On patch Tuesday this month, February 2015, a new version of the System Center Endpoint Protection client was released, which replaces the one released in October. The same way as the latest versions of the Endpoint protection client they are released on Microsoft Update / WSUS and can be deployed as an update to your clients. The scpeinstall.exe file on the Configuration Manager 2012 servers are updated with the Cumulative Updates as it has been before as well. So when you deploy a new System Center Endpoint Protection client it will require this update as well.
New in this release from the KB article, http://support.microsoft.com/kb/3036437:
The KB article was updated 13/2 with this new content.
The Update is now pulled back from Windows Update and expired in WSUS, if you are experiencing the issues with downloads being blocked with a message that they contain virus, you should downgrade those effected systems. More details can be found here: Team Blog
A new version 22.214.171.124 is released with the issue resolved: http://blogs.technet.com/b/configmgrteam/archive/2015/02/19/known-issue-endpoint-protection-blocks-internet-explorer-downloads.aspx
“The revised update to address the Internet Explorer download issue is now available on Microsoft Update and Windows Software Update Services as KB3041687. This release is version 126.96.36.199″.
- Improvements to registry and file system protection to counter tampering from malware.
- Sub-mount points can be automatically excluded, and volumes can be fully excluded in Real time protection (RTP).
- This update also includes the deprecation of the DisableGenericReports subkey in the following registry location:
Note Unless this key is edited directly in the registry, this update should not have any effect on telemetry behavior.
After you apply this update, to disable telemetry that’s sent by Endpoint Protection through Microsoft Active Protection Service (MAPS), open the Endpoint Protection UI, click the Settings tab, select the MAPS section, and then click I don’t want to join MAPS.
- Administrators can manage the MAPS configuration options through Windows Management Infrastructure (WMI), Windows PowerShell, and Group Policy.
- Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.
- Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:
- MAPS Configuration Registry location:
DWORD name: SpyNetReporting
- 0 – Off
- 1 – Basic Membership
- 2 – Advanced Membership
- Sample Submission Registry location:
DWORD name: SubmitSamplesConsent
- 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
- 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
- 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
- 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.
The new version is 188.8.131.52 which can be seen in the UI under help.
I have seen some issues being reported on the forums and from customers.
- WMI related errors in the event logs and SCCM Client Health reports back a faulty WMI, a reboot solves this issue.
- The next issue with the update is that registry keys needs to be configured as the KB articles states above, to stop the Submit sample consent dialog from being displayed and to be able to configure MAPS membership.
- There has also been reports about all downloads in IE being blocked as they contains virus, no real solution to that one yet.