SCEP exclusions

In SCEP exclusions there is an exclusion pointing to %systemroot%\system32\GroupPolicy\registry.pol
This is written in every SCCM SCEP template.
Should it not point to both registry.pol files where they exists?
Eg. %systemroot%\system32\GroupPolicy\*\registry.pol ?

Hi,
Thank you for your patience and support.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Best Regards
Quan Gu

Similar Messages

SCEP Exclusions lists limit

Hi all is there a limit to System Center Endpoint Protection with SCCM 2012 R2 exclusions for files, extensions and paths?
I'm looking into creating a global server policy and a global workstation policy which will be aimed to be deployed to 5000 workstations and 600 servers. I'd like to have the policies as minimal as possible so to avoid having to create multiple collections
to target to.
Based on based on our current Symantec environment we have over 150 file extension exclusions 100 folder paths and and under 50 processes that we want to add to exclusions.
Would it be wise to have limited policies? Is there any performance impact if there are soo many exclusions listed under 1 policy?

It depends on how you setup these policies. One good practice could be setup exclusion base on target users. For example you might have several exclusions for PCs targeted to trusted developers while you won't exclude anything when it is target public PC
or security-critical systems.
Before deploy them try run a small testing environment and try apply your policies and monitor their impacts on the system (e.g. performance, scan duration, etc.)

SCEP 2012 Exchange 2013 Exclusions

Hi, I am in need of assistance sorting out the exclusions for Exchange 2013 for SCEP. The problem is that SCEP seems to not like %ExchangeInstallPath%
littered all over the article https://technet.microsoft.com/en-us/library/bb332342(v=exchg.150).aspx
Checking on the exchange servers %ExchangeInstallPath% has a trailing slash (contrary to most other EV's like
%windir% %appdata% etc)
SCEP exclusions however must have a "\" in them otherwise they are not valid. This obviously leads to 2 slashes in the path when expanded out. Will the additional slash just be disregarded? I can obviously just type the full path myself but it
would be easiest to use the EV. Is this a bug?
Thanks

This certainly something to file on connect.microsoft.com or submit via your Microsoft support channels. The only thing I can think of as a way to work-around this is to create your own environment variables on the Exchange servers or use the actual path
with no variable. Neither is elegant necessarily, but I don't think you have much of a choice.
Jason | http://blog.configmgrftw.com | @jasonsandys

SCEP antivirus exclusions when multiple policies applied to collection. Merge or Replace?

Hi,
I'm seeking clarification specifically on exclusions that are applied via
multiple antivirus policies to a device collection. I am finding that the antivirus policy with the highest priority 'wins' and I only see exclusions for this policy. I do not see a 'merge' of the exclusions occurring which I thought was the case according
to the following documentation:
What’s New in System Center 2012 Configuration Manager SP1
Specifically, the section below underlined:
Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used.
Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy.
As an example, say I have a server with SQL and IIS running. I create PolicyA which contain exclusions for SQL, and PolicyB which contains exclusions for IIS. If I deploy both of these policies to my collection, I am expecting to see
both exclusion lists (i.e. merge) but I only see one exclusion list (the one with the higher priority).
I am aware that I can create a new policy by merging two or more other policies - I was hoping to not do this as I'll end up with many policies for exclusions. I thought I could, for example, target an SQL exception policy to SQL servers,
and if there is an SQL server that needs IIS/other exclusions, I can deploy another AV policy to that collection - saving myself from deploying the custom exceptions to servers that do not need it.
If there is a 'smarter' way of doing this, or if I have got anything mixed up please let me know.
Many thanks for your help.
zxx

What version of ConfigMgr are you running? Check both the site and the client.
If you are running at least SP1, the example you gave should work as you thought. Is it possible that the client is running pre-SP1?
Nash Pherson, Senior Systems Consultant
Now Micro -
My Blog Posts
If you found a bug or want the product to work differently,
share your feedback.
<-- If this post was helpful, please click the up arrow or propose as answer.

