Custom SCEP Policies not applied

Hi All,

I've got 3 test systems with SCEP installed.  They all receive definitions just fine.  Unfortunately they are not receiving the custom antimalware policies I've created.  I found this blog that tells me a command I can run against the registry to see what policies are applied:

reg query HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy /f 2 /d

http://www.niallbrady.com/2013/02/17/how-can-i-determine-what-antimalware-policy-is-applied-to-my-scep-2012-sp1-client/

and it returns the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
    All Windows SCEP Clients Policy (Scan Schedule)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Threat Default Action)    REG_DWORD    0x2
    Windows Server Scanning Exclusions (Excluded)    REG_DWORD    0x2
    Default Client Antimalware Policy (Excluded)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Realtime Config)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Advance Setting)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Spynet)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Signature Update)    REG_DWORD    0x2
    All Windows SCEP Clients Policy (Scan)    REG_DWORD    0x2

End of search: 9 match(es) found.

The way I read that means that the "All Windows SCEP Clients Policy" settings are all applied.  The "Windows Server Exclusions" policy is excluded for some reason. 

My custom policies set scan times different than the default and I have some exclusions.  When I launch the SCEP client on the local computer, I don't see the set scan times, just the default scan times.  I also don't see the exclusions.  I see in that reg query command that the Exclusions are (Excluded), but the scan schedule should apply. The priorities on the applied AMP (antimalware policies) are:

Default Client Antimalware Policy  10000

All Windows SCEP Clients Policy  21

Windows Server Scanning Exclusions  5

These policies are applied to appropriate collections.  When I click on the system in question in the console and look at the antimalware policies, it lists those three. 

I cannot for the life of me get these policies to apply even though they have what I think are the right priorities.  The way I understand it, the policies stack for most of the settings.  So the default settings get set by the default policy.  Then the "All Windows SCEP Policy" settings would override or merge with any settings in the default policy.  Then the "Windows Server Scanning Exclusions" policy would override or merge with any of the previous two policies.  Am I misinterpreting things here?

June 4th, 2013 12:45am

Make sure you are pushing out the policy after you create it.  Just having it listed as a policy doesn't do anything, it needs to be deployed to the collections.  If you click on the policy, you should be able to see how many times it was deployed and to what collections.
June 4th, 2013 5:26pm

Are the computers in the correct collection? Do they have working Configuration Manager clients (reported as healthy)?

The section from your check above

"Windows Server Scanning Exclusions (Excluded)    REG_DWORD    0x2
    Default Client Antimalware Policy (Excluded)    REG_DWORD    0x2"

doesn't mean they are excluded, it just means it's merging the exclusions from those two policies together.

June 5th, 2013 9:51am

Yep, I've deployed it.  I can see the policies in question have 1 deployment.  When I look at the deployment tab on the policy I can verify the collection. On a device in the collection, when I look at the AntiMalware Policies tab I can see the policies applied to it and even the Last Update Time and no error code.

I even see this in the ccmexec.log file of the client:

Notifying endpoint 'EndpointProtectionAgent' of __InstanceModificationEvent settings change on object CCM_AntiMalwarePolicyPlaceHolder.SiteSettingsKey="{6249BEE8-7845-4FA1-AC6A-AE42E985E5F7}/200" for user 'S-1-5-18'.

that GUID is the Assignment Unique ID that you can see in the console, on the devices' AntiMalware Policies tab when you set that column to view it.  I also see that GUID in the EndpointProtectionAgent.log file in this line:

start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{0d1a67b0-e300-4760-b98f-132052971216}"/><Policy ID="{9D689B08-88DF-4B7E-BAD2-34D665BFD082}/200"/><Policy ID="{6249BEE8-7845-4FA1-AC6A-AE42E985E5F7}/200"/></AppliedAmPolicies></Instance>

which shows the policy as getting applied.  However, the client user interface doesn't reflect any of the settings in the policy. 

Clients are working and they are receiving endpoint definitions through the SUP.  From everything i see, they are healthy clients. 

Thanks for checking in Niall, your blog post has been a big help in troubleshooting this so far. 

June 5th, 2013 3:33pm
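To make the two checks described in this thread repeatable on a client, here is an added PowerShell script (not from the thread or from any Microsoft tool). It reads the LastAppliedPolicy key quoted above, groups the value names by policy and section so the merge picture is easier to read, and then pulls the policy IDs out of the last AppliedAmPolicies state message in EndpointProtectionAgent.log. The log path under %windir%\CCM\Logs is an assumption; adjust it if your client logs elsewhere.

```powershell
# Added example: summarise which SCEP antimalware policies the ConfigMgr client
# reports as applied, from the registry key and the log line quoted in the thread.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy'
# Assumed default CCM client log location.
$logPath = Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'

# Each value is named "<policy name> (<section>)" and holds a DWORD (0x2 in the
# thread's output); split the name so sections can be grouped per policy.
$key = Get-Item -Path $keyPath -ErrorAction Stop
$applied = foreach ($name in $key.GetValueNames()) {
    if ($name -match '^(?<policy>.+?)\s+\((?<section>[^)]+)\)$') {
        [pscustomobject]@{
            Policy  = $Matches.policy
            Section = $Matches.section
            Value   = $key.GetValue($name)
        }
    }
}

Write-Host "Policies contributing settings (from $keyPath):"
$applied | Group-Object Policy | ForEach-Object {
    # "(Excluded)" here is a section name, i.e. the policy's exclusion list is merged in.
    '  {0}: {1}' -f $_.Name, (($_.Group.Section | Sort-Object) -join ', ')
}

# The log line the thread quotes carries the applied policy IDs as XML after
# "message = "; parse the most recent such entry and list the Policy ID values.
if (Test-Path $logPath) {
    $line = Get-Content $logPath |
        Where-Object { $_ -match 'AppliedAmPolicies' } |
        Select-Object -Last 1
    if ($line -and $line -match '(<Instance>.*?</Instance>)') {
        [xml]$xml = $Matches[1]
        Write-Host "Policy IDs in last AppliedAmPolicies state message (from $logPath):"
        $xml.Instance.AppliedAmPolicies.Policy | ForEach-Object { '  ' + $_.ID }
    }
} else {
    Write-Host "Log not found at $logPath"
}
```

Compare the policy names from the registry with the Assignment Unique IDs shown on the device's AntiMalware Policies tab in the console; a policy that appears in both places but whose settings are missing from the client UI narrows the problem to merge order rather than deployment.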

Yes, I know this is an old post, just trying to clean them up.

Did you ever figure this out? If so, how did you fix it?

June 15th, 2013 5:48pm

When I first push the SCCM 2012 client, and after SCEP 2012 installs, the client only has the default policy applied. Then about 14 or hours later the policy that I have pushed to the collection which this computer resides in gets applied.

This is fine for desktops without any critical software on them. But my host virtual machines and SQL server processes can't sit and be scanned for 14. Is there some way to manually apply the policy?

I went to the ConfigMgr CPL and ran the machine policy and user actions about 10 times to get the policy to apply - but it still didn't pull down the SCEP policy and get the exclusions for my specific server to apply.

And the server is in a collection with the policy in question pushed to it.

Any help would be appreciated. 

Thanks, 

Dan

June 20th, 2013 8:57pm

Since no one else has replied, I recommend that you contact Microsoft Support (CSS); they should be able to help you out.

July 6th, 2013 11:52am
