Author: Minfang Lv, Software Development Engineer in Test, Configuration Manager Sustained Engineering
Applies to: FEP 2010 SU1, SCEP 2012 SP1, SCEP 2012 R2
The platform update released on April 8, 2014 for Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection will add new functionality related to Operating System (OS) end-of-life. The endpoint protection agent will now assess whether the operating system of the computer is approaching the end of the support lifecycle (see: http://support.microsoft.com/lifecycle/). If configured to generate alerts, it will warn end users that the operating system on their computer is approaching end-of-life, that it is in a grace period following end-of-life, or that it has exited the grace period and the Anti-malware service is no longer helping to protect their computer:
Stage 1: OS is approaching end-of-life. At this stage, the OS is near the end of its support lifecycle. FEP/SCEP will still work as normal.
Stage 2: Grace period. OS has reached end-of-life, but anti-malware platform service is still running and definition updates can be received. For example, for Windows XP, the Grace Period stage starts on April 8, 2014.
NOTE: We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware that is designed to help protect PCs and servers against today’s threat landscape. For this reason, there is no guarantee that every OS that reaches end-of-life will be provided a grace period.
Stage 3: Anti-malware service stopped. You can no longer start the anti-malware service, and your computer will not receive anti-malware definition updates. Thus FEP/SCEP will no longer help to protect your computer. For example, for Windows XP, this stage starts on July 14th, 2015.
In a controlled enterprise environment, it’s the IT administrator who controls the OS upgrade and platform updates, and end users have no control over their OS. So, for FEP and SCEP customers, we will not expose the warning UI for Stage 1 or 2 to the end users by default. End users will only receive the error when Stage 3 starts. They will see exactly the same behavior and client UI as usual during Stages 1 and 2.
For the IT administrator, FEP/SCEP will generate event errors for each of the 3 stages. FEP/SCEP also provides a registry key to show the current end-of-life status of the current OS if it’s near end-of-life: HKLM\Software\Microsoft\Microsoft Antimalware\EndOfLifeState:
Note: This registry key state applies to all operating systems when they approach end-of-life in the future. If the current OS is not approaching end-of-life, you will not see the registry key value.
Configuration Manager users can use DCM configuration items to monitor the end-of-life state of their computers.
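One way to collect this state from a DCM configuration item is a discovery script such as the following. It is an added example, not code from the original post or from the product. It assumes EndOfLifeState is a value under the Microsoft Antimalware key and that the anti-malware service is named MsMpSvc, and it reports the raw registry value without interpreting it.

```powershell
# Added example: discovery script for a DCM configuration item.
# Assumption: EndOfLifeState is a value under the "Microsoft Antimalware" key.
# The raw value is reported as-is; no meaning is assigned to individual numbers here.
# Uses only PowerShell 2.0 features so it can run on older operating systems.

$keyPath   = 'HKLM:\Software\Microsoft\Microsoft Antimalware'
$valueName = 'EndOfLifeState'

function Get-EndOfLifeState {
    param([string]$Path, [string]$Name)

    # Key absent: client not installed, or the script runs in a different registry view
    if (-not (Test-Path -Path $Path)) {
        return 'AgentKeyMissing'
    }

    # Get-ItemProperty returns $null when the key has no values at all
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties[$Name] -eq $null) {
        # Per the post, the value is absent when the OS is not approaching end-of-life
        return 'NotSet'
    }
    return [string]$props.$Name
}

function Get-AntimalwareServiceStatus {
    # Assumption: MsMpSvc is the service name of the Microsoft Antimalware Service
    $svc = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'NotInstalled' }
    return [string]$svc.Status
}

$state   = Get-EndOfLifeState -Path $keyPath -Name $valueName
$service = Get-AntimalwareServiceStatus

# Emit one string so a DCM compliance rule can compare it against an expected value
"EndOfLifeState=$state;Service=$service"
```

A compliance rule on the configuration item can then flag any client whose output is not `EndOfLifeState=NotSet;Service=Running`.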
This posting is provided "AS IS" with no warranties and confers no rights.
I like the registry setting so it is easy to check with DCM, but when is this key actually set? I've checked several XP and 2003 machines and I cannot see it. They are running SCEP. Could you please clarify the timeframe for stage 1? "OS is approaching end-of-life" = 1 month away? 1 year?
I tried Update for System Center Endpoint Protection 2012 Client - 188.8.131.52 (KB2952678) on my XP and SCEP 2012 R2 Client environment. I checked behavior by changing datetime, Microsoft Antimalware Service stopped at 6/15/2015 (JST), not 7/14/2015. I wonder why?