Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and Boot Images, etc...
Published Sep 30 2019 05:58 PM
Microsoft

First published on TECHNET on Jan 11, 2013

Authored by Clifton Hughes

With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing problems (not necessarily new ones) caused by missing antivirus exclusions around OSD and boot image related activities, as follows:

OSD Related A/V Exclusion Considerations:

Boot image actions:

  • Importing the default boot WIMs during initial site setup
  • Updating the default boot WIMs during site upgrade
  • Manual import of custom boot images (customer action)
  • Customizing boot images (drivers, prestart command, WinPE optional components, background image, etc.)

Folders to exclude from AV scanning:

  • The temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}. Exclude C:\Windows\TEMP\BootImages and its subfolders.

OS image actions:

  • Offline Servicing

Folders to exclude from AV scanning:

  • The temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing, with several subfolders used for different purposes (staging files, mounting the OS, etc.), where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file. If this value is missing, the site uses the drive where the site is installed. Exclude <X:>\ConfigMgr_OfflineImageServicing and its subfolders.

Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:

I was also provided anecdotal information from an issue: if you find yourself in a situation where the boot images didn't get updated during the site upgrade to SP1, you can manually update the boot images using the following instructions:

  • Rename boot.wim and the default boot WIM in each architecture folder of <smsinstall>\OSD\boot\ (both i386 and x64) to <wim>.bak.
  • Starting with the i386 folder, find the install folder of the ADK, which, if you installed with the defaults, is here: "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim". Copy winpe.wim to the <smsinstall>\OSD\boot\i386 folder and rename it to boot.wim.
  • Copy it again, this time renaming it so it matches the name of the default boot WIM for the site, so it looks like boot.<packageid>.wim.
  • Update the default boot image through WMI (for example with wbemtest connected to the root\sms\site_<sitecode> namespace): click "Execute Method", enter the object path SMS_BootImagePackage.PackageID="<Image ID you see in the console, e.g. POL00001>" and run UpdateDefaultImage.
  • Repeat this for the x64 folder. Do not do this for any custom boot images; this only updates the default boot WIMs installed during setup of the site.
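The five steps above as one script, added here as an example; it is not code from the original post or from Microsoft. Beyond what the post states it assumes that the site code and install directory can be read from HKLM:\SOFTWARE\Microsoft\SMS\Identification, that the x64 WinPE source is the ADK 8.0 amd64\en-us\winpe.wim beside the x86 path quoted above, that the two default boot image PackageIDs are supplied by the caller (XYZ00001 and XYZ00002 below are placeholders, not real IDs), and that UpdateDefaultImage reports failure through a non-zero ReturnValue like other SMS provider methods. Custom boot images are never touched because only the IDs you pass in are processed.

```powershell
# Added example (not from the original post): scripted form of the manual
# boot image reset for the two default boot images. Assumptions are noted
# inline. Run elevated on the site server, with -WhatIf first.

function Reset-CMDefaultBootImages {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$InstallDir,
        # OSD\boot folder name -> PackageID of the default boot image stored there
        [Parameter(Mandatory)][hashtable]$DefaultImages,
        # Assumption: default ADK 8.0 install location (x86 path is quoted in the post)
        [string]$AdkWinPeRoot = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment'
    )
    # Assumption: the ADK keeps its x64 WinPE under 'amd64', its x86 one under 'x86'
    $adkArch = @{ i386 = 'x86'; x64 = 'amd64' }

    foreach ($arch in 'i386', 'x64') {
        $pkgId = $DefaultImages[$arch]
        if (-not $pkgId) { throw "No default boot image PackageID given for $arch" }
        $bootDir = Join-Path $InstallDir "OSD\boot\$arch"
        $source  = Join-Path $AdkWinPeRoot "$($adkArch[$arch])\en-us\winpe.wim"
        if (-not (Test-Path -LiteralPath $source))  { throw "ADK WinPE image not found: $source" }
        if (-not (Test-Path -LiteralPath $bootDir)) { throw "Boot folder not found: $bootDir" }

        if (-not $PSCmdlet.ShouldProcess("$bootDir ($pkgId)", "Rebuild default boot image from $source")) {
            continue
        }

        # Step 1: move the existing boot.wim and boot.<PackageID>.wim aside as .bak,
        # refusing to clobber a backup left behind by an earlier attempt.
        foreach ($name in 'boot.wim', "boot.$pkgId.wim") {
            $existing = Join-Path $bootDir $name
            $backup   = Join-Path $bootDir "$name.bak"
            if (Test-Path -LiteralPath $backup) { throw "Backup already exists, not overwriting: $backup" }
            if (Test-Path -LiteralPath $existing) { Rename-Item -LiteralPath $existing -NewName "$name.bak" }
        }

        # Step 2: bring in the clean ADK winpe.wim under both names.
        foreach ($name in 'boot.wim', "boot.$pkgId.wim") {
            Copy-Item -LiteralPath $source -Destination (Join-Path $bootDir $name)
        }

        # Step 3: SMS_BootImagePackage.UpdateDefaultImage, the same method the post
        # runs from the WMI tool, against the SMS provider namespace.
        # Assumption: a non-zero ReturnValue means the method failed.
        $result = Invoke-WmiMethod -Namespace "root\sms\site_$SiteCode" `
            -Path "SMS_BootImagePackage.PackageID='$pkgId'" -Name UpdateDefaultImage
        if ($result -and $null -ne $result.ReturnValue -and $result.ReturnValue -ne 0) {
            throw "UpdateDefaultImage on $pkgId returned $($result.ReturnValue)"
        }
        Write-Host "Rebuilt default boot image $pkgId in $bootDir"
    }
}

# Usage. Assumption: site code and install directory live in this registry key.
# XYZ00001 / XYZ00002 are placeholders for the two default boot images shown in
# the console; -WhatIf prints what would happen without renaming or copying anything.
$id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
Reset-CMDefaultBootImages -SiteCode $id.'Site Code' -InstallDir $id.'Installation Directory'.TrimEnd('\') `
    -DefaultImages @{ i386 = 'XYZ00001'; x64 = 'XYZ00002' } -WhatIf
```

The hashtable parameter is deliberate: the script only ever touches the two PackageIDs you hand it, so a custom boot image cannot be overwritten by accident, and the refusal to overwrite an existing .bak keeps the original WIMs recoverable if the first run went wrong.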

General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection

Additionally, per my other post showing how to import the various templates for different servers, here is the general list of file/folder exclusions exported from the Endpoint Protection template for System Center 2012 Configuration Manager:

%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)

The entries above were taken directly from one of the templates included with System Center 2012 Configuration Manager, which is attached to this post.

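Both the OSD exclusions earlier in the post and the template entries above are the same kind of object: a path that the antimalware engine must leave alone. The following script is an added example, not code from the original post or from Microsoft: it resolves those paths for the local site server (including the StagingDrive lookup with the fallback the post describes), compares them with what is actually configured, and adds the missing ones. It assumes the Windows Defender/SCEP PowerShell module (Get-MpPreference, Add-MpPreference) is available, that the site code and install directory are in HKLM:\SOFTWARE\Microsoft\SMS\Identification, and that the site control file section the post calls Offline Servicing Manager is exposed through the SMS provider as the SMS_SCI_Component named SMS_OFFLINE_SERVICING_MANAGER with a StagingDrive property; those two names are assumptions, which is why the lookup falls back to the site install drive.

```powershell
# Added example (not from the original post): resolve, audit and apply the
# exclusions listed on the page for this site server. Assumptions are noted
# inline. Run elevated on the site server; use -WhatIf first.

function Get-CMSiteIdentification {
    # Assumption: ConfigMgr setup writes these two values to this key.
    $id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
    [pscustomobject]@{
        SiteCode   = $id.'Site Code'
        InstallDir = $id.'Installation Directory'.TrimEnd('\')
    }
}

function Get-CMOfflineServicingDrive {
    param([Parameter(Mandatory)][string]$SiteCode,
          [Parameter(Mandatory)][string]$InstallDir)
    # Post: <X:> is StagingDrive from the Offline Servicing Manager section of the
    # site control file; if it is missing, the drive the site is installed on.
    # Assumption: component name SMS_OFFLINE_SERVICING_MANAGER, property StagingDrive.
    $drive = $null
    try {
        $comp = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Class SMS_SCI_Component `
            -Filter "ComponentName='SMS_OFFLINE_SERVICING_MANAGER'" -ErrorAction Stop |
            Select-Object -First 1
        $prop = @($comp.Props | Where-Object { $_.PropertyName -eq 'StagingDrive' })[0]
        foreach ($v in @($prop.Value1, $prop.Value2)) {   # string values of an embedded property
            if ($v -and $v -match '^[A-Za-z]:') { $drive = $v.Substring(0, 2); break }
        }
    } catch { }
    if (-not $drive) { $drive = Split-Path -Qualifier $InstallDir }
    return $drive
}

function Get-CMAvExclusionPaths {
    param([Parameter(Mandatory)][string]$InstallDir,
          [Parameter(Mandatory)][string]$StagingDrive)
    # Expanded here (instead of %windir% etc.) so the strings can be compared
    # with what Get-MpPreference reports back. A folder entry covers its subfolders.
    $sd = $StagingDrive.TrimEnd('\')
    @(
        "$env:windir\TEMP\BootImages"                       # boot image import/update/customize
        "$sd\ConfigMgr_OfflineImageServicing"               # offline servicing staging/mount
        "$env:ALLUSERSPROFILE\NTUser.pol"
        "$env:SystemRoot\system32\GroupPolicy\registry.pol"
        "$env:windir\Security\database\*.chk"
        "$env:windir\Security\database\*.edb"
        "$env:windir\Security\database\*.jrs"
        "$env:windir\Security\database\*.log"
        "$env:windir\Security\database\*.sdb"
        "$env:windir\SoftwareDistribution\Datastore\Datastore.edb"
        "$env:windir\SoftwareDistribution\Datastore\Logs\edb.chk"
        "$env:windir\SoftwareDistribution\Datastore\Logs\edb*.log"
        "$env:windir\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs"
        "$env:windir\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs"
        "$env:windir\SoftwareDistribution\Datastore\Logs\Res1.log"
        "$env:windir\SoftwareDistribution\Datastore\Logs\Res2.log"
        "$env:windir\SoftwareDistribution\Datastore\Logs\tmp.edb"
        "$InstallDir\Inboxes"                               # real install dir, not %programfiles%
    ) | Select-Object -Unique
}

function Compare-CMAvExclusions {
    param([Parameter(Mandatory)][string[]]$Expected)
    # Audit: is each expected entry actually configured right now?
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $Expected) {
        [pscustomobject]@{ Path = $p; Present = ($current -contains $p) }
    }
}

function Add-CMAvExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Expected)
    $missing = @(Compare-CMAvExclusions -Expected $Expected |
                 Where-Object { -not $_.Present } | Select-Object -ExpandProperty Path)
    if ($missing -and $PSCmdlet.ShouldProcess(($missing -join '; '), 'Add-MpPreference -ExclusionPath')) {
        Add-MpPreference -ExclusionPath $missing
    }
    return $missing
}

# Usage: dry run, then audit table. Drop -WhatIf to apply.
$site  = Get-CMSiteIdentification
$drive = Get-CMOfflineServicingDrive -SiteCode $site.SiteCode -InstallDir $site.InstallDir
$paths = Get-CMAvExclusionPaths -InstallDir $site.InstallDir -StagingDrive $drive
Add-CMAvExclusions -Expected $paths -WhatIf
Compare-CMAvExclusions -Expected $paths | Format-Table -AutoSize
```

Every exclusion is an attack-surface trade-off: whatever lands in an excluded folder is never scanned, so keep the list to the exact paths the product needs (C:\Windows\TEMP\BootImages, not all of TEMP), and re-run the comparison periodically so an exclusion added during troubleshooting does not quietly outlive the troubleshooting.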
Additional links to Antivirus and Antimalware Information:

Where is the Documentation for System Center 2012 Endpoint Protection?

Forefront Endpoint Protection Blog

Guidance on serve initial FEP definition update with SCCM through DP

How to use the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Roll...

Important Changes to Forefront Product Roadmaps

Support Questions about Windows 8 and Windows Server 2012 for Configuration Manager and Endpoint Pr...

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows:
http://support.microsoft.com/kb/822158

Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007:
http://support.microsoft.com/kb/327453

ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations:
http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-ex...

Thanks, Cliff Hughes
Premier Field Engineer
System Center 2012 Configuration Manager

Attachment: SCEP12_Default_CfgMgr2012.xml

Last update: Oct 15 2019 12:11 PM