Microsoft Case ID: [Case #:24522893] - TrackingID#120121125002133.

While troubleshooting on the case we noticed that Windows Defender was performing 2 WMI queries through SCCM every minute, even when Defender was disabled on the system. These queries generate about 70.000 events (detected via procmon) related to the registry every minute.

The cause of the query is ccmexec.exe
The queries are (detected via procdump):
select * from _instancecreationevent within 60 where targetinstance isa "win32service" and ( targetinstance.name="msmpsvc" or targetinstance.name="windefend")

select * from _instancemodificationevent within 60 where targetinstance isa "win32service" and targetinstance.state="running" and ( targetinstance.name="msmpsvc" or targetinstance.name="windefend")

Antivirus scans those actions (as any Antivirus program does), and as a result the CPU usage caused by these WMI queries was multiplied.
 
These queries cannot be disabled, while it was confirmed by Microsoft that these queries are not required in case an external thirdparty antivirus program is being used.
 
The advised approach was to try to minimize the amplification by Antivirus, which indeed added a positive impact. Detailed tuning of the antivirus policy with a focus in these WMI queries resulted in a reduction of the amplification.

It was agreed that this solution is an acceptable work around. And for the WMI Queries to be disabled, we already have a Design change request in place with SCCM Team to take this into consideration and validate if this could be resolved in upcoming versions. I was advised to raise this issue in the Microsoft User Voice in order to gain support for this Design change request.

See process explorer printscreen:

Currently, internet-based clients are able to receive BitLocker Management Policies via IBCM but are unable to contact the Recovery Service. I have found that this is due to the MBAM Agent looking for the CurrentManagementPoint in WMI at ROOT\ccm:SMS_Authority.Name="SMS:<SiteCode>".

It is possible to trick” the MBAM Agent into using the internet-based MP by adding the IBCM FQDN into the MP property at ROOT\ccm\LocationServices:SMS_MPInformation.MP="<IBCM FQDN>". This allows the agent to successfully find the Recovery Service MP and communicate!

I am aware that there may be more to it than just facilitating this communication but wanted to at least share that achieving this communication is easily done and would make BitLocker Management for internet-based clients available.

Attached is a brief doc which explains why I even care about BL Mgmt w/ IBCM and a brief description on how I came to find the solution for Recovery Service communication.

Currently, when "Suspend BitLocker PIN entry on restart" is set to Always, if the user initiates the restart Bitlocker PIN entry will not be suspended. This makes sense if we assume that the user is sitting at their computer when they trigger the restart. Unfortunately, due to COVID-19, we currently have many users accessing their onprem computers via RDP. If ConfigMgr prompts them to reboot and they click reboot over RDP, there computer will reboot and prompt for PIN entry, requiring the user to physically go in to the office and enter the PIN.

Bitlocker Network Unlock would likely be the best way to address this issue. This option requires additional infrastructure to be built.

One way to address this would be to rename the current "Always" option to "If User Not Present". Then, add a new option that will always suspend PIN entry for reboots initiated by the ConfigMgr client.

Post the Upgrade of SCCM version to 2010, We do not see "Endpoint protection Definition Update Date and Time" / "Antivirus Signature Update Date and Time" option and it is missing in the SCCM Defender Console.
With this option we used to measure our daily compliance, Though we have Signature versions, that it gets multiple release in a single day it is very difficult for us track with SIngature versions, rather we use the date and time of the signature gets downloaded and reported to the endpoints.
Without this option we are totally unable to perform any of our daily/weekly compliance measurements.
Please have this options added/enabled back as it is crucial for our job. Additionally, this option is not available in Intune also. So our SCCM to Intune AV workload migration is put on hold. With SCCM atleast we can manually run the script to download the reports, but with Intune, it is impossible.
Please raise emergency request on this and update this at the earliest as we are o terrible business failure