We discovered some issues with the Base Filter Engine, a new security feature introduced by Microsoft in Windows 6.x versions (Vista, 7 2008 Rx). Obviously running the BFE service without any specific IPsec polisy will deny any host assessment or compliance scans using McAfee MVM 7.x.
We found a workaround by creating a IPsec policy object that will enforce trust towards the scan engines IP address(es), but does anyone of you know a more gentle and elegant way to deal with this? Support says "This is a Microsoft issue" which we disagree in.
Discussing this with Thomas Kirk offline. An option to cope with this might be to add the source certificates from the MVM appliances to the organisation root certificate trust. We would be able to test.