TL; DR: Use a Client IT Tools policy instead of a path exclusion.


A couple of times in the past year, I’ve ran into issues with Bit9 blocking a Configuration Manager client upgrade. The strange part is that the product has been in place for a number of years, there are exclusions in place, and the problem is only starting now.

Configuration Manager can be upgraded multiple times a year, and these upgrades are required if clients are running the latest build of Windows. But if an organization is not up on rapid release cadences, and are still following a 3-year OS refresh process, chances are their Configuration Manager environment isn’t being updated frequently, either.

With no CM updates, there are no client upgrades…the only time these clients are getting upgraded is when they go through an OS Deployment that includes the client installation.

When a client install/upgrade is initiated from the console, the CCM process will attempt to connect to the admin$ share on the workstation, copy down a CCMSetup.exe file, and kick it off. That executable then downloads the payload from Configuration Manager and proceeds with the installation. During the install, the executable launches the ClientMSI, which also does stuff like write temp files to the C:\Windows\Installer directory.

Herein lies the problem.

The typical exclusions that are configured in Bit9 will whitelist a file or folder, and has the option to also whitelist any application that runs from those directories. It does not, however, whitelist any application that is launched from the initial whitelisted application.

To fix this, we need a different type of exclusion for the Configuration Manager Client. In Bit9, it’s called the Client IT Tools Policy. With this policy, applications executed by identified processes, or anything in the identified path will also be whitelisted (LOCAL_WHITE). The process goes like this:

  1. Navigate to the Reputation page and click the Add button.
  2. In the popup window, select IT Tools as the type.
  3. Type C:\Windows\CCMSetup\** for the path.
  4. Check the “Include all child processes” box for files created by those child processes to also grant them the LOCAL_WHITE reputation.
  5. Apply the policy (after testing) to your server and workstation clients.


Hope this helps!