Microsoft Case ID: [Case #:24522893] - TrackingID#120121125002133.

While troubleshooting on the case we noticed that Windows Defender was performing 2 WMI queries through SCCM every minute, even when Defender was disabled on the system. These queries generate about 70.000 events (detected via procmon) related to the registry every minute.

The cause of the query is ccmexec.exe
The queries are (detected via procdump):
select * from _instancecreationevent within 60 where targetinstance isa "win32service" and ( targetinstance.name="msmpsvc" or targetinstance.name="windefend")

select * from _instancemodificationevent within 60 where targetinstance isa "win32service" and targetinstance.state="running" and ( targetinstance.name="msmpsvc" or targetinstance.name="windefend")

Antivirus scans those actions (as any Antivirus program does), and as a result the CPU usage caused by these WMI queries was multiplied.
 
These queries cannot be disabled, while it was confirmed by Microsoft that these queries are not required in case an external thirdparty antivirus program is being used.
 
The advised approach was to try to minimize the amplification by Antivirus, which indeed added a positive impact. Detailed tuning of the antivirus policy with a focus in these WMI queries resulted in a reduction of the amplification.

It was agreed that this solution is an acceptable work around. And for the WMI Queries to be disabled, we already have a Design change request in place with SCCM Team to take this into consideration and validate if this could be resolved in upcoming versions. I was advised to raise this issue in the Microsoft User Voice in order to gain support for this Design change request.

See process explorer printscreen:

Post the Upgrade of SCCM version to 2010, We do not see "Endpoint protection Definition Update Date and Time" / "Antivirus Signature Update Date and Time" option and it is missing in the SCCM Defender Console.
With this option we used to measure our daily compliance, Though we have Signature versions, that it gets multiple release in a single day it is very difficult for us track with SIngature versions, rather we use the date and time of the signature gets downloaded and reported to the endpoints.
Without this option we are totally unable to perform any of our daily/weekly compliance measurements.
Please have this options added/enabled back as it is crucial for our job. Additionally, this option is not available in Intune also. So our SCCM to Intune AV workload migration is put on hold. With SCCM atleast we can manually run the script to download the reports, but with Intune, it is impossible.
Please raise emergency request on this and update this at the earliest as we are o terrible business failure

Currently with MBAM integration, the only exception is for the whole device to be excluded. We have certain USB devices (scanners/cameras/medical equipment) that is seen as USB mass storage and therefore encryption is required along with some users who have legitimit business reasons to not need to encrypt USB devices. We still require the HDD to be encrypted but allow the USB to be excluded.
We have our current GPO based bitlocker set with the USB encryption in a seperate policy so it can be excluded by devices in an AD group to allow these scenarios. Currently this prohibits moving to SCCM/MBAM as we cannot allow these devices to work.

Currently, internet-based clients are able to receive BitLocker Management Policies via IBCM but are unable to contact the Recovery Service. I have found that this is due to the MBAM Agent looking for the CurrentManagementPoint in WMI at ROOT\ccm:SMS_Authority.Name="SMS:<SiteCode>".

It is possible to trick” the MBAM Agent into using the internet-based MP by adding the IBCM FQDN into the MP property at ROOT\ccm\LocationServices:SMS_MPInformation.MP="<IBCM FQDN>". This allows the agent to successfully find the Recovery Service MP and communicate!

I am aware that there may be more to it than just facilitating this communication but wanted to at least share that achieving this communication is easily done and would make BitLocker Management for internet-based clients available.

Attached is a brief doc which explains why I even care about BL Mgmt w/ IBCM and a brief description on how I came to find the solution for Recovery Service communication.