Endpoint Protection policy not applied on new SCCM 2012 client


  • Hello

    I applied SCCM 2012 SP1 and all is working fine.

    I'm updating the client agent from 5.00.7711 to the new 5.00.7743.

    I notice that the new client does not receive the FEP policy.

    The client also receives updates, and applies the default policy.

    The strange thing is that FEP reports my scheduled scan (Tuesday, 01 pm) but the console shows no policy result.

    Please see the image below. No PCs were moved from any collection; I just installed the new client. I tried restarting the PCs but the situation did not change. The FEP screenshot is from my PC, which reports "Antimalware policy" and not "FEP10 Std Desktop".

    Is it possible to force the FEP policy or see any FEP policy log?

    Looking at endpointprotectionagent.log:

    Handle AM Policy. EndpointProtectionAgent 26/06/2012 14:11:00 18052 (0x4684)
    Apply AM Policy. EndpointProtectionAgent 26/06/2012 14:11:00 18052 (0x4684)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 26/06/2012 14:11:00 18052 (0x4684)
    Applied the C:\windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 26/06/2012 14:11:04 18052 (0x4684)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 26/06/2012 14:11:04 18052 (0x4684)
    State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Antimalware Policy and GroupResolveResultHash 9AD6F3A97AF2CF6161DEB44BFB3C67DBC7B8C623 is NOT changed, SKip sending State Message. EndpointProtectionAgent 26/06/2012 14:11:04 18052 (0x4684)

    Why does the client apply the "local" EP policy?

    I opened a question at the SCCM 2012 forum but no response yet.

    June 28, 2012 12:01


All replies

  • Hi,

    Thank you for the post.

    Microsoft has found this issue and the workaround is just to create new policies.

    Cause: The problem here is that an SP1 site will generate/update policy only if the custom AM policy is changed; if the AM policy is not changed, no policy for the SP1 client will be generated.

    Workaround: Create new Antimalware policies from a Customer Technology Preview site, and do not use the antimalware policies you may have had defined in a ConfigMgr 2012 site.

    If there are more inquiries on this issue, please feel free to let us know.

    Rick Tan

    TechNet Community Support

    June 29, 2012 5:24
  • Hi Rick,

    Thank you very much for your reply.

    Could I import the policy and reapply it on the CTP site, or do I need to create a new policy?

    Now I have put my laptop in a new collection and made a new custom client policy (not imported), but I need to use the same policy due to an exclusion for DC, FileServer, etc.

    I'll give you an update in a couple of hours.

    Rick, I made a new policy, put my laptop and XP test client in a new collection and deployed to it, but nothing; ANTIMALWARE POLICY was always applied.

    • Edited by ZenoDJ June 29, 2012 14:02
    June 29, 2012 12:44
  • Hi,

    Another suggestion is to change the policy (name or description) in the SCCM console.

    If your clients still show antimalware policy, I'd like to suggest that you contact Microsoft Customer Service and Support (CSS) for this issue.

    How and when to contact Microsoft Customer Service and Support

    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan (Moderator) July 6, 2012 2:12
  • Hi Rick,

    Unfortunately it does not work.

    Probably need to wait for MS to resolve it.

    Thank you for your cooperation!

    July 5, 2012 13:56
  • Hi,

    I have the same issue: since SP 1, the policy name is antimalware policy.

    Any feedback?

    Thanks in advance.

    December 11, 2012 21:35
  • Dear Manu Be

    It seems that "antimalware policy" is only a pure label

    Please look at your exclusion set and check whether you find your custom exclusion.

    In my environment my clients report "antimalware policy" but they correctly apply our custom policy.

    Let us know

    December 12, 2012 10:48
  • Hi ZenoDJ,

    Right, the good exclusions are applied, but without SP1 it was the real name of the policy applied. It was very nice and much faster to check whether the good policy was applied...

    Now, you have to check exclusions to be sure...

    December 12, 2012 12:59
  • From What's New in Configuration Manager 2012 SP1:

    "Multiple antimalware policies that are deployed to the same client computer are now merged on the client. When two settings conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority you have configured for each antimalware policy."

    In an environment that I'm currently working in, which uses a default EP policy as well as several additional policies based on the server/workstation function, some of the SCCM clients would receive up to 3 different EP policies based on different collection queries that the policies were deployed to. These policies become merged at the client level and I believe they are just represented as "Antimalware Policy" in the SP1 Endpoint Protection client.

    The best way that I've found to locally check what policies are actually applied to the client (besides looking in the SCCM console) is checking this registry key: HKLM\Software\Microsoft\CCM\EPAgent\LastAppliedPolicy

    • Proposed as answer by Josh Heffner January 11, 2013 18:09
    January 2, 2013 20:02
  • Hi ZenoDJ,

    Please check PolicyAgentProvider.log after refreshing Machine policies. If EP is the only changed policy you should see something like:

    --- Processing 1 settings change(s).	PolicyAgentProvider	16/05/2013 9:19:12 AM	21484 (0x53EC)
    --- [1] __InstanceModificationEvent settings change on object CCM_AntiMalwarePolicyClientConfig.SiteSettingsKey="{A9BF08A7-F25F-4CD0-9121-F6978FBB0A2F}/200_201_201".	PolicyAgentProvider	16/05/2013 9:19:12 AM	21484 (0x53EC)
    --- Begin Indicating 1 settings change(s).	PolicyAgentProvider	16/05/2013 9:19:12 AM	21484 (0x53EC)

    Here is what I have observed: even though the Policy Name is set to Antimalware Policy, the settings on the policy are applied correctly. Can you confirm this?

    If I manually apply the policy with command line:  

    "C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe" "C:\Temp\<MY POLICY>.xml"

    it shows the correct name and settings.


  • Hi,

    I'm experiencing this issue also, except my settings are not getting applied.  See this thread:

    Has anyone seen anything like this?  I've got a case open with PSS but so far no luck. 

  • Hi Pranav,

    Sorry for not responding quickly.

    Well... I followed your steps and have the same situation: I manually applied my XML and all was applied correctly.

    My situation before your steps was that the policy was successfully applied and "antimalware policy" was only a pure label. All exclusions successfully updated... now I have the correct label.

    I updated all my clients to 5.00.7804.1202.

  • Hi jfergus,

    Thank you for your reply.

    As you read, in my case settings are applied and "antimalware policy" is only a label...

    You found/have a very good guide to troubleshoot FEP policy!!!! Good shot!!!
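
Added example, not part of any post in this thread: a small Python parser for the EndpointProtectionAgent.log state lines quoted in the first post, which picks the most recent policy application and flags when the client reports only the generic "Antimalware Policy" label, so the settings need to be confirmed another way. The function names are hypothetical; it assumes the dd/mm/yyyy timestamp format of the quoted log and treats state 1 with ErrorCode 0 as a successful apply because that is what the quoted log shows after ConfigSecurityPolicy.exe succeeds.

```python
import re
from datetime import datetime

# Constructed sample: the first State line is the one quoted in the thread; the
# second is a made-up, older entry with a named policy and a placeholder hash.
SAMPLE_LOG = (
    "Apply AM Policy. EndpointProtectionAgent 26/06/2012 14:11:00 18052 (0x4684)\n"
    "State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Antimalware Policy and "
    "GroupResolveResultHash 9AD6F3A97AF2CF6161DEB44BFB3C67DBC7B8C623 is NOT changed, "
    "SKip sending State Message. EndpointProtectionAgent 26/06/2012 14:11:04 18052 (0x4684)\n"
    "State 1 and ErrorCode 0 and ErrorMsg  and PolicyName FEP10 Std Desktop and "
    "GroupResolveResultHash " + "0" * 40 + " is NOT changed, "
    "SKip sending State Message. EndpointProtectionAgent 25/06/2012 09:00:10 18052 (0x4684)\n"
)

STATE_RE = re.compile(
    r"State (?P<state>\d+) and ErrorCode (?P<error>\S+) and ErrorMsg (?P<msg>.*?) "
    r"and PolicyName (?P<name>.*?) and GroupResolveResultHash (?P<hash>[0-9A-Fa-f]+)"
    r"(?P<tail>.*?)\s+EndpointProtectionAgent (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
)
GENERIC_LABEL = "Antimalware Policy"  # label SP1 clients show in the thread

def parse_policy_states(text):
    """Return one dict per 'State ... PolicyName ...' line found in the log text."""
    events = []
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
                "state": int(m["state"]),
                "error": m["error"],
                "policy_name": m["name"].strip(),
                "hash": m["hash"].upper(),
                "state_message_skipped": "is NOT changed" in m["tail"],
            })
    return events

def triage(text):
    """Classify the most recent policy application recorded in the log."""
    events = parse_policy_states(text)
    if not events:
        return None, "no policy application recorded"
    last = max(events, key=lambda e: e["time"])  # newest by timestamp, not file order
    if last["state"] != 1 or last["error"] != "0":  # assumption: 1/0 means success
        return last, "apply reported a problem: read ErrorCode/ErrorMsg"
    if last["policy_name"].lower() == GENERIC_LABEL.lower():
        return last, "applied under the generic label: confirm settings, e.g. exclusions"
    return last, "applied under a named policy"

if __name__ == "__main__":
    event, verdict = triage(SAMPLE_LOG)
    print(event["time"], event["policy_name"], "->", verdict)
```
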