Tag Archives: system center endpoint protection

System Center Endpoint Protection – Updated ADMX Template for the March 2016 Update – KB3106514

The new update has been out for a little while now (KB3106514) and brings with it three new settings.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
DWORD name: MpEnablePUS

This setting enables detection and removal of Potentially Unwanted Applications (PUA) downloaded through IE, Firefox or Chrome. One thing about this is that it will only apply to new detections going forward. This setting will not cause existing PUAs to be detected and removed.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration

DWORD name: SuppressRebootNotification

This is a setting to suppress the reboot notification from the client if it detects that a reboot is required to finish the clean-up of any malware. This is useful in shared environments (RDS, etc.), where a this kind of thing would not be fun.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware

DWORD name: ThreatFileHashLogging

This setting records an event with ID 1120 to the log file containing the SHA-1 hash of the affected file for more research and correlation with other infections or threats.

There’s also a link from the knowledge base page to a script on the PowerShell gallery for setting up anti-malware client updates on a UNC share, which is quite nice for new deployments, without using something like System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS).

I have added these updates to my ADMX template for System Center Endpoint Protection, which can be downloaded from GitHub. Note that from this update on, the file names and data drop the 2012R2 version number from the file name, which makes more sense going forward. The old files are still there for reference.

The direct links to the files are:

SystemCenterEndpointProtection.admx
SystemCenterEndpointProtection.adml

It’s been just over a year since the last policy template settings change from Microsoft for their Endpoint Protection products and still no sign of an official file! I’ll keep on with the updates for this until Microsoft sort it out.

UPDATE:

I’ve made a couple more changes to add two new policy options that I had previously overlooked, these are:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection

DWORD name: DisableScriptScanning

This setting provides an admin override to disable script scanning.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection

DWORD name: LocalSettingOverrideDisableScriptScanning

This setting allows the local client setting for script scanning to take precedence over a group policy setting.

SCEP 2012 R2 / FEP 2010 – May Update Manual Download Links (KB3049560)

Another month, another update for the Microsoft Endpoint Protection engine!

Unfortunately, I hoped the ADMX template for managing SCEP 2012 that was mentioned when the update was first released would be available, but it looks like it’s been pulled for some reason. I’ll keep an eye out for it though and hopefully it will mean I don’t have to maintain my own ADMX template for this anymore.

As I’ve done previously, I pulled these download links from SCCM, viewing the Content Information in the update view for KB3049560.

Here’s the update, it appears to be the same for both FEP 2010 and SCEP 2012:
wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/05/updateinstall_a4deb3eebd3ac19f8b465097d818708a0e0d87c7.exe

These files are hosted by Microsoft and may disappear at any time!

Have fun!

SCEP 2012 R2 / FEP 2010 – February Update Manual Download Links (KB3041687)

UPDATE: The May download links are here.

I recently noticed a few people looking around for the SCEP/FEP February update direct download links.

I pulled these download links from SCCM 2012 R2, viewing the Content Information in the update view for KB3041687.

System Center Endpoint Protection 2012: http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/02/scepinstall_230274d8b20bbe30fb94a287fd82670af0309ea4.exe

Forefront Endpoint Protection 2010: http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/02/fepinstall_96be19e39aab5c5c7c569a6b143e6e44b72aaec0.exe

These files are hosted by Microsoft and may disappear at any time!

Have fun!

SCEP 2012 R2 – Updated ADMX Template for the February Update – KB3041687

The revised February update for Microsoft Endpoint Protection products is out (KB3041687) and brings with it a couple of changes to registry keys introduced in the first February update.

This update deprecates the DisableGenericReports subkey and adds a new DWORD called SubmitSamplesConsent to the following place:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

This new key will allow configuration of sample submissions to Microsoft for analysis.

I have added these updates to my ADMX template for SCEP 2012 R2, which can be downloaded from GitHub.

Notes from KB3036437

Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.

Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:

MAPS Configuration

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SpyNetReporting
DWORD values:

  • 0 – Off
  • 1 – Basic Membership
  • 2 – Advanced Membership

Sample Submission

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SubmitSamplesConsent
DWORD values:

  • 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
  • 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
  • 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
  • 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.

SCCM 2012 R2 – Problems with SCEP 2012 R2 and Group Policy Results

We ran into an issue yesterday with Group Policy Results when using SCEP 2012 R2, the problem exactly follows this particular issue on the TechNet Forums, but appears to affect a couple of extra registry keys.

It’s really unfortunate that this still isn’t fixed in SCCM 2012 R2, having also been an issue in 2012, as the post describes.

To resolve the problem, I used my existing SCEP Group Policy ADMX template in creating a GPO to replicate the default settings pushed out to clients with SCCM, which solves the problem, as the exceptions and settings we push out to standard clients aren’t any different from the Microsoft recommended settings.

In the GPO I had to specify the exclusion settings and also the default threat actions, which are specified in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction

Previously these settings were defined as REG_DWORD, but need to be REG_SZ, as shown below:

ThreatSeverityDefaultAction

SCEP 2012 R2 – Group Policy ADMX Template: Updated

A quick followup to my earlier post on the SCEP 2012 ADMX template, I was working today with our Citrix environment and needed to remove visibility of the SCEP client interface.

Fortunately, there is an option in the SCCM Endpoint Protection policies, so I know the functionality to do this is there. This doesn’t seem to have been an option in Forefront Endpoint Protection (FEP) 2010, otherwise it would have been in the original policy template.

The value for this is “UILockdown” and is found next to the other UX configuration settings for SCEP:

HKLM\Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\UILockdown
(1 for disabled, 0 for enabled)

I’ve updated the ADMX template to make this new setting visible, the changes I’ve made to the template are here for the ADMX and here for the ADML.

The files can be downloaded here. I’ll also continue to update the template as I find other settings that weren’t present in FEP 2010.

SCEP 2012 R2 – Group Policy ADMX Template

I’ve been working a lot with System Center Configuration Manager (SCCM) and System Center Endpoint Protection (SCEP) recently and as part of the work, I’ll be migrating servers over to using SCEP. We have decided on a two part move, firstly moving antivirus to SCEP with Group Policy management, then later adding the SCCM client if we feel it would be better. Obviously reporting, status, definition updates and other useful features are nice, but we have System Center Operations Manager (SCOM) for monitoring, so we will certainly write some monitors for this!

Initially theres a roadblock, as the only ADMX provided is as part of the Forefront Endpoint Protection 2010 tools and it’s not obvious it applies to SCEP 2012. Fortunately Microsoft haven’t changed anything since then, so it’s essentially a drop in solution. However, if you want to be nice and use the right names for things, you need to do a little bit of work to alter the friendly names, which I’ve done here. Copy the files into the “%systemroot%\PolicyDefinitions” folder locally to test, then into the policy central store for your domain when it makes sense.

SystemCenterEndpointProtection2012R2.admx
SystemCenterEndpointProtection2012R2.adml

EDIT: Latest versions are:

SystemCenterEndpointProtection.admx
SystemCenterEndpointProtection.adml