With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing some issues (not necessarily new ones) caused by missing antivirus exclusions around OSD and boot image related activities, as follows:
OSD Related A/V Exclusion Considerations:
Boot image actions:
Folders to exclude from AV scanning:
OS image actions:
Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:
I was also given anecdotal information from one case: if you find yourself in a situation where the boot images didn't get updated during the site upgrade to SP1, you can manually update them using the following instructions:
General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection
Additionally, per my other post showing how to import the various templates for different servers, here is the general list of file/folder exclusions exported from the Endpoint Protection System Center 2012 Configuration Manager template:
%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
The entries above were taken directly from one of the templates included in System Center 2012 Configuration Manager, which I have attached to the post.
Additional links to Antivirus and Antimalware Information:
Where is the Documentation for System Center 2012 Endpoint Protection?
Forefront Endpoint Protection Blog
Guidance on serve initial FEP definition update with SCCM through DP
How to use the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1
Important Changes to Forefront Product Roadmaps
Support Questions about Windows 8 and Windows Server 2012 for Configuration Manager and Endpoint Protection
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows: http://support.microsoft.com/kb/822158
Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007: http://support.microsoft.com/kb/327453
ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations: http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx
Thanks, Cliff Hughes Premier Field Engineer System Center 2012 Configuration Manager
Our boot images didn't update either and I'm trying to follow your instructions but I'm not sure where I need to be to do this step:
• Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage
And how do you find out if the boot images were updated when SP1 was installed?
And how on earth is anyone supposed to know what you are talking about here:
• Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage
Oh, and the RTM boot image version is 6.1.7600.16385 and the SP1 boot image version is 6.2.9200.16384.
I don't see my other comment stating that Cliff was using wbemtest.exe to execute the method. Here's the PowerShell way:
Get-CimInstance -Namespace root/SMS/site_<your site code> -ClassName SMS_BootImagePackage -Filter "PackageId='<your package id>'" | Invoke-CimMethod -MethodName UpdateDefaultImage
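Building on the one-liner in the comment above, here is an added example that is not part of the original post or any commenter's code. It lists every boot image in the site with its WinPE version (compared against the RTM and SP1 build numbers quoted earlier in the thread), shows the package source folder that the on-access exclusions need to cover, and only calls UpdateDefaultImage for images still on the older build when -Update is given. The $SiteCode and $ProviderHost parameters are assumptions, as is that the provider populates ImageOSVersion and PkgSourcePath for each package.

```powershell
# Added example (not from the original post): report boot image WinPE versions and
# optionally run UpdateDefaultImage only against the ones still on the RTM build.
param(
    [Parameter(Mandatory)][string]$SiteCode,      # e.g. 'POL' for the post's POL00001
    [string]$ProviderHost = $env:COMPUTERNAME,     # machine hosting the SMS provider
    [switch]$Update                                # default is report-only
)

# Build numbers quoted in the comments: RTM WinPE 3.0 vs SP1 WinPE 4.0
$RtmVersion = [version]'6.1.7600.16385'
$Sp1Version = [version]'6.2.9200.16384'
$ns = "root/SMS/site_$SiteCode"

$images = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns `
                          -ClassName SMS_BootImagePackage

foreach ($img in $images) {
    # ImageOSVersion is a string; treat an empty/unparsable value as "unknown"
    $ver = $null
    if (-not [version]::TryParse([string]$img.ImageOSVersion, [ref]$ver)) {
        $ver = [version]'0.0'
    }
    $state = if ($ver -ge $Sp1Version)  { 'SP1 (current)' }
             elseif ($ver -eq $RtmVersion) { 'RTM (needs update)' }
             else { 'unknown/other' }

    [pscustomobject]@{
        PackageID    = $img.PackageID
        Name         = $img.Name
        WinPEVersion = $img.ImageOSVersion
        State        = $state
        SourcePath   = $img.PkgSourcePath   # folder the A/V exclusions must cover
    }

    if ($Update -and $ver -lt $Sp1Version) {
        try {
            # Same method the comment above invokes; on failure Invoke-CimMethod
            # throws a CimException (the 'Generic failure' seen later in the thread).
            $img | Invoke-CimMethod -MethodName UpdateDefaultImage | Out-Null
            Write-Host "UpdateDefaultImage succeeded for $($img.PackageID)"
        }
        catch {
            Write-Warning "UpdateDefaultImage failed for $($img.PackageID): $($_.Exception.Message)"
        }
    }
}
```

Run it once without -Update to see which packages are still on 6.1.7600.16385 and which source folders your A/V team needs to exclude before you attempt the update.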
What do you mean with:
"• Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage"
I made both exclusions, but still McAfee disturbed my offline servicing process.
What do I need to do more ?
You need to disable Access Protection (feature of McAfee).
After that every thing will work fine.
I love your blog site, nice, all the comments are wonderful. It's great!!!
I have a problem with the x64 image, which I already copied from the ADK to the folder mentioned. After I run the PowerShell command, I get the following error:
PS E:\> Get-CimInstance -Namespace root/SMS/site_xxx -ClassName SMS_BootImagePackage -Filter "PackageId='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
Invoke-CimMethod : Generic failure
At line:1 char:111
+ ... ='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
+ CategoryInfo : NotSpecified: (SMS_BootImagePa...D = "O1200004")
:CimInstance) [Invoke-CimMethod], CimException
+ FullyQualifiedErrorId : HRESULT 0x80041001,Microsoft.Management.Infrastructure.CimCmdlets.InvokeCimMethodCommand
I was successfully able to fix the x86 image with this.
Many thanks for this, confirms what I figured out today as well.
Please leave your comments here as well.... I am very curious what you found out...
I ran into the issue where creating / updating a boot.wim failed, reason was the McAfee Access scanner, once I turned that one off, all worked as expected. Now getting the security guys to include the exclusions on the ePO Server.
By the way, as we speak, I also noticed that I got an access denied error when I wanted to edit a boot.wim on my local workstation using the ADK. E.g. mounting worked fine, but as soon as I wanted to add a WinPE component using the add-package DISM command, I get an access denied; now working with the security guys to see if they can provide me with an exception to see whether this is really also related to McAfee.
Alex, workstation-based DISM activities are affected by the McAfee issue as well. Adding the exclusions to specific clients can work, or another approach that I used was a basic Win7 VM for building my custom boot WIMs.
Is the exclusion for "%systemroot%\system32\GroupPolicy\registry.pol" right?
Should it not be "%systemroot%\system32\GroupPolicy\Machine\registry.pol" and