Configure Endpoint Protection 2012 in SCCM 2012 SP1

In this blog I’ll explain how to configure Endpoint Protection 2012. This scanner/protection is integrated in SCCM 2012 and is installed automatically on every machine that has the Configmgr client installed.

So, this is a simple but quick how-to. (You must already have installed WSUS and installed and configured the Software Update Point role (SUP).)

First, we have to make a new collection. This collection is for all Windows 7 or Windows 8 clients. In my example I’m using Windows 8.

Endpoint Protection updates only work with a device collection.

Step 1 Device Collection

Go to Assets and Compliance and right click on Device Collections. Click on Create Device Collection.

A new window will appear. Give the collection a name. I’ll use All Windows 8 Computers.

The limiting collection is All Systems.

Click on Add Rule and click on Query Rule.

Give the query a name (in my example All Windows 8 Computers) and click on Edit Query Statement.

In the new window click on the button Show Query Language.

Now add this query (it is WQL, the console’s query language, which looks like SQL):

select * from SMS_R_System where SMS_R_System.OperatingSystemNameAndVersion like "%Workstation 6.2%"

(for Windows 7 = Workstation 6.1)

Click Ok.

Click Ok.

Change schedule to 10 minutes (this is a lab)


Click Next

And close the wizard.

Right click on the new collection and go to properties.

Open the tab Alerts

Enable View this collection in the Endpoint Protection dashboard.

Click Ok to close the properties.

Step 2 (Configure Software Update Point and Software updates)

Go to Administration -> Sites and select your site. Right click on your site and go to Configure Site Components -> Software Update Point

You have to select Forefront Endpoint Protection 2010 in the tab Products. Click Ok to close.

Go to Software Library in the menu. Right click on All Software Updates and choose Synchronize Software Updates.

You will get this warning. Click on Yes.

To check the status, open wsyncmgr.log. This log is located in C:\Program Files\Microsoft Configuration Manager\Logs

Go back to the console and right click on Automatic Deployment Rules and click on Create Automatic Deployment Rule.

Give the rule a name. In my example that is Automatic Deployment Rule for Endpoint Protection Updates.

The collection is the new collection All Windows 8 Computers.

Click Next.

Check Date Released or Revised and choose Last 1 day.

Check Product and choose Forefront Endpoint Protection 2010.


Change schedule to 1 day.

Change Time based to UTC and Software available time to 2 hours. The installation deadline is As soon as possible.

Click Next.

Enable Configuration Manager alerts.

Change deployment options to Download software updates from distribution point and install.

Select Create a new deployment package. Enter a name and the source path for the updates.

Add a distribution point.

Click Next.

Click Next.

Click Next

Click Close.

Step 3 (configure custom antimalware policies)

You have to configure an antimalware policy. Do not edit the default policy, but always make a new one; that is the best practice. Custom policies always take precedence over the default antimalware policy because they have a higher priority.

Go to Assets and Compliance and right click on Antimalware Policies. Click on Create antimalware policy.

Enter a name and select everything in the list.

Now we have to configure the items in the left pane. This differs for every environment, so I won’t go into the details. Don’t forget the source in Definition updates.

After that, right click on the policy and choose Deploy.

Select the correct collection; in my example that is All Windows 8 Computers.

Step 4 (Custom Client Device Settings)

You have to tell the client that you want to use Endpoint Protection. This means we have to change the Client Device Settings. Go to Administration and right click on Client Settings. Click on Create Custom Client Device Settings. Here too, the custom settings have a higher priority than the Default Client Settings.

Enter a name and select Endpoint Protection.

Go to Endpoint Protection in the left pane.

Change some settings if you want; these are the defaults. Click Ok.

Right click on the custom client device settings and click on Deploy.

Select the collection and click Ok.

Now we have to check if everything is working. Go to the client and open Endpoint Protection. Click on the arrow next to Help and click on About System Center Endpoint Protection.

In the list you should find your custom policy; if not, force the sync with SCCM or wait for it.

If you don’t find your custom policy, go to Control Panel and open Configuration Manager. Open the tab Actions and select Machine Policy Retrieval & Evaluation Cycle and then click on the Run Now button.

You will get this message. Click Ok and wait for a minute. After that the machine gets the custom antimalware policy.

You can also check the logs in C:\Windows\CCM\Logs\ for the endpoint protection status and for the updates.


#4 troubleshoot: CCMsetup error WOW64 Emulation Layer – Event ID 1109

I was deploying Windows 7 and Windows 8 images, but after installing the Configmgr client it stopped without any error or warning.

So, after checking the logs and eventvwr I still had no clue about the stop/failure. The only thing I could do was run the setup manually from the distribution point.

I ran CCMsetup.exe from \\SCCM2012\C$\SMSPKGE$\CM200014\ and I got this message:

This is btw on a Windows 7 machine, but I got the same error on a Windows 8 machine.

Very odd, so the next step was to copy the Client folder to the local drive and run it from there, but I still got the same error. Checking the eventvwr I got this event ID.

Ok, now from the source directory. Running CCMsetup.exe from \\SCCM2012\SMS_CM2\Client gave no warnings or errors. So this must be a corruption after updating the package to the distribution point.

I checked the settings of the package and found this option. It is disabled by default. It’s a simple option, and it also says that if you want to run this from the distribution point you have to enable it.

I enabled "Copy the content in this package to a package share on distribution points".

I tried the installation from the share again, and it ran without any problems.

But this may not fix the deployment. If you still have the same problem, check this blog:


#5 troubleshoot: Couldn't verify 'C:\Windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi' authenticode signature. Return code 0x800b0101 in ccmsetup.log

I was deploying Windows 7 and 8 images, but after copying the setup files and installing the Configmgr client it stopped. I didn’t get any warnings or information about the stop. So, I searched the logs for the error.

In SMSTS.log (located in C:\Windows\Temp) you see a failure like this:

Hmm, ok? But the client setup has its own log file, which may be easier to understand. This log file is located at C:\Windows\ccmsetup\Logs\ccmsetup.log

Now we see a better warning about why the setup stops. The failure is: Couldn't verify 'C:\Windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi' authenticode signature. Return code 0x800b0101

What I found on the Internet is that this is a bug in Service Pack 1. Microsoft has released a hotfix for Windows 7 and older OS versions. Windows 8 also has a hotfix for this problem.

There are 2 methods to solve this.

Method 1:

This hotfix is for all site servers. Install KB2801987 on all site servers in your hierarchy.

Method 2:

For Win7 and below, look at this link: KB2749655

For Win8 look at this link: KB2756872

This hotfix must be installed before installing the Configmgr client (duh). This means you have to update your images. There is an easy way to do that.

Open the command prompt (run as administrator) and go to the directory where the hotfix is located (on the SCCM server!).

In my example that is E:\Resource\hotfix\win7\Windows6.1-KB2749655-x64.msu

We have to extract the MSU file, because we need the .cab file inside it. So type in:

Windows6.1-KB2749655-x64.msu /extract:E:\Resource\hotfix\win7\

Now we have some files in the Win7 directory. Two of them are .cab files.

The next step is mounting the WIM file. Run this command to mount the image to a folder. First create the folder; in my example that is E:\mount

Then run this command:

DISM /mount-wim /wimfile:E:\resource\images\win7.wim /index:1 /mountdir:E:\mount

This can take a few minutes.

Then, DISM /image:E:\mount /Add-Package /PackagePath:E:\resource\hotfix\win7\

You are done. Now unmount the WIM file with this command:

DISM /Unmount-WIM /Mountdir:E:\mount /Commit


And do this also for Windows 8 images.

Last step before testing/deploying it: update your distribution point by right clicking on the Windows 7 image and choosing Update Distribution Points.
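The extract, mount, add-package and unmount steps above as one PowerShell script. This is an added example, not the author's own; all paths are assumptions, and it also covers the case the steps above do not: if any DISM step fails, the mount is discarded so a half-patched image is never committed.

```powershell
# Added example (not from the original post): the extract / mount / add-package /
# unmount steps as one script, which discards the mount if any step fails
# so that a half-patched image is never committed. All paths are assumptions.
param(
    [string]$Msu      = 'E:\Resource\hotfix\win7\Windows6.1-KB2749655-x64.msu',
    [string]$Wim      = 'E:\resource\images\win7.wim',
    [int]   $Index    = 1,
    [string]$MountDir = 'E:\mount'
)
$ErrorActionPreference = 'Stop'
$hotfixDir = Split-Path -Parent $Msu

# 1. Extract the .msu (wusa /extract exists on the Windows 7 / Server 2008 R2 era
#    systems this post targets). The update itself is the KB-named .cab; the
#    extract also drops WSUSSCAN.cab, which DISM cannot add, so filter it out.
& wusa.exe $Msu "/extract:$hotfixDir" | Out-Null
$cabs = Get-ChildItem -Path $hotfixDir -Filter '*.cab' |
        Where-Object { $_.Name -notlike 'WSUSSCAN*' }
if (-not $cabs) { throw "No update .cab found after extracting $Msu" }

# 2. Mount the image read/write. DISM reports failure through its exit code,
#    which PowerShell does not turn into an exception, so check it explicitly.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
& dism.exe /Mount-Wim "/WimFile:$Wim" "/Index:$Index" "/MountDir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "Mount-Wim failed with exit code $LASTEXITCODE" }

try {
    # 3. Add each update .cab by name rather than pointing DISM at the folder.
    foreach ($cab in $cabs) {
        & dism.exe "/Image:$MountDir" /Add-Package "/PackagePath:$($cab.FullName)"
        if ($LASTEXITCODE -ne 0) { throw "Add-Package failed for $($cab.Name): exit code $LASTEXITCODE" }
    }
    # 4. Commit only when every package went in.
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Commit
    if ($LASTEXITCODE -ne 0) { throw "Unmount /Commit failed with exit code $LASTEXITCODE" }
    Write-Host "Committed $Wim (index $Index) with: $($cabs.Name -join ', ')"
}
catch {
    # Roll back: unmount without saving so the original WIM stays untouched.
    Write-Warning "Patching failed: $_"
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    throw
}
```

Run it from an elevated prompt on the SCCM server; for a Windows 8 image pass the KB2756872 .msu and the Windows 8 WIM as parameters.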

That’s all folks.

#3 troubleshoot: OSD – Content location request for IDXXXXXX:X failed (Code 0x80040102)

I was working on a new build and capture for a Windows 8 deployment, but at the beginning of the task sequence in WinPE I got this message:

Content location request for IDXXXXXXX failed (Code 0x80040102)

So, the only thing you have to do is go to Administration in the console and then to Boundary Groups. Right click on the item and go to Properties. I have 1 item; maybe you have more.

This infrastructure was migrated from SCCM 2007. That’s the reason for the name.


Go to the Reference tab.

And enable "Use this boundary group for site assignment" and choose the correct site.

Also add the content location. Choose your distribution point.

You are done.

Deploy APK (Android) app in SCCM 2012 with Windows Intune Connector

A new blog about deploying apps via SCCM. This blog is not for all platforms, but only about Android, because I only have an Android smartphone to test with. The way to manage an Android device is not the same as for iOS or Windows RT/8. Windows Intune doesn’t support direct management for Android, only for iOS and Windows RT/8. This means you have to connect your Android device to Exchange ActiveSync (EAS) to manage the device. It could be an on-premise Exchange or a cloud Exchange like Office 365.

But the good part of this blog is that you don’t need EAS for deploying apps to your Android device(s). The only things you need are DirSync from your corporate Active Directory to the cloud (Windows Azure Active Directory), and the users must be known in Windows Intune to log in to the Company Portal.

For iOS and Windows 8/RT it is not that easy, because for a Windows Modern (Metro) app you have to contact the developer for the APPX file. This is called sideloading: deploying/installing Windows apps without the Windows Store. For iOS you need 2 files for the app: the IPA (the app) and a PLIST (a manifest file). For these files you also have to contact the developer.

For configuring the Windows Intune Connector in SCCM, please read this blog: Windows Intune: Wave D and SCCM 2012 Service Pack 1 integration

For configuring the DirSync, please read this blog: System Center 2012 Configuration Manager SP1 and Windows Intune – Configuring and Installing Active Directory Synchronisation (DirSync)

So, let’s begin by downloading an APK file from the Internet. I’m using “Quick Search Widget.apk” for testing. I’m downloading the file to E:\Resource\Apps\Android\ and the folder Resource is shared.

Go to the console and go to the Software Library in the menu. Right click on Applications and choose Create Application.

Change the type in the wizard to App Package for Android (*.apk file).

The location is where you downloaded the apk file. Don’t forget to use a UNC path and not the local path, like this: \\SERVERNAME\Resource\Apps\Android\name.apk

Click Next

Click Next or add some information about the app.

Click Next

Click Close

Ok, we have added the app in SCCM. Now we have to make a User Collection.

Go to Assets and Compliance and right click on User Collections. Choose Create User Collection.

In the wizard add some information about the collection. Give it a name; the limiting collection is All Users.

Click on Direct Rule. It opens a new screen. Click Next.

We have to find the users who are allowed to download the app from the Company Portal. I have 1 user and that is Pietje Puk.

Resource class is User Resource, Attribute name is User Name and Value is pietje% (% is a wildcard). You can also use SQL queries for a dynamic membership, but because this is a lab environment I’m using direct membership.

Select the user.

Click Next

Click Close

The user(s) is/are added. Click Next.

Click next.

The collection is created and ready for use.


Now we have to go back to Software Library and click on Applications. You will see your Android app in the right panel.

Right click on the app and choose Deploy.

The collection is the new collection Google that we made earlier in this blog.

Click Add to add a distribution point.

You will get 2 distribution points if you are using 1 primary site with Windows Intune integration. Select the cloud one here (that is Windows Intune).

Click Next.

This is the default. Click Next.

No schedule today, so leave it at the default.

Also default.

Also default. If you use SCOM you could enable SCOM alerts.

Click Next.

Click Close

Ok, this can take a while. See the result for the app.

Ok, after a minute the status is Success (green).

Now we have to test it. Get your device and go to

Log in with the user that you added to the Google User Collection. Sorry about the language; this is Dutch.

Click on the blue tile, Download Apps.

You will see the app, in my case Quick Search Widget. Click on the app.

You get some information about the app. Click on the button Download App.

And again click on the link Download App now.

Check the notification bar for the status.

Click on the notification. Choose the location for installing.

That’s all, you have installed a “corporate” approved application from Windows Intune and SCCM 2012.

#2 Troubleshoot: WSUS Remote Configuration failed

Ok, this is troubleshoot number 2, and an easy one. This blog is about configuring WSUS in SCCM 2012. After installing and configuring the role “Software Update Point”, in other words the SUP, it is possible that you receive this warning in the logs. The error is:

Remote configuration failed on WSUS server

Getting new configuration state to 3 (WSUS_CONFIG_FAILED)

The log is WCM.log in C:\Program Files\Microsoft Configuration Manager\Logs\

As you can see in the log, the SUP checks the version of WSUS that you have installed on the server. The default installation via Server Manager is WSUS 3.0 SP2 without the hotfixes. This means you have to download KB2720211 and KB2734608. After that you have fixed this problem, and SCCM can configure WSUS remotely. Check the log beneath:

So, as I said, this one is easy to solve. You have to wait till the sync is done, which can take a while. Be patient. Also check the component status in the SCCM console.

TIP: Do not configure WSUS manually. You only have to install the WSUS server. The SUP role will configure WSUS remotely. The settings must be configured in the SUP role and not in WSUS.

Good luck.

#1 Troubleshoot: Windows Intune Connector / Subscription

I’m starting with some small blogs about the problems I have met during the installation or configuration of System Center products, like SCCM and SCOM. These may be handy if you have trouble with apps, roles, the portal, updates or distribution.

Here is an error you get when you want to distribute an app to the cloud (Windows Intune).

The error is:

Cannot access registry keys on server The operating system reported error: 53

Check the log distmgr.log in C:\Program Files\Microsoft Configuration Manager\Logs\

This happens if you want to distribute an app to the cloud (Windows Intune). I don’t know why it didn’t work, but I had to reinstall the Windows Intune Connector by deleting the subscription in Administration. After that I rebooted the server, then added the subscription and the Windows Intune Connector again.

Now I can distribute the apps to the cloud; check the log.
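The log checks in these troubleshooting posts (ccmsetup.log, WCM.log, distmgr.log and the OSD content location error) all read the same CMTrace log format. The PowerShell below is an added example, not code from the original posts: it parses that format and flags the error signatures the posts describe, with the fix each post applied. The sample entries are constructed; the thread and file values in them are made up.

```powershell
# Added example (not from the original posts). Parses CMTrace-format log entries
# and flags the failure signatures the troubleshooting posts above describe.
$levels = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace "type" values

function Read-CmTraceLog {
    param([string[]]$Lines)
    # One entry looks like: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }          # skip lines that are not CMTrace entries
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $levels[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Signatures taken from the posts above, each paired with the fix the post applied.
$signatures = @(
    @{ Match = '0x800b0101';         Hint = 'ccmsetup cannot verify the MSI signature (0x800b0101 = CERT_E_EXPIRED): KB2801987 on site servers, or KB2749655 / KB2756872 in the image' }
    @{ Match = 'WSUS_CONFIG_FAILED'; Hint = 'SUP cannot configure WSUS 3.0 SP2: install KB2720211 and KB2734608 on the WSUS server' }
    @{ Match = 'reported error: 53'; Hint = 'Win32 error 53 (network path not found) on the cloud DP: re-create the Windows Intune subscription and connector' }
    @{ Match = 'Code 0x80040102';    Hint = 'Content location request failed: set site assignment and a content location on the boundary group' }
)

function Find-KnownFailure {
    param([string[]]$Lines)
    foreach ($entry in Read-CmTraceLog -Lines $Lines) {
        foreach ($sig in $signatures) {
            if ($entry.Message -match $sig.Match) {
                [pscustomobject]@{ Component = $entry.Component; Date = $entry.Date; Severity = $entry.Severity; Message = $entry.Message; Hint = $sig.Hint }
            }
        }
    }
}

# Constructed sample entries (not real log output); for a real log use Get-Content on the file.
$sample = @(
    '<![LOG[Couldn''t verify ''C:\Windows\ccmsetup\MicrosoftPolicyPlatformSetup.msi'' authenticode signature. Return code 0x800b0101]LOG]!><time="10:12:33.123+000" date="02-18-2013" component="ccmsetup" context="" type="3" thread="1408" file="msi.cpp:100">'
    '<![LOG[Getting new configuration state to 3 (WSUS_CONFIG_FAILED)]LOG]!><time="10:15:01.000+000" date="02-18-2013" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="2200" file="wcm.cpp:10">'
    '<![LOG[Sync succeeded.]LOG]!><time="10:20:00.000+000" date="02-18-2013" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="2300" file="wsyncmgr.cpp:10">'
)
Find-KnownFailure -Lines $sample | Format-List
```

Only the first two sample entries are reported; the third is an informational entry without a known signature, which is how a healthy wsyncmgr.log should look.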

Good luck!