Re: VMWare OSOT and AMP

Nijkerk · ‎03-31-2021

In our VMware Horizon 8.1 environment with Windows 10 20H2 linked clones we are implementing AMP for Endpoints.

The installation with the Identity Persistence (setup.exe /R /S /goldenimage 1) works fine. Also the Ubuntu Local AMP update server works well.

When I generate a new golden image for our linked clones, the last step is to use the VMwareOSOptimizationTool 2020 (b2001) to finalize it all.

After this finalize and roll out a Horizon Desktop Pool with linked clones, AMP is loaded, the AMP policy's are in place, TETRA is loaded, but the Microsoft Antimalware services is not stopped. If I go to Settings->Update and Security->Windows Security->Virus & Threat Protection there is not the menu/app from Cisco AMP. Everything stays on Microsoft. Does anyone know what are the right settings in VMwareOSOptimizationTool so Microsoft Defender / Antimalware is taken over by AMP?

Troja007 · ‎04-06-2021

Hello,

Cisco Secure Endpoint does not change any settings for the Window Defender product. After the endpoint gets installed and the Signatures are updated, the connectore registers to the Windows Security Center and should be shown there.

To stop the Microsort Antimalware Service you may generate the right GPO settings.

Greetings,
Thorsten

Nijkerk · ‎04-07-2021

Hi Thorsten,

I thought too that was the solution but unfortunately it's not possible with a GPO or local registry settings because of it's own anti-tamper protection.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection

and

https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#465

If I don't use the VMWare OSOT tooling then AMP is taken over Microsoft Defender Antivirus, but to roll out a Horizon Desktop (Windows10 20H) without optimisation is a no go.