Create SQL report from reigstry - Local Forefront exclusions

Hi
We are doing a project moving from Forefront Client to SCEP 2012.
We have a lots of virusscan exclusions done at many servers and I would like to list them, hopefully via SCCM so I can configure SCEP with thoose exclusions.
The exclusions are recorded in the registry here:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Extensions]
Unfortunately I dont know how to create a report to list the data under that registry folder. Can somebody please help me?
I have done the configuration in the mof files.
SCCM 2007.
Thanks!

Hi Garth
Thanks for your answer.
I have used RegKeyToMof before to create inputs to mof files. In this case I dont really know how to use it.
In the article per say:
"You are looking for static keys under: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\RC"
I'm looking for different exclusions under
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths]. Not static data.
Or, maybe I dont understand how to use the tool.
[EDIT]
Acctually, the local exclusions it the reg. path.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions]
* \Extensions]
* \Paths]
* \Processes]

SCCM Client and SCEP Client Uninstall

Hi, I have below questions with regard to the SCCM client software and the SCEP client software.
Does SCCM client uninstallation removes SCEP client as well? If not, how does the Endpoint Protection get the updates after SCCM client is removed? How to remove/uninstall SCEP client?
If the SCCM client uninstallation removes the SCEP client as well (by running ccmsetup.exe /uninstall), how to make it to NOT uninstall the SCEP client?
Thanks.
NM

Yes, your SCEP client should still be able to update.
If you're installing the ConfigMgr client again, and have manage SCEP client enabled in the ConfigMgr client settings, it does more then just adding the update source. It allows you to manage the SCEP client configuration (like scan settings, exclusions,
etc), perform remote actions (like initiating a scan) and report about them.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude

SCEP - to be installed status when it IS installed already

I have a few servers in a colection of many servers, that show "To be installed" in the Endpoint Protection Deployment State in my console.
However, they already have SCEP installed, and are updating from SCCM every day, and have applied the correct policies (except one, see below) with a set of file and folder exclusions and settings for real time protection and so on, these options are
disabled in the SCEP GUI on ALL the servers. The console even shows the SCEP policies Applied, which are 4 at the moment. All the servers have had days to update it's computer policy, and 95% of the servers in the collection have updated it's policy and
are working fine.
In the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy registry key (The servers that are OK have LastAppliedPolicy instead), all minus one Endpoint Protection policy is shown. The console shows more policies, than the ones applied
on the servers.
How can I fix this? Maybe it is a bug?
Freddy

I've removed the servers from the SCEP manage Collection, then the status in the console showed unmanaged, even though i didn't put these in a Collection that says No in the "manage Endpoint Protection Client on Client computers". I don't
think this will make a difference actually.
I put the servers back in a Collection With a Managed policy, and the status of these servers in the console went back to "To be installed". I also set the "Allow Endpoint Protection Client installation outside maintenance Windows" Client
setting to Yes, but it didnt make a difference, the same info was written in the log as earlier.
This is the EndpointProtectionAgent.log:
Endpoint is triggered by WMI notification. EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
start to send State Message with topic type = 2001, state id = 2, and error code = 0x00000000 EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Start to send state message. EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Send state message successfully EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Save new state 2, error code 0, detail message '' to registry SOFTWARE\Microsoft\CCM\EPAgent\State EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Failed to get C:\Windows\ccmsetup\SCEPInstall.exe version. EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Failed to get EP installer version. EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Failed to refresh EP Agent Status with error = 0x80004005. EndpointProtectionAgent 15.09.2014 10:34:42 2380 (0x094C)
Endpoint is triggered by message. EndpointProtectionAgent 15.09.2014 10:34:42 4512 (0x11A0)
Endpoint is triggered by message. EndpointProtectionAgent 15.09.2014 10:34:42 3488 (0x0DA0)
Failed to get C:\Windows\ccmsetup\SCEPInstall.exe version. EndpointProtectionAgent 15.09.2014 10:34:42 4512 (0x11A0)
Failed to get EP installer version. EndpointProtectionAgent 15.09.2014 10:34:42 4512 (0x11A0)
Failed to refresh EP Agent Status with error = 0x80004005. EndpointProtectionAgent 15.09.2014 10:34:42 4512 (0x11A0)
Failed to get C:\Windows\ccmsetup\SCEPInstall.exe version. EndpointProtectionAgent 15.09.2014 10:34:42 3488 (0x0DA0)
Failed to get EP installer version. EndpointProtectionAgent 15.09.2014 10:34:42 3488 (0x0DA0)
Failed to refresh EP Agent Status with error = 0x80004005. EndpointProtectionAgent 15.09.2014 10:34:42 3488 (0x0DA0)

