McAfee causes Boot Image action problems Configuration Manager 2012 SP1 #sysctr
UPDATE 04/02/2013:
Microsoft has updated AV exclusions for Configuration Manager 2012: http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx
During a side-by-side migration to Configuration Manager 2012 SP1 we noticed no default boot images we available in the Admin console. Adding the boot images manually we encountered the following error “You can not import this boot image. Only finalized boot image are supported”
During the initial setup the process of creating boot images failed as can be seen in the CM setup log.
After some research I found the following interesting thread Access Denied Error:5 Adding Package to .WIM with DISM. Herein was clear that McAfee causes the problem. Disabling Access Protection and On Access Scanner solves this issue. My colleague Tom Klaver pointed me to a McAfee article which provides some more background of the root cause of this issue.
The problem will occurs with boot image- (import, updating, customizing) and offline servicing actions.
There are a few workarounds available to prevent this problem:
- Temporarily disable Access Protection
- Temporarily exclude folders from AV scanning (C:\Windows\TEMP\BootImages & <X:>\ConfigMgr_OfflineImageServicing)
Make sure before you start a Configuration Manager 2012 SP1 installation or upgrade, or perform boot image actions that McAfee is properly configured.
Categories
Modern Workplace 
Hi Is this enough to fix the problem ?
Temporarily exclude folders from AV scanning (C:\Windows\TEMP\BootImages & \ConfigMgr_OfflineImageServicing)
Or do you also need t disable Access Protection ?
Hi Johan, excluding these folders from AV scanning (access protection) is indeed sufficient. I would rather prefer excluding these folders over general disabling on Access Protection feature. Furthermore I prefer SCEP over McAfee due to the tigh integration with SCCM and the ease with which it can be maintained, especially in enterprise environments.
Hi Ronny, nice to hear from you…..how is life at Microsoft ?
hi Ronny,
i am having the exact same problem…
i am upgraded my sccm 2012 site to sccm 2012 SP1 & now i am not able to update my boot images,I know disabling access protection will do the job(as i have tested this).
but how can we exclude the folder from access protection I searched but did’nt found a way to exclude it….
if you can please provide a way of excluding these folders from McAfee Access protection.
Hi Pranay,
Please follow the instructions as mentioned in the article below how and what to exclude. Exclusion of files and folders may vary per AV solution.
http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx
Regards,
Ronny