I'm in the process of trying to create a (for lack of a better word) Sub-Administrator role using Config Mgr 2012 SP1 that will allow a few select administrators the ability to manage antimalware policies, software updates and run reports on their respective device collections. So far I've created a custom security role that has accomplished everything I want, but I've run into an interesting issue. When one admin creates an antimalware policy it's viewable (and thus modifiable) by other admins and my ultimate goal is to only allow the admins access to their respective antimalware policies.

According to the technet documentation (http://technet.microsoft.com/en-us/library/hh508780.aspx)  this should be possible by using security scopes on the policies, however I can't seem to find an option to specify security scopes. I also tried using the powershell Cmdlet Set-CMAntiMalwarePolicy, which according to the documentation has a property for setting the security scope, however when I run the powershell command I receive an error that the property doesn't exist. I event went as far as listing all of the properties of the Cmdlet and the security scope property was missing there as well.

To add to my confusion, I was almost certain this was possible before we upgraded to SP1. In my initial testing, I had two users that when they created their antimalware policies, those policies were only visible to them and me because I'm a "Full Administrator". 

Am I missing something, or is this just not possible and the documentation is incorrect?

These are the permissions I've given as they pertain to the antimalware policies:

Read, Modify, Create, Read Default, Run Report

Thanks,

Bryce

Called and confirmed with Microsoft that this is a post-SP1 bug and hope to see a hotfix soon.

Called and confirmed with Microsoft that this is a post-SP1 bug and hope to see a hotfix soon.

• Marked as answer by Bryce17 Tuesday, March 05, 2013 3:43 AM

thanks for the update, did you get the hotfix name ?

Unfortunately no as it's "not yet complete". Rep said they were actively working on it and hoped to have it out soon though. Someone with more contacts within MS may be able to fish out more information.

Any update from Microsoft on this issue?  I am seeing the same issue where antimalware policies are no longer secured after upgrading to SP1. 

Not as of yet. There was an update rollup that was released a few weeks ago (http://support.microsoft.com/kb/2817245), but I haven't had time to apply it to see if it corrects the issue. I was hoping to do it during our next maint window this weekend provided I don't get busy with something else. As of right now, I'm just telling my admins to play nice and don't touch what isn't theirs. Other than the Antimalware policies, everything else is working fine.

Thanks.  I've applied the CU1 for SP1 last week and it did not resolve the issue and AM policies are still wide open.  Hopefully MS releases a hotfix soon.

I didn't see anything about this being fixed in the release notes for CU2, anybody have a chance to verify? thanks!

I've installed SP1 CU2 in a test environment and it did not fix the missing security scopes on AM policies. 

We had our annual Config Mgr health check last week and I asked the engineer about this issue. From what they were able to find the scoping features were taken out of SP1 for "performance reasons". I'm waiting on the report that should include the information, but from what they were able to tell me is that the feature should return with R2.

Not exactly what everyone wanted to hear, but if anyone has any other contacts within MS maybe they can shed more light on why the scoping was removed and confirm if it will in fact be restored in R2. I personally didn't encounter any performance issues with scoping AM policies, but we only have a dozen so someone with hundreds or thousands may have seen an issue.

If I find time I'll try to download and install the R2 preview to confirm if the policies have actually returned.

We had our annual Config Mgr health check last week and I asked the engineer about this issue. From what they were able to find the scoping features were taken out of SP1 for "performance reasons". I'm waiting on the report that should include the information, but from what they were able to tell me is that the feature should return with R2.

Not exactly what everyone wanted to hear, but if anyone has any other contacts within MS maybe they can shed more light on why the scoping was removed and confirm if it will in fact be restored in R2. I personally didn't encounter any performance issues with scoping AM policies, but we only have a dozen so someone with hundreds or thousands may have seen an issue.

If I find time I'll try to download and install the R2 preview to confirm if the policies have actually returned.

• Marked as answer by Bryce17 Monday, July 15, 2013 2:32 PM
• Edited by Bryce17 Monday, July 15, 2013 2:34 PM spelling

Sorry to post on an old topic but I'm running into this exact problem with SCCM 2012 R2. There doesn't appear to be security scopes for Antimalware Policies. Has anyone found a way to limit certain roles so they can only modify the policies that they have created?

What I'm hoping to do is allow "sub-administrators" the ability to manage their own collections but not others. It appears that by limiting the scope by collection it accomplishes this for most of the tasks. The admin cannon deploy a policy to a collection they don't have permissions to but they can modify other existing policies.

Thanks,

-Brandon