Custom SCEP Policies not applied

Hi All,
I've got 3 test systems with SCEP installed. They all receive definitions just fine. Unfortunately they are not receiving the custom antimalware policies i've created. I found this blog that tells me a command i can run against the registry
to see what policies are applied:
reg query HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy /f 2 /d
http://www.niallbrady.com/2013/02/17/how-can-i-determine-what-antimalware-policy-is-applied-to-my-scep-2012-sp1-client/
and it returns the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
    All Windows SCEP Clients Policy (Scan Schedule)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Threat Default Action)    REG_DWORD    0x2
    Windows Server Scanning Exclusions (Excluded)    REG_DWORD    0x2
    Default Client Antimalware Policy (Excluded)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Realtime Config)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Advance Setting)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Spynet)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Signature Update)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Scan)    REG_DWORD    0x2
End of search: 9 match(es) found.
The way I read that means that the "All Windows SCEP Clients Policy" settings are all applied. The "Windows Server Exclusions" policy is excluded for some reason.
My custom policies set scan times different than the default and i have some exclusions. When I launch the SCEP client on the local computer, i don't see the set scan times, just the default scan times. I also don't see the exclusions.
I see in that req query command that the Exclusions are (Excluded), but the scan schedule should apply. The priorities on the applied AMP (antimalware policies) are:
Default Client AntimMalware Policy 10000
All Windows SCEP Clients Policy 21
Windows Server Scanning Exclusions 5
These policies are applied to appropriate collections. When I click on the system in question in the console and look at the antimalware policies, it lists those three.
I cannot for the life of me get these policies to apply even though they have what i think are the right priorities. The way i understand it, the policies stack for most of the settings. So the default settings get set by the default policy.
Then the "All Windows SCEP Policy" settings would override or merge with any settings in the default policy. Then the "Windows Server Scanning Exclusions" policy would override or merge with any of the previous two policies.
Am I misinterpreting things here?

Hi,
I don't know if you managed to resolve this. But I had similar issues and after some detective work this was being caused by Group policy preventing the processing of local group policies. Specifically, the offending setting and explanation is listed below:
Setting Path:
Computer Configuration/Administrative Templates/System/Group Policy
Setting: Turn off Local Group Policy objects processing: Enabled
Explanation
This policy setting prevents Local Group Policy objects (Local GPOs) from being applied.
By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only
domain-based GPOs are applied.
If you enable this policy setting, the system will not process and apply any Local GPOs.
If you disable or do not configure this policy setting, Local GPOs will continue to be applied.
Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This setting will be ignored on computers that are joined to a workgroup.
Make sure the setting is either set to disable or not configured.
The image below shows a RSoP on a computer where policies are applying successfully. As you can see, antimalware settings are being applied as local group policy settings

SCEP install and policy issue (after migration SCCM 2007 to 2012)

