FEP and SCEP anti-malware protection support after OSes reach end-of-life

FEP and SCEP anti-malware protection support after OSes reach end-of-life

  • Comments 2
  • Likes

Author:  Minfang Lv, Software Development Engineer in Test, Configuration Manager Sustained Engineering

Applies to: FEP 2010 SU1, SCEP 2012 SP1, SCEP 2012 R2

The platform update released on April 8, 2014 for Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection will add new functionality related to Operating System (OS) end-of-life. The endpoint protection agent will now assess whether the operating system of the computer is approaching the end of the support lifecycle (see: http://support.microsoft.com/lifecycle/). If configured to generate alerts, it will warn end users that the operating system on their computer is approaching end-of-life, that it is in a grace period following end-of-life, or that it has exited the grace period and the Anti-malware service is no longer helping to protect their computer:

Stage 1: OS is approaching end-of-life.At this stage, the OS is near the end of its support lifecycle. FEP/SCEP will still work as normal.

Stage 2: Grace period.OS has reached end-of-life, but anti-malware platform service is still running and definition updates can be received. For example, for Windows XP, the Grace Period stage starts on April 8, 2014.

Stage 3: Anti-malware service stopped. You can no longer start the anti-malware service, and your computer will not receive anti-malware definition updates. Thus FEP/SCEP will no longer help to protect your computer. For example, for Windows XP, this stage starts on July 14th, 2015.

In a controlled enterprise environment, it’s the IT administrator that controls the OS upgrade and platform updates, and end users have no control over their OS. So, for FEP and SCEP customers, we will not expose the warning UI for Stage 1 or 2 to the end users, by default. End users will only receive the error when Stage 3 starts. They will have the exact same behavior/Client UI as usual during Stage 1 &2.

For the IT administrator, FEP/SCEP will generate event errors for each of the 3 stages. FEP/SCEP also provides a registry key to show the current end-of-life status of the current OS if it’s near end-of-life: HKLM\Software\Microsoft\Microsoft Antimalware\EndOfLifeState:

  • 1 means Stage 1 - OS is approaching end-of-life
  • 2 means Stage 2 - Grace period, OS has reached end-of-life
  • 3 means Stage 3 - Anti-malware service stopped

Note:This registry key state applies to all operating systems when they approach end-of-life in the future. If the current OS is not approaching end-of-life, you will not see the registry key value.

Configuration Manger users can use DCM configuration items to monitor the end-of life-state of their computers.

--Minfang Lv

Configuration Manager Resources

Documentation Library for System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Forums

System Center 2012 Configuration Manager Survival Guide

System Center Configuration Manager Support

This posting is provided "AS IS" with no warranties and confers no rights.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • I like the registry setting so it is easy to check With DCM, but when is this key actually set? I've checked several XP and 2003 machines and I cannot see it. They are running SCEP.

    Could you please clarify the timeframe for stage 1? "OS is approaching end-of-life" = 1 month away? 1 year?

  • I tried Update for System Center Endpoint Protection 2012 Client - 4.5.216.0 (KB2952678) on my XP and SCEP 2012 R2 Client environment. I checked behavior by changeing datetime, Microsoft Antimalware Service stopped at 6/15/2015 (JST), not 7/14/2015. I wonder why?