Using System Center Endpoint Protection 2012 SP1 on Windows Embedded Standard 7 and POSReady 7 with File Based Write Filters

Posted By J.T. Kimbell Program Manager

Mark Gladding is one of our program managers at Windows Embedded. Mark is responsible for manageability of Embedded device. Since joining the team last March he has worked on the Windows Embedded 8 Pro product and delivered updates on a number of releases, such as Kinect for Windows, RDP8, .NET 4.5 support for Windows Embedded Standard 7, and POSReady 7. He found some time in his schedule to discuss Write Filters.

This blog post is for using System Center Endpoint Protection 2012 SP1 on Windows Embedded Standard 7 and POS Ready 7 with File Based Write Filters. You have the following configuration:

  • Windows Embedded Standard 7 or Windows Embedded POSReady 7
  • File Based Write Filters
  • System Center Endpoint Protection 2012 SP1 (SCEP 2012 SP1)

You want to use File Based Write Filters (FBWF), and you want to make sure your device is always protected and up-to-date. How do you do that with the write filter enabled? More precisely, how do you protect the device with the write filter enabled and not lose your changes whenever the system reboots?

For purposes of this blog post, we will assume you have a working System Center Configuration Manager 2012 SP1 environment. You will need to install the SCEP client on the devices and make sure SCEP is correctly configured.

Make sure the write filter is off when you perform the client installation. To disable the write filter, run fbwfmgr /disable, and restart the device. With write filters disabled, you can follow the instructions in the link above for installing/configuring SCEP. Once SCEP setup is complete, you can re-enable the write filter on the device by using fbwfmgr /enable and rebooting once again.

Now that you have SCEP installed on your devices, you want to make sure that engine and definition updates persist through the reboots. To do that, you will need to define some file exclusions. The following exclusions need to be applied to your write-filter-enabled device:

  • Registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
  • Folders:
    • %ProgramData%\Microsoft\Microsoft Antimalware\Definition Updates\
    • %ProgramData%\Microsoft\Microsoft Antimalware\Scans\
    • %ProgramData%\Microsoft\Microsoft Antimalware\Support\
    • %ProgramFiles%\Microsoft Security Client\
  • Files:
    • %Windir%\Windowsupdate.log
    • %Windir%\Temp\MpCmdRun.log
    • %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun*.log
    • %SystemRoot%\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun*.log

There are a number of additional log files created during SCEP operation, and depending on the size of your overlay, you may choose to put some or all of the log files below into the exclusion list as well. If you choose not to exclude the log files, then be sure to monitor the size of your overlay to make sure you don’t run out of space between reboots.

Log files:

  • 32-bit: %Windir%\System32\CCM\Logs
  • 64-bit: %Windir%\SysWOW64\CCM\Logs


For more information on FBWF and fbwfmgr:

For more information on adding exclusions: