Hello, we got a bunch of Windows XP machines in the SCCM/WSUS environment, and it came to my attention that as of July 14th 2015 SCEP and FEP will cease working on all the Windows XP machines.

It also mentioned that all Windows XP machines are to have this registry entry (HKLM\Software\Microsoft\Microsoft
Antimalware\EndOfLifeState), which will tell me what phase of the expiration I am at, but the registry entry is missing all together.

Can anyone tell me whether I should be panicking and looking for a 3rd party malware protection provider?

Even if you go with other anti-malware software, the XP systems will still be much more prone to infections and exploits because the underlying flaws that enable attack vectors aren't being patched.

Microsoft touched on this in their recent announcement for end of Server 2003 support:

http://blogs.technet.com/b/configmgrteam/archive/2015/01/23/system-center-endpoint-protection-support-for-windows-server-2003.aspx

"We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware that is designed to help protect PCs and servers against todays threat landscape."

• Edited by KevinMJohnston Wednesday, January 28, 2015 9:55 PM
• Proposed as answer by Derek Gary Thursday, January 29, 2015 3:16 PM

Even if you go with other anti-malware software, the XP systems will still be much more prone to infections and exploits because the underlying flaws that enable attack vectors aren't being patched.

Microsoft touched on this in their recent announcement for end of Server 2003 support:

http://blogs.technet.com/b/configmgrteam/archive/2015/01/23/system-center-endpoint-protection-support-for-windows-server-2003.aspx

"We have found in our research that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Given the fast pace of technology, it has become increasingly important that customers use modern software and hardware that is designed to help protect PCs and servers against todays threat landscape."

• Edited by KevinMJohnston Wednesday, January 28, 2015 9:55 PM
• Proposed as answer by Derek Gary Thursday, January 29, 2015 3:16 PM

The main problem is using unsupported operating system like Windows XP which support for it has been ended. You should consider upgrading to supported version of Windows. Third-party Anti-Malware products couldn't protect you much in Windows XP because you won't get any new security update for Windows XP.

If you are not sure how to get started or whether your environment supports newer version of Windows, start by using MAP Toolkit:

https://technet.microsoft.com/en-us/solutionaccelerators/dd537566.aspx

Thanks, but I am fully aware of the fact that there wouldn't be any more patches for the OS itself, and at this time the company is ok with taking that risk, but the fact that SCEP and FEP would cease functioning all together needs to be re mediated somehow.

So can anyone tell me why the alarming registry entry is missing in the XP machines within my SCCM/WSUS environment? Does it mean that SCEP and FEP will continue working in my environment even past July 14th 2015?

What exact version of FEP/SCEP are you running? It appears that the EndOfLifeState registry key was added as part of the platform update released on April 8th 2014 (which is a little confusing because the corresponding KB article is labeled March 2014 Anti-Malware Platform Update) which would be version 4.5.216.0

http://support.microsoft.com/kb/2952678

http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/fep-and-scep-anti-malware-protection-support-after-oses-reach-end-of-life.aspx

"The platform update released on April 8, 2014 for Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection will add new functionality related to Operating System (OS) end-of-life. The endpoint protection agent will now assess whether the operating system of the computer is approaching the end of the support lifecycle."

• Edited by KevinMJohnston Thursday, January 29, 2015 5:14 AM

What exact version of FEP/SCEP are you running? It appears that the EndOfLifeState registry key was added as part of the platform update released on April 8th 2014 (which is a little confusing because the corresponding KB article is labeled March 2014 Anti-Malware Platform Update) which would be version 4.5.216.0

http://support.microsoft.com/kb/2952678

http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/fep-and-scep-anti-malware-protection-support-after-oses-reach-end-of-life.aspx

"The platform update released on April 8, 2014 for Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection will add new functionality related to Operating System (OS) end-of-life. The endpoint protection agent will now assess whether the operating system of the computer is approaching the end of the support lifecycle."

• Edited by KevinMJohnston Thursday, January 29, 2015 5:14 AM

Thanks Kevin, yeah that would explain it.

Most of the XP machines are running Antimalware Client Version: 4.3.215.0.

Are there any legal constraints from running FEP/SCEP on the Windows XP machines past July 14th 2015?

Not sure about the legal aspect, but even if an older version keeps working after July 14th 2015 ("working" as in, the anti-malware service doesn't shut down) it still will not receive any new definition updates, which would quickly render it less useful than it already is on XP.

I'd say the legal issues your company should worry about would be potential liabilities if they are breached and company/customer data is compromised. I hope you at least aren't running any point-of-sale systems on XP

Yeah valid points.

How do you know that it won't be receiving any new definition updates though?

No POS systems on these hosts :))

After rereading the available docs, I suppose it doesn't specifically rule out the scenario where an older anti-malware platform version without the EndOfLifeState reg key would continue to receive definition updates after July 14th. Seems strange that they would control this entirely from a client-side setting instead of setting a flag on the def updates themselves to not install on XP. There doesn't seem to be any OS distinction on the def update package as of today, so they may not change anything on that end. You'll have to come back and update the thread after July 14th and let us know how it goes :-)

• Marked as answer by Gramelot Thursday, January 29, 2015 3:49 PM

After rereading the available docs, I suppose it doesn't specifically rule out the scenario where an older anti-malware platform version without the EndOfLifeState reg key would continue to receive definition updates after July 14th. Seems strange that they would control this entirely from a client-side setting instead of setting a flag on the def updates themselves to not install on XP. There doesn't seem to be any OS distinction on the def update package as of today, so they may not change anything on that end. You'll have to come back and update the thread after July 14th and let us know how it goes :-)

• Marked as answer by Gramelot Thursday, January 29, 2015 3:49 PM

Oh boy, seems like Microsoft wants us to "gamble" with enterprise compliance, gray area = money making opportunities! :P