Symptoms
Threat overrides that you had previously authored in the Forefront Endpoint Protection (FEP) or System Center 2012 Endpoint Protection (SCEP) area of the Configuration Manager console are missing. Clients are also missing threat overrides set by FEP or SCEP policy. Threats you choose to allow via policy are cleaned by the FEP or SCEP client when they should be allowed.
Cause
This can happen if the threat override section in the FEP or SCEP policy is overwritten with blank data. There are two situations that can cause the threat override section to be overwritten with blank data and either situation causes the symptoms described in this article. The situations are listed below:
- FEP or SCEP policy is edited from the Configuration Manager console on a computer that does not have the FEP or SCEP client software installed.
- A data race condition in the UI can also cause this problem if a FEP or SCEP policy is opened, edited, and saved before FEP or SCEP definition enumeration is completed in the UI. Because the UI is not fully populated, a blank section is saved for threat overrides. This enumeration process typically takes less than a minute. This process only occurs the first time a FEP or SCEP policy is opened in a Configuration Manager UI session, or when definitions are updated on the FEP or SCEP client that protects the computer hosting the Configuration Manager console.
Resolution
- Do not edit FEP or SCEP policy from a Configuration Manager console on a computer that does not have the FEP 2010 or SCEP 2012 client software installed. If the computer hosting the Configuration Manager console does not have the FEP client software installed, you must install the FEP or SCEP client software to avoid this problem.
- To resolve the second cause, you must give the FEP or SCEP policy UI sufficient time to load the override section of policy. You can verify that the section is loaded by clicking the Antimalware tab, and then clicking Overrides. If the dialog box displays a Loading Data message, the override data is not yet loaded into the UI (this process typically takes less than a minute). If you see the custom threat override data in this section, the data is loaded and the policy can be applied.
More Information
The FEP or SCEP policy dialog box in the Configuration Manager console pulls a list of all known threats from the FEP 2010 or SCEP 2012 client software installed on the same system. Once this data is gathered, FEP/SCEP caches it in the memory of the UI process. This means that in the same session there will only be a delay loading this data the first time you open a FEP/SCEP policy for editing. However, the first time you open a FEP or SCEP policy after you start the Configuration Manager console, the override data may not have sufficient time to load before you save the policy, and a blank override section may be saved with the policy, resulting in the loss of any customized override data.
Microsoft is aware of this problem, and it will be addressed in a future release of the product.