Today I want to talk about how to troubleshoot System Center Endpoint Protection (SCEP) anti-malware policies on your client PCs. SCCM 2012 SP1 introduced a feature called “Client Side Merge”: if multiple anti-malware policies are targeted to the same collection, the policies are merged on the client, and where settings conflict, the policy with the highest priority wins.
For a quick overview of which policies are being applied, you can open the log at C:\Windows\CCM\Logs\EndpointProtectionAgent.log, or you can open the SCEP client, click the drop-down arrow next to the “Help” menu and choose “About”. This brings up a window listing all policies being applied; however, it will not tell you which one has the highest priority.
So, how do you figure out which policies are being applied to the client PCs, and which one has the highest priority so that its settings are the ones being merged?
Method 1: Check the Windows Registry
- Open regedit.exe on the client PC.
- Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
- You will see a list of all anti-malware policies along with the merged settings, which are shown with a value of “0x00000002”. In the screenshot below, you can see that “SWS EP VIP Policy” has all of its settings merged into the other two policies. This is because it has the highest priority of the three policies, so its settings are the ones merged into the others.
Method 2: Command-line Windows Registry query
- Open an elevated (Run as administrator) command prompt.
- Run the following command:
reg query HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy /f 2 /d
- You will see output like the one below, showing the merged settings (data value 2) from the policy with the highest priority:
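As an added example (not part of the original post), the same check can be scripted in PowerShell so it can be run across many clients or attached to a remediation script. It assumes that each applied policy is a subkey under LastAppliedPolicy and that each setting is a DWORD value beneath it, with data 2 marking a merged setting, as the post describes.

```powershell
# Added example: summarize SCEP anti-malware policies recorded under
# HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy and count, per key,
# how many settings carry the "merged" marker value 2 (equivalent to
# reg query ... /f 2 /d, but structured for reporting).
# Assumption: one subkey per applied policy, DWORD value per setting.
$LastAppliedPolicyPath = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy'

# Properties PowerShell adds to every registry object; not policy settings.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ScepMergedPolicySummary {
    param([string]$Path = $LastAppliedPolicyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path (is the Endpoint Protection agent installed?)"
        return
    }

    # Inspect the key itself and every subkey, so the result does not depend
    # on whether settings are nested one or more levels deep.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)

    foreach ($key in $keys) {
        $props    = Get-ItemProperty -Path $key.PSPath
        $settings = @($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps })
        if ($settings.Count -eq 0) { continue }   # container key with no values

        $merged = @($settings | Where-Object { $_.Value -eq 2 } | ForEach-Object { $_.Name })

        [pscustomobject]@{
            Policy         = $key.PSChildName
            TotalSettings  = $settings.Count
            MergedCount    = $merged.Count
            MergedSettings = ($merged -join ', ')
        }
    }
}

# Keys with the most merged (value 2) settings are listed first.
Get-ScepMergedPolicySummary | Sort-Object -Property MergedCount -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a non-zero MergedCount shows which policy's settings were merged by the client-side merge.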
References: Niall Brady