SCEP 2012 SP1 - User could disable recommended default actions
-
Tuesday, February 05, 2013 12:53 PM
Hello,
With System Center Configuration Manager 2012 SP1, the user has access to the following option on the client (all the users are local administrators of the computer):
How to update the policy in order to disable this option for the users, as in the screenshot below?
Thanks for your help, and feel free to ask if some information is missing.
Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
All Replies
-
Tuesday, February 05, 2013 2:33 PM
Try setting the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware
DWORD - DisableRoutinelyTakingAction = 0
There doesn't seem to be a way to set this through editing the policy, but placing it in this area of the registry will cause it to apply like a policy. You could probably set it automatically through a Compliance setting (formerly DCM).
- Proposed As Answer by Derek Gary Tuesday, February 05, 2013 4:37 PM
- Marked As Answer by Lionel LEPERLIERMVP Wednesday, February 06, 2013 4:14 PM
-
Tuesday, February 05, 2013 3:15 PM
This option works fine, but is there a way to push it through an option on the SCEP policies?
PS: is there a web page referencing all the registry keys and their actions?
-
Tuesday, February 05, 2013 4:19 PM
It doesn't look like it can be set through the SCEP policy. However, you should be able to set it automatically with a Compliance setting. Check out Kent's blog for a good example of how to do this with a registry setting:
I can't find any registry key reference specific to SCEP, but most of the info for FEP 2010 still applies. If you use the ADMX reference here
http://technet.microsoft.com/en-us/library/gg412481.aspx
and the admin template files available here
http://www.microsoft.com/en-us/download/details.aspx?id=13088
You can probably find what you're looking for. For example, the DisableRoutinelyTakingAction reg key equates to the "Turn on routine remediation" setting.
-
Tuesday, February 05, 2013 9:14 PM
After trying to use a compliance setting to set the reg value, I found that it doesn't work as expected on a 64-bit system. When it remediates the registry value, it sets a REG_QWORD value instead of REG_DWORD. SCEP doesn't recognize the QWORD, only the DWORD. After some more searching I found a thread describing a similar problem and the poster found that the only way to successfully set the value was to use a script remediation action instead of a direct registry remediation action:
- Marked As Answer by Lionel LEPERLIERMVP Wednesday, February 06, 2013 4:14 PM
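Added example (not part of the thread, and not the script from the thread the reply above refers to): a PowerShell sketch of the script-based approach, which checks that the value exists as a REG_DWORD and rewrites it when it was created with the wrong type. The key path, value name and data are the ones given earlier in this thread; the function names and the `-Remediate` switch are hypothetical.

```powershell
param([switch]$Remediate)

# Key path, value name and data as posted in this thread.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$ValueName = 'DisableRoutinelyTakingAction'
$Desired   = 0

function Test-ScepPolicyValue {
    # Discovery: compliant only if the value exists, is REG_DWORD and holds $Desired.
    if (-not (Test-Path -Path $KeyPath)) { return 'NonCompliant' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'NonCompliant' }
    # A REG_QWORD left by a direct registry remediation is reported here as QWord.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return 'NonCompliant' }
    if ([int]$key.GetValue($ValueName) -ne $Desired) { return 'NonCompliant' }
    return 'Compliant'
}

function Set-ScepPolicyValue {
    # Remediation: create the key if missing, remove any wrongly typed value,
    # then write the value explicitly as REG_DWORD.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Desired -Force | Out-Null
}

if ($Remediate) { Set-ScepPolicyValue }

# Emit the state as a string so a compliance rule can compare it to 'Compliant'.
Test-ScepPolicyValue
```

In a Compliance setting, the discovery script would be the test function plus the final call, and the remediation script would be the set function plus a call to it; the remediation part needs to run elevated.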
-
Monday, March 04, 2013 10:27 AM
For information, it seems to be specific to the French version of the UI; here's another strange behavior.

