This example will show you a way to get compliance data from your clients regarding the System Center Endpoint Protection 2012 Client.

Now, I’m aware that we through CM2012 reports and console views already have good tools to monitor the client states in regard to SCEP – but lets say you have another antimalware product and would like some compliance info from the clients inserted into CM2012 that you then can use to create reports etc.

The principals are the same.

First of all you will need to create configuration Items in the CM2012 Console – these items will hold the setting criteria we hold up against the clients.

Step 1. Give the Configuration Item a name, and maybe assign some categories to it.


Step 2. Specify the Operating System you want this to run on.


Step 3. Add 3 new Settings to the Configuration Item, these Settings will be the items that we check for on the Clients.


Setting 1: Does the SCEP service executable exist on the client and does it have the correct file version.


Setting 2: Is that Installation State a correct Registry Value.


Setting 3: is the Installation StateCode a correct Registry Value.


*Note: The 3 settings and their values are mainly found in the C:\Windows\CCM\Logs\EndpointProtectionAgent.log.

Step 4. After having created the 3 settings you will see the compliance rules for all the settings, depending on what you look for it might be a good idea to change the serverity level of rule if its non-compliant.


A couple of Next clicks, and you are done.

All that remains are for you to add the Configuration Item to a Baseline and deploy it to a collection of clients, or maybe to add it to an already running “Standard Client Security” Baseline if have that running. A word of caution though. When you create Configuration Items and Baseline’s – be mindfull of the remediation settings you can set, some things you might want to auto-remediate if supported and somethings you definately do not want to auto-remediate.

Again – like i said, CM2012 already have reports and console views available for you, so dont focus so much on the example being SCEP but on the principle of you getting wiser on some client setting or state that you want to know more about.

A result of these Compliant or Non-Compliant rules can be seen in reports or even in collections where you configure the query to look for the result of the Configuration Item. And you could then deploy some fix that would install automatically on clients that reported back as Non-Compliant f.ex.

Query Example:

select *  from  SMS_R_System 
inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceId = SMS_R_System.ResourceId 
where SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "System Center Endpoint Protection 2012 Installed" 
and SMS_G_System_CI_ComplianceState.ComplianceStateName = "Non-Compliant"

Happy Non-Compliance hunting.