Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and Boot Images, etc…


With the release of Service Pack 1 for System Center 2012 Configuration Manager, we have been seeing some issues (not necessarily new ones) caused by missing antivirus exclusions around OSD and boot image related activities, as follows:

OSD Related A/V Exclusion Considerations:

Boot image actions:

  • Importing default boot WIMs during initial site setup
  • Updating default boot WIMs during site upgrade
  • Manual import of custom boot images (customer action)
  • Customizing boot images (drivers, prestart command, WinPE optional components, background image, etc.)

Folders to exclude from AV scanning:

  • The temporary folder for these cases is C:\Windows\TEMP\BootImages\{GUID}. Exclude C:\Windows\TEMP\BootImages and its subfolders.

OS image actions:

  • Offline Servicing

Folders to exclude from AV scanning:

  • The temporary folder for offline servicing is <X:>\ConfigMgr_OfflineImageServicing, with several subfolders used for different purposes (staging files, mounting the OS, etc.), where <X:> is the StagingDrive value from the Offline Servicing Manager section of the site control file. If this value is missing, the drive where the site is installed is used. Exclude <X:>\ConfigMgr_OfflineImageServicing and its subfolders.

 

Boot images not updated after upgrading to SP1 in System Center 2012 Configuration Manager:

I was also given anecdotal information from one issue: if you find yourself in a situation where the boot images did not get updated during the site upgrade to SP1, you can manually update them using the following instructions:

  • Rename the boot.wim and the default boot WIMs in each architecture folder of the <smsinstall>OSD\boot\ folder (both i386 and x64) to <wim>.bak.
  • Starting with the i386 folder, find the install folder of the ADK, which should be here if you installed with the defaults: “C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim”. Copy the winpe.wim to the <smsinstall>OSD\boot\i386 folder and rename it to boot.wim.
  • You will also need to copy it again, but this time rename it so it matches the name of the default boot wim for the site – so it should look like boot.<packageid>.wim
  • Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage
  • You will need to do this for the x64 folder as well. Do not do this for any custom boot images – this is just to update the default boot wims installed during setup of the site.
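The manual steps above scripted end to end, as an added example that is not part of the original post or of the Configuration Manager product: it backs up the existing WIMs, re-stages winpe.wim from the ADK under both names for each architecture, and calls UpdateDefaultImage through the SMS provider. It assumes the ADK 8.0 default install path (with the x64 WinPE under an amd64 folder), a reachable root\SMS\site_<SiteCode> namespace, and that you pass in the two default boot image package IDs shown in the console.

```powershell
# Added example, not from the original post. Re-stages the two DEFAULT boot images only;
# custom boot images are never touched, matching the warning in the steps above.
# Assumptions: ADK 8.0 at its default path, amd64 folder for the x64 WinPE, and the
# SMS provider namespace root\SMS\site_<SiteCode> on this machine.
param(
    [Parameter(Mandatory)][string]$SmsInstall,   # e.g. 'D:\Program Files\Microsoft Configuration Manager'
    [Parameter(Mandatory)][string]$SiteCode,     # e.g. 'POL'
    [Parameter(Mandatory)][string]$X86PackageId, # default x86 boot image package ID from the console
    [Parameter(Mandatory)][string]$X64PackageId, # default x64 boot image package ID from the console
    [string]$AdkWinPe = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment',
    [switch]$WhatIf                              # dry run: show the file operations, skip the WMI call
)

$images = @(
    @{ Folder = 'i386'; AdkArch = 'x86';   PackageId = $X86PackageId },
    @{ Folder = 'x64';  AdkArch = 'amd64'; PackageId = $X64PackageId }  # 'amd64' folder name is an assumption
)

foreach ($img in $images) {
    $dest = Join-Path $SmsInstall "OSD\boot\$($img.Folder)"
    $src  = Join-Path $AdkWinPe "$($img.AdkArch)\en-us\winpe.wim"
    if (-not (Test-Path $src)) { throw "ADK winpe.wim not found: $src" }

    # Step 1: rename boot.wim and boot.<PackageID>.wim to <wim>.bak (keep them, do not delete)
    foreach ($name in 'boot.wim', "boot.$($img.PackageId).wim") {
        $existing = Join-Path $dest $name
        if (Test-Path $existing) {
            Rename-Item -Path $existing -NewName "$name.bak" -WhatIf:$WhatIf
        }
    }

    # Step 2: copy the clean ADK winpe.wim in under both names
    Copy-Item -Path $src -Destination (Join-Path $dest 'boot.wim') -WhatIf:$WhatIf
    Copy-Item -Path $src -Destination (Join-Path $dest "boot.$($img.PackageId).wim") -WhatIf:$WhatIf

    # Step 3: ask the provider to rebuild the default image (the CIM form of the wbemtest step)
    if (-not $WhatIf) {
        $pkg = Get-CimInstance -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_BootImagePackage `
                               -Filter "PackageID='$($img.PackageId)'"
        if (-not $pkg) { throw "No SMS_BootImagePackage with PackageID $($img.PackageId)" }
        $result = $pkg | Invoke-CimMethod -MethodName UpdateDefaultImage
        Write-Host ("UpdateDefaultImage for {0} returned {1}" -f $img.PackageId, $result.ReturnValue)
    }
}
```

Run it once with -WhatIf to confirm it resolves the right folders and file names before letting it rename anything.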

 

General Antivirus Exclusions and Additional Information for System Center 2012 Configuration Manager Endpoint Protection

Additionally, per my other post showing how to import the various templates for different server roles, here is the general list of file and folder exclusions exported from the System Center 2012 Configuration Manager template in Endpoint Protection:

%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.* (shortened list for blog sake)
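A quick way to verify that a site server actually carries the exclusions this post lists (the OSD temporary folders above and the Inboxes entry from the template), written as an added example rather than anything shipped with Endpoint Protection. It assumes the Defender/Endpoint Protection cmdlets (Get-MpPreference) are available on the server, that the StagingDrive is passed in or defaults to the site install drive as the post describes, and that an exclusion "covers" a path when it equals that path or is one of its parent folders.

```powershell
# Added example, not from the original post. Checks the active path exclusions on this
# server against the folders the post says must be excluded.
# Assumptions: Get-MpPreference is available; $StagingDrive defaults to the site drive.
param(
    [string]$SmsInstall   = "${env:ProgramFiles}\Microsoft Configuration Manager",
    [string]$StagingDrive = (Split-Path -Qualifier $SmsInstall)   # e.g. 'D:'
)

# Folders named in the post: OSD temp locations plus the template's Inboxes entry
$required = @(
    "$env:windir\TEMP\BootImages",
    "$StagingDrive\ConfigMgr_OfflineImageServicing",
    (Join-Path $SmsInstall 'Inboxes')
)

function Test-ExclusionCovers {
    param([string]$Exclusion, [string]$Target)
    # Expand %windir%-style variables; wildcard entries such as ...\Inboxes\*.* match on their folder
    $excl = [System.Environment]::ExpandEnvironmentVariables($Exclusion).TrimEnd('\')
    if ($excl -like '*\*.*') { $excl = Split-Path $excl -Parent }
    $tgt = $Target.TrimEnd('\')
    return ($tgt -eq $excl) -or ($tgt -like "$excl\*")
}

$active = @((Get-MpPreference).ExclusionPath)   # empty array when nothing is excluded
foreach ($path in $required) {
    $covered = $active | Where-Object { Test-ExclusionCovers -Exclusion $_ -Target $path }
    if ($covered) {
        Write-Host ("OK       {0}  (covered by {1})" -f $path, ($covered | Select-Object -First 1))
    } else {
        Write-Warning ("MISSING  {0} is not excluded on this server" -f $path)
    }
}
```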

The entries above were taken directly from one of the templates included in System Center 2012 Configuration Manager, which I have attached to this post.

Additional links to Antivirus and Antimalware Information:

Where is the Documentation for System Center 2012 Endpoint Protection?

Forefront Endpoint Protection Blog

Guidance on serve initial FEP definition update with SCCM through DP

How to use the Definition Update Automation Tool for Forefront Endpoint Protection
2010 Update Rollup 1

Important Changes to Forefront Product Roadmaps

Support Questions about Windows 8 and Windows Server 2012 for Configuration Manager and
Endpoint Protection

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
http://support.microsoft.com/kb/822158 

Antivirus programs may contribute to file backlogs in SMS 2.0, SMS 2003 and Configuration Manager 2007:
http://support.microsoft.com/kb/327453

ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations:
http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx

 

Thanks, Cliff Hughes
Premier Field Engineer
System Center 2012 Configuration Manager

SCEP12_Default_CfgMgr2012.xml

Comments (24)

  1. Anonymous says:

    Alex, workstation-based DISM activities are affected by the McAfee issue as well. Adding the exclusions to specific clients can work, or another approach that I used was a basic Win7 VM for building my custom boot WIMs.

  2. Anonymous says:

    @ Pollewops

    You need to disable Access Protection (feature of McAfee).

    After that every thing will work fine.

  3. Hollisorama says:

    I solved the issue. I hope it’s the same issue you were having. Basically, the default boot image had some custom drivers injected into it. The packages containing those drivers were in a failed distribution state. After I corrected that, I was able to
    follow these instructions and didn’t receive the WMI error. I then ran into another small issue. When I tried to update distribution points with the updated boot image, I received an error but at least ConfigMgr told me what driver was the culprit. I cleaned
    that driver out of the boot image (and several other drivers that are unneeded in WinPE). This time when updating the content on the distribution points, everything was successful.

  4. Hollisorama says:

    I’ve followed the directions to update my boot images and I get the following error

    Invoke-WmiMethod : Generic failure
    At line:1 char:110
    + … ‘ONB00002’" | Invoke-WmiMethod -Name UpdateDefaultImage
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
    + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

    Can someone help me fix this?

  5. Jason Ahlers says:

    Cliff,

    Our boot images didn't update either and I'm trying to follow your instructions but I'm not sure where I need to be to do this step:

    •Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage

    Thanks!

  6. Mark says:

    And how do you find out if the boot images were updated when SP1 was installed?

    And how on earth is anyone supposed to know what you are talking about here:

    • Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage

  7. Oh, and the RTM boot image version is 6.1.7600.16385 and the SP1 boot image version is 6.2.9200.16384.

  8. I don't see my other comment stating that Cliff was using wbemtest.exe to execute the method. Here's the PowerShell way:

    Get-CimInstance -Namespace root/SMS/site_<your site code> -ClassName SMS_BootImagePackage -Filter "PackageId='<your package id>'" | Invoke-CimMethod -MethodName UpdateDefaultImage

  9. Ramon says:

    What do you mean with:

    "•Update default boot image. Click “Execute Method” -> input object path as SMS_BootImagePackage.PackageID="<Image ID you see in the Console e.g. POL00001>" -> UpdateDefaultImage"

    ?

    Thanks

  10. Pollewops says:

    I made both exclusions, but still McAfee disturbed my offline servicing process.

    What do I need to do more ?


  12. miitu says:

    I have a problem with the x64 image, which I already copied from the ADK to the folder mentioned. After I run the PowerShell command, I get the following error:

    PS E:> Get-CimInstance -Namespace root/SMS/site_xxx -ClassName SMS_BootImagePackage -Filter "PackageId='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
    Invoke-CimMethod : Generic failure
    At line:1 char:111
    + … ='O1200004'" | Invoke-CimMethod -MethodName UpdateDefaultImage
    +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (SMS_BootImagePa…D = "O1200004"):CimInstance) [Invoke-CimMethod], CimException
        + FullyQualifiedErrorId : HRESULT 0x80041001,Microsoft.Management.Infrastructure.CimCmdlets.InvokeCimMethodCommand

    I was successfully able to fix the x86 image with this.

  13. Alex Verboon says:

    Many thanks for this, confirms what I figured out today as well.

  14. Pollewops says:

    Hi Alex,

    Please leave your comments here as well…. I am very curious what you found out…

  15. Alex Verboon says:

    I ran into the issue where creating / updating a boot.wim failed, reason was the McAfee Access scanner, once I turned that one off, all worked as expected. Now getting the security guys to include the exclusions on the ePO Server.

    By the way, as we speak, I also noticed that I got an access denied error when I wanted to edit a boot.wim on my local workstation using the ADK. E.g. mounting worked fine, but as soon as I wanted to add a WinPE component using the add-package DISM command, I get an access denied. Now working with the security guys to see if they can provide me with an exception to see whether this is really also related to McAfee.

    Alex

  16. kajmak says:

    Is the exclusion for "%systemroot%\system32\GroupPolicy\registry.pol" right?

    Should it not be "%systemroot%\system32\GroupPolicy\Machine\registry.pol" and

    "%systemroot%\system32\GroupPolicy\User\registry.pol" ?

  17. Anonymous says:

    Pingback from My pre and post installation checklist | CMTrace – System Center


  19. Dave says:

    It is awesome

  20. Mike Niccum says:

    I agree the path looks wrong for I assume "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" and what about "C:\Windows\System32\GroupPolicy\User\Registry.pol"? I can attest in large (10,000+) environments that something causes the pol files to go to 0 bytes and the symptom is usually that updates are not being applied as the CM client writes the WSUS URL to Local Group Policy. If it’s corrupt the client can’t find the WSUS in ConfigMgr. Renaming the policy file and running a Software Update Scan will regenerate the policy file as the client writes to Local Group Policy.

  21. brad says:

    This is cool and useful and all, but this really needs to be in a proper technet article in the SCCM 2012 documentation so we know it’s up-to-date.

  22. anonymouscommenter says:

    Pingback from Configuration Manager 2012 RTM to SP1 Upgrade Overview | Russ Rimmerman – ConfigMgr Guy

  23. Mishaua says:

    Is most of this list still valid in SCCM CB?

  24. ccmcache folder? says:

    Why not the ccmcache folder?
