FEP and SCEP anti-malware protection support after OSes reach end-of-life
First published on CloudBlogs on Mar 27, 2014
Software Development Engineer in Test, Configuration Manager Sustained Engineering
Applies to: FEP 2010 SU1, SCEP 2012 SP1, SCEP 2012 R2
The platform update released on April 8, 2014 for Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection will add new functionality related to Operating System (OS) end-of-life. The endpoint protection agent will now assess whether the operating system of the computer is approaching the end of the support lifecycle (see:
). If configured to generate alerts, it will warn end users that the operating system on their computer is approaching end-of-life, that it is in a grace period following end-of-life, or that it has exited the grace period and the Anti-malware service is no longer helping to protect their computer:
Stage 1: OS is approaching end-of-life.
At this stage, the OS is near the end of its support lifecycle. FEP/SCEP will still work as normal.
Stage 2: Optional grace period.
OS has reached end-of-life, but anti-malware platform service is still running and definition updates can be received.
We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware that is designed to help protect PCs and servers against today’s threat landscape. For this reason, there is no guarantee that every OS that reaches end-of-life will be provided a grace period.
Stage 3: Anti-malware service stopped.
You can no longer start the anti-malware service, and your computer will not receive anti-malware definition updates. Thus FEP/SCEP will no longer help to protect your computer.
In a controlled enterprise environment, it is the IT administrator who controls OS upgrades and platform updates, and end users have no control over their OS. So, for FEP and SCEP customers, by default we will not expose the warning UI for Stage 1 or Stage 2 (optional) to end users. End users will only receive the error when Stage 3 starts; during Stage 1 and Stage 2 (optional) they will see exactly the same behavior and client UI as usual.
For the IT administrator, FEP/SCEP will generate event errors for each of the 3 stages. FEP/SCEP also provides a registry value that shows the current end-of-life status of the OS if it is near end-of-life: HKLM\Software\Microsoft\Microsoft Antimalware\EndOfLifeState:
means Stage 1 - OS is approaching end-of-life
means Stage 2 - Optional grace period, OS has reached end-of-life
means Stage 3 - Anti-malware service stopped
This registry key state applies to all operating systems when they approach end-of-life in the future. If the current OS is not approaching end-of-life, you will not see the registry key value.
Configuration Manager users can use DCM configuration items to monitor the end-of-life state of their computers.
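The following is an added example of such a monitoring script, not code from the original post: a discovery script for a script-based Configuration Manager configuration item that reads the EndOfLifeState value described above. It assumes the CI setting is of type String with an expected value of Compliant, and it reports the raw registry value rather than mapping it to a stage, since the stage mapping is documented in the text above.

```powershell
# Added example (not from the original post): DCM discovery script that checks whether
# FEP/SCEP has flagged the OS as approaching or past end-of-life.
# The registry value only exists when the OS is near end-of-life, so absence means
# the OS is not in any of the three stages.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$valueName = 'EndOfLifeState'

function Get-EndOfLifeComplianceState {
    # -ErrorAction SilentlyContinue returns $null if either the key or the value is missing
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Assumption: the configuration item expects the string "Compliant"
        # for computers whose OS is not near end-of-life.
        return 'Compliant'
    }

    # Value present: the OS is in Stage 1, 2 or 3. Surface the raw value so the
    # compliance report shows which stage the agent reported.
    return ('NonCompliant:EndOfLifeState=' + $item.$valueName)
}

# The configuration item compares this output against the expected value.
Get-EndOfLifeComplianceState
```

Set the configuration item's compliance rule to require the value "Compliant"; any computer returning the NonCompliant string then appears in the baseline's non-compliance report with the stage value the agent wrote.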