SCCM – Forcing an Endpoint Protection Scan on an individual computer

One of the many great new features on SCCM 2012 (SP1) is new Fast Channel/Client notification that among other things allows you to trigger a Endpoint Protection operation such as Full Scan.

You can read all the fascinating details here:

There is a small “gotcha” however to be aware of to ensure you don’t accidentally trigger an operation on many or all of your devices if you are only targeting one.  Yikes!

Consider the following scenario:
You have a device that is reporting repeat malware infections. In turn, you wish to force a Full Scan on that device in an attempt to clear up the malware issues so you go to your Configuration Manager Administrator Console and navigate to Assets and Compliance>Devices.  You enter the computer name in the Search field and click Search.  You then right click the device and sele… wait a minute… the “Endpoint Protection” option is missing from the context menu (as well as the ribbon)?


Before you call Microsoft to help troubleshoot why this option isn’t available rest assured its nothing you are doing or not doing.  This is by design (although for the life of me I can’t think of why other than there may have been an oversight or some underlying code that forces this limitation?)

Well what to do?  The good news is there IS still a very valid way of triggering an operation on a single device.  You must navigate to the Device Collections node and locate any collection that would contain the device you are seeking.  You may notice that simply selecting any collection (including All Systems) brings the “Endpoint Protection” option to the ribbon.


This is useful if you wish to trigger the operation on the entire collection.  To trigger for the individual machine however select Show Members from the ribbon with the collection selected.


This will open a new node in the console showing all members of the collection.  Click to select the machine you are wanting to target from the list.  You will notice the Endpoint Protection option still in the Ribbon.  DO NOT CLICK IT.  If you look carefully you will see that this option still only appears in the “Collection” category on the ribbon.  Clicking this will indeed trigger the operation on every machine in the collection.


Unlike many areas of the Admin Console, when you select an Item, the available options for that item appear on the Ribbon.  This is not the case for Endpoint Protection.  You must right-click the individual device and select Endpoint Protection from the context menu.


You will be prompted to click OK prior to the action being initiated.  This confirmation dialog also shows you how many devices will be targeted.


Although this method is certainly acceptable for triggering an Endpoint Protection action, you can see how one may overlook that the ribbon is still in the Collection context if not paying close attention.

Now start scanning!!