Hi,
We have some terminal services which were connected to SCCM 2007.
I migrated 3 of them (via "install client" in SCCM 2012), what worked fine. Since they become member of the Windows server group + terminal services group, they get the scep-client as well as a specific policy.
Now we have 1 terminal server which did not install the scep client.
Logfile:
Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent   EndpointProtectionAgent   21/08/2014 11:19:42   43640 (0xAA78)
Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent   EndpointProtectionAgent   21/08/2014 11:19:42   43640 (0xAA78)
State 1, error code 0 and detail message are not changed, skip updating registry value   EndpointProtectionAgent   21/08/2014 11:19:42   43640 (0xAA78)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.5.216.0.   EndpointProtectionAgent   21/08/2014 11:19:42   43640 (0xAA78)
Sleep 10 seconds and retry read ProductName of the AM solution   EndpointProtectionAgent   21/08/2014 11:19:42   43640 (0xAA78)
Sleep 10 seconds and retry read ProductName of the AM solution   EndpointProtectionAgent   21/08/2014 11:19:52   43640 (0xAA78)
Sleep 10 seconds and retry read ProductName of the AM solution   EndpointProtectionAgent   21/08/2014 11:20:02   43640 (0xAA78)
Sleep 10 seconds and retry read ProductName of the AM solution   EndpointProtectionAgent   21/08/2014 11:20:12   43640 (0xAA78)
Sleep 10 seconds and retry read ProductName of the AM solution   EndpointProtectionAgent   21/08/2014 11:20:22   43640 (0xAA78)
Unable to query registry value (ProductName), return (0x80070002) means EP client is NOT installed successfully.   EndpointProtectionAgent   21/08/2014 11:20:32   43640 (0xAA78)
So I installed the client manually via "SCEPInstall.exe /policy z:\client\ep_defaultpolicy.xml" (after a pushd \\sccmserver\c$\...client\).
2 things:
1.any idea why it wouldn't install "failed to get EP event code under reigstry key" ..?
2.specific scep terminal server policy will be applied afterwards (file exclusions etc), right (don't see it yet and refreshed policy several times)?
J.
Jan Hoedt

Hi,
I have seen a temporary solution, created a package with the command line: REG add “HKLM\SOFTWARE\Microsoft\Microsoft Security Client” and deployed this program to the Client.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Method to view what files or processes SCEP is scanning in Realtime?

In the last few days SCEP has started using up 20-40% CPU on a computer constantly. I have been having trouble identifying what program the real-time scanning is interacting with to cause this unexpected behavior. Does anyone know of a log or other method
to view the processes being scanned by the real-time protection for the purpose of identifying whether an exclusion needs to be made?
Normally I will look through task manager for another process that is taking up a lot of CPU or performing a significant amount of disk activity to see if a correlation becomes obvious, but in this case I can't find anything other than SCEP itself.

Hi,
That is the best way, there is no builtin tool/log to view the current activity.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec

SCEP and %DRIVE%

I have a client who has had McAfee antivirus and now switch to SCEP 2012. They have had except for some files no matter what drive they are on, for example **\*\pictures\img*.jpg (starting with two * meaning any drive letter)
I was informed that they could use the %DRIVE% to replace any drive but cannot find any documentation on this.
I have read http://support.microsoft.com/kb/2962341 and it tells that you can NOT use * or ? for drive letters.
Works %DRIVE%? If so, where is the documentation?

> for example
Can you post the exact rules they had in McAfee?
> I was informed that they could use the %DRIVE%
I've never heard of %DRIVE% as part of an exclusion rule and its not in any documentation that I've seen. Who was pointing you to it?
Nash Pherson, Senior Systems Consultant
Now Micro -
My Blog Posts
If you found a bug or want the product to work differently,
share your feedback.
<-- If this post was helpful, please click the up arrow or propose as answer.

Temporarily stopping the SCEP Microsoft Antimalware Service

I know that Microsoft has made the MsMpSvc service tamper proof as per this article:
http://blogs.technet.com/b/mspfe/archive/2013/02/19/anti-tampering-for-the-antimalware-service-in-system-center-endpoint-protection-2012-sp1.aspx
Then I read this forum post here about using PSExec to temporarily disable it:
https://social.technet.microsoft.com/Forums/forefront/en-US/f4347d13-5c9a-4395-b070-9aa53d613f68/is-there-a-way-to-restart-the-microsoft-antimalware-service?forum=FCSNext
But, I want to know if there is ANYWAY possible to automate this process using a script, PowerShell preferably?
Thanks

Because I am an evil scientist wanting to take over the world.
LOL
Well my manager asked me to look into this because there are steps in troubleshooting certain issues with some applications used in our environment and one of those steps is to temporarily disable the AV\Antimalware service.
I know Symantec Endpoint Protection offered something like this, but there is nothing I can find for SCEP.
This may be a deal breaker here to use SCEP if I can't find a way to do this and we may have to use SEP rather than SCEP, but this is not what we want.
Also, it's not always easy to be privy to which exclusions to create for certain software products, so having the ability of temporarily stop it to see if it is the culprit regarding issues is much more convenient.

