Best practice to run Microsoft Endpoint Protection client in VDI environment

We are using a Citrix XenDesktop VDI environment. The Symantec Endpoint Protection client (VDI performance optimised) has been installed on the "streamed to the clients" virtual machine image. Basically, all the files in the golden image have been "tattooed" with a Symantec signature. Now, when a new VM starts, the Symantec scan engine simply ignores the "tattooed" files and also randomises scan times. This is a rough explanation, but I hope you've got the idea.
We are switching from Symantec to Microsoft Endpoint Protection and I'm looking for any information and documentation in regard to best practice for running Microsoft Endpoint Protection clients in a VDI environment.
Thanks in advance.

I see this post is a bit old, but the organization I'm with has a very large VDI deployment using VMware. We also are using SCEP 2012 for the AV.
Did you find out what you were looking for or did you elect to take a different direction?
We install SCEP 2012 into the base image and manage the settings using GPO and the updates for defs are through the normal route.
Our biggest challenge is getting alert message from the client.
Thanks

Similar Messages

  • Best Practice to configure tnsnames.ora on client of MAA environment in 10g

    Hi,
    I have a MAA environment, 1 RAC Primary of 2 nodes and 1 RAC standby of 2 nodes too. I want to configure the tnsnames.ora on clients (we have many clients on each PC) and I need to configure the tnsnames.
    I have read some papers but the information is not clear regarding how to configure the tnsnames on clients. I just want to have only one entry in tnsnames that I can use on clients to connect to RAC Primary and/or Standby depending on which site is primary at that moment. I was thinking of something like this:
    SALES.WORLD =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = site1a)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = site1b)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = site2a)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = site2b)(PORT = 1521))
        (LOAD_BALANCE = yes)
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = sales.world)
          (FAILOVER_MODE =
            (TYPE = SELECT)
            (METHOD = BASIC)
            (RETRIES = 180)
            (DELAY = 5)
          )
        )
      )
    Where site1 is the RAC Primary now, and site2 is the standby. But in case of a switchover, I want the clients to recognise automatically which site to connect to.
    I was thinking of stopping the listeners on the site that is not primary at that moment.
    The question is whether this is the best practice in this scenario.
    Thanks for your advice.
    Luis

    Hi Louis,
    you need to set up a service with clusterware, on both sides: primary and standby.
    On primary you start them. On standby the services are also configured but stopped.
    In case of switchover or failover, Data Guard will notify clusterware to bring them up.
    You need to use this service name in your clients' tnsnames.
    Another issue is TCP timeouts; to protect against them you use
    outbound_connect_timeout in your sqlnet.ora
    Also have a look at
    http://www.oracle.com/technology/deploy/availability/pdf/MAA_WP_10gR2_SwitchoverFailoverBestPractices.pdf
    HTH Mathias

  • Remove Microsoft Endpoint Protection 2012 Client

    Hi,
    I ended up with Microsoft Endpoint Protection 2012 on my private PC and I can't get rid of it.
    When I try to uninstall it via the "Programs and Features" dialogue, the "Uninstall" or "Change" button disappears every time I select the endpoint entry. Wild guess: this is due to a group policy setting.
    So my question is, which group policy do I have to change to successfully uninstall the client without having to reinstall my whole system?
    Thanks
    Simon

    Hi
    Thank you for your post here.
    Please read the articles below to see if they are helpful.
    http://support.microsoft.com/kb/2834133
    http://technet.microsoft.com/en-us/library/gg477040.aspx
    Best Regards
    Quan Gu

  • Endpoint Protection clients not getting updates from SCCM 2012 in new Secondary Site

    I recently stood up a secondary site behind a PCI firewall to manage PCI in-scope systems. All of my boundaries are properly configured and there are no overlaps. I am able to push packages to these clients and the clients are reporting as healthy; however, I am not able to get updates to the SCEP clients. There is no internet access from these systems so I have to rely on updates from SCCM. From what I can see in the WindowsUpdate log it is only trying to go to Microsoft for the definitions. Here is the log:
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: Send failed with hr = 80072ee2.
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None>
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: Send request failed, hr:0x80072ee2
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x7&WUA=7.9.9600.16422>. error 0x80072ee2
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
    2014-04-30 11:05:09:739 828 da8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
    2014-04-30 11:05:09:739 828 da8 SLS FATAL: GetResponse failed with hresult 0x80072ee2...
    2014-04-30 11:05:09:739 828 da8 EP FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072EE2
    2014-04-30 11:05:09:739 828 da8 EP FATAL: EP: CSLSEndpointProvider::GetEndpointFromSLS - Failed to get client data and init parser, error = 0x80072EE2
    2014-04-30 11:05:09:739 828 da8 EP FATAL: Failed to obtain 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL, error = 0x80072EE2
    2014-04-30 11:05:09:739 828 da8 Agent WARNING: Failed to obtain the authorization cab URL for service 7971f918-a847-4430-9279-4a52d1efe18d, hr=0
    2014-04-30 11:05:09:739 828 da8 Agent FATAL: Caller <NULL> failed to opt in to service 7971f918-a847-4430-9279-4a52d1efe18d, hr=0X80072EE2
    2014-04-30 11:05:09:739 828 da8 SLS Retrieving SLS response from server...
    2014-04-30 11:05:09:739 828 da8 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x7&WUA=7.9.9600.16422
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: Send failed with hr = 80072ee2.
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <None>
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: Send request failed, hr:0x80072ee2
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x7&WUA=7.9.9600.16422>. error 0x80072ee2
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
    2014-04-30 11:05:30:742 828 da8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
    2014-04-30 11:05:30:742 828 da8 SLS FATAL: GetResponse failed with hresult 0x80072ee2...
    2014-04-30 11:05:30:742 828 da8 EP FATAL: EP: CSLSEndpointProvider::GetWUClientDataAndInitParser - failed to get SLS data, error = 0x80072EE2
    2014-04-30 11:05:30:742 828 da8 EP FATAL: EP: CSLSEndpointProvider::GetSecondaryServicesEnabledState - Failed to get client data and init parser, error = 0x80072EE2
    2014-04-30 11:05:30:742 828 da8 Agent   * WARNING: Online service registration/service ID resolution failed, hr=0x80248014
    2014-04-30 11:05:30:742 828 da8 Agent   * WARNING: Exit code = 0x80248014
    2014-04-30 11:05:30:742 828 da8 Agent *********
    2014-04-30 11:05:30:742 828 da8 Agent **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)  Id = 9]
    2014-04-30 11:05:30:742 828 da8 Agent *************
    2014-04-30 11:05:30:742 828 da8 Agent WARNING: WU client failed Searching for update with error 0x80248014
    2014-04-30 11:05:30:742 828 da8 IdleTmr WU operation (CSearchCall::Init ID 9, operation # 99) stopped; does use network; is not at background priority
    2014-04-30 11:05:30:742 828 da8 IdleTmr Decremented PDC RefCount for Network to 0
    2014-04-30 11:05:30:742 828 da8 IdleTmr Decremented idle timer priority operation counter to 0
    2014-04-30 11:05:30:743 576 12c0 COMAPI >>--  RESUMED  -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
    2014-04-30 11:05:30:743 576 12c0 COMAPI   - Updates found = 0
    2014-04-30 11:05:30:743 576 12c0 COMAPI   - WARNING: Exit code = 0x00000000, Result code = 0x80248014
    2014-04-30 11:05:30:743 576 12c0 COMAPI ---------
    2014-04-30 11:05:30:743 576 12c0 COMAPI --  END  --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
    2014-04-30 11:05:30:743 576 12c0 COMAPI -------------
    2014-04-30 11:05:30:743 576 1254 COMAPI WARNING: Operation failed due to earlier error, hr=80248014
    2014-04-30 11:05:30:743 576 1254 COMAPI FATAL: Unable to complete asynchronous search. (hr=80248014)
    The log is from a Server 2012 R2 Client. The only thing I was able to find was this Article which did not resolve my issue. Anyone else encounter anything similar? Any help would be appreciated.
    Regards, Evan Mills - Systems Administrator

    Every two hours is too aggressive for the ADR. Definitions are only released 2-3 times a day so every 8 hours is what most consider best practice. Is your WSUS sync occurring every two hours as well? If not, then the ADR wouldn't have anything new to pick up anyway. It's best to set the WSUS sync for every 8 hours and then set the ADR to run after any successful WSUS sync.
    So the EP definitions are caching but not installing? What does the WUAHandler.log show? One of my machines shows the following which indicates a successful installation from the ConfigMgr delivered update:
    1. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.173.933.0) (0a156122-d4f8-4215-9e63-8f0f1e32c9c6, 200)    WUAHandler    4/30/2014 6:49:33 AM    11080 (0x2B48)
    Async installation of updates started.    WUAHandler    4/30/2014 6:49:34 AM    11080 (0x2B48)
    Update 1 (0a156122-d4f8-4215-9e63-8f0f1e32c9c6) finished installing (0x00000000), Reboot Required? No    WUAHandler    4/30/2014 6:50:23 AM    8664 (0x21D8)
    Async install completed.    WUAHandler    4/30/2014 6:50:23 AM    8664 (0x21D8)
    Installation of updates completed.    WUAHandler    4/30/2014 6:50:23 AM    11032 (0x2B18)
    It sounds like if you set "Check for Endpoint Protection definitions at a specific interval" to 0 then it would prevent the WindowsUpdate.log activity you're seeing when the EP client tries to reach out for updates.

  • Upgraded SCCM 2012 SP1 to CU5 - Problem updating Endpoint Protection Client (to V4.5.216.0)

    We upgraded SCCM SP1 to CU5. We got one primary site, on which we had no problems with running the CU setup. After the upgrade we pushed the new administrator console and client.
    SP1 CU5 - console update -> Updated on all administrator users (50 computers)
    SP1 CU5- x64 and x86 client update -> Updated on pilot group (50 computers)
    No problems so far.
    We are having trouble updating the Endpoint Protection Client version. This was V4.1.522.0 before the upgrade. When we enroll a new computer, it receives the new V4.5.216.0, which is the latest version.
    But we can't update our older clients. We try to deploy the software update (Update for Forefront Endpoint Protection 2010 Client - 4.5.216.0 (KB2952678)) but it doesn't install. After 20 minutes, if I look in the Deployment logs, it says the installation was successful; but it isn't, it's still the old version.
    The strange thing is, we can upgrade to an in-between version (Update for Forefront Endpoint Protection 2010 Client - 4.3.215.0 (KB2864366)), which installs on a test client.
    If I look at the cache files of the new EP Client update and use UpdateInstall.exe manually, the update does install. Then I see in the logfile EndpointProtectionAgent.log that it still refers to version 4.1.522.0.
    EP 4.5.216.0 is installed, version is higher than expected installer version 4.1.522.0. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Re-apply EP AM policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Apply AM Policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash D277339FA77A9017801399D96266BAD42DE74F38 is NOT changed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Firewall provider is installed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    This is the WindowsUpdate.log when I try to push the new EP client.
    2015-01-14 11:24:13:651 7416 1c44 Handler :::::::::
    2015-01-14 11:24:13:651 7416 1c44 Handler : Updates to install = 1
    2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Command line install completed. Return code = 0x8004ff25, Result = Failed, Reboot required = false
    2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Exit code = 0x8024200B
    2015-01-14 11:24:21:716 7416 1c44 Handler :::::::::
    2015-01-14 11:24:21:716 7416 1c44 Handler :: END :: Handler: Command Line Install
    2015-01-14 11:24:21:732 7416 1c44 Handler :::::::::::::
    2015-01-14 11:24:21:794 1096 c18 Agent *********
    2015-01-14 11:24:21:794 1096 edc AU Can not perform non-interactive scan if AU is interactive-only
    2015-01-14 11:24:21:794 1096 c18 Agent ** END ** Agent: Installing updates [CallerId = CcmExec]
    2015-01-14 11:24:21:794 1096 c18 Agent *************
    2015-01-14 11:24:21:794 2296 fac COMAPI >>-- RESUMED -- COMAPI: Install [ClientId = CcmExec]
    2015-01-14 11:24:21:794 2296 fac COMAPI - Install call complete (succeeded = 0, succeeded with errors = 0, failed = 1, unaccounted = 0)
    2015-01-14 11:24:21:794 2296 fac COMAPI - Reboot required = No
    2015-01-14 11:24:21:794 2296 fac COMAPI - WARNING: Exit code = 0x00000000; Call error code = 0x80240022
    2015-01-14 11:24:21:794 2296 fac COMAPI ---------
    2015-01-14 11:24:21:794 2296 fac COMAPI -- END -- COMAPI: Install [ClientId = CcmExec]
    2015-01-14 11:24:21:794 2296 fac COMAPI -------------
    2015-01-14 11:24:21:794 1096 1620 AU Can not perform non-interactive scan if AU is interactive-only
    2015-01-14 11:24:26:739 1096 1424 Report REPORT EVENT: {ED287668-4BEF-46FD-BB57-CA17680E5D3B} 2015-01-14 11:24:21:732+0100 1 182 101 {A90C3005-7B59-4268-8B11-12D9BE5C8EA0} 201 80070643 CcmExec Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Update for System Center Endpoint Protection 2012 Client - 4.5.216.0 (KB2952678).
    2015-01-14 11:24:27:207 1096 1424 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2015-01-14 11:24:27:207 1096 1424 Report WER Report sent: 7.5.7601.17514 0x80070643 A90C3005-7B59-4268-8B11-12D9BE5C8EA0 Install 101 Managed
    2015-01-14 11:24:27:207 1096 1424 Report CWERReporter finishing event handling. (00000000)
    Thanks in advance!

    Hello,
    According to
    kb2952678:
    To apply this update, you must have one of the following installed:
    System Center 2012 R2 Configuration Manager Cumulative Update 4 for System Center 2012
    Configuration Manager Service Pack
    Service Pack 2 for System Center Configuration Manager 2007 and Update Rollup 1 for
    Forefront Endpoint Protection 2010
    Do you have Update Rollup 1 for Forefront Endpoint Protection 2010?
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Endpoint Protection Client - definitions couldn't be updated

    I am on SCCM 2012 SP2 and have the Endpoint Protection client deployed to computers during the Task Sequence, and they get the update.
    The next day I will try an update from the client's GUI and will get the error "Virus and spyware definitions couldn't be updated".
    In the antimalware policy applied to the collection the device is a member of, I indeed have its definition update source set to "Updates from UNC file shares", then in the server path for the UNC, it is set to "\\server.domain.com\D$\sources\Packages\Apps\Microsoft\EP_Definitions\Updates\x86",
    which is where the "mpam-fe.exe" and "nis_full.exe" files are.
    I have no maintenance windows set on the device collection that this antimalware policy is applied to.

    Hi, I just wanted to clarify, I only have the "UNC" path as the option for the source of updates.
    I have also verified that in the registry in HKLM policies Microsoft AntiMalware the UNC path is indeed there and I can manually access the path from Start > Run.
    I've tried running the Endpoint definitions update manually as an Administrator, and with the Windows Update service in every combination of state I could try, and still nothing (not that I want Endpoint getting updates from the internet anyway).
    Not sure what we're looking for in the windowsupdate.log, but here are the last few lines before the time I tried running the update. The error from the definition update doesn't appear to add anything to this log file.
    2014-11-19 18:50:01:854 1012 10a0 Service *************
    2014-11-19 18:54:12:693 2068 1398 Misc ===========  Logging initialized (build: 7.5.7601.17514, tz: -0600)  ===========
    2014-11-19 18:54:12:693 2068 1398 Misc  = Process: C:\WINDOWS\CCM\CcmExec.exe
    2014-11-19 18:54:12:693 2068 1398 Misc  = Module: c:\Windows\system32\wuapi.dll
    2014-11-19 18:54:12:693 2068 1398 COMAPI FATAL: Unable to connect to the service (hr=80070422)
    2014-11-19 18:54:12:693 2068 1398 COMAPI WARNING: Unable to establish connection to the service. (hr=80070422)
    2014-11-19 18:54:33:507 2068 1098 COMAPI FATAL: Unable to connect to the service (hr=80070422)
    2014-11-19 18:54:33:507 2068 1098 COMAPI WARNING: Unable to establish connection to the service. (hr=80070422)

  • What are the best practices recommended by Microsoft to give access to an intranet portal from the internet externally?

    Hi
    What are the best practices recommended by Microsoft?
    I have an intranet portal in my organization used by employees, and I want to give employees access to it externally from the internet as well.
    Can I use the same URL for employees to access the intranet portal internally and externally, or a different URL?
    Like (https://extranet.xyz.com.in) and (http://intranet.xyz.com.in).
    The internal URL accessed by employees is (http://intranet.xyz.com.in),
    and this portal is configured with claims-based authentication.
    Here I have an F5 for load balancing, and
    a request from external to the F5 is an HTTPS request and F5 to the SharePoint server is an HTTP request,
    and SharePoint server to F5 is an HTTP request but F5 to external users is an HTTPS response, so
    when I change the settings below in alternate access mappings, all links change to https,
    but only the authentication link is still showing http and the authentication page does not open.
    adil

    Hi,
    One of my clients has an environment similar to yours with an internal pair of F5s and a pair used for the access from the internet.
    I am only going to focus on the method using an F5 Load Balancer and SSL Offloading. The setup of the F5 will not be covered in detail, but a reference to the documentation to support SharePoint and SSL Offloading will be provided.
    Since you are going to be using SSL Offloading you do not need to extend your WebApps to use separate IIS WebSites with Unique IP Addresses.
    Configure the F5 with SSL Offloading.
    Configure an Internal AAM for SSL (HTTPS) for each WebApp that maps to the Public HTTP FQDN AAM Setting for each WebApp.
    Our environment has an additional component: we require RSA Authentication for all internet facing Sites. So we have the extra step of extending the WebApp to a separate IIS WebSite and configuring RSA for each extended WebSite.
    Reference SharePoint F5 Configuration:
    http://www.f5.com/featured/video/ssl-offloading/
    -Ivan

  • Looking for best practice white paper on Internet Based Client Management

    Looking for best practice white paper on Internet Based Client Management for SCCM 2012 R2.
    Has anyone implemented this in a medium sized corporate environment? 10k+ workstations.  We have a single primary site, SQL server and 85 DP's. 

    How about the TechNet docs: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients ?
    Or one of the many blog posts on the subject shown from a web search: http://www.bing.com/search?q=configuration+manager+2012+internet+based+client+management&go=Submit+Query&qs=bs&form=QBRE ?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Deploying SCCM EndPoint Protection Client with updates?

    I am using SCCM 2012 R2 and need to get the Endpoint Protection client built into my image.
    If I deploy it post-imaging the laptop, how do I get the latest definitions?
    Because it shows up with a red icon in the system tray and I have to go in and manually update the definitions after I install it.
    Is there a task that could be done in an OSD to update the definitions?
    Otherwise the only way I can think of is to preinstall and update and get the full scan done before capturing an image of my system to deploy to other systems.

    Hi,
    If you use Endpoint Protection on all computers, including the latest definitions in your Build and Capture saves time.
    Otherwise, the command line in Windows works fine; trigger an update of SCEP at the end of the task sequence:
    "%ProgramFiles%\Microsoft Security Client\MpCmdRun.exe" -SignatureUpdate
    Here are some great articles for you reference:
    Operating System Deployment and Endpoint Protection Client Installation
    http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx
    How to Configure Definition Updates for Endpoint Protection in Configuration Manager
    http://technet.microsoft.com/en-us/library/jj822983.aspx 
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Endpoint Protection Client Activity Log

    Hello
    I'd like to know how long SCCM 2012 keeps the Endpoint Protection client activity logs (logs of scans, detections, quarantine, etc.) and if I can change it?
    thanks

    HI,
    Endpoint Protection history data is deleted after 365 days; it can be controlled in the Site Maintenance task "Delete Aged Endpoint Protection Health Status History Data".
    There is also a setting for "Delete Aged Threat Data" which is set to 30 days. It depends on which level of detail you are after, but it sounds like you should increase the "Delete Aged Threat Data".
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Endpoint Protection Client not running scheduled scan

    Hi,
    We are running SCCM 2012 R2 CU1 on our site system and clients, having upgraded from SCCM 2012 sp1 12 months ago.
    A few of our clients will not run a scheduled scan, even though it displays the scan date and time in the client properties.
    Someone did create a new EP policy and pointed the clients at it, but that didn't fix this problem.
    The AV engine and AV definitions are up to date and the real time monitor is running.
    In the SCCM console, Active Clients at Risk, the client has Endpoint Protection Enabled showing as Disabled, nothing in the Endpoint Protection Engine Version, nothing for Last Full Scan Start Time, Endpoint Protection Pending Full Scan - No.
    The MPLog-xxxx-xxx.log shows:
    Signature updated on 02-11-2015 05:57:13
    Product Version: 4.7.205.0
    Service Version: 4.7.205.0
    Engine Version: 1.1.11302.0
    AS Signature Version: 1.191.4588.0
    AV Signature Version: 1.191.4588.0
    2015-02-11T05:57:15.492Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:15.492Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:40.982Z Process scan (postsignatureupdatescan) started.
    2015-02-11T05:57:50.420Z Process scan (postsignatureupdatescan) completed.
    2015-02-11T06:06:47.173Z AutoPurgeWorker triggered with dwWork=0x3
    2015-02-11T06:06:47.173Z Product supports installmode: 0
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
    2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
    2015-02-11T06:06:47.844Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
    The EndpointProtectionAgent.log shows:
    Endpoint is triggered by message. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP version 4.7.205.0 is already installed. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP 4.7.205.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Re-apply EP AM policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Apply AM Policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Applied the C:\WINDOWS\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
    SCEP Standard Desktop EP Policy and GroupResolveResultHash 5E75089B490B85DD66BBA85BC91E15A5EA853B9C is NOT changed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Firewall provider is installed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Could anyone provide any pointers on why the scheduled scan won't work?
    Jaz

    Hi,
    Please verify whether any GPO is applied and overwrites the setting; you can check the registry key:
    http://blogs.technet.com/b/mspfe/archive/2013/11/13/system-center-configuration-manager-2012-scep-policy-behavior.aspx
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Forefront Endpoint Protection Client filling OS drive with scan and definition files.

    I have installed FEP on our client servers; one of the servers is filling C: drive space with scan files (.bin.xx) and with definitions. Why is it not clearing like the other servers? Please suggest!
    We aren't using it through SCCM; we have only the FEP client, which downloads updates directly from the Internet.
    Thanks in advance. 

    Hi,
    Please check the logs below to see if there is any error.
    %allusersprofile%\Microsoft\Microsoft Antimalware\Support—Log files specific for the antimalware service
    %allusersprofile%\Microsoft\Microsoft Security Client\Support—Log files specific for the SCEP client software
    %windir%\WindowsUpdate.log—Windows Update log files, which include information about definition updates
    %windir%\CCM\Logs\EndpointProtectionagent.log – Shows Endpoint version and policies applied
    %windir%\temp\MpCmdRun.log – Activity when performing scans and signature updates
    %windir%\temp\MpSigStub.log – Update progress for signature and Engine updates
    Reference:http://kickthatcomputer.wordpress.com/2014/03/04/endpoint-protection-log-locations/
    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce

  • Best practice for running multiple sites on 1 CF install?

    Hi-
    I'm setting up a new hosting environment (Windows Server 2008 Standard 64 bit VPS  configuration, MySQL, IIS 7, CF 9)
    Has anyone seen any docs or can anyone suggest best practices for configuring multiple sites in this environment? At this point I'm thinking simple is best, one new site in IIS for each client (domain) and point it to CF.
    Given this environment, is anyone aware of any gotchas within the setup of CF 9 on IIS 7?
    Thank you in advance,
    Rich

    There's nothing wrong with that approach. You can run as many IIS sites as you like against a single CF install.
    As for installing CF on IIS 7, I recommend that you do the following: install CF 9 without connecting it to IIS, then installing the 9.0.1 upgrade and any hotfixes, then connecting CF to IIS using the web server configuration utility. This will keep you from having to install the IIS 6 compatibility layer that's needed with CF 9 but not with CF 9.0.1.
    Dave Watts, CTO, Fig Leaf Software
    http://www.figleaf.com/
    http://training.figleaf.com/

  • Locally check how Endpoint Protection client gets updates

    Hi,
    I'm in the middle of a large deployment of SCEP (ahem) System Center 2012 Endpoint Protection, and I've come across an interesting question. Is it possible to determine the method the local SCEP client used to obtain its most recent definitions update?
    The background here is that our clients are set to obtain updates from the SCCM server, and only from the Internet as a last resort after 12 hours of failure. However, during one recent deployment, the local team reported a spike in their Internet traffic and believe several hundred SCEP clients updated via the Internet. Is it possible to verify this locally from log files on the computer or some other method?
    This is an issue for some of our locations where Internet bandwidth is at a premium, but we have good internal WAN links.
    Kind regards,
    Matt

    Hi,
    We could configure Definition Update sources under Antimalware Policy.
    How to Configure Definition Updates for Endpoint Protection in Configuration Manager
    Best Regards,
    Joyce Li
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.
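    The two threads above ask the same question from different ends: the secondary-site post shows WindowsUpdate.log entries from SCEP clients trying to reach sls.update.microsoft.com and failing with 0x80072ee2, and the last post asks how to tell locally whether a client got its definitions from ConfigMgr or from the Internet. The Python below is an added example, not code from any of the posters or from Microsoft: it reads WindowsUpdate.log and WUAHandler.log in the line formats quoted on this page, isolates the SCEP caller's "Finding updates" windows, records which Microsoft update hosts were contacted and which HRESULTs came back, and pairs ConfigMgr-delivered definition installs with their result codes. The sample lines are constructed from the excerpts above, and the set of hostnames treated as "Internet" is an assumption based on the URL in that log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines, modelled on the WindowsUpdate.log and WUAHandler.log
# excerpts quoted in the threads above; not a capture from any real client.
WINDOWSUPDATE_LOG = """\
2014-04-30 11:05:09:739 828 da8 Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)  Id = 9]
2014-04-30 11:05:09:739 828 da8 SLS Making request with URL HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=41&L=en-US&P=&PT=0x7&WUA=7.9.9600.16422
2014-04-30 11:05:30:742 828 da8 Misc WARNING: Send failed with hr = 80072ee2.
2014-04-30 11:05:30:742 828 da8 SLS FATAL: GetResponse failed with hresult 0x80072ee2...
2014-04-30 11:05:30:742 828 da8 Agent WARNING: WU client failed Searching for update with error 0x80248014
2014-04-30 11:05:30:742 828 da8 Agent **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)  Id = 9]
2014-04-30 11:07:00:000 828 da8 Agent ** START ** Agent: Finding updates [CallerId = CcmExec  Id = 10]
2014-04-30 11:07:01:000 828 da8 Agent **  END  **  Agent: Finding updates [CallerId = CcmExec  Id = 10]
"""

WUAHANDLER_LOG = """\
1. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.173.933.0) (0a156122-d4f8-4215-9e63-8f0f1e32c9c6, 200)    WUAHandler    4/30/2014 6:49:33 AM    11080 (0x2B48)
Async installation of updates started.    WUAHandler    4/30/2014 6:49:34 AM    11080 (0x2B48)
Update 1 (0a156122-d4f8-4215-9e63-8f0f1e32c9c6) finished installing (0x00000000), Reboot Required? No    WUAHandler    4/30/2014 6:50:23 AM    8664 (0x21D8)
"""

# WindowsUpdate.log layout: "date time pid tid component message"
WU_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
START_RE = re.compile(r"\*\*\s*START\s*\*\*")
END_RE = re.compile(r"\*\*\s*END\s*\*\*")
CALLER_RE = re.compile(r"CallerId = (.*?)\s+Id\s*=")
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# "hr = 80072ee2", "hr:0x80072ee2", "hresult 0x80072ee2", "error = 0x80072EE2", "error 0x80248014"
HR_RE = re.compile(r"(?:hr|hresult|error)\s*[=:]?\s*(?:0x)?([0-9a-f]{8})\b", re.IGNORECASE)
SCEP_CALLER = "System Center Endpoint Protection"

# WUAHandler.log: a missing definition update and the matching "finished installing" line
WUA_MISSING_RE = re.compile(
    r"Update \(Missing\): Definition Update for Microsoft Endpoint Protection - (KB\d+) "
    r"\(Definition ([\d.]+)\) \(([0-9a-f-]{36}), \d+\)")
WUA_DONE_RE = re.compile(r"Update \d+ \(([0-9a-f-]{36})\) finished installing \((0x[0-9A-Fa-f]{8})\)")


def is_ms_update_host(host):
    """Assumption: these suffixes are what 'went to the Internet' looks like in this log."""
    host = host.lower()
    return (host == "update.microsoft.com" or host.endswith(".update.microsoft.com")
            or host.endswith(".windowsupdate.com"))


def scep_search_windows(text):
    """Split WindowsUpdate.log into 'Finding updates' windows, keyed by the caller that opened them."""
    windows, current = [], None
    for raw in text.splitlines():
        m = WU_LINE.match(raw)
        if not m:
            continue
        ts, _pid, _tid, _component, message = m.groups()
        if START_RE.search(message) and "Finding updates" in message:
            c = CALLER_RE.search(message)
            current = {"start": ts, "end": None, "caller": c.group(1) if c else "", "urls": [], "errors": []}
            continue
        if current is None:
            continue
        if END_RE.search(message) and "Finding updates" in message:
            current["end"] = ts
            windows.append(current)
            current = None
            continue
        current["urls"].extend(URL_RE.findall(message))
        hm = HR_RE.search(message)
        if hm:
            code = "0x" + hm.group(1).upper()
            if code not in current["errors"]:      # keep first-seen order, no duplicates
                current["errors"].append(code)
    if current is not None:                        # log truncated before the END marker
        windows.append(current)
    return windows


def internet_definition_attempts(text):
    """SCEP-initiated searches that contacted Microsoft's update servers, with the HRESULTs seen."""
    out = []
    for w in scep_search_windows(text):
        if SCEP_CALLER not in w["caller"]:
            continue
        hosts = {h for h in (urlsplit(u).hostname for u in w["urls"]) if h and is_ms_update_host(h)}
        if hosts:
            out.append({"start": w["start"], "end": w["end"], "hosts": sorted(hosts), "errors": w["errors"]})
    return out


def configmgr_definition_installs(text):
    """Definition updates delivered through the ConfigMgr software-update channel (WUAHandler.log)."""
    pending, installs = {}, []
    for line in text.splitlines():
        m = WUA_MISSING_RE.search(line)
        if m:
            pending[m.group(3)] = {"kb": m.group(1), "definition": m.group(2)}
            continue
        d = WUA_DONE_RE.search(line)
        if d and d.group(1) in pending:
            rec = pending.pop(d.group(1))
            rec.update(guid=d.group(1), result=d.group(2), succeeded=int(d.group(2), 16) == 0)
            installs.append(rec)
    return installs


def summarize(windowsupdate_text, wuahandler_text):
    """One-line answer to 'where did this client get its definitions, and did it try the Internet?'"""
    attempts = internet_definition_attempts(windowsupdate_text)
    installs = configmgr_definition_installs(wuahandler_text)
    return {
        "internet_attempts": len(attempts),
        "internet_errors": Counter(code for a in attempts for code in a["errors"]),
        "configmgr_installs": sum(1 for i in installs if i["succeeded"]),
        "latest_configmgr_definition": installs[-1]["definition"] if installs else None,
    }


if __name__ == "__main__":
    for a in internet_definition_attempts(WINDOWSUPDATE_LOG):
        print(f"{a['start']} SCEP contacted {', '.join(a['hosts'])} -> {', '.join(a['errors']) or 'no error'}")
    print(summarize(WINDOWSUPDATE_LOG, WUAHANDLER_LOG))
```

    Run against the real %windir%\WindowsUpdate.log and %windir%\CCM\Logs\WUAHandler.log on a client, a non-zero internet_attempts count alongside a recent ConfigMgr-delivered definition is the signature of the fallback-to-Microsoft behaviour both threads describe.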

  • Best Practice: continuously running db procedure

    I've written a database procedure that pulls messages off an AQ, then does some processing on them and stores the result in a table. I'd like the procedure to run continuously. I also call the same procedure with different parameters which determine which messages will get pulled off. My questions are these:
    1. What is the best practice for keeping this procedure running continuously? If the client side connection is eventually terminated, will the process keep running? Set a timeout somewhere for no timeout?
    2. How to determine which procedure instances are running. I'm thinking I may need to create different schemas that have execute privilege for the different instances so that I can at least tell which process is which. Is there a better way to tell which is which if I need to kill one?
    thanks,
    dan

    > 1. what is the best practice for keeping this procedure running continuously? If the client
    > side connection is eventually terminated will the process keep running? Set timeout
    > somewhere for no timeout?
    DBMS_JOB or DBMS_SCHEDULER processes are ideal as these have no client part.
    As for a client.. when it dies, it usually takes its server process with it. As soon as Oracle notices that the client is gone (usually when it attempts to send data to it), it will terminate the dedicated server process that serviced the client, or it will clean up the virtual circuit of the shared server session that serviced that client.
    > 2. How to determine which procedure instances are running. I'm thinking I may need to
    > create different schemas that have execute priviledge for the different instances so that
    > I can atleast tell which process is which. Is there a better way to tell which is which if I
    > need to kill one?
    With DBMS_JOB/DBMS_SCHEDULER it is easy. You check the RUNNINGJOBS views. Details on these are in the Oracle® Database Reference guide: http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/toc.htm
