When I said they are not configured, I meant turned off. The policy applies fine and has higher priority than default antimalware policy.
I've deselected all of the sources, yet shortly after 2 am, client reaches out to Microsoft Update and grabs latest definitions. I think it's using fallback source defined here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\FallbackOrder
Is it ok to modify that key? Permissions are stripped down on that key and I'm sure it is for a reason.
Policy in SCCM for definition updates is configured as follows:
Client gets updates at 2 am as configured. Because I have to use either interval or fixed time, timing adds up.
I thought that deselecting all sources of updates would prevent the client from getting anything, but it doesn't.
Is there a "nice" way of telling client to stop updating definitions?
Thanks for any feedback.