SCEP and FEP end of life on Windows XP
Hello, we got a bunch of Windows XP machines in the SCCM/WSUS environment, and it came to my attention that as of
July 14th 2015 SCEP and FEP will cease working on all the Windows XP machines.
It also mentioned that all Windows XP machines are to have this registry entry (HKLM\Software\Microsoft\Microsoft
Antimalware\EndOfLifeState), which will tell me what phase of the expiration I am at, but the registry entry is missing all together.
Can anyone tell me whether I should be panicking and looking for a 3rd party malware protection provider?
January 28th, 2015 11:28pm
Even if you go with other anti-malware software, the XP systems will still be much more prone to infections and exploits because the underlying flaws that enable attack vectors aren't being patched.
Microsoft touched on this in their recent announcement for end of Server 2003 support:
http://blogs.technet.com/b/configmgrteam/archive/2015/01/23/system-center-endpoint-protection-support-for-windows-server-2003.aspx
"We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware
that is designed to help protect PCs and servers against todays threat landscape."
-
Edited by
KevinMJohnston
Wednesday, January 28, 2015 9:55 PM
-
Proposed as answer by
Derek Gary
Thursday, January 29, 2015 3:16 PM
January 29th, 2015 12:52am
Even if you go with other anti-malware software, the XP systems will still be much more prone to infections and exploits because the underlying flaws that enable attack vectors aren't being patched.
Microsoft touched on this in their recent announcement for end of Server 2003 support:
http://blogs.technet.com/b/configmgrteam/archive/2015/01/23/system-center-endpoint-protection-support-for-windows-server-2003.aspx
"We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware
that is designed to help protect PCs and servers against todays threat landscape."
-
Edited by
KevinMJohnston
Wednesday, January 28, 2015 9:55 PM
-
Proposed as answer by
Derek Gary
Thursday, January 29, 2015 3:16 PM
January 29th, 2015 12:52am
The main problem is using unsupported operating system like Windows XP which support for it has been ended. You should consider upgrading to supported version of Windows. Third-party Anti-Malware products couldn't protect you much in Windows XP because you
won't get any new security update for Windows XP.
If you are not sure how to get started or whether your environment supports newer version of Windows, start by using MAP Toolkit:
https://technet.microsoft.com/en-us/solutionaccelerators/dd537566.aspx
January 29th, 2015 1:02am
Thanks, but I am fully aware of the fact that there wouldn't be any more patches for the OS itself, and at this time the company is ok with taking that risk, but the fact that SCEP and FEP would cease functioning all together needs to be re mediated somehow.
So can anyone tell me why the alarming registry entry is missing in the XP machines within my SCCM/WSUS environment? Does it mean that SCEP and FEP will continue working in my environment even past
July 14th 2015?
January 29th, 2015 2:49am
Thanks Kevin, yeah that would explain it.
Most of the XP machines are running Antimalware Client Version: 4.3.215.0.
Are there any legal constraints from running FEP/SCEP on the Windows XP machines past July 14th 2015?
January 29th, 2015 4:56pm
Not sure about the legal aspect, but even if an older version keeps working after July 14th 2015 ("working" as in, the anti-malware service doesn't shut down) it still will not receive any new definition updates, which would quickly render it less
useful than it already is on XP.
I'd say the legal issues your company should worry about would be potential liabilities if they are breached and company/customer data is compromised. I hope you at least aren't running any point-of-sale systems on XP
January 29th, 2015 5:59pm
Yeah valid points.
How do you know that it won't be receiving any new definition updates though?
No POS systems on these hosts :))
January 29th, 2015 6:11pm
After rereading the available docs, I suppose it doesn't specifically rule out the scenario where an older anti-malware platform version without the EndOfLifeState reg key would continue to receive definition updates after July 14th. Seems strange that
they would control this entirely from a client-side setting instead of setting a flag on the def updates themselves to not install on XP. There doesn't seem to be any OS distinction on the def update package as of today, so they may not change anything on
that end. You'll have to come back and update the thread after July 14th and let us know how it goes :-)
-
Marked as answer by
Gramelot
Thursday, January 29, 2015 3:49 PM
January 29th, 2015 6:35pm
After rereading the available docs, I suppose it doesn't specifically rule out the scenario where an older anti-malware platform version without the EndOfLifeState reg key would continue to receive definition updates after July 14th. Seems strange that
they would control this entirely from a client-side setting instead of setting a flag on the def updates themselves to not install on XP. There doesn't seem to be any OS distinction on the def update package as of today, so they may not change anything on
that end. You'll have to come back and update the thread after July 14th and let us know how it goes :-)
-
Marked as answer by
Gramelot
Thursday, January 29, 2015 3:49 PM
January 29th, 2015 6:35pm
Oh boy, seems like Microsoft wants us to "gamble" with enterprise compliance, gray area = money making opportunities! :P
January 29th, 2015 6:49pm