Free goods - Exclusive - Quantity of free goods

I want to give free goods by the condition record I have made at the tcode VBN1. Free godds will be given by the exclusive technique. The material code of the main material with active prcing is 100005 and the material that I will give as free good is 700001. For every 4 pieces of 100005 I will give 1 piece of 700001. I have entered 100005 at the "Material" column, 4 at the "Min. qty" column, 4 at the "For" column st at the "Unit" column, 1 at the "add. FG" column, ST at the "AddQTYUnit" column, 1 at the "Calc.Rule" column, 2 at the "FreeGoods" column, 700001 at the AddMatFrGd" column. The system gives 2 free goods (700001) for 6 priced material (100005) or 4 pieces of 700001 for 14 pieces of 100005. On the other hand I want the system to give free goods for the exactly enough piece of price material. I mean: 2 pieces of 700001 for 8 or 9 or 10 or 11 pieces of 100005; not 2 pieces of 700001 for 6 or 7 pieces of 100005 but the system behaves this way. can anybody help me abput this subject?
Thanks in advance for the answers....

Hi Yasar,
You need to create a new routine for calculate type.
Do as below:
1. Go to VOFM>Formulas>calc.rule Rebate InKd to create a new routine for calculate type. for example 601.
2. add the following code in this routine 601 and then save.
USING L_FRM STRUCTURE KONDN_FRM.
DATA: VORKOMMA LIKE KONDN-KNRMM,
NACHKOMMA LIKE KONDN-KNRMM.
L_FRM-NRMENGE = 0.
L_FRM-NRRUND = 0.
L_FRM-NRMENGE = ( L_FRM-MGLME / L_FRM-KNRNM * L_FRM-KNRZM ).
business rounding
VORKOMMA = FLOOR( L_FRM-NRMENGE ).
L_FRM-NRRUND = L_FRM-NRMENGE - VORKOMMA.
L_FRM-NRMENGE = VORKOMMA.
3. Select routine 601 in field "Calc.Rule" when you create free goods condition record.
Hope it helps.

Free Goods (Use of Inclusive & Exclusive at the same time)

Hi Gurrus,
i have a scenario and i need your help.
my company has started given free goods to the customers.
Example,
if a customer buy 4 PAC of material "A", He should get 1 PAC of Material "A" and also 8 PAC of Material "B".
That means I have to use Inclusive and Exclusive at the same time in one order for Material A.
My requiremet is if the order booker enters 4 PAC of Material in an order so system should generate two sub item lines,
1 PAC of Material "A" as "TANN" &
8 PAC of Material "B" as "TANN".
I have tried to capture this through VBN1 but system is only allowing me to enter either inclusive or exclusive condition record for one material.

hi,
ya, it is possible to create free goods for 1:n material for inclusive & exclusive for 2 materials.
create a sale order 2 material with diff qty.& free goods for 2 diff qty for inclusive & exclusive
Regards,
A.sithanandan

Free Goods Determination - Exclusive

Hi All,
Am trying to enable Free Goods determination (exclusive). I have set up the free goods determination procedure and the condition record. However, when I create my sales Order for the original material, a new line is generated with the material that should be given away for free however the quantity field is not populated. Any idea as to what I may be doing wrong ?
Condition Record is as follows (VBN1)
Material - Material A (This is the material for which the SO is raised)
Min Qty - 2
From - 2
UnitFG - EA
add FG - 1
AddQtyUnit - 1
in % = 33 % (this is an auto field that is calculated)
Calc Rule - 3
Free Goods - 2
AddMatFrGd - Material B (This is the material that should be provided for free)
FGDelyCont - B
Your help is immensely appreciated.
Thanks in advance,
Imran

Hi Ramesh,
Thanks for your input. I did try your suggestion out, Calculation Rule 2, but it still does not work. I have attached the procedure to my document type.
When the SO is being created, an additional line item is generated with the free good material but without a quantity. how do i get it such that the quantity is also proposed on the new line item generated for the free good based on what has been defined in the condition record.
Regards,
Imran

SCEP exclusions

Similar Messages

Maybe you are looking for