window to avoid
excessive processing on the Network Device Enrollment Service (NDES). The
default value is 64 hours.

Specify the compliance evaluation schedule for this...profile: Specify how
often the client evaluates compliance for this profile. Select a Simple
schedule or configure a Custom schedule. By default, the simple schedule is
every 12 hours.

4. Select OK to close the window and create the deployment.

Delete a deployment
If you want to delete a deployment, select it from the list. In the details pane, switch to
the Deployments tab. Select the deployment, and then in the Deployment tab of the
ribbon, select Delete.

Important

When you remove a VPN profile deployment, Configuration Manager doesn't
remove the VPN profile from Windows. If you want to remove the profile from
devices, manually remove it.

Next steps
Monitor Wi-Fi and VPN profiles

Monitor certificate profiles


What happened to hybrid MDM?
07/21/2025

Applies to: Configuration Manager (current branch)

Warning

Microsoft retired the hybrid MDM service offering as of September 1, 2019. Any remaining
hybrid MDM devices won't receive policy, apps, or security updates.

Remove hybrid MDM

If your Configuration Manager site had a Microsoft Intune Subscription, you need to remove it.

1. In the Configuration Manager console, go to the Administration workspace. Expand
Cloud Services, and select the Microsoft Intune Subscription node. Delete your existing
Intune Subscription.

2. In the Remove Microsoft Intune Subscription Wizard, select the option to Remove
Microsoft Intune Subscription from Configuration Manager, and then click Next.

3. Complete the wizard.

Deprecation announcement
The following note is the original deprecation announcement:

Note

As of August 14, 2018, hybrid mobile device management is a deprecated feature.
Starting with the 1902 Intune service release, expected at the end of February 2019, new
customers can't create a new hybrid connection.

Since launching on Azure over a year ago, Intune has added hundreds of new customer-
requested and market-leading service capabilities. It now offers far more capabilities than
those offered through hybrid mobile device management (MDM). Intune on Azure
provides a more integrated, streamlined administrative experience for your enterprise
mobility needs.

As a result, most customers choose Intune on Azure over hybrid MDM. The number of
customers using hybrid MDM continues to decrease as more customers move to the
cloud. Therefore, on September 1, 2019, Microsoft will retire the hybrid MDM service
offering.

This change doesn't affect on-premises Configuration Manager or co-management for
Windows 10 devices. If you're unsure whether you're using hybrid MDM, go to the
Administration workspace of the Configuration Manager console, expand Cloud Services,
and select Microsoft Intune Subscriptions. If you have a Microsoft Intune subscription set
up, your tenant is configured for hybrid MDM.

How does this affect me?

Microsoft will support your hybrid MDM usage for the next year. The feature will
continue to receive major bug fixes. Microsoft will support existing functionality on
new OS versions, such as enrollment on iOS 12. There will be no new features for
hybrid MDM.

If you migrate to Intune on Azure before the end of the hybrid MDM offering, there
should be no end user impact.

On September 1, 2019, any remaining hybrid MDM devices will no longer receive
policy, apps, or security updates.

Licensing remains the same. Intune on Azure licenses are included with hybrid MDM.

The on-premises MDM feature in Configuration Manager isn't deprecated. Starting
in Configuration Manager version 1810, you can use on-premises MDM without an
Intune connection. For more information, see An Intune connection is no longer
required for new on-premises MDM deployments.

The on-premises Conditional Access feature of Configuration Manager is also
deprecated with hybrid MDM. If you use Conditional Access on devices managed
with the Configuration Manager client, make sure they are protected before you
migrate.

1. Set up Conditional Access policies in Azure
2. Set up compliance policies in Intune portal
3. Finish hybrid migration, and set the MDM authority to Intune
4. Enable co-management
5. Move the compliance policies co-management workload to Intune

For more information, see Conditional Access with co-management.


What do I need to do to prepare for this change?

Start planning your migration for MDM from the ConfigMgr console to Azure. Many
customers, including Microsoft IT, have gone through this process.

Contact your partner of record or FastTrack for assistance. FastTrack for Microsoft
365 can assist in your migration from hybrid MDM to Intune on Azure.

For more information, see the Intune support blog post.

Next steps
For more information on supported features for managing MDM devices, see the following
articles:

What is Microsoft Intune?
What is on-premises MDM?
Device management with Exchange


Monitor Email, Wi-Fi and VPN profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

After you have deployed Configuration Manager Email, Wi-Fi or VPN profiles to users in
your hierarchy, you can use the following procedures to monitor the compliance status
of the profile:

How to View Compliance Results in the Configuration Manager Console

How to View Compliance Results by Using Reports

How to View Compliance Results in the Configuration Manager Console

Use this procedure to view details about the compliance of deployed profiles in the
Configuration Manager console.

To view compliance results in the Configuration Manager console

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, click Deployments.

3. In the Deployments list, select the profile deployment for which you want to
review compliance information.

4. You can review summary information about the compliance of the profile
deployment on the main page. To view more detailed information, select the
profile deployment, and then, on the Home tab, in the Deployment group, click
View Status to open the Deployment Status page.

The Deployment Status page contains the following tabs:

Compliant: Displays the compliance of the profile that is based on the
number of affected assets. You can double-click a rule to create a temporary
node under the Users node in the Assets and Compliance workspace, which
contains all users that are compliant with this profile. The Asset Details pane
displays the users that are compliant with the profile. Double-click a user in
the list to display additional information.

Important

A profile is not evaluated if it is not applicable on a client device;
however, it is returned as compliant.

Error: Displays a list of all errors for the selected profile deployment that is
based on the number of affected assets. You can double-click a rule to create
a temporary node under the Users node of the Assets and Compliance
workspace, which contains all users that generated errors with this profile.
When you select a user, the Asset Details pane displays the users that are
affected by the selected issue. Double-click a user in the list to display
additional information about the issue.

Non-Compliant: Displays a list of all noncompliant rules within the profile that
is based on the number of affected assets. You can double-click a rule to create
a temporary node under the Users node of the Assets and Compliance workspace,
which contains all users that are not compliant with this profile. When you
select a user, the Asset Details pane displays the users that are affected by
the selected issue. Double-click a user in the list to display further
information about the issue.

Unknown: Displays a list of all users that did not report compliance for the
selected profile deployment together with the current client status of the
devices.

5. On the Deployment Status page, you can review detailed information about the
compliance of the deployed profile. A temporary node is created under the
Deployments node that helps you find this information again quickly.

How to View Compliance Results by Using Reports
Compliance settings, which include profiles in Configuration Manager, also include a
number of built-in reports that let you monitor information about profiles. These reports
have the report category of Compliance and Settings Management.

Important

You must use a wildcard (%) character when you use the parameters Device filter
and User filter in the compliance settings reports.

For more information about how to configure reporting in Configuration Manager, see
Introduction to reporting.

How to monitor certificate profiles in
Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer
supported. For more information, see Frequently asked questions about resource
access deprecation.

View Compliance Results in the Configuration Manager Console
To monitor SCEP certificate compliance, don't use the console; use reports instead.

1. In the Configuration Manager console, choose Monitoring> Deployments.

2. Select the certificate profile deployment of interest.

3. Review summary certificate compliance information on the main page. For more
detailed information, select the certificate profile, and then on the Home tab, in
the Deployment group, choose View Status to open the Deployment Status page.

The Deployment Status page contains the following tabs:

Compliant: Displays the compliance of the certificate profile based on the
number of assets that are affected. You can double-click a rule to create a
temporary node under the Users node in the Assets and Compliance
workspace. This node contains all users that are compliant with the certificate
profile. The Asset Details pane also displays the users that are compliant with
this profile. Double-click a user in the list for more information.

Important

A certificate profile is not evaluated if it is not applicable on a client
device. However, it is returned as compliant.

Error: Displays a list of all errors for the selected certificate profile
deployment based on the number of assets that are affected. You can
double-click a rule to create a temporary node under the Users node of the
Assets and Compliance workspace. This node contains all users that
generated errors with this profile. When you select a user, the Asset Details
pane displays the users that are affected by the selected issue. Double-click a
user in the list for more information.

Non-Compliant: Displays a list of all noncompliant rules within the certificate
profile based on the number of assets that are affected. You can double-click
a rule to create a temporary node under the Users node of the Assets and
Compliance workspace. This node contains all users that are not compliant
with this profile. When you select a user, the Asset Details pane displays the
users that are affected by the selected issue. Double-click a user in the list to
display further information about the issue.

Unknown: Displays a list of all users that did not report compliance for the
selected certificate profile deployment together with the current client status
of the devices.

4. On the Deployment Status page, review detailed information about the
compliance of the deployed certificate profile. A temporary node is created under
the Deployments node that helps you find this information again quickly.

The enrollment status of the certificate is displayed as a number. Use the following
table to understand what each number means:

Enrollment status   Description

0x00000001          The enrollment succeeded, and the certificate has been issued.

0x00000002          The request has been submitted and the enrollment is pending, or the
                    request has been issued out of band.

0x00000004          Enrollment must be deferred.

0x00000010          An error occurred.

0x00000020          The enrollment status is unknown.

0x00000040          The status information has been skipped. This can occur if a
                    certification authority is not valid or has not been selected for
                    monitoring.

0x00000100          Enrollment has been denied.

View Compliance Results by Using Reports
Compliance settings in Configuration Manager include built-in reports that you can use
to monitor information about certificate profiles. These reports have the report category
of Compliance and Settings Management.

Important

You must use a wildcard (%) character when you use the parameters Device filter
and User filter in the reports for compliance settings.

To monitor SCEP certificate compliance use these certificate reports under the report
node Company Resource Access:

Certificate issuance history
List of assets with certificates nearing expiry
List of assets by certificate issuance status

For more information about how to configure reporting in Configuration Manager, see
Introduction to reporting.

How to monitor Endpoint Protection
status
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can monitor Endpoint Protection in your Microsoft Configuration Manager hierarchy
by using the Endpoint Protection Status node under Security in the Monitoring
workspace, the Endpoint Protection node in the Assets and Compliance workspace,
and by using reports.

How to Monitor Endpoint Protection by Using the Endpoint Protection Status Node
1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Security and then click Endpoint Protection
Status.

3. In the Collection list, select the collection for which you want to view status
information.

Important

Collections are available for selection in the following cases:

When you select View this collection in the Endpoint Protection
dashboard on the Alerts tab of the <collection name> Properties dialog
box.
When you deploy an Endpoint Protection antimalware policy to the
collection.
When you enable and deploy Endpoint Protection client settings to
the collection.

4. Review the information that is displayed in the Security State and Operational
State sections. You can click any status link to create a temporary collection in the
Devices node in the Assets and Compliance workspace. The temporary collection
contains the computers with the selected status.

Important

Information that is displayed in the Endpoint Protection Status node is based
on the last data that was summarized from the Configuration Manager
database and might not be current. If you want to retrieve the latest data, on
the Home tab, click Run Summarization, or click Schedule Summarization to
adjust the summarization interval.

How to Monitor Endpoint Protection in the Assets and Compliance Workspace
1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, perform one of the following actions:

Click Devices. In the Devices list, select a computer, and then click the
Malware Detail tab.

Click Device Collections. In the Device Collections list, select the collection
that contains the computer you want to monitor and then, on the Home tab,
in the Collection group, click Show Members.

3. In the <collection name> list, select a computer, and then click the Malware Detail
tab.

How to Monitor Endpoint Protection by Using Reports
Use the following reports to help you view information about Endpoint Protection in
your hierarchy. You can also use these reports to help troubleshoot any Endpoint
Protection problems. For more information about how to configure reporting in
Configuration Manager, see Introduction to reporting and Log files. The Endpoint
Protection reports are in the Endpoint Protection folder.

Report name                  Description

Antimalware Activity Report  Displays an overview of antimalware activity for a specified
                             collection.

Infected Computers           Displays a list of computers on which a specified threat is detected.

Top Users By Threats         Displays a list of users with the highest number of detected threats.

User Threat List             Displays a list of threats that were found for a specified user
                             account.

Malware Alert Levels
Use the following table to identify the different Endpoint Protection alert levels that
might be displayed in reports, or in the Configuration Manager console.

Alert level Description

Failed Endpoint Protection failed to remediate the malware. Check your logs for details
of the error.

Note: For a list of Configuration Manager and Endpoint Protection log files, see
the "Endpoint Protection" section in the Log files topic.

Removed Endpoint Protection successfully removed the malware.

Quarantined Endpoint Protection moved the malware to a secure location and prevented it
from running until you remove it or allow it to run.

Cleaned The malware was cleaned from the infected file.

Allowed An administrative user selected to allow the software that contains the malware to
run.

No Action Endpoint Protection took no action on the malware. This might occur if the
computer is restarted after malware is detected and the malware is no longer
detected; for instance, if a mapped network drive on which malware is detected is
not reconnected when the computer restarts.

Blocked Endpoint Protection blocked the malware from running. This might occur if a
process on the computer is found to contain malware.

BitLocker settings reference
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

BitLocker management policies in Configuration Manager contain the following policy
groups:

Setup
Operating system drive
Fixed drive
Removable drive
Client management

The following sections describe and suggest configurations for the settings in each
group.

Setup
The settings on this page configure global BitLocker encryption options.

Drive encryption method and cipher strength

Suggested configuration: Enabled with the default or greater encryption method.

Note

The Setup properties page includes two groups of settings for different versions of
Windows. This section describes them both.

Windows 8.1 devices

For Windows 8.1 devices, enable the option for Drive encryption method and cipher
strength, and select one of the following encryption methods:

AES 128-bit with Diffuser
AES 256-bit with Diffuser
AES 128-bit (default)
AES 256-bit

For more information on how to create this policy with Windows PowerShell, see New-CMBLEncryptionMethodPolicy.

Windows 10 or later devices

For Windows 10 or later devices, enable the option for Drive encryption method and
cipher strength (Windows 10 or later). Then individually select one of the following
encryption methods for OS drives, fixed data drives, and removable data drives:

AES-CBC 128-bit
AES-CBC 256-bit
XTS-AES 128-bit (default)
XTS-AES 256-bit

Tip

BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with
configurable key lengths of 128 or 256 bits. On Windows 10 or later devices, the
AES encryption supports cipher block chaining (CBC) or ciphertext stealing (XTS).

If you need to use a removable drive on devices that don't run Windows 10, use
AES-CBC.

For more information on how to create this policy with Windows PowerShell, see New-CMBLEncryptionMethodWithXts.

General usage notes for drive encryption and cipher strength

If you disable or don't configure these settings, BitLocker uses the default
encryption method.

Configuration Manager applies these settings when you turn on BitLocker.

If the drive is already encrypted or is in progress, any change to these policy
settings doesn't change the drive encryption on the device.

If you use the default value, the BitLocker Computer Compliance report may
display the cipher strength as unknown. To work around this issue, enable this
setting and set an explicit value for cipher strength.

Prevent memory overwrite on restart

Suggested configuration: Not configured

Configure this policy to improve restart performance without overwriting BitLocker
secrets in memory on restart.

When you don't configure this policy, BitLocker removes its secrets from memory when
the computer restarts.

For more information on how to create this policy with Windows PowerShell, see New-CMNoOverwritePolicy.

Validate smart card certificate usage rule compliance

Suggested configuration: Not configured

Configure this policy to use smartcard certificate-based BitLocker protection. Then
specify the certificate Object identifier.

When you don't configure this policy, BitLocker uses the default object identifier
1.3.6.1.4.1.311.67.1.1 to specify a certificate.

For more information on how to create this policy with Windows PowerShell, see New-CMScCompliancePolicy.

Organization unique identifiers

Suggested configuration: Not configured

Configure this policy to use a certificate-based data recovery agent or the BitLocker To
Go reader.

When you don't configure this policy, BitLocker doesn't use the Identification field.

If your organization requires higher security measures, configure the Identification
field. Set this field on all targeted USB devices, and align it with this setting.

For more information on how to create this policy with Windows PowerShell, see New-CMUidPolicy.

OS drive
The settings on this page configure the encryption settings for the drive on which
Windows is installed.

Operating system drive encryption settings

Suggested configuration: Enabled

If you enable this setting, the user has to protect the OS drive, and BitLocker encrypts
the drive. If you disable it, the user can't protect the drive. If you don't configure this
policy, BitLocker protection isn't required on the OS drive.

Note

If the drive is already encrypted, and you disable this setting, BitLocker decrypts the
drive.

If you have devices without a Trusted Platform Module (TPM), use the option to Allow
BitLocker without a compatible TPM (requires a password). This setting allows
BitLocker to encrypt the OS drive, even if the device doesn't have a TPM. If you allow
this option, Windows prompts the user to specify a BitLocker password.

On devices with a compatible TPM, two types of authentication methods can be used at
startup to provide added protection for encrypted data. When the computer starts, it
can use only the TPM for authentication, or it can also require the entry of a personal
identification number (PIN). Configure the following settings:

Select protector for operating system drive: Configure it to use a TPM and PIN, or
just the TPM.

Configure minimum PIN length for startup: If you require a PIN, this value is the
shortest length the user can specify. The user enters this PIN when the computer
boots to unlock the drive. By default, the minimum PIN length is 4.

Tip

For higher security, when you enable devices with TPM + PIN protector, consider
disabling the following group policy settings in System > Power Management >
Sleep Settings:

Allow Standby States (S1-S3) When Sleeping (Plugged In)

Allow Standby States (S1-S3) When Sleeping (On Battery)

For more information on how to create this policy with Windows PowerShell, see New-CMBMSOSDEncryptionPolicy.

Allow enhanced PINs for startup

Suggested configuration: Not configured

Configure BitLocker to use enhanced startup PINs. These PINs permit the use of more
characters such as uppercase and lowercase letters, symbols, numbers, and spaces. This
setting applies when you turn on BitLocker.

Important

Not all computers can support enhanced PINs in the pre-boot environment. Before
you enable its use, evaluate whether your devices are compatible with this feature.

If you enable this setting, all new BitLocker startup PINs allow the user to create
enhanced PINs.

Require ASCII-only PINs: Help make enhanced PINs more compatible with
computers that limit the type or number of characters that you can enter in the
pre-boot environment.

If you disable or don't configure this policy setting, BitLocker doesn't use enhanced
PINs.

For more information on how to create this policy with Windows PowerShell, see New-CMEnhancedPIN.

Operating system drive password policy

Suggested configuration: Not configured

Use these settings to set the constraints for passwords to unlock BitLocker-protected OS
drives. If you allow non-TPM protectors on OS drives, configure the following settings:

Configure password complexity for operating system drives: To enforce
complexity requirements on the password, select Require password complexity.

Minimum password length for operating system drive: By default, the minimum
length is 8.

Require ASCII-only passwords for removable OS drives

If you enable this policy setting, users can configure a password that meets the
requirements that you define.

For more information on how to create this policy with Windows PowerShell, see New-CMOSPassphrase.

General usage notes for OS drive password policy

For these complexity requirement settings to be effective, also enable the group
policy setting Password must meet complexity requirements in Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy.

BitLocker enforces these settings when you turn it on, not when you unlock a
volume. BitLocker lets you unlock a drive with any of the protectors that are
available on the drive.

If you use group policy to enable FIPS-compliant algorithms for encryption,
hashing, and signing, you can't allow passwords as a BitLocker protector.

Reset platform validation data after BitLocker recovery

Suggested configuration: Not configured

Control whether Windows refreshes platform validation data when it starts after
BitLocker recovery.

If you enable or don't configure this setting, Windows refreshes platform validation data
in this situation.

If you disable this policy setting, Windows doesn't refresh platform validation data in
this situation.

For more information on how to create this policy with Windows PowerShell, see New-CMTpmAutoResealPolicy.

Pre-boot recovery message and URL

Suggested configuration: Not configured

When BitLocker locks the OS drive, use this setting to display a custom recovery
message or a URL on the pre-boot BitLocker recovery screen. This setting only applies to
Windows 10 or later devices.

When you enable this setting, select one of the following options for the pre-boot
recovery message:

Use default recovery message and URL: Display the default BitLocker recovery
message and URL in the pre-boot BitLocker recovery screen. If you previously
configured a custom recovery message or URL, use this option to revert to the
default message.

Use custom recovery message: Include a custom message in the pre-boot
BitLocker recovery screen.
Custom recovery message option: Type the custom message to display. If you
also want to specify a recovery URL, include it as part of this custom recovery
message. The maximum string length is 32,768 characters.

Use custom recovery URL: Replace the default URL displayed in the pre-boot
BitLocker recovery screen.
Custom recovery URL option: Type the URL to display. The maximum string
length is 32,768 characters.

Note

Not all characters and languages are supported in pre-boot. First test your custom
message or URL to make sure it appears correctly on the pre-boot BitLocker
recovery screen.

For more information on how to create this policy with Windows PowerShell, see New-CMPrebootRecoveryInfo.

Encryption policy enforcement settings (OS drive)

Suggested configuration: Enabled

Configure the number of days that users can postpone BitLocker compliance for the OS
drive. The Noncompliance grace period begins when Configuration Manager first
detects it as noncompliant. After this grace period expires, users can't postpone the
required action or request an exemption.

If the encryption process requires user input, a dialog box appears in Windows that the
user can't close until they provide the required information. Future notifications for
errors or status won't have this restriction.

If BitLocker doesn't require user interaction to add a protector, after the grace period
expires, BitLocker starts encryption in the background.

If you disable or don't configure this setting, Configuration Manager doesn't require
users to comply with BitLocker policies.

To enforce the policy immediately, set a grace period of 0.

For more information on how to create this policy with Windows PowerShell, see New-CMUseOsEnforcePolicy.

Fixed drive
The settings on this page configure encryption for other data drives in a device.

Fixed data drive encryption

Suggested configuration: Enabled

Manage your requirement for encryption of fixed data drives. If you enable this setting,
BitLocker requires users to put all fixed data drives under protection. It then encrypts the
data drives.

When you enable this policy, either enable auto-unlock or the settings for Fixed data
drive password policy.

Configure auto-unlock for fixed data drive: Allow or require BitLocker to
automatically unlock any encrypted data drive. To use auto-unlock, also require
BitLocker to encrypt the OS drive.

If you don't configure this setting, BitLocker doesn't require users to put fixed data
drives under protection.

If you disable this setting, users can't put their fixed data drives under BitLocker
protection. If you disable this policy after BitLocker encrypts fixed data drives, BitLocker
decrypts the fixed data drives.

For more information on how to create this policy with Windows PowerShell, see New-CMBMSFDVEncryptionPolicy.

Deny write access to fixed drives not protected by BitLocker

Suggested configuration: Not configured

Require BitLocker protection for Windows to write data to fixed drives on the device.
BitLocker applies this policy when you turn it on.

When you enable this setting:

If BitLocker protects a fixed data drive, Windows mounts it with read and write
access.

For any fixed data drive that BitLocker doesn't protect, Windows mounts it as read-
only.

When you don't configure this setting, Windows mounts all fixed data drives with read
and write access.

For more information on how to create this policy with Windows PowerShell, see New-CMFDVDenyWriteAccessPolicy.

Fixed data drive password policy

Suggested configuration: Not configured

Use these settings to set the constraints for passwords to unlock BitLocker-protected
fixed data drives.

If you enable this setting, users can configure a password that meets your defined
requirements.

For higher security, enable this setting, and then configure the following settings:

Require password for fixed data drive: Users have to specify a password to unlock
a BitLocker-protected fixed data drive.

Configure password complexity for fixed data drives: To enforce complexity
requirements on the password, select Require password complexity.

Minimum password length for fixed data drive: By default, the minimum length is
8.

If you disable this setting, users can't configure a password.

When the policy isn't configured, BitLocker supports passwords with the default settings.
The default settings don't include password complexity requirements, and require only
eight characters.

For more information on how to create this policy with Windows PowerShell, see New-CMFDVPassPhrasePolicy.

General usage notes for fixed data drive password policy

For these complexity requirement settings to be effective, also enable the group
policy setting Password must meet complexity requirements in Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy.

BitLocker enforces these settings when you turn it on, not when you unlock a
volume. BitLocker lets you unlock a drive with any of the protectors that are
available on the drive.

If you use group policy to enable FIPS-compliant algorithms for encryption,
hashing, and signing, you can't allow passwords as a BitLocker protector.

Encryption policy enforcement settings (fixed data drive)

Suggested configuration: Enabled

Configure the number of days that users can postpone BitLocker compliance for fixed
data drives. The Noncompliance grace period begins when Configuration Manager first
detects the fixed data drive as noncompliant. It doesn't enforce the fixed data drive
policy until the OS drive is compliant. After the grace period expires, users can't
postpone the required action or request an exemption.

If the encryption process requires user input, a dialog box appears in Windows that the
user can't close until they provide the required information. Future notifications for
errors or status won't have this restriction.

If BitLocker doesn't require user interaction to add a protector, after the grace period
expires, BitLocker starts encryption in the background.

If you disable or don't configure this setting, Configuration Manager doesn't require
users to comply with BitLocker policies.

To enforce the policy immediately, set a grace period of 0.

For more information on how to create this policy with Windows PowerShell, see New-CMUseFddEnforcePolicy.

Removable drive
The settings on this page configure encryption for removable drives, such as USB keys.

Removable data drive encryption

Suggested configuration: Enabled

This setting controls the use of BitLocker on removable drives.

Allow users to apply BitLocker protection on removable data drives: Users can
turn on BitLocker protection for a removable drive.

Allow users to suspend and decrypt BitLocker on removable data drives: Users
can remove or temporarily suspend BitLocker drive encryption from a removable
drive.

When you enable this setting, and allow users to apply BitLocker protection, the
Configuration Manager client saves recovery information about removable drives to the
recovery service on the management point. This behavior allows users to recover the
drive if they forget or lose the protector (password).

When you enable this setting:

Enable the settings for Removable data drive password policy

Disable the following group policy settings in System > Removable Storage
Access for both user & computer configurations:
All removable storage classes: Deny all access
Removable disks: Deny write access
Removable disks: Deny read access

If you disable this setting, users can't use BitLocker on removable drives.

For more information on how to create this policy with Windows PowerShell, see New-CMRDVConfigureBDEPolicy.

Deny write access to removable drives not protected by BitLocker

Suggested configuration: Not configured

Require BitLocker protection for Windows to write data to removable drives on the
device. BitLocker applies this policy when you turn it on.

When you enable this setting:

If BitLocker protects a removable drive, Windows mounts it with read and write
access.
For any removable drive that BitLocker doesn't protect, Windows mounts it as
read-only.

If you enable the option to Deny write access to devices configured in another
organization, BitLocker only gives write access to removable drives with
identification fields that match the allowed identification fields. Define these fields
with the Organization unique identifiers global settings on the Setup page.

When you disable or don't configure this setting, Windows mounts all removable drives
with read and write access.

Note

You can override this setting with the group policy settings in System > Removable
Storage Access. If you enable the group policy setting Removable disks: Deny
write access, then BitLocker ignores this Configuration Manager setting.

For more information on how to create this policy with Windows PowerShell, see New-CMRDVDenyWriteAccessPolicy.

Removable data drive password policy

Suggested configuration: Enabled

Use these settings to set the constraints for passwords to unlock BitLocker-protected
removable drives.

If you enable this setting, users can configure a password that meets your defined
requirements.

For higher security, enable this setting, and then configure the following settings:

Require password for removable data drive: Users have to specify a password to
unlock a BitLocker-protected removable drive.

Configure password complexity for removable data drives: To enforce complexity
requirements on the password, select Require password complexity.

Minimum password length for removable data drive: By default, the minimum
length is 8.

If you disable this setting, users can't configure a password.


When the policy isn't configured, BitLocker supports passwords with the default settings.
The default settings don't include password complexity requirements, and require only
eight characters.

For more information on how to create this policy with Windows PowerShell, see New-CMRDVPassPhrasePolicy.

General usage notes for removable data drive password policy

For these complexity requirement settings to be effective, also enable the group
policy setting Password must meet complexity requirements in Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy.

BitLocker enforces these settings when you turn it on, not when you unlock a
volume. BitLocker lets you unlock a drive with any of the protectors that are
available on the drive.

If you use group policy to enable FIPS-compliant algorithms for encryption,
hashing, and signing, you can't allow passwords as a BitLocker protector.

Client management
The settings on this page configure BitLocker management services and clients.

BitLocker Management Services

Suggested configuration: Enabled

When you enable this setting, Configuration Manager automatically and silently backs
up key recovery information in the site database. If you disable or don't configure this
setting, Configuration Manager doesn't save key recovery information.

Select BitLocker recovery information to store: Configure the key recovery service
to back up BitLocker recovery information. It provides an administrative method of
recovering data encrypted by BitLocker, which helps prevent data loss because of
the lack of key information.

Allow recovery information to be stored in plain text: Without a BitLocker
management encryption certificate for SQL Server, Configuration Manager stores
the key recovery information in plain text. For more information, see Encrypt
recovery data in the database.

Client checking status frequency (minutes): At the configured frequency, the
client checks the BitLocker protection policies and status on the computer and also
backs up the client recovery key. By default, the Configuration Manager client
checks BitLocker status every 90 minutes.

Important

Don't set this value to less than 60. A smaller frequency value may cause the
client to briefly report inaccurate compliance states.

For more information on how to create these policies with Windows PowerShell, see:

Set-CMBlmPlaintextStorage
New-CMBMSClientConfigureCheckIntervalPolicy

User exemption policy

Suggested configuration: Not configured

Configure a contact method for users to request an exemption from BitLocker
encryption.

If you enable this policy setting, provide the following information:

Maximum days to postpone: How many days the user can postpone an enforced
policy. By default, this value is 7 days (one week).

Contact method: Specify how users can request an exemption: URL, email address,
or phone number.

Contact: Specify the URL, email address, or phone number. When a user requests
an exemption from BitLocker protection, they see a Windows dialog box with
instructions on how to apply. Configuration Manager doesn't validate the
information you enter.

URL: Use the standard URL format, https://website.domain.tld. Windows
displays the URL as a hyperlink.

Email address: Use the standard email address format, [email protected].
Windows displays the address as the following hyperlink:
mailto:[email protected]?subject=Request exemption from BitLocker protection.

Phone number: Specify the number you want your users to call. Windows
displays the number with the following description: Please call <your number>
for applying exemption.

If you disable or don't configure this setting, Windows doesn't display the exemption
request instructions to users.

Note

BitLocker manages exemptions per user, not per computer. If multiple users sign in
to the same computer, and any one user isn't exempt, BitLocker encrypts the
computer.

For more information on how to create this policy with Windows PowerShell, see New-CMBMSUserExemptionPolicy.

URL for the security policy link

Suggested configuration: Enabled

Specify a URL to display to users as the Company Security Policy in Windows. Use this
link to provide users with information about encryption requirements. It shows when
BitLocker prompts the user to encrypt a drive.

If you enable this setting, configure the security policy link URL.

If you disable or don't configure this setting, BitLocker doesn't show the security policy
link.

For more information on how to create this policy with Windows PowerShell, see New-CMMoreInfoUrlPolicy.

Next steps
If you use Windows PowerShell to create these policy objects, then use the New-CMBlmSetting
cmdlet. This cmdlet creates a BitLocker management policy settings object that contains
all of the specified policies. To deploy the policy settings to a collection, use the
New-CMSettingDeployment cmdlet.
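
The following script is an added example and is not part of the Configuration Manager documentation or the product's own samples. It shows the end-to-end flow this page describes: create individual policy objects with the cmdlets the page cites, bundle them with New-CMBlmSetting, and deploy the bundle with New-CMSettingDeployment. The cmdlet names come from the page; the parameter names (-PolicyState, -CheckStatusFrequencyMinutes, -MoreInfoUrl, -BlmPolicy, -BlmSetting, -CollectionName), the site code PS1, the URL and the collection name are assumptions, so confirm each against Get-Help before you run it against a production site.

```powershell
# Added example (not from the Configuration Manager documentation). Creates
# BitLocker management policies, bundles them and deploys them to a collection.
# ASSUMPTIONS: parameter names below, site code 'PS1', the URL and the
# collection name are placeholders - verify with Get-Help <cmdlet> -Detailed.

# Load the console module and switch to the site drive (site code is a placeholder)
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

function New-ClientCheckIntervalPolicy {
    param([int]$Minutes = 90)
    # The page warns that a client check frequency below 60 minutes can make the
    # client briefly report inaccurate compliance states, so refuse such values
    # here rather than let them reach a deployment.
    if ($Minutes -lt 60) {
        throw "Check interval must be at least 60 minutes (requested $Minutes)"
    }
    New-CMBMSClientConfigureCheckIntervalPolicy -PolicyState Enabled -CheckStatusFrequencyMinutes $Minutes
}

# Client checking status frequency: the page's default of 90 minutes
$checkInterval = New-ClientCheckIntervalPolicy -Minutes 90

# Company Security Policy link shown when BitLocker prompts the user to encrypt
# (URL is a placeholder for your own intranet page)
$policyLink = New-CMMoreInfoUrlPolicy -PolicyState Enabled -MoreInfoUrl 'https://intranet.example.com/encryption-policy'

# Bundle the policies into one settings object, then deploy it to a collection
$blmSetting = New-CMBlmSetting -Name 'Workstation BitLocker management' `
                               -Description 'Added example policy bundle' `
                               -BlmPolicy $checkInterval, $policyLink
New-CMSettingDeployment -BlmSetting $blmSetting -CollectionName 'All Workstations'
```

The guard in New-ClientCheckIntervalPolicy is the one check worth automating: the console will accept a lower value, but the page's Important note explains why you should not deploy one.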

Troubleshoot BitLocker
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this article to help you troubleshoot issues with BitLocker
management in Configuration Manager.

Server error in self-service

When trying to open the self-service portal
(https://webserver.contoso.com/SelfService) for the first time, you see the following
error message:

error

Configuration Error - Server Error in '/SelfService' Application

Description: An error occurred during the processing of a configuration file
required to service this request. Please review the specific error details
below and modify your configuration file appropriately.

Parser Error Message: Could not load file or assembly 'System.Web.Mvc,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of
its dependencies. The system cannot find the file specified.

To fix this issue, make sure you installed the prerequisite for Microsoft ASP.NET MVC 4.0
on the web server.

See also
For more information about using BitLocker event logs, see BitLocker event logs.

For a list of known errors and possible causes for event log entries, see the following
articles:

Client event logs

Server event logs

To understand why clients are reporting not compliant with the BitLocker management
policy, see Non-compliance codes.

BitLocker event logs
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The BitLocker management agent and web services use Windows event logs to record
messages. In the Event Viewer, go to Applications and Services Logs, Microsoft,
Windows. The log channel (node) varies depending upon the computer and the
component:

MBAM: BitLocker management agent on a client computer

MBAM-Web:
Recovery service on the management point
Self-service portal
Administration and monitoring website

For more information about specific messages in these logs, see the following articles:

Client event logs

Server event logs

In each node, by default you'll see two log channels: Admin and Operational. For more
detailed troubleshooting information, you can also show analytics and debug logs.

Log properties
In Windows Event Viewer, select a specific log. For example, Admin. Go to the Action
menu, and select Properties. Configure the following settings:

Maximum log size (KB): by default, this setting is 1028 (1 MB) for all logs.
When maximum event log size is reached: by default, the Admin and Operational
logs are set to Overwrite events as needed (oldest events first).

Analytic and debug logs


You can enable more detailed logs for troubleshooting purposes. In Event Viewer, go to
the View menu, and select Show Analytic and Debug Logs. Now when you browse to
the log channel, you'll see two additional logs: Analytic and Debug.

Tip
By default, these logs have the following properties:

Maximum log size (KB): 1028 (1 MB)
When maximum event log size is reached: Do not overwrite events (Clear logs manually)

Export logs to text

Especially with the analytic and debug logs, you may find it easier to review the log
entries in a single text file. Use the following PowerShell commands to export the event
log entries to text files:

PowerShell

# Out-String with a larger -Width does a better job compared to using Out-File with -Width.
# -Oldest is only required with debug/analytic logs.

# Debug log
Get-WinEvent -LogName Microsoft-Windows-MBAM/Debug -Oldest | Format-Table -AutoSize | Out-String -Width 4096 | Out-File C:\Temp\MBAM_Log_Debug.txt

# Analytic log
Get-WinEvent -LogName Microsoft-Windows-MBAM/Analytic -Oldest | Format-Table -AutoSize | Out-String -Width 4096 | Out-File C:\Temp\MBAM_Log_Analytic.txt

# Admin log
# The above command truncates the output from the admin log; this sample reformats the strings
Get-WinEvent -LogName Microsoft-Windows-MBAM/Admin |
    Select-Object TimeCreated, LevelDisplayName, TaskDisplayName, @{n='Message';e={$_.Message.Trim()}} |
    Format-Table -AutoSize -Wrap | Out-String -Width 4096 |
    Out-File -FilePath C:\Temp\MBAM_Log_Admin.txt

Client event logs
Article • 01/12/2024

Applies to: Configuration Manager (current branch)

On a Configuration Manager client to which you deploy a BitLocker management policy,
use the Windows Event Viewer to view BitLocker client event logs. Go to Applications
and Services Logs, Microsoft, Windows, MBAM for both Admin and Operational event
logs.

Admin

2: VolumeEnactmentFailed
An error occurred while applying MBAM policies.

Error code: -2144272219

Details: BitLocker Drive Encryption only supports Used Space Only encryption on thin
provisioned storage.

This error occurs if you try to use BitLocker to encrypt a virtual machine that's running
Windows 10 version 1803 or earlier. Earlier versions of Windows 10 don't support full
disk encryption. BitLocker management policies enforce full disk encryption.

Error code: -2147024774

Details: The data area passed to a system call is too small.

To resolve this issue, restart the computer.

4: TransferStatusDataFailed
An error occurred while sending encryption status data.

8: SystemVolumeNotFound
The system volume is missing. SystemVolume is needed to encrypt the operating system
drive.

9: TPMNotFound
The TPM hardware is missing. TPM is needed to encrypt the operating system drive with
any TPM protector.

10: MachineHWExempted
The computer is exempted from Encryption. Machine's hardware status: Exempted

11: MachineHWUnknown
The computer is exempted from encryption. Machine's hardware status: Unknown

12: HWCheckFailed
Hardware exemption check failed.

13: UserIsExempted
The user is exempt from encryption.

14: UserIsWaiting
The user requested an exemption.

15: UserExemptionCheckFailed
User exemption check failed.

16: UserPostponed
The user postponed the encryption process.

17: TPMInitializationFailed
TPM initialization failed. The user rejected the BIOS changes.

18: CoreServiceDown
Unable to connect to the MBAM Recovery and Hardware service.
Error code: -2147024809
Details: The parameter is incorrect.

This error occurs if the website isn't HTTPS, or the client doesn't have a PKI cert.

20: PolicyMismatch
The BitLocker management policy is in conflict or corrupt.

21: ConflictingOSVolumePolicies
Detected OS volume encryption policies conflict. Check BitLocker policies related to OS
drive protectors.

22: ConflictingFDDVolumePolicies
Detected fixed data drive volume encryption policies conflict. Check BitLocker policies
related to fixed data drive protectors.

27: EncryptionFailedNoDra
An error occurred while encrypting. A data recovery agent (DRA) protector is required in
FIPS mode for pre-Windows 8.1 machines.

34: TpmLockOutResetFailed
Failed to reset TPM lockout.

36: TpmOwnerAuthRetrievalFailed
Failed to retrieve TPM OwnerAuth from MBAM services.

37: WmiProviderDllSearchPathUpdateFailed
Failed to update the DLL search path for WMI provider.

38: TimedOutWaitingForWmiProvider
Agent stopping. Timed-out waiting for MBAM WMI provider instance.

Operational

1: VolumeEnactmentSuccessful
The BitLocker management policies were applied successfully.

3: TransferStatusDataSuccessful
The encryption status data was sent successfully.

19: CoreServiceUp
Successfully connected to the MBAM Recovery and Hardware service.

28: TpmOwnerAuthEscrowed
The TPM OwnerAuth is escrowed.

29: RecoveryKeyEscrowed
The BitLocker recovery key for the volume is escrowed.

30: RecoveryKeyReset
The BitLocker recovery key for the volume is updated.

31: EnforcePolicyDateSet
The enforce policy date...is set for the volume

32: EnforcePolicyDateCleared
The enforce policy date...has been cleared for the volume.

33: TpmLockOutResetSucceeded
Successfully reset TPM lockout.

35: TpmOwnerAuthRetrievalSucceeded
Successfully retrieved TPM OwnerAuth from MBAM services.

39: RemovableDriveMounted
Removable drive was mounted.

40: RemovableDriveDismounted
Removable drive was unmounted.

41: FailedToEnactEndpointUnreachable
Failure to connect to the MBAM Recovery and Hardware service prevented BitLocker
management policies from being applied successfully to the volume.

42: FailedToEnactLockedVolume
Locked volume state prevented BitLocker management policies from being applied
successfully to the volume.

43: TransferStatusDataFailedEndpointUnreachable
Failure to connect to the MBAM Compliance and Status service prevented the transfer of
encryption status data.
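
The following script is an added example, not part of the Configuration Manager documentation. It pulls recent error events from the client Admin channel and labels each with the event name and, where the message carries one, the error code and the explanation this page gives for it, so a helpdesk engineer sees "18 CoreServiceDown" and the HTTPS/PKI hint instead of a bare ID. The channel name Microsoft-Windows-MBAM/Admin is the one used by the export commands in BitLocker event logs; the lookback window, the regular expression used to find the error code, and the function name are choices made here.

```powershell
# Added example (not from the Configuration Manager documentation). Summarises
# MBAM client Admin-channel errors using the event IDs and error codes listed on
# this page. ASSUMPTIONS: the 'Error code: <n>' text layout in the message, the
# default 24-hour window and the function name are choices made here.

# Admin-channel error event IDs and names from this page
$clientAdminEvents = @{
    2  = 'VolumeEnactmentFailed'
    4  = 'TransferStatusDataFailed'
    8  = 'SystemVolumeNotFound'
    9  = 'TPMNotFound'
    12 = 'HWCheckFailed'
    15 = 'UserExemptionCheckFailed'
    17 = 'TPMInitializationFailed'
    18 = 'CoreServiceDown'
    20 = 'PolicyMismatch'
    21 = 'ConflictingOSVolumePolicies'
    22 = 'ConflictingFDDVolumePolicies'
    27 = 'EncryptionFailedNoDra'
    34 = 'TpmLockOutResetFailed'
    36 = 'TpmOwnerAuthRetrievalFailed'
    37 = 'WmiProviderDllSearchPathUpdateFailed'
    38 = 'TimedOutWaitingForWmiProvider'
}

# Error codes this page documents, with the cause or remediation it gives
$errorCodeHints = @{
    -2144272219 = 'Used Space Only encryption on thin-provisioned storage: VM running Windows 10 version 1803 or earlier'
    -2147024774 = 'Data area passed to a system call is too small: restart the computer'
    -2147024809 = 'Parameter is incorrect: recovery service is not HTTPS, or the client has no PKI certificate'
}

function Get-MbamClientErrorSummary {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-MBAM/Admin'
        Id        = [int[]]$clientAdminEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Extract an "Error code: -2144272219" style value from the message, if present.
        # HRESULT-style codes fit in Int32, which keeps hashtable lookups consistent.
        $code = $null
        if ($_.Message -match 'Error code:\s*(-?\d+)') { $code = [int]$Matches[1] }
        $hint = ''
        if ($null -ne $code -and $errorCodeHints.ContainsKey($code)) { $hint = $errorCodeHints[$code] }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Name        = $clientAdminEvents[$_.Id]
            ErrorCode   = $code
            Hint        = $hint
        }
    }
}

# Last three days of client errors, newest first
Get-MbamClientErrorSummary -Hours 72 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Run it on the client itself, or wrap the call in Invoke-Command to collect from several machines; events whose ID is not in the table (the Operational channel's informational events, for example) are deliberately left out so the output is only what needs attention.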

See also
For more information on using these logs, see BitLocker event logs.

For more troubleshooting information, see Troubleshoot BitLocker.

Server event logs
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the Windows Event Viewer to view event logs for the following BitLocker
management server components in Configuration Manager:

Recovery service on the management point
Self-service portal
Administration and monitoring website

On a server hosting one or more of these components, open the Event Viewer. Then go
to Applications and Services Logs, Microsoft, Windows, and expand MBAM-Web. By
default, there are Admin and Operational event logs.

The following sections contain messages and troubleshooting information for event IDs
that can occur with the BitLocker management server components.

Admin

1: WebAppSpnError
Application: {SiteName}{VirtualDirectory} is missing the following Service Principal
Names (SPNs):{ListOfSpns} Register the required SPNs on the account:
{ExecutionAccount}.

For integrated Windows Authentication to succeed, necessary SPNs need to be in place.
This message indicates that the SPN required for the application isn't correctly
configured. Details contained in this event should provide more information.

100: AdminServiceRecoveryDbError
Possible error messages:

GetMachineUsers: An error occurred while getting user information from the
database.
GetRecoveryKey: an error occurred while getting recovery key from the database.
GetRecoveryKey: an error occurred while getting user information from the
database.
GetRecoveryKeyIds: an error occurred while getting recovery key Ids from the
database.
GetTpmHashForUser: An error occurred while getting TPM hash data from the
recovery database.
QueryDriveRecoveryData: An error occurred while getting drive recovery data from
the database.
QueryRecoveryKeyIdsForUser: An error occurred while getting recovery key Ids
from the database.
QueryVolumeUsers: An error occurred while getting user information from the
database.

This message is logged whenever there's an exception while communicating with the
recovery database. Read through the information contained in the trace to get specific
details about the exception.

101: AdminServiceComplianceDbError
Possible error messages:

GetRecoveryKey: An error occurred while logging an audit event to the compliance
database.
GetRecoveryKeyIds: An error occurred while logging an audit event to the
compliance database.
GetTpmHashForUser: An error occurred while logging an audit event to the
compliance database.
QueryRecoveryKeyIdsForUser: An error occurred while logging an audit event to
the compliance database.
QueryDriveRecoveryData: An error occurred while logging an audit event to the
compliance database.

This message is logged whenever there's an exception while communicating with the
compliance database. Read through the information contained in the trace to get
specific details about the exception.

102: AgentServiceRecoveryDbError
This message indicates an exception when the service tries to communicate with the
recovery database. Read through the message contained in the event to get specific
information about the exception.

Verify that the MBAM app pool account has required permissions to connect to the
recovery database.

103: AgentServiceError
Possible error messages:

Unable to detect client machine account or data migration user account.

Whenever a call is made to the PostKeyRecoveryInfo, IsRecoveryKeyResetRequired,
CommitRecoveryKeyRest, or GetTpmHash web methods, it retrieves the caller context
to obtain caller credentials. If the caller context is null or empty, the service logs
this message.

Account verification failed for caller identity.

This message is logged if the web method is expecting the caller to be a computer
account and it's not. It can also be caused if the web method is expecting the caller
to be a user account, and it's not a user account or a member of a data migration
group account.

104: StatusServiceComplianceDbConfigError
The compliance database connection string in the registry is empty.

This message is logged whenever the compliance db connection string is invalid. Verify
the value at the registry key HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString.

105: StatusServiceComplianceDbError
This error indicates that the websites or web services were unable to connect to the
compliance database. Verify that the IIS app pool account can connect to the database.

106: HelpdeskError
Known errors and possible causes:

The request to URL caused an internal error.

An unhandled exception was raised in the application for the administration and
monitoring website (helpdesk). Review the log entries in the Admin event log to
find the specific exception.

An error occurred while obtaining execution context information. Unable to verify
Service Principal Name (SPN) registration.

During the initial helpdesk website load operation, it checks the SPN. To verify the
SPN, it requires account information, IIS Sitename, and ApplicationVirtualPath
corresponding to the helpdesk website. It logs this error message when one or
more of these attributes are invalid or missing.

An error occurred while verifying Service Principal Name (SPN) registration.

This message indicates that a security exception is thrown when verifying the SPN.
Refer to the exception contained in the event details.

107: SelfServicePortalError
Known errors and possible causes:

An error occurred while getting recovery key for a user

Indicates that an unexpected exception was thrown when a request was made to
retrieve a recovery key. Refer to the exception message in the event details. If
tracing is enabled on the helpdesk app, refer to trace data to obtain detailed
exception messages.

An error occurred while obtaining execution context information. Unable to verify
Service Principal Name (SPN) registration

During an initial load operation, the self-service portal retrieves account
information, IIS Sitename, and ApplicationVirtualPath for the self-service website to
verify the SPN. This error message is logged when one or more of these attributes
are invalid.

An error occurred while verifying Service Principal Name (SPN) registration.
EventDetails:{ExceptionMessage}

This message indicates that a security exception was thrown while verifying the
SPN. Refer to the exception contained in the event details.

108: DomainControllerError
Known errors and possible causes:

An error occurred while resolving domain name {DomainName}, a memory
allocation failure occurred.

To resolve the domain name, it calls the DsGetDcName Windows API. This message is
logged when this API returns ERROR_NOT_ENOUGH_MEMORY, which indicates a memory
allocation failure.

Could not invoke DsGetDcName method

This message indicates that the DsGetDcName API is unavailable on the host.

109: WebAppRecoveryDbError
Known errors and possible causes:

An error occurred while reading the configuration of the Recovery database. The
connection string to the Recovery database is not configured.

This message indicates that the recovery database connection string information at
HKLM\Software\Microsoft\MBAM Server\Web\RecoveryDBConnectionString is invalid.
Verify the given registry key value.

If you see any of the following messages, verify whether the app pool credentials from
the IIS server can make a connection to the recovery database:

DoesUserHaveMatchingRecoveryKey: an error occurred while getting recovery key
Ids for a user.
QueryDriveRecoveryData: an error occurred while getting drive recovery data.
QueryRecoveryKeyIdsForUser: an error occurred while getting recovery key Ids for
a user.
An error occurred while getting TPM password hash from the Recovery database.

110: WebAppComplianceDbError
Known errors and possible causes:

An error occurred while reading the configuration of the Compliance database. The
connection string to the Compliance database is not configured.

This message indicates that the compliance database connection string information at
HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString is invalid.
Verify the value of this registry key.

If you see any of the following messages, verify whether the app pool credentials from
the IIS server can make a connection to the compliance database:

GetRecoveryKeyForCurrentUser: an error occurred while logging an audit event to
the Compliance database.
QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to
the Compliance database.

111: WebAppDbError
These errors indicate one of the following two conditions:

MBAM websites/webservices were unable to connect to the compliance or
recovery database.
MBAM websites/webservices execution account (app pool account) could not run
the GetVersion stored procedure on the compliance or recovery database.

The message contained in the event provides more details about the exception.

Verify that the app pool account can connect to the compliance or recovery databases.
Confirm that it has permissions to run the GetVersion stored procedure.

112: WebAppError
An error occurred while verifying Service Principal Name (SPN) registration.

To verify the SPN, it queries Active Directory to retrieve the list of SPNs mapped to the
execution account. It also queries the ApplicationHost.config to get the website bindings.
This error message indicates that it couldn't communicate with Active Directory, or it
couldn't load the ApplicationHost.config file.

Verify that the app pool account has permissions to query Active Directory or the
ApplicationHost.config file. Also verify the site binding entries in the
ApplicationHost.config file.

Operational

4: PerformanceCounterError
An error occurred while retrieving a performance counter.

The trace message contains the actual exception message, some of which are listed
here:

ArgumentNullException: This exception is thrown if the category, counter, or
instance of the requested performance counter is invalid.
System.InvalidOperationException: thrown in cases such as the following:
categoryName is an empty string ("").
counterName is an empty string ("").
The read/write permission setting requested is invalid for this counter.
The category specified does not exist (if readOnly is true).
The category specified is not a .NET Framework custom category (if readOnly is
false).
The category specified is marked as multi-instance and requires the performance
counter to be created with an instance name.
instanceName is longer than 127 characters.
categoryName and counterName have been localized into different languages.
System.ComponentModel.Win32Exception: An error occurred when accessing a
system API.
System.UnauthorizedAccessException: Code that is executing without
administrative privileges attempted to read a performance counter.

The message in the event provides more details on the exception.

For the System.UnauthorizedAccessException , verify that the app pool account has
access to performance counter APIs.

200: HelpDeskInformation
The administration website application successfully found and connected to a supported
version of the recovery/compliance database.

Indicates successful connection to the recovery or compliance database from the
helpdesk website.

201: SelfServicePortalInformation
The self-service portal application successfully found and connected to a supported
version of the recovery/compliance database.

Indicates successful connection to the recovery or compliance database from the self-
service portal.

202: WebAppInformation
Application has its SPNs registered correctly.

Indicates that the SPNs required for the helpdesk website are correctly registered
against the executing account.
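
The following script is an added example, not part of the Configuration Manager documentation. It checks the configuration that Admin-channel events 1, 104, 109, 110 and 112 above point at (the two connection-string registry values the page names, and the HTTP SPNs registered on the execution account) and then lists any of those events from the last day, so a server-side report and the events that explain it come out together. Assumptions made here: the IIS application pool name is a placeholder you must replace; the app pool identity is taken as the execution account, falling back to the computer account for built-in identities; and the channel name Microsoft-Windows-MBAM-Web/Admin is inferred from the Event Viewer path the page gives (Microsoft > Windows > MBAM-Web > Admin).

```powershell
# Added example (not from the Configuration Manager documentation). Health check
# for the BitLocker management web components, driven by the event IDs on this
# page. ASSUMPTIONS: the application pool name is a placeholder, the app pool
# identity is treated as the execution account (computer account for built-in
# identities), and the channel name 'Microsoft-Windows-MBAM-Web/Admin' is
# inferred from the Event Viewer path given on the page.

function Test-MbamWebServerConfig {
    param([string]$AppPoolName = 'REPLACE-WITH-MBAM-APP-POOL-NAME')

    $regPath = 'HKLM:\Software\Microsoft\MBAM Server\Web'
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Database connection strings: the registry values events 104, 109 and 110 refer to
    foreach ($valueName in 'RecoveryDBConnectionString', 'ComplianceDBConnectionString') {
        $value = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ([string]::IsNullOrWhiteSpace($value)) {
            $status = 'MISSING'
            $detail = "$regPath\$valueName is empty or absent"
        } else {
            $status = 'present'
            # Mask any embedded SQL password before the string goes into a report
            $detail = $value -replace '(?i)password=[^;]*', 'Password=***'
        }
        $results.Add([pscustomobject]@{ Check = $valueName; Status = $status; Detail = $detail })
    }

    # 2. HTTP SPNs on the execution account (events 1 and 112). setspn -L lists the SPNs
    #    registered on an account. Built-in app pool identities authenticate as the
    #    computer account, so the SPN must be on that account instead.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $pool = Get-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -ErrorAction SilentlyContinue
    if ($pool) {
        $account = $pool.processModel.userName
        if ([string]::IsNullOrWhiteSpace($account)) { $account = "$($env:COMPUTERNAME)`$" }
        $spnOutput = & setspn.exe -L $account 2>&1
        $httpSpns = @($spnOutput | Where-Object { $_ -match '^\s*HTTP/' })
        $status = if ($httpSpns.Count -gt 0) { 'present' } else { 'NO HTTP SPN' }
        $results.Add([pscustomobject]@{ Check = "HTTP SPNs on $account"; Status = $status; Detail = ($httpSpns -join '; ') })
    } else {
        $results.Add([pscustomobject]@{ Check = 'App pool identity'; Status = 'UNKNOWN'; Detail = "Application pool '$AppPoolName' not found" })
    }

    # 3. The Admin-channel events that correspond to those checks, last 24 hours
    $filter = @{
        LogName   = 'Microsoft-Windows-MBAM-Web/Admin'
        Id        = 1, 104, 109, 110, 112
        StartTime = (Get-Date).AddDays(-1)
    }
    $events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $summary = ($events | Select-Object -First 5 | ForEach-Object { "$($_.Id) at $($_.TimeCreated)" }) -join '; '
    $results.Add([pscustomobject]@{ Check = 'MBAM-Web Admin events (24h)'; Status = "$($events.Count) found"; Detail = $summary })

    return $results
}

Test-MbamWebServerConfig -AppPoolName 'REPLACE-WITH-MBAM-APP-POOL-NAME' | Format-Table -AutoSize -Wrap
```

Run it elevated on the server that hosts the component, since reading the app pool configuration and the Admin channel needs local administrator rights; a MISSING connection string or NO HTTP SPN row tells you which of the events above to expect before you open Event Viewer.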

See also
For more information on using these logs, see BitLocker event logs.

For more troubleshooting information, see Troubleshoot BitLocker.

For more information on installing these websites, see Set up BitLocker reports and
portals.

Non-compliance codes
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

WMI on the client provides the following non-compliance codes, which describe the
reasons why a particular device reports as non-compliant.

There are various methods to view WMI. For example, use the following PowerShell
command:

PowerShell

(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance

Tip

If the device is compliant, this command doesn't return anything.

You can also check the Compliant attribute of this class, which is 1 if the device is
compliant.

Non-compliance code   Reason for non-compliance

0    Cipher strength not AES 256.
1    BitLocker policy requires this volume to be encrypted, but it isn't.
2    BitLocker policy requires this volume to not be encrypted, but it is.
3    BitLocker policy requires this volume use a TPM protector, but it doesn't.
4    BitLocker policy requires this volume use a TPM+PIN protector, but it doesn't.
5    BitLocker policy doesn't allow non-TPM machines to report as compliant.
6    Volume has a TPM protector, but the TPM isn't visible.
7    BitLocker policy requires this volume use a password protector, but it doesn't have one.
8    BitLocker policy requires this volume not use a password protector, but it has one.
9    BitLocker policy requires this volume use an auto-unlock protector, but it doesn't have one.
10   BitLocker policy requires this volume not use an auto-unlock protector, but it has one.
11   BitLocker detects a policy conflict, which prevents it from reporting this volume as compliant.
12   A system volume is needed to encrypt the OS volume, but it isn't present.
13   Protection is suspended for the volume.
14   Auto-unlock protector is unsafe unless the OS volume is encrypted.
15   Policy requires a minimum cipher strength of XTS-AES-128 bit; the actual cipher strength is weaker.
16   Policy requires a minimum cipher strength of XTS-AES-256 bit; the actual cipher strength is weaker.
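
The following script is an added example, not part of the Configuration Manager documentation. It reads the mbam_Volume instances the page describes and translates ReasonsForNoncompliance into the reasons from the table above, so a non-compliant device can be triaged without looking each code up by hand. It uses Get-CimInstance where the page's one-liner uses Get-WmiObject; the class name, namespace and the Compliant and ReasonsForNoncompliance properties come from the page, while the -SampleData switch (with constructed volumes for running offline), the function name and the output layout are assumptions made here.

```powershell
# Added example (not from the Configuration Manager documentation). Maps the
# non-compliance codes of each mbam_Volume instance to the reasons in the table.
# ASSUMPTIONS: -SampleData returns constructed volumes for offline use; the
# function name and output columns are choices made here.

# Non-compliance codes and reasons, as listed on this page
$noncomplianceReasons = @{
    0  = 'Cipher strength not AES 256.'
    1  = 'Policy requires this volume to be encrypted, but it is not.'
    2  = 'Policy requires this volume to not be encrypted, but it is.'
    3  = 'Policy requires a TPM protector, but the volume has none.'
    4  = 'Policy requires a TPM+PIN protector, but the volume has none.'
    5  = 'Policy does not allow non-TPM machines to report as compliant.'
    6  = 'Volume has a TPM protector, but the TPM is not visible.'
    7  = 'Policy requires a password protector, but the volume has none.'
    8  = 'Policy requires no password protector, but the volume has one.'
    9  = 'Policy requires an auto-unlock protector, but the volume has none.'
    10 = 'Policy requires no auto-unlock protector, but the volume has one.'
    11 = 'Policy conflict prevents reporting this volume as compliant.'
    12 = 'A system volume is needed to encrypt the OS volume, but it is not present.'
    13 = 'Protection is suspended for the volume.'
    14 = 'Auto-unlock protector is unsafe unless the OS volume is encrypted.'
    15 = 'Policy requires at least XTS-AES-128; actual cipher strength is weaker.'
    16 = 'Policy requires at least XTS-AES-256; actual cipher strength is weaker.'
}

function Get-MbamVolumeCompliance {
    param([switch]$SampleData)

    if ($SampleData) {
        # Constructed offline sample: one compliant volume, one suspended volume with a
        # weak cipher, and one that is missing the required TPM protector.
        $volumes = @(
            [pscustomobject]@{ Compliant = 1; ReasonsForNoncompliance = @() },
            [pscustomobject]@{ Compliant = 0; ReasonsForNoncompliance = @(13, 15) },
            [pscustomobject]@{ Compliant = 0; ReasonsForNoncompliance = @(1, 3) }
        )
    } else {
        # Live query of the class the page documents (same data as the Get-WmiObject one-liner)
        $volumes = Get-CimInstance -Namespace 'root\microsoft\mbam' -ClassName 'mbam_Volume'
    }

    foreach ($v in $volumes) {
        $codes = @($v.ReasonsForNoncompliance)
        # Unknown codes (a newer client than this table) are reported rather than dropped
        $reasons = $codes | ForEach-Object {
            if ($noncomplianceReasons.ContainsKey([int]$_)) { $noncomplianceReasons[[int]$_] }
            else { "Unknown code $_" }
        }
        [pscustomobject]@{
            Compliant = ([int]$v.Compliant -eq 1)
            Codes     = ($codes -join ',')
            Reasons   = ($reasons -join ' | ')
        }
    }
}

# Offline demonstration with the constructed volumes; drop -SampleData on a managed client
Get-MbamVolumeCompliance -SampleData | Format-Table -AutoSize -Wrap
```

On a compliant device the live query returns volumes whose Codes column is empty, matching the Tip above that the page's one-liner prints nothing in that case.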
