Use System Center Endpoint Protection 2012 SP1 on Windows Embedded Standard 7 and POSReady 7 with File-Based Write Filter

6/27/2013

Microsoft

July 2013

Summary

Describes how to use System Center Endpoint Protection on a device running Standard 7 or POSReady 7 with the File-Based Write Filter enabled.

Applies To

Windows Embedded Standard 7

Windows Embedded POSReady 7

System Center Endpoint Protection 2012 SP1 (SCEP 2012 SP1)

Introduction

You want to use the File-Based Write Filter (FBWF), and you want to make sure your device is always protected and up-to-date. How do you protect the device with the write filter enabled without losing your changes whenever the system restarts?

Procedure

For purposes of this paper, we will assume you have a working System Center Configuration Manager 2012 SP1 environment. You will need to install the System Center Endpoint Protection client on the devices and make sure it is correctly configured. See Endpoint Protection in Configuration Manager for more information on configuring System Center Endpoint Protection.

Make sure the File-Based Write Filter is off when you perform the client installation. To disable the write filter, run fbwfmgr /disable, and restart the device. With write filters disabled, you can follow the instructions in the link above for installing or configuring System Center Endpoint Protection. Once setup is complete, you can re-enable the write filter on the device by using fbwfmgr /enable and restarting once again.

Now that you have System Center Endpoint Protection installed on your devices, you want to make sure that engine and definition updates persist across restarts instead of being discarded with the overlay. To do that, you will need to define file, folder, and registry exclusions. The following exclusions need to be applied to your device:

  • Registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
  • Folders:
    • %ProgramData%\Microsoft\Microsoft Antimalware\Definition Updates\
    • %ProgramData%\Microsoft\Microsoft Antimalware\Scans\
    • %ProgramData%\Microsoft\Microsoft Antimalware\Support\
    • %ProgramFiles%\Microsoft Security Client\
  • Files:
    • %Windir%\Windowsupdate.log
    • %Windir%\Temp\MpCmdRun.log
    • %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun*.log
    • %SystemRoot%\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun*.log

There are a number of additional log files created during SCEP operation, and depending on the size of your overlay, you may choose to put some or all of the log files below into the exclusion list too. If you choose not to exclude the log files, be sure to monitor the size of your overlay so that you don’t run out of space between restarts.

Log files:

  • 32-bit: %Windir%\System32\CCM\Logs
  • 64-bit: %Windir%\SysWOW64\CCM\Logs
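The exclusion list above and the overlay check described for the log files, scripted with fbwfmgr as an added example (not a script from the original article). It assumes the protected volume is C:, that %ProgramData% and %ProgramFiles% are at their default locations, and that it is run from an elevated command prompt.

```batch
@echo off
REM Added example, not from the original article: apply the SCEP 2012 SP1
REM FBWF exclusions listed above with fbwfmgr, then show the resulting
REM configuration and current overlay usage.
REM Assumptions: the protected volume is C:, %ProgramData% and %ProgramFiles%
REM are at their default locations, and the script runs from an elevated
REM command prompt. Exclusion changes take effect after the next restart.
setlocal

set VOL=C:

REM Folder exclusions (paths are relative to the root of %VOL%).
for %%D in (
  "\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates"
  "\ProgramData\Microsoft\Microsoft Antimalware\Scans"
  "\ProgramData\Microsoft\Microsoft Antimalware\Support"
  "\Program Files\Microsoft Security Client"
) do (
  echo Excluding folder %VOL%%%~D
  fbwfmgr /addexclusion %VOL% "%%~D"
)

REM File exclusions.
for %%F in (
  "\Windows\Windowsupdate.log"
  "\Windows\Temp\MpCmdRun.log"
) do (
  echo Excluding file %VOL%%%~F
  fbwfmgr /addexclusion %VOL% "%%~F"
)

REM Not handled here: the HKLM\SOFTWARE\Microsoft\Microsoft Antimalware
REM registry entry is not a file path, so fbwfmgr /addexclusion does not
REM apply to it, and the two MpCmdRun*.log entries contain a wildcard;
REM resolve those against the actual file names on the device before
REM adding them (assumption: fbwfmgr expects literal paths).

REM Verify the exclusion list and check how much overlay space is in use,
REM which is the value to watch if you decide not to exclude the CCM logs.
fbwfmgr /displayconfig
fbwfmgr /overlaydetail

echo Restart the device for the new exclusions to take effect.
endlocal
```

Run it once with the write filter already re-enabled after the client installation, then restart so the exclusions are active before the next definition update.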

Conclusion

To use System Center Endpoint Protection with Standard 7 or POSReady 7 devices that have the File-Based Write Filter enabled, you must first turn off FBWF during System Center Endpoint Protection installation, then turn it back on after installation is complete. In order to persist the engine and definition updates during restart, you must create specific exclusions for FBWF.

Additional Information

For more information on FBWF and fbwfmgr, see File-Based Write Filter (FBWF) Technical Reference (POSReady 7).

For more information on adding exclusions, see FBWF Manager.