System Center Premier Field Engineer Blog

Premier Field Engineering – System Center – Field Studies

Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and Boot Images, etc...

With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing some issues (not necessarily new ones) caused by missing antivirus exclusions around OSD and boot image related activities. The considerations are as follows:

OSD Related A/V Exclusion Considerations:

Boot image actions:

  • Importing default boot WIM’s during initial site setup
  • Updating default boot WIM’s during site upgrade
  • Manual import of custom boot images (customer action)
  • Customize boot images (drivers, prestart command, WinPE optional components, background
    image, etc.)

Folders to exclude from AV scanning:

  • Temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}. Exclude C:\Windows\TEMP\BootImages and subfolders.

OS image actions:

  • Offline Servicing

Folders to exclude from AV scanning:

  • Temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing and several subfolders used for different purposes – staging files, mounting the OS, etc. – where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file. If this value is missing, we use the drive where the site is installed. Exclude <X:>\ConfigMgr_OfflineImageServicing and subfolders.


Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:

I was also provided anecdotal information from an issue: if you find yourself in a situation where the boot images did not get updated during the site upgrade to SP1, you can manually update the boot images using the following instructions:

  • Rename boot.wim and the default boot WIM in each architecture folder of the <smsinstall>OSD\boot\ folder – both i386 and x64 – to <wim>.bak.
  • Starting with the i386 folder first: find the install folder of the ADK, which should be here if you installed with the defaults: “C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim”. Copy winpe.wim to the <smsinstall>OSD\boot\i386 folder and rename it to boot.wim.
  • Copy it again, but this time rename it so it matches the name of the default boot WIM for the site – so it should look like boot.<packageid>.wim.
  • Update the default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage
  • You will need to do this for the x64 folder as well. Do not do this for any custom boot images – this is only to update the default boot WIMs installed during setup of the site.
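The steps above can be scripted so that both architectures are handled the same way and the original WIMs are kept as .bak files. The following PowerShell script is an added example, not code from the original post; it assumes the ConfigMgr install folder, site code and the two default boot image package IDs are supplied by the caller, that the x64 WinPE image lives under the ADK's amd64\en-us folder, and that it is run on the server hosting the SMS Provider, where the root/SMS/site_<code> namespace is reachable. The UpdateDefaultImage call is the same WMI method the post drives through "Execute Method" in wbemtest.exe, invoked here through the CIM cmdlets (Windows PowerShell 3.0 or later).

```powershell
<#
  Added example: refresh the DEFAULT boot images (x86 and x64) from the ADK
  winpe.wim after an SP1 upgrade that left them untouched. Assumed inputs:
  install folder, site code and default boot image package IDs as seen in the
  console. Custom boot images must not be passed in.
#>
param(
    [Parameter(Mandatory)] [string] $SmsInstall,    # e.g. 'E:\Program Files\Microsoft Configuration Manager' (assumed)
    [Parameter(Mandatory)] [string] $SiteCode,      # e.g. 'PS1' (assumed)
    [Parameter(Mandatory)] [string] $X86PackageId,  # default x86 boot image package ID from the console
    [Parameter(Mandatory)] [string] $X64PackageId,  # default x64 boot image package ID from the console
    [string] $AdkWinPe = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment'
)

$ErrorActionPreference = 'Stop'

# Map each ConfigMgr boot folder to the ADK WinPE folder that feeds it.
# The amd64 folder name for x64 is an assumption about the ADK layout.
$arches = @(
    @{ Folder = 'i386'; AdkArch = 'x86';   PackageId = $X86PackageId },
    @{ Folder = 'x64';  AdkArch = 'amd64'; PackageId = $X64PackageId }
)

foreach ($a in $arches) {
    $bootDir = Join-Path $SmsInstall "OSD\boot\$($a.Folder)"
    $source  = Join-Path $AdkWinPe "$($a.AdkArch)\en-us\winpe.wim"
    if (-not (Test-Path -LiteralPath $source))  { throw "ADK WinPE image not found: $source" }
    if (-not (Test-Path -LiteralPath $bootDir)) { throw "Boot folder not found: $bootDir" }

    # Step 1: set aside boot.wim and boot.<packageid>.wim as <wim>.bak so they can be restored.
    foreach ($name in @('boot.wim', "boot.$($a.PackageId).wim")) {
        $path = Join-Path $bootDir $name
        if (Test-Path -LiteralPath $path) {
            Move-Item -LiteralPath $path -Destination "$path.bak" -Force
        }
    }

    # Steps 2 and 3: copy the ADK winpe.wim in under both expected names.
    Copy-Item -LiteralPath $source -Destination (Join-Path $bootDir 'boot.wim')
    Copy-Item -LiteralPath $source -Destination (Join-Path $bootDir "boot.$($a.PackageId).wim")

    # Step 4: call UpdateDefaultImage on the SMS_BootImagePackage instance for this package ID.
    $pkg = Get-CimInstance -Namespace "root/SMS/site_$SiteCode" -ClassName SMS_BootImagePackage `
               -Filter "PackageID='$($a.PackageId)'"
    if (-not $pkg) { throw "No SMS_BootImagePackage instance with PackageID $($a.PackageId)" }
    $null = $pkg | Invoke-CimMethod -MethodName UpdateDefaultImage
    Write-Output "$($a.Folder): UpdateDefaultImage completed for $($a.PackageId)"
}
```

Run it from an elevated Windows PowerShell session on the provider server, for example `.\Update-DefaultBootImages.ps1 -SmsInstall 'E:\Program Files\Microsoft Configuration Manager' -SiteCode PS1 -X86PackageId POL00001 -X64PackageId POL00002` (all values illustrative). Because Invoke-CimMethod raises an error on failure, a "Generic failure" from the provider stops the script before the next architecture is touched, and the .bak copies can be renamed back if the update has to be retried, for instance after the antivirus exclusions from the previous section have been put in place.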


General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection

Additionally, per my other post showing how to import various templates for different servers, here is the general list of file/folder exclusions exported from the System Center 2012 Configuration Manager template in Endpoint Protection:

%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)

The entries above were taken directly from one of the templates included with System Center 2012 Configuration Manager, which I have attached to this post.

Additional links to Antivirus and Antimalware Information:

Where is the Documentation for System Center 2012 Endpoint Protection?

Forefront Endpoint Protection Blog

Guidance on serve initial FEP definition update with SCCM through DP

How to use the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1

Important Changes to Forefront Product Roadmaps

Support Questions about Windows 8 and Windows Server 2012 for Configuration Manager and Endpoint Protection

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
http://support.microsoft.com/kb/822158 

Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007:
http://support.microsoft.com/kb/327453

ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations:
http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx


Thanks, Cliff Hughes
Premier Field Engineer
System Center 2012 Configuration Manager

Attachment: SCEP12_Default_CfgMgr2012.xml
Comments
  • Cliff,

    Our boot images didn't update either and I'm trying to follow your instructions but I'm not sure where I need to be to do this step:

    •Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage

    Thanks!

  • And how do you find out if the boot images were updated when SP1 was installed?

    And how on earth is anyone supposed to know what you are talking about here:

    • Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage

  • Oh, and the RTM boot image version is 6.1.7600.16385 and the SP1 boot image version is 6.2.9200.16384.

  • I don't see my other comment stating that Cliff was using wbemtest.exe to execute the method. Here's the PowerShell way:

    Get-CimInstance -Namespace root/SMS/site_<your site code> -ClassName SMS_BootImagePackage -Filter "PackageId='<your package id>'" | Invoke-CimMethod -MethodName UpdateDefaultImage

  • What do you mean with:

    "•Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage"

    ?

    Thanks

  • I made both exclusions, but still McAfee disturbed my offline servicing process.

    What do I need to do more ?

  • @ Pollewops

    You need to disable Access Protection (feature of McAfee).

    After that every thing will work fine.

  • I have a problem with the x64 image, which I already copied from the ADK to the folder mentioned. After I run the PowerShell command, I get the following error:

    PS E:\> Get-CimInstance -Namespace root/SMS/site_xxx -ClassName SMS_BootImagePackage -Filter "PackageId='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
    Invoke-CimMethod : Generic failure
    At line:1 char:111
    + ... ='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
    +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (SMS_BootImagePa...D = "O1200004"):CimInstance) [Invoke-CimMethod], CimException
        + FullyQualifiedErrorId : HRESULT 0x80041001,Microsoft.Management.Infrastructure.CimCmdlets.InvokeCimMethodCommand

    I was successfully able to fix the x86 image with this.

  • Many thanks for this, confirms what I figured out today as well.

  • Hi Alex,

    Please leave your comments here as well.... I am very curious what you found out...

  • I ran into the issue where creating / updating a boot.wim failed, reason was the McAfee Access scanner, once I turned that one off, all worked as expected. Now getting the security guys to include the exclusions on the ePO Server.

    By the way, as we speak, I also noticed that I got an access denied error when I wanted to edit a boot.wim on my local workstation using the ADK. E.g. mounting worked fine, but as soon as I wanted to add a WinPE component using the add-package DISM command, I got an access denied. I am now working with the security guys to see if they can provide me with an exception to see whether this is really also related to McAfee.

    Alex

  • Alex, workstation-based DISM activities are affected by the McAfee issue as well. Adding the exclusions to specific clients can work, or another approach that I used was a basic Win7 VM for building my custom boot WIMs.

  • Is the exclusion for "%systemroot%\system32\GroupPolicy\registry.pol" right?

    Should it not be "%systemroot%\system32\GroupPolicy\Machine\registry.pol" and

    "%systemroot%\system32\GroupPolicy\User\registry.pol" ?

  • It is awesome
