Best way to prevent Endpoint Protection installation on some clients?

[nylentone]

We have a large number of Windows Embedded devices which we do want to have the SCCM client, but do not want to have Endpoint Protection. To prevent the installation of EPP on these devices, I have created alternate Client Settings with settings as so:

 

Manage Endpoint Protection client on client computers: Yes

Install Endpoint Protection client on client computers: No

 

I created a collection based on a query:

 

... SMS_R_System.OperatingSystemNameandVersion like "%Embedded%"

 

I checked the "Use incremental updates for this collection" box so that, theoretically, devices would get added immediately.

 

Is there a better way to accomplish this? What concerns me is that, even after showing up in my Embedded collection, Endpoint Protection Deployment Information for a client will still say "To be installed". And it seems that, on rare occasions, EPP will get installed on an Embedded device anyway.

[anyweb]

 

nd it seems that, on rare occasions, EPP will get installed on an Embedded device anyway.

 

are those rare systems in the right collection or not ?

[nylentone]

 

are those rare systems in the right collection or not ?

 

First of all, thanks for taking a look at my post.

 

I may have to retract my statement that some get EPP anyway. My coworkers have complained of this happening, but no one seems to have any proof.

 

One of the things that concerns me is that after a newly imaged Windows Embedded device is joined to the domain, the Endpoint Protection Deployment State shows "To be installed". It never seems to actually install, though (which is good). The logical question would be, what does it say after a few days? But that brings me to the other issue, which is that the WES devices drop out of SCCM a few hours after they're set up. Sometimes, a few days later, they'll randomly show up again. This doesn't happen to any of the thousands of PCs on our network.