McAfee causes Boot Image action problems Configuration Manager 2012 SP1 #sysctr


UPDATE 04/02/2013:

Microsoft has updated AV exclusions for Configuration Manager 2012: http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx

During a side-by-side migration to Configuration Manager 2012 SP1 we noticed that no default boot images were available in the Admin console. When adding the boot images manually, we encountered the following error: “You can not import this boot image. Only finalized boot image are supported”


During the initial setup the process of creating boot images failed as can be seen in the CM setup log.


After some research I found the following interesting thread: “Access Denied Error:5 Adding Package to .WIM with DISM”. It made clear that McAfee causes the problem. Disabling Access Protection and On Access Scanner solves this issue. My colleague Tom Klaver pointed me to a McAfee article which provides some more background on the root cause of this issue.

The problem occurs with boot image actions (import, updating, customizing) and offline servicing actions.

There are a few workarounds available to prevent this problem:


Before you start a Configuration Manager 2012 SP1 installation or upgrade, or perform boot image actions, make sure that McAfee is properly configured.


5 thoughts on “McAfee causes Boot Image action problems Configuration Manager 2012 SP1 #sysctr”

  1. Johan Pol

    Hi, is this enough to fix the problem?
    Temporarily exclude folders from AV scanning (C:\Windows\TEMP\BootImages & \ConfigMgr_OfflineImageServicing)

    Or do you also need to disable Access Protection?

    1. Hi Johan, excluding these folders from AV scanning (access protection) is indeed sufficient. I would rather prefer excluding these folders over generally disabling the Access Protection feature. Furthermore I prefer SCEP over McAfee due to the tight integration with SCCM and the ease with which it can be maintained, especially in enterprise environments.

  2. pranay

    Hi Ronny,
    I am having the exact same problem…
    I have upgraded my SCCM 2012 site to SCCM 2012 SP1 and now I am not able to update my boot images. I know disabling Access Protection will do the job (as I have tested this),
    but how can we exclude the folder from Access Protection? I searched but didn’t find a way to exclude it…
    If you can, please provide a way of excluding these folders from McAfee Access Protection.
