One very important aspect of your SCEP deployment is to stay on top of which policy your clients are receiving. All new SCEP clients will receive the default policy automatically, but if you've added any additional SCEP policies with custom settings, it's a good idea to check and make sure that your clients have received the policy correctly.
In order to complete this recipe, you'll need to utilize an account that has at least the SCEP administrators SCCM role assigned to it.
Follow these steps:
- Log into your SCCM CAS server and launch your SCCM 2012 management console.
- Navigate to
Assets and Compliance|Overview|Devicesand locate the collection that the custom policy has been assigned to. - Select any of the systems in this collection, and then click on the Endpoint Protection tab at the bottom of the screen.
- You should be able to see a column titled Policy Application Information. The first item under the title is called EP Policy Name, which is followed by the name of the current policy that is in effect for this client, as shown in the following screenshot:
SCEP clients receive their policy settings as SCCM advertisements of small XML files. Once a SCEP policy has been created, it needs to be assigned to an SCCM collection of computers to go into effect.
If you follow the preceding recipe and find that the computer you were spot-checking does not have the correct policy, go back to Assets and Compliance | Overview | Endpoint Protection | Antimalware Policies and double-check that your custom policy is assigned to the right collection.
If you've just deployed a new policy within the past few minutes and find that a computer does not have the correct policy, give it a few minutes and refresh the screen. It can take a while for a newly deployed policy to make its way down to a client.