Automatically Revert Real-Time Protection Settings (Endpoint Protection)

Version: SCCM 2012 R2 CU2

Endpoint Protection policies offer “Real-time Protection Settings” in the client user interface. These settings can be locked down using the policy option “Allow users on client computers to configure real-time protection settings”. If set to “Yes”, the user is allowed to change the configuration; setting it to “No” prevents any changes.

[Screenshots: Real-time Protection Settings in the Endpoint Protection client user interface]

When users are allowed to change the configuration, their changes persist indefinitely. Unfortunately, Endpoint Protection policies do not offer the flexibility to temporarily allow the user to alter real-time protection settings and then revert to a desired configuration state or baseline after some time. There is no policy that reverts the settings to the original configuration. This is where Compliance Settings can be helpful.

Before leveraging Compliance Settings, it is important to first identify the registry values that make up these real-time protection settings on Endpoint Protection clients. They live under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection

The following maps each registry DWORD value to its setting in the client interface.

DisableRealtimeMonitoring – Turn on real-time protection
DisableIOAVProtection – Scan all downloads
DisableOnAccessProtection – Monitor file and program activity on your computer
RealTimeScanDirection – (Dropdown menu)
DisableBehaviorMonitoring – Enable behavior monitoring
DisableIntrusionPreventionSystem – Enable Network Inspection System

Note: These registry values may be missing initially on client machines if the settings are still at their defaults and have never been modified. Once the baseline is enforced using Compliance Settings, these registry values will be created.

Creating Configuration Items

Using Compliance Settings, the idea is to create a Configuration Item for each registry value. The following illustrates one example, for “DisableRealtimeMonitoring”; repeat the same steps to create a Configuration Item for each of the other registry values.

[Screenshots: creating the Configuration Item for DisableRealtimeMonitoring]

After Configuration Items are created for all 6 registry values, a Baseline should be created that includes them. The Baseline is then deployed to a collection consisting of Endpoint Protection clients.

Please note that the deployment has an option to remediate the registry values, along with a schedule for when remediation runs.
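As an added example (not part of the original post or of Configuration Manager itself), the following PowerShell script does locally what the six Configuration Items and the baseline's remediation option do centrally: it reads the registry values mapped above and reports which ones have drifted, and can write the expected DWORDs back. The baseline values in `$Baseline` are an assumption (0 means the feature is enabled; 0 for RealTimeScanDirection is assumed to mean both directions); adjust them to whatever your Configuration Items enforce. The function names `Test-RealTimeProtectionBaseline` and `Restore-RealTimeProtectionBaseline` are hypothetical, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Audits the Real-Time Protection
# registry values the article maps to the client UI and optionally restores
# an assumed baseline. Run in an elevated prompt.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection'

# ASSUMED baseline: every feature enabled. 0 = not disabled for the Disable*
# values; RealTimeScanDirection 0 is assumed to mean scan incoming and outgoing.
$Baseline = [ordered]@{
    DisableRealtimeMonitoring        = 0   # Turn on real-time protection
    DisableIOAVProtection            = 0   # Scan all downloads
    DisableOnAccessProtection        = 0   # Monitor file and program activity
    RealTimeScanDirection            = 0   # Dropdown menu (assumed: both directions)
    DisableBehaviorMonitoring        = 0   # Enable behavior monitoring
    DisableIntrusionPreventionSystem = 0   # Enable Network Inspection System
}

function Test-RealTimeProtectionBaseline {
    # Returns one object per registry value: Name, Expected, Actual, Compliant.
    # A value that does not exist yet (see the note in the article) is reported
    # with Actual = $null and treated as non-compliant, so remediation creates it.
    [CmdletBinding()]
    param(
        [string]$Path = $KeyPath,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    # Returns $null when the key itself is missing (defaults never modified).
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($null -ne $current -and $null -ne $current.PSObject.Properties[$name]) {
            $actual = [int]$current.$name
        }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Restore-RealTimeProtectionBaseline {
    # Writes the expected DWORD for every non-compliant value, creating the key
    # if it is missing. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $KeyPath,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }

    foreach ($item in (Test-RealTimeProtectionBaseline -Path $Path -Expected $Expected)) {
        if ($item.Compliant) { continue }
        $target = "$Path\$($item.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($item.Expected)")) {
            # -Force overwrites an existing value; -PropertyType DWord matches the
            # data type the Configuration Items use for these values.
            New-ItemProperty -Path $Path -Name $item.Name -Value $item.Expected `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage (elevated):
#   Test-RealTimeProtectionBaseline | Format-Table -AutoSize
#   Restore-RealTimeProtectionBaseline -WhatIf
#   Restore-RealTimeProtectionBaseline
```

This is useful for spot-checking a client or for confirming what the baseline will change before its first scheduled remediation; it is not a replacement for the deployed baseline, which is what re-applies the values on a schedule after a user has changed them. Note also that on newer Windows Defender builds tamper protection can block direct writes to these values, in which case the same settings should be managed through the antimalware policy rather than the registry.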