Wednesday, October 10, 2012

SCCM 2012 - Fix Endpoint Protection Critical machines



So, we deploy Endpoint Protection in our business.
In my experience this runs very smoothly, with very few complications.
I've worked with many different anti-malware products since 1993, and gained more and more experience with this great anti-malware product from Microsoft over the past 4 years. I would recommend everyone now running FEP 2010 to move to SCEP 2012, which is included in and fully integrated with SCCM 2012.
It is easier to handle, it still uses very few resources compared to others, and it gives even greater protection than before. All of this in the same smoothly running SCCM 2012 console, and it benefits from the power of SCCM functions, like ensuring that the anti-malware agent is working and healthy, and built-in policies for AD, Exchange, SQL, SCOM, SCCM, file servers, etc. By combining this with the power of SCCM you can automatically apply the correct policy to each of these kinds of servers, using AD OU or group collection membership, or inventory.



It also gives you even better visible control in the console now.

You will discover that deploying Endpoint Protection to your business is very easy.
Some of your clients will, however, have issues that need to be resolved.
But why do we have these kinds of errors now, and not when running FEP?
Well, I think you did have them, but they were hard to discover in SCCM 2007.
And why not run a different anti-malware product? Well, yes, you could run a different anti-malware and management product. But that would only conceal these kinds of errors, which are related to basic functions of the OS. Microsoft integrates the product with, and uses, functions that are already there in the OS, like Group Policy, Windows Update, etc. And for Endpoint Protection it also uses the great management product Configuration Manager to handle it and make sure it is working well.

Anyway, let us look further into the few clients marked Critical and how we can resolve some of their issues:

We click on Monitoring - System Center 2012 Endpoint Protection Status,
and then click on Active Clients at Risk.


This opens a collection containing the machines that have issues with either the SCCM client agent or the SCEP anti-malware agent.

In this example the error is: Failed to open the local machine Group Policy.
Why this happens to some clients we don't know yet, but it could be a corrupt file, which results in even Group Policies having difficulties applying correctly.
Anyway, we have to resolve this.

You will also find errors like this in EndpointProtectionAgent.log:



How to fix this?

Browse to the client's Windows\System32\GroupPolicy\Machine\ folder
and delete the file Registry.pol.
Then restart the client's service: SMS Agent.

In the log you will now see that it applies the policy fine:


And eventually in the console, once the client has reported back, it will show this status.


In some cases I have uninstalled the SCCM client and reinstalled it.


If you want to automate the deletion of the Registry.pol file, just create a Program in SCCM and deploy it with this command:
cmd /c DEL "C:\Windows\system32\grouppolicy\machine\Registry.pol" /Q /S>NUL
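The one-liner above deletes Registry.pol unconditionally. As an added example (not from the original post), the PowerShell script below does the same remediation but only on machines whose EndpointProtectionAgent.log actually contains the "Failed to open the local machine Group Policy" error, keeps a timestamped copy of Registry.pol before deleting it so any local policy settings can be restored, and then restarts the SMS Agent Host service (service name CcmExec). It assumes it runs elevated on the client, that the SCCM client logs are in the default %windir%\CCM\Logs folder, and that a backup folder under %ProgramData% may be created; the parameter names and the backup location are my own choices.

```powershell
# Added example: remediate the SCEP "Failed to open the local machine Group Policy" condition.
# Assumptions: runs elevated on the client; default SCCM client log path; service name CcmExec
# (display name "SMS Agent Host"). Backup folder and parameter names are hypothetical choices.
param(
    [string]$LogPath   = "$env:windir\CCM\Logs\EndpointProtectionAgent.log",
    [string]$PolFile   = "$env:windir\System32\GroupPolicy\Machine\Registry.pol",
    [string]$BackupDir = "$env:ProgramData\RegistryPolBackup",
    [switch]$Force      # skip the log check and always delete Registry.pol
)

$errorText = 'Failed to open the local machine Group Policy'

# 1. Only act on machines whose log shows the error (unless -Force was given).
$logHit = $false
if (Test-Path -Path $LogPath) {
    $logHit = [bool](Select-String -Path $LogPath -SimpleMatch -Pattern $errorText -Quiet)
}
if (-not $logHit -and -not $Force) {
    Write-Output "No '$errorText' entries in $LogPath; nothing to do."
    return
}

# 2. Keep a copy of the current Registry.pol, then delete it.
#    The copy lets you restore local policy settings that lived only in this file.
if (Test-Path -Path $PolFile) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path -Path $BackupDir -ChildPath "Registry.pol.$stamp.bak"
    Copy-Item -Path $PolFile -Destination $backup -Force
    Remove-Item -Path $PolFile -Force
    Write-Output "Deleted $PolFile (backup saved to $backup)."
} else {
    Write-Output "$PolFile not present; nothing to delete."
}

# 3. Restart SMS Agent Host so the client re-evaluates and re-applies policy,
#    then refresh computer Group Policy so a fresh Registry.pol is generated.
Restart-Service -Name CcmExec -Force
gpupdate /target:computer /force | Out-Null
Write-Output "SMS Agent Host restarted; check $LogPath for 'Applying' entries."
```

Deploy it as an SCCM Program against the Active Clients at Risk collection, or run it by hand on a single client first. After the next client status report the machine should drop out of the Critical collection; if it does not, the log check at step 1 tells you whether the Group Policy error is really the cause or whether the client needs the uninstall and reinstall mentioned above.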

10 comments:

  1. Nice one thanks! I've just deployed the above script in the hope it'll fix the 7 machines with this exact fault :)

  2. Hi guys,

    Can anyone guide me step by step in implementing this script?
    Please give me your insights.
    Regards,
    Joseph

  3. Create a batch file and google how to create a package, and push it out to your sick clients. Or run cmd.exe in admin mode on each sick machine, paste the above line of code in and hit enter. You would want to test any code like this on a single machine anyway before you push it out to a collection. Unless you're really good at reimaging computers and have good backups and an excellent backup restore system in place.

  4. Has deployment of this package fixed many entries within your SCCM? I have an issue on several clients where local policy is the problem, if I could fix it on many machines at once that would make life easier.

  5. Yes, this fixes the Local Group Policy issue on many machines.

  6. You should consider copying the local policy from another machine to fix this. Otherwise you might lose some of your local policy settings.

  7. I have a question regarding SCEP alerts.
    Currently in our environment we are getting email alerts for every detected malware.
    However, our requirement is to get only those alerts in which malware is detected but not removed, or no action is taken.

    Replies
    1. Hi, and thanks for asking. Yes, that's understandable, and you would then want to set the Alerting level on the Collection to one of these:

      Medium – Detected, pending action - The alert is generated when there is one or more computers in the specified collection on which malware is detected, and you must manually remove the malware.

      Low – Detected, still active - The alert is generated when there are one or more computers in the specified collection on which malware is detected and is still active.

      https://technet.microsoft.com/en-us/library/hh508782.aspx

      Hope this helps
