FEP Policy not applying completely.

  • Question

  • Hi, we are running FEP 2010, version in question is 2.1.1116.0
    I created a custom FEP policy and applied it to a server. It applies fine, no errors, the client says it's the correct policy, all looks good.

    But on opening up the Settings / Excluded files area in the client, there are a lot of exclusions from the old policy still there and a number from the new policy that aren't there.

    Manually running configsecuritypolicy.exe with the policy local gives the same result (taking SCCM out of the picture).

    I tested the policy on 3 servers in two domains: 1 was good, the other 2 are not correct, and both happen to be in an older legacy domain. Servers are Win 2003. I looked at registry permissions where the exclusions are, and they look the same. I read that whacking the whole antimalware key in the registry would clean it out, but I would like to find the root cause due to possible others impacted.

    Thanks, Jon


    Jon

    Monday, September 23, 2013 7:01 PM

Answers

  • Hi,

    As far as I know, the problem you encountered is about registry key value rewriting.

    Generally, when you apply a policy to the client, it needs to change your specific registry key value.

    If this is the first time you apply it, it usually works fine.

    If you have had an old policy, as you did, then when you apply a new custom policy to the FEP client, it may not rewrite your registry key value. In other words, the key value is still the old one, which was used for your old policy.

    So when you clear out your key value, it works fine.

    Additionally, is there any error information on the FEP client site?

    You can also check the “Status of a specific advertisement” report or the “Computers with a specific policy distribution state” report.

    Hope it is helpful

    Thanks

    Tuesday, September 24, 2013 8:23 AM
    Moderator

All replies

  • No error messages, so the fix is to clean the stale stuff out of the registry somehow and re-add the policy, I guess.

    Thanks, Jon


    Jon

    Tuesday, September 24, 2013 2:55 PM
  • I'm currently installing and configuring SCEP via a self-created C# program, and one of the steps is cleaning out the registry settings when applying a policy.

    If you are interested, I could see about putting it on the MSDN galleries...

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer



    My Blog: http://unlockpowershell.wordpress.com
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})

    Tuesday, September 24, 2013 10:31 PM
  • Karl,

    Thanks, I would love to see anything regarding this. I was thinking of just whacking the keys that hold the exclusions, and keep whacking until it's fixed. We are migrating to SC 2012 in the next 6 months, looking forward to that.


    Jon

    Wednesday, September 25, 2013 1:55 AM
  • Jon,

    Here is the code:

    http://social.technet.microsoft.com/wiki/contents/articles/20091.clear-system-center-end-point-protection-exclusions-without-sccm.aspx

    Karl



    Friday, October 4, 2013 6:59 PM
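
The symptom discussed in this thread (old exclusions left behind, new ones not written) can be checked per server before anything is deleted. The following PowerShell sketch is an added example, not part of the thread and not Karl's linked code. It assumes path exclusions are stored as value names under the registry key shown, which you should confirm on your own client, and the expected list and sample values are constructed for illustration.

```powershell
# Added example. Both values below are assumptions; adjust for your environment.
# Assumed key where policy-delivered path exclusions appear as value names.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths'
# Constructed list of what the new policy should contain (hypothetical paths).
$Expected = @('D:\SQL\Data', 'D:\SQL\Logs', 'E:\Backup')

function ConvertTo-ExclusionKey([string]$Path) {
    # Compare case-insensitively, ignoring surrounding spaces and a trailing backslash.
    $Path.Trim().TrimEnd('\').ToLowerInvariant()
}

function Get-ExclusionDrift {
    param([string[]]$Expected, [string[]]$Actual)
    $want = @{}; $have = @{}
    foreach ($p in $Expected) { if ($p -and $p.Trim()) { $want[(ConvertTo-ExclusionKey $p)] = $p } }
    foreach ($p in $Actual)   { if ($p -and $p.Trim()) { $have[(ConvertTo-ExclusionKey $p)] = $p } }
    $rows = @()
    # Present on the client but not in the policy: left over from an older policy.
    foreach ($k in $have.Keys) {
        if (-not $want.ContainsKey($k)) {
            $rows += New-Object PSObject -Property @{ Status = 'Stale'; Exclusion = $have[$k] }
        }
    }
    # In the policy but not on the client: the new policy was not fully written.
    foreach ($k in $want.Keys) {
        if (-not $have.ContainsKey($k)) {
            $rows += New-Object PSObject -Property @{ Status = 'Missing'; Exclusion = $want[$k] }
        }
    }
    $rows | Sort-Object Status, Exclusion | Select-Object Status, Exclusion
}

if (Test-Path -LiteralPath $KeyPath) {
    $Actual = (Get-Item -LiteralPath $KeyPath).GetValueNames()
} else {
    Write-Warning "Key not found: $KeyPath. Using constructed sample data."
    $Actual = @('C:\OldApp\Cache', 'd:\sql\data\', 'D:\SQL\Logs')
}

$drift = @(Get-ExclusionDrift -Expected $Expected -Actual $Actual)
if ($drift.Count -eq 0) { 'Client exclusions match the expected list.' }
else { $drift | Format-Table -AutoSize }
```

Running it on a server where the policy applied cleanly and on one where it did not gives a record of exactly which values are stale or missing, which helps with the root-cause question and shows which antivirus exclusions are still in effect that the current policy no longer intends.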