Troubleshooting SCEP Anti-Malware Policies on Clients.

Today I want to talk about how to troubleshoot System Center Endpoint Protection (SCEP) anti-malware policies on your client PCs.  SCCM 2012 SP1 introduced a feature called “Client Side Merge”: when multiple anti-malware policies are targeted to the same collection, the client merges them, and wherever settings conflict, the setting from the policy with the highest priority wins.

For a quick overview of which policies are being applied, you can open the log at C:\Windows\CCM\Logs\EndpointProtectionAgent.log, or you can open the SCEP client, click the drop-down arrow next to the “Help” menu and choose “About”.  This brings up a window listing all policies being applied; however, it will not tell you which one has the highest priority.

[Screenshot: EndpointProtectionAgent.log]

[Screenshot: SCEP client “About” window listing the applied policies]

So, how do you figure out which policies are being applied to the client PCs, and which one has the highest priority (the one whose settings are being merged into the others)?

Method 1:  Check the Windows Registry

  1. Open regedit.exe on the client PC.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
  3. You will see a list of all anti-malware policies; settings that were merged from the highest-priority policy are shown with a value of “0x00000002”.  In the screenshot below, you can see that “SWS EP VIP Policy” has all its settings merged into the other two policies.  This is because it has the highest priority of the three, so its settings are merged into the others.
    [Screenshot: regedit showing HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy with the merged settings marked 0x00000002]

Method 2:  Command-line Windows Registry query

  1. Open a command-prompt in administrative mode.
  2. Run the following command:
    reg query HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy /f 2 /d
  3. The /f 2 /d switches filter on value data matching “2”, so the output shows only the merged settings, i.e. those coming from the policy with the highest priority:
    [Screenshot: reg query output listing the 0x2 values under LastAppliedPolicy]
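Both methods above come down to the same check: read LastAppliedPolicy and find the values set to 2.  The PowerShell script below is an added example (not from the original post or from Microsoft) that automates it and summarises the result per policy.  It assumes, based on the registry screenshot described above, that each applied policy is stored as a subkey of LastAppliedPolicy and each setting as a DWORD value beneath it; the function also scans values directly under LastAppliedPolicy in case the layout differs on your client.  Run it in an elevated PowerShell session on a client that has the ConfigMgr agent with Endpoint Protection installed.

```powershell
# Added example: list SCEP anti-malware policies recorded under LastAppliedPolicy
# and report which settings carry the "merged" marker (DWORD data 0x00000002).
# Assumption (not stated on the page): each policy is a subkey, each setting a DWORD value.
$base = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy'

function Get-ScepMergedSettings {
    param([string]$Path = $base)

    if (-not (Test-Path $Path)) {
        throw "Key not found: $Path (is the ConfigMgr client with Endpoint Protection installed?)"
    }

    # Include the key itself plus every subkey, so the scan works whether the policies
    # are stored as subkeys or as values directly under LastAppliedPolicy.
    $keys = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)

    foreach ($key in $keys) {
        $policyName = $key.PSChildName
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            # Only numeric (REG_DWORD / REG_QWORD) data can carry the 0x00000002 marker
            if ($data -is [int] -or $data -is [long]) {
                [pscustomobject]@{
                    Policy  = $policyName
                    Setting = $valueName
                    Data    = $data
                    Merged  = ($data -eq 2)
                }
            }
        }
    }
}

$results = Get-ScepMergedSettings

# Per-policy summary: the policy whose settings show up as merged is the highest-priority one
$results | Group-Object Policy | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.Name
        TotalSettings = $_.Group.Count
        MergedCount   = ($_.Group | Where-Object Merged).Count
    }
} | Sort-Object MergedCount -Descending | Format-Table -AutoSize

# Detail view: which individual settings were merged, and from which policy
$results | Where-Object Merged | Format-Table Policy, Setting -AutoSize
```

The summary table is the quickest way to answer the question in the post: the policy with the non-zero MergedCount is the one winning the client-side merge.  If no value equals 2 at all, only a single policy is being applied to that client and there is nothing to merge.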

References:  Niall Brady
