Solved

Why is System Center Endpoint Protection 2012 SP1 inconsistent in applying antimalware policies?

Posted on 2013-06-14
Last Modified: 2013-07-13
Folks -

I've recently created a new Client Settings Profile and Antimalware Policy within SCCM 2012 SP1.  I've created a collection with test machines (including some XP clients and some Windows 7 clients).  I deployed the Client Settings and Antimalware Policy to that collection.  My old antivirus software (Forefront Client Security) was removed and SCEP 2012 SP1 was laid down in its place.

The installation went fine on all my test machines; however, I'm noticing significant inconsistencies in the application of the antimalware policy.

Here are some bullet points of inconsistency:
- SCEP on Windows 7 machines does not receive the file extension or file path exclusion lists.

- The "Disable the client user interface" setting does not dynamically apply.  Only the setting that existed upon the client's first install takes effect.  If you change this later in the antimalware policy, the client UI will not reappear/disappear.

- If real-time protection is turned off by an administrator on the client (by unchecking it and providing a credential through the UAC prompt), it will never get reenabled even though it is required by the Antimalware Policy.

Has anyone else seen this?  Am I looking at an extremely buggy client?  Or am I missing something?  There's more to the list but these are some examples I found within only 30 minutes of testing.

The latest April 2013 update for the client (KB 2831316) has been distributed via our WSUS infrastructure and makes no difference to these items.
Question by:amendala
 
LVL 4

Expert Comment

by:TechOps07
ID: 39248599
I came across this as well during my lab testing of SCCM 2012 with Endpoint. I realized that the policy will take effect within 24 hrs unless you force a policy update via the Configuration Manager option in Control Panel on the target machine.

If you think about it, that would be normal: as you make the changes on the server for the said policy, it will take a while for all the clients to report to the SCCM for any changes in policies.
0
 

Author Comment

by:amendala
ID: 39248772
Unfortunately, that isn't my experience.  The SCEP clients I've deployed have been active for over a week.

I know policy is updating as some features work, but the fact that some work and some don't bothers me.  I'm very close to opening a Premier case with Microsoft.

It just doesn't make sense that some policy attributes work, some don't, and of all things, some don't work on Windows 7 but they work on XP.  Wow.  :)
0
 
LVL 4

Expert Comment

by:TechOps07
ID: 39248937
That is very odd, needless to say. I wish I had an answer for you in this case, but the only thing I can think of is conflicting policies, but they are labeled by priority so that cannot be the case.

If you find a solution, please post back on here because I am very curious about why and how this occurred.
0
 

Author Comment

by:amendala
ID: 39249105
I'll post back when I know something.  These machines had FCS on them before, which obtains its settings via GPO.  I'm wondering if tattooed GPO settings from the prior AV client, which obviously carries the same executable name (msmpeng.exe), implying significant similarity, are part of the problem.

I denied application of the FCS GPO to my workstation and allowed numerous SCCM policy refresh cycles to pass with no difference in behavior.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39308000
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 

 

Accepted Solution

by:
amendala earned 0 total points
ID: 39308001
I have determined the cause of this problem.

SCEP relies on Local Group Policy Processing in order to apply its policy settings.  In organizations that have deployed a domain-global GPO to disable Local Group Policy Processing, such as my own, SCEP policy settings cannot be properly compiled and applied.

Upon removing this global GPO setting from all computers in my domain, SCEP began accurately and consistently applying policy.
0
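
A quick client-side check for the condition described in the accepted solution, as an added example that is not part of the original thread. The registry locations are assumptions rather than values from the thread: `DisableLGPOProcessing` is the value behind the "Turn off Local Group Policy Objects processing" policy, and `Microsoft Antimalware` under the Policies hive is where SCEP policy settings are expected to land.

```powershell
# Added example (not from the thread). Run elevated on a SCEP client.
# Registry paths below are assumptions; adjust them if your build differs.
$lgpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$scepKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-ValueCount {
    param([string]$Path)
    # Exclusion lists are stored as one named value per entry under the key.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { @($key.GetValueNames()).Count } else { 0 }
}

# 1 means a policy has turned off Local Group Policy processing on this machine.
$lgpoDisabled = (Get-RegValue $lgpoKey 'DisableLGPOProcessing') -eq 1

$report = New-Object PSObject -Property @{
    Computer              = $env:COMPUTERNAME
    LocalGpoProcessingOff = $lgpoDisabled
    ExtensionExclusions   = Get-ValueCount "$scepKey\Exclusions\Extensions"
    PathExclusions        = Get-ValueCount "$scepKey\Exclusions\Paths"
    RealtimeDisabledValue = Get-RegValue "$scepKey\Real-Time Protection" 'DisableRealtimeMonitoring'
}
$report | Format-List

if ($lgpoDisabled) {
    Write-Warning 'Local Group Policy processing is turned off by policy; SCEP antimalware policy may not apply.'
    # List the GPOs applied to the computer to find the one carrying the setting.
    gpresult /scope computer /r
}
elseif ($report.ExtensionExclusions -eq 0 -and $report.PathExclusions -eq 0) {
    Write-Warning 'No exclusions found under the SCEP policy key; check the policy deployment and client logs.'
}
```

Running this across the test collection and comparing the output from machines that honor the policy with those that do not shows whether the setting is the common factor.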
 

Author Closing Comment

by:amendala
ID: 39323033
I determined the problem and fixed it.
0
