Forcing an Endpoint Protection Scan on an individual computer

One of the many great new features in SCCM 2012 SP1 is the new Fast Channel (client notification) mechanism, which among other things lets you trigger an Endpoint Protection operation such as a Full Scan on demand.

You can read all the fascinating details here:

There is a small “gotcha” to be aware of, however, so that you don’t accidentally trigger the operation on many or all of your devices when you only meant to target one.  Yikes!

Consider the following scenario:
You have a device that is reporting repeat malware infections. You want to force a Full Scan on that device to try to clear up the problem, so you open the Configuration Manager Administrator Console and navigate to Assets and Compliance > Devices.  You enter the computer name in the Search field and click Search.  You then right-click the device and sele… wait a minute… the “Endpoint Protection” option is missing from the context menu (as well as from the ribbon)?


Before you call Microsoft to help troubleshoot why this option isn’t available, rest assured it’s nothing you are doing or not doing.  This is by design (although for the life of me I can’t think of why, other than there may have been an oversight or some underlying code that forces this limitation?).

Well, what to do?  The good news is there IS still a perfectly valid way of triggering an operation on a single device.  Navigate to the Device Collections node and locate any collection that contains the device you are looking for.  You will notice that simply selecting a collection (including All Systems) brings the “Endpoint Protection” option onto the ribbon.


This is useful if you wish to trigger the operation on the entire collection.  To trigger it for an individual machine, however, select Show Members from the ribbon with the collection selected.


This opens a new node in the console showing all members of the collection.  Click to select the machine you want to target from the list.  You will notice the Endpoint Protection option is still on the ribbon.  DO NOT CLICK IT.  If you look carefully you will see that this option still appears only in the “Collection” category of the ribbon, and clicking it will indeed trigger the operation on every machine in the collection.


In most areas of the Admin Console, selecting an item puts the available options for that item on the ribbon.  This is not the case for Endpoint Protection.  You must right-click the individual device and select Endpoint Protection from the context menu.


You will be prompted to click OK before the action is initiated.  This confirmation dialog also shows you how many devices will be targeted, so check that the count reads 1 before confirming.


Although this method is certainly acceptable for triggering an Endpoint Protection action, you can see how one might overlook that the ribbon is still in the Collection context if not paying close attention.
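The same single-device trigger can be scripted so that the scope check happens before anything is sent, rather than relying on reading the count in the confirmation dialog. The script below is an added example, not code from the original post; it assumes the ConfigurationManager PowerShell module is loaded with the session positioned on the site drive, and that the module version in use provides the Get-CMDevice and Invoke-CMEndpointProtectionScan cmdlets (the latter arrived in the R2-era cmdlet library, after the SP1 console described above). The device name is a placeholder.

```powershell
<#
  Added example (not from the original post): trigger an Endpoint Protection
  scan on exactly one device, refusing to run if the name resolves to anything
  other than a single client.  This is the scripted equivalent of confirming
  that the console dialog says "1 device" before clicking OK.

  Assumptions: ConfigurationManager module imported, session on the site drive
  (e.g. PS ABC:\>), and Get-CMDevice / Invoke-CMEndpointProtectionScan available.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string]$DeviceName,            # placeholder, e.g. 'WORKSTATION01'

    [ValidateSet('Full', 'Quick')]
    [string]$ScanType = 'Full'
)

# Resolve the name to device records first.  Filter for an exact (case-insensitive)
# name match so that a wildcard or partial name cannot quietly widen the scope.
$found = @(Get-CMDevice -Name $DeviceName | Where-Object { $_.Name -ieq $DeviceName })

if ($found.Count -eq 0) {
    throw "No device named '$DeviceName' found in the site database."
}
if ($found.Count -gt 1) {
    throw "Name '$DeviceName' resolved to $($found.Count) records; refusing to scan more than one device."
}

$device = $found[0]

# A record without a client cannot receive a client notification, so stop here
# instead of reporting a success that never happened.
if (-not $device.IsClient) {
    throw "Device '$($device.Name)' has no Configuration Manager client installed."
}

# ShouldProcess gives the same "are you sure?" gate as the console's OK dialog,
# and the message states the exact scope: one named device, not a collection.
$action = "$ScanType Endpoint Protection scan on 1 device (ResourceID $($device.ResourceID))"
if ($PSCmdlet.ShouldProcess($device.Name, $action)) {
    # Target the device by name (already verified unique above); the collection
    # parameter set of this cmdlet is deliberately not used.
    Invoke-CMEndpointProtectionScan -DeviceName $device.Name -ScanType $ScanType
    Write-Verbose "Client notification sent to $($device.Name)."
}
```

Run it as `.\Start-SingleDeviceScan.ps1 -DeviceName WORKSTATION01 -ScanType Full`; the `ConfirmImpact = 'High'` setting means PowerShell prompts before the notification is sent unless `-Confirm:$false` is supplied, and `-WhatIf` shows the resolved target without sending anything.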

Now start scanning!!


3 thoughts on “Forcing an Endpoint Protection Scan on an individual computer”

  1. Is there a way to get the Endpoint context menu from within Devices, rather than having to go to the Collections listing first and THEN to the Devices area after having double-clicked? All it does is add an alias/reference to the specific collection, underneath the Devices branch in the tree. It seems super cumbersome to have to go to the collection first.

  2. I agree it would be nice to just hit a device directly from the device node. 😐

  3. Thank you for this post. Not too familiar with ConfigMgr, but without this post, I’d never have found the stupid Endpoint Protection section to run a manual scan. Thanks again
