SCEP 2012 and GP Update

SCEP 2012 Client settings currently have "Install Endpoint Protection client on computers" set to Yes. This is deployed to quite a few machines. The client installs just fine, everything updates, and we are set. The Endpoint Protection Agent log shows periodic checks for whether SCEP needs to be installed, which technically isn't an issue, and eventually I'll flip this setting to No and leave it at Manage only.

However, around the times it checks the client I notice a GP Update kicking off. Does anyone know if installing SCEP or having the client check to see if it is installed kicks off a GP Update?

  • Edited by Shambler Wednesday, April 15, 2015 9:13 PM
April 15th, 2015 9:13pm

What are you seeing as evidence that a GP Update is happening?

ConfigSecurityPolicy.exe will cause activity by the Group Policy Client service, and will generate a Group Policy event in the System log, but that shouldn't mean that the equivalent of gpupdate is running.

For example, in my System log today I see two events for a regular group policy update that runs every 90 minutes (one event for user, one for computer). At a completely different time (at least 30 minutes later), I have another GP event related to the ConfigSecurityPolicy.exe activity. The two don't seem to be related.


April 15th, 2015 10:22pm
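A way to check this on a client, as an added example that is not part of the thread: pull the Group Policy Operational log and the System log for a window around the time the Endpoint Protection Agent log (EndpointProtectionAgent.log under the ConfigMgr client's logs folder) shows its install check or a ConfigSecurityPolicy.exe run, and list whether a full computer or user processing cycle started, what triggered it, and which client-side extensions ran. The start/end event ID mapping (4000-4007 start, 8000-8007 end, last digit giving the trigger, even for computer and odd for user), the 4016 "Starting ... Extension Processing" message shape, and the System log IDs 1500-1503 are what the GroupPolicy provider documents, but confirm them against the event text on your own systems; the parameter names are this script's own.

```powershell
# Added example, not from the original thread. Correlates Group Policy
# processing events with a time of interest (e.g. a timestamp taken from
# EndpointProtectionAgent.log or a ConfigSecurityPolicy.exe process start).
param(
    [datetime]$Around = (Get-Date),   # time to look around (assumed parameter)
    [int]$WindowMinutes = 10          # +/- minutes to include
)

$start = $Around.AddMinutes(-$WindowMinutes)
$end   = $Around.AddMinutes($WindowMinutes)

# Assumed ID mapping for the GroupPolicy Operational log: start events
# 4000-4007 and end events 8000-8007 share a last digit that gives the
# trigger; even = computer scope, odd = user scope.
$trigger = @{
    0 = 'boot';            1 = 'logon'
    2 = 'network change';  3 = 'network change'
    4 = 'manual (gpupdate)'; 5 = 'manual (gpupdate)'
    6 = 'periodic refresh'; 7 = 'periodic refresh'
}

$gpo = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# One row per processing cycle that started in the window.
$cycles = $gpo | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } | ForEach-Object {
    $d = $_.Id % 10
    $endEvent = $gpo | Where-Object { $_.Id -eq (8000 + $d) -and $_.ActivityId -eq $_.ActivityId -and $_.TimeCreated -ge $_.TimeCreated } |
        Sort-Object TimeCreated | Select-Object -First 1
    [pscustomobject]@{
        Started    = $_.TimeCreated
        Scope      = if ($d % 2 -eq 0) { 'Computer' } else { 'User' }
        Trigger    = $trigger[$d]
        ActivityId = $_.ActivityId
    }
}

# Extension-level events (4016) show which CSEs actually ran, so you can
# distinguish a full cycle from security-extension-only activity. The
# message prefix "Starting <name> Extension Processing" is assumed.
$extensions = $gpo | Where-Object { $_.Id -eq 4016 } | ForEach-Object {
    $name = if ($_.Message -match '^Starting (.+?) Extension Processing') { $Matches[1] } else { '(unparsed)' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Extension  = $name
        ActivityId = $_.ActivityId
    }
}

# System log summary events from the same provider: 1500/1501 = processed,
# no changes; 1502/1503 = processed, new settings applied (computer/user).
$system = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1500, 1501, 1502, 1503
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id

Write-Output "Group Policy processing cycles between $start and $end:"
$cycles | Sort-Object Started | Format-Table -AutoSize

Write-Output "Client-side extensions started in the window:"
$extensions | Sort-Object Time | Format-Table -AutoSize

Write-Output "System log Group Policy summary events:"
$system | Format-Table -AutoSize
```

Run it elevated on the client with `-Around` set to the timestamp from the agent log, e.g. `.\Correlate-GpActivity.ps1 -Around '2015-04-15 21:00' -WindowMinutes 5`. If the window shows a computer-scope cycle whose trigger is "manual (gpupdate)" rather than "periodic refresh", and the extension list is not limited to the security extension, you are looking at the equivalent of a `gpupdate /target:computer`; if only a 4016 for the security extension appears with no 400x start event, it is extension-only processing. Either way the traffic to the domain controller that the later posts describe is expected, since the GP client has to read policy from SYSVOL to do its work.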

Interesting. I didn't think to check that specific log. I do see activity in there for other GP objects besides SCEP. Perhaps it runs the equivalent of gpupdate /target:computer.

I don't think I see any user items in there.

This reminds me of an issue I ran into before. Take the scenario of a domain joined machine that is currently connecting via the Internet. You have an IBCM server set up, so Internet connected machines are able to receive policy and software. You would think that would include changes to SCEP policy too. However, if you make a change to SCEP policy and then try to update policy on the client, it won't actually apply the SCEP policy changes until it's back on the domain. I guess that's because whatever ConfigSecurityPolicy.exe is doing requires a connection to be made to a domain controller and even though the SCEP content is stored locally in an XML file, it can't finish the process of getting it into Registry.pol and then into the Registry itself until it can connect to the DC again.

Seems like it would make more sense to just import it directly into the Registry and bypass the GP client entirely. Anyway, I don't mean to hijack the thread but it would be nice to see Microsoft clarify exactly what's going on in both cases :-)


April 15th, 2015 11:00pm

Well damn. It looks like it is processing Computer Policy.

Verified between ProcMon, Wireshark, and the GP Operational Log. I can clearly see that as soon as I run that SCEP policy processing command line, it reaches out to a DC, throws around some TCP and LDAP traffic, and starts reading/processing/something some GP ini files (shown as SMB traffic in Wireshark).

Going to double verify with our networking team on their monitor report. And going to check in with one of the DC dudes to see what it looks like on their end.

I'll keep you guys posted.

April 16th, 2015 12:32pm

Network team confirmed: definitely SMB/LDAP traffic to and from the DC. Caused a little bit of a spike on the little 1.5mb pipe we have set up for the lab.
April 16th, 2015 5:24pm
