Security scopes and Antimalware policies

I'm in the process of trying to create a (for lack of a better word) Sub-Administrator role using Config Mgr 2012 SP1 that will allow a few select administrators the ability to manage antimalware policies, software updates and run reports on their respective device collections. So far I've created a custom security role that has accomplished everything I want, but I've run into an interesting issue. When one admin creates an antimalware policy it's viewable (and thus modifiable) by other admins and my ultimate goal is to only allow the admins access to their respective antimalware policies.

According to the TechNet documentation (http://technet.microsoft.com/en-us/library/hh508780.aspx) this should be possible by using security scopes on the policies; however, I can't seem to find an option to specify security scopes. I also tried using the PowerShell cmdlet Set-CMAntiMalwarePolicy, which according to the documentation has a property for setting the security scope, however when I run the PowerShell command I receive an error that the property doesn't exist. I even went as far as listing all of the properties of the cmdlet and the security scope property was missing there as well.

To add to my confusion, I was almost certain this was possible before we upgraded to SP1. In my initial testing, I had two users that when they created their antimalware policies, those policies were only visible to them and me because I'm a "Full Administrator". 

Am I missing something, or is this just not possible and the documentation is incorrect?

These are the permissions I've given as they pertain to the antimalware policies:

Read, Modify, Create, Read Default, Run Report

Thanks,

Bryce

February 25th, 2013 11:54pm

Called and confirmed with Microsoft that this is a post-SP1 bug and hope to see a hotfix soon.
  • Marked as answer by Bryce17 Tuesday, March 05, 2013 3:43 AM
March 5th, 2013 6:43am

Thanks for the update, did you get the hotfix name?
March 5th, 2013 2:01pm

Unfortunately no as it's "not yet complete". Rep said they were actively working on it and hoped to have it out soon though. Someone with more contacts within MS may be able to fish out more information.
March 5th, 2013 10:57pm

Any update from Microsoft on this issue? I am seeing the same issue where antimalware policies are no longer secured after upgrading to SP1.
April 25th, 2013 5:00pm

Not as of yet. There was an update rollup that was released a few weeks ago (http://support.microsoft.com/kb/2817245), but I haven't had time to apply it to see if it corrects the issue. I was hoping to do it during our next maint window this weekend provided I don't get busy with something else. As of right now, I'm just telling my admins to play nice and don't touch what isn't theirs. Other than the Antimalware policies, everything else is working fine.
April 25th, 2013 5:26pm

Thanks. I applied CU1 for SP1 last week and it did not resolve the issue; AM policies are still wide open. Hopefully MS releases a hotfix soon.
April 25th, 2013 10:33pm

I didn't see anything about this being fixed in the release notes for CU2, anybody have a chance to verify? thanks!
July 15th, 2013 10:04am

I've installed SP1 CU2 in a test environment and it did not fix the missing security scopes on AM policies.
July 15th, 2013 10:08am

We had our annual Config Mgr health check last week and I asked the engineer about this issue. From what they were able to find the scoping features were taken out of SP1 for "performance reasons". I'm waiting on the report that should include the information, but from what they were able to tell me is that the feature should return with R2.

Not exactly what everyone wanted to hear, but if anyone has any other contacts within MS maybe they can shed more light on why the scoping was removed and confirm if it will in fact be restored in R2. I personally didn't encounter any performance issues with scoping AM policies, but we only have a dozen so someone with hundreds or thousands may have seen an issue.

If I find time I'll try to download and install the R2 preview to confirm if the policies have actually returned.

  • Marked as answer by Bryce17 Monday, July 15, 2013 2:32 PM
  • Edited by Bryce17 Monday, July 15, 2013 2:34 PM spelling
July 15th, 2013 5:32pm

Sorry to post on an old topic but I'm running into this exact problem with SCCM 2012 R2. There doesn't appear to be security scopes for Antimalware Policies. Has anyone found a way to limit certain roles so they can only modify the policies that they have created?

What I'm hoping to do is allow "sub-administrators" the ability to manage their own collections but not others. It appears that limiting the scope by collection accomplishes this for most of the tasks. The admin cannot deploy a policy to a collection they don't have permissions to, but they can modify other existing policies.

Thanks,

-Brandon

February 7th, 2014 10:00am
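The gap both Bryce and Brandon describe is that an antimalware policy which sits only in the built-in "Default" security scope is readable, and therefore modifiable, by every role that holds Read/Modify on the object type. The script below is an added example, not code from the thread or from Microsoft, showing how an administrator could audit that exposure and, on a release that does support scoping the object, move a policy into a dedicated scope. It assumes the ConfigMgr PowerShell module is loaded with the session connected to the site drive, and it assumes the cmdlets Get-CMAntimalwarePolicy, Get-CMObjectSecurityScope, Get-CMSecurityScope, Add-CMObjectSecurityScope and Remove-CMObjectSecurityScope exist and accept antimalware policies; the thread reports that on 2012 SP1 the scope property was missing, so on that release the audit will simply report every policy as Default-only.

```powershell
# Added audit/remediation example (not from the thread). Assumptions:
#  - the ConfigMgr PowerShell module is imported and the session is connected
#    to the site drive (e.g. cd PS1:\);
#  - the release in use exposes security scopes on antimalware policies, so the
#    object-scope cmdlets used here accept those objects.

# Inventory every antimalware policy and the security scopes attached to it.
function Get-AmPolicyScopeReport {
    Get-CMAntimalwarePolicy | ForEach-Object {
        $policy = $_
        # Names of the scopes the policy is currently assigned to.
        $scopes = @(Get-CMObjectSecurityScope -InputObject $policy |
                    Select-Object -ExpandProperty CategoryName)
        [pscustomobject]@{
            Policy      = $policy.Name
            Scopes      = ($scopes -join ', ')
            # Default-only means any role with Read on the object type sees it.
            DefaultOnly = ($scopes.Count -eq 1 -and $scopes[0] -eq 'Default')
        }
    }
}

# Put a policy into a dedicated scope and drop it from Default, so that only
# administrative users associated with that scope (plus Full Administrators)
# can read or modify it.
function Move-AmPolicyToScope {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$ScopeName
    )
    $policy  = Get-CMAntimalwarePolicy -Name $PolicyName
    $scope   = Get-CMSecurityScope -Name $ScopeName
    $default = Get-CMSecurityScope -Name 'Default'

    # Add the target scope first: an object must always remain in at least one scope.
    Add-CMObjectSecurityScope -InputObject $policy -Scope $scope
    Remove-CMObjectSecurityScope -InputObject $policy -Scope $default -Force
}

# Usage: list the exposure, then warn on every policy still open to all admins.
$report = Get-AmPolicyScopeReport
$report | Format-Table -AutoSize
$report | Where-Object DefaultOnly | ForEach-Object {
    Write-Warning "Antimalware policy '$($_.Policy)' is only in the Default scope"
}

# Example remediation for one policy; 'Team-A-AM' is a constructed scope name
# that would have to exist in the site already.
# Move-AmPolicyToScope -PolicyName 'Team A Workstations' -ScopeName 'Team-A-AM'
```

Running the report periodically (for instance after a service pack or cumulative update) is the practical check for this thread's problem: if scoping silently stops working again, every policy shows up as Default-only and the warnings make that visible before a sub-administrator discovers they can edit a colleague's policy.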
