Endpoint Protection not updating
Hi all,
Not sure if this is the right forum but I couldn't see one for Endpoint Protection.
I've been having some troubles updating EP on 2 of my 40 or so machines for a while and I can't work it out. Basically they aren't seeing that EP updates are available to install for them.
I've uninstalled EP and the CM client. They re-installed fine. The 2 machines are getting the same policies as the others. I've deleted the Software Distribution directory, reset BITS, deleted the qr*.dat files.
When I initiate a Software Updates scan from the Configuration Mgr client this is what appears in my WindowsUpdate.log
2013-05-13 09:18:15:205 5704 19b8 COMAPI -------------
2013-05-13 09:18:15:205 5704 19b8 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2013-05-13 09:18:15:205 5704 19b8 COMAPI ---------
2013-05-13 09:18:15:210 948 a04 Agent *************
2013-05-13 09:18:15:210 5704 19b8 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2013-05-13 09:18:15:210 948 a04 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2013-05-13 09:18:15:210 948 a04 Agent *********
2013-05-13 09:18:15:210 948 a04 Agent * Include potentially superseded updates
2013-05-13 09:18:15:210 948 a04 Agent * Online = Yes; Ignore download priority = Yes
2013-05-13 09:18:15:210 948 a04 Agent * Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')"
2013-05-13 09:18:15:210 948 a04 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2013-05-13 09:18:15:210 948 a04 Agent * Search Scope = {Machine}
2013-05-13 09:18:15:538 948 a04 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2013-05-13 09:18:15:538 948 a04 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://%FQDN%8530/ClientWebService/client.asmx
2013-05-13 09:19:16:523 948 a04 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <%PROXYIP%> Bypass List used : <(null)> Auth Schemes used : <>
2013-05-13 09:19:16:523 948 a04 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2013-05-13 09:19:16:523 948 a04 PT + Caller provided proxy = No
2013-05-13 09:19:16:523 948 a04 PT + Proxy list used = %PROXYIP%
2013-05-13 09:19:16:523 948 a04 PT + Bypass list used = <NULL>
2013-05-13 09:19:16:523 948 a04 PT + Caller provided credentials = No
2013-05-13 09:19:16:523 948 a04 PT + Impersonate flags = 0
2013-05-13 09:19:16:523 948 a04 PT + Possible authorization schemes used =
2013-05-13 09:19:16:523 948 a04 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2013-05-13 09:19:16:524 948 a04 PT WARNING: PTError: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 PT WARNING: RefreshConfig failed: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 PT WARNING: RefreshPTState failed: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 PT WARNING: Sync of Updates: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2013-05-13 09:19:16:524 948 a04 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2013-05-13 09:19:16:525 948 a04 Agent * WARNING: Exit code = 0x80072EE2
2013-05-13 09:19:16:525 948 a04 Agent *********
2013-05-13 09:19:16:525 948 a04 Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
2013-05-13 09:19:16:525 948 a04 Agent *************
2013-05-13 09:19:16:525 948 a04 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2013-05-13 09:19:16:526 5704 19b8 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
2013-05-13 09:19:16:527 5704 19b8 COMAPI - Updates found = 0
2013-05-13 09:19:16:527 5704 19b8 COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2
2013-05-13 09:19:16:527 5704 19b8 COMAPI ---------
2013-05-13 09:19:16:527 5704 19b8 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]
2013-05-13 09:19:16:527 5704 19b8 COMAPI -------------
2013-05-13 09:19:16:527 5704 19b8 COMAPI WARNING: Operation failed due to earlier error, hr=80072EE2
2013-05-13 09:19:16:527 5704 19b8 COMAPI FATAL: Unable to complete asynchronous search. (hr=80072EE2)
2013-05-13 09:19:21:526 948 a04 Report REPORT EVENT: {4F1FD932-6FB2-4909-BB14-B58ECB839A4B} 2013-05-13 09:19:16:524+1000 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 CcmExec Failure Software Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2013-05-13 09:19:21:543 948 a04 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2013-05-13 09:19:21:543 948 a04 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2013-05-13 09:19:21:543 948 a04 Report CWERReporter finishing event handling. (00000000)
From my research this indicates to me that these computers are trying to access the internet to perform their updates. They should be going to Config Mgr as specified in the policy and then WSUS (MS Updates is not selected in my policy). These machines do not have internet access. The machines that are updating correctly also don't have internet access.
Below is the WUAHandler.log
Its a WSUS Update Source type ({E6405AF2-4712-4848-8E46-A6AFF1872B0A}), adding it. WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Existing WUA Managed server was already set (%FQDN%:8530), skipping Group Policy registration. WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Added Update Source ({E6405AF2-4712-4848-8E46-A6AFF1872B0A}) of content type: 2 WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Scan results will include superseded updates only when they are superseded by service packs and definition updates. WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Search Criteria is (DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver') WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Async searching of updates using WUAgent started. WUAHandler 13/05/2013 9:18:15 AM 6584 (0x19B8)
Async searching completed. WUAHandler 13/05/2013 9:19:16 AM 5152 (0x1420)
OnSearchComplete - Failed to end search job. Error = 0x80072ee2. WUAHandler 13/05/2013 9:19:16 AM 6584 (0x19B8)
Scan failed with error = 0x80072ee2. WUAHandler 13/05/2013 9:19:16 AM 6584 (0x19B8)
Any help would be awesome
Thanks
Thanks for the reply.
It shouldn't be a proxy issue as the computers aren't configured to use a proxy. Nothing is ticked in IE settings about connecting to the Internet and the netsh winhttp show proxy gives me a direct connection.
Nothing in bypass list as well.
I checked these settings on a machine that is working and the settings are the same.
I looked in the scanagent.log and got this
- -Processing Scan Job TTL invalidity request ScanAgent 16/05/2013 3:02:17 PM 4376 (0x1118)
Message received: '<?xml version='1.0' ?> <UpdateSourceMessage MessageType='ScanByUpdateSource'>
<ForceScan>TRUE</ForceScan>
<UpdateSourceIDs>
<ID>{E6405AF2-4712-4848-8E46-A6AFF1872B0A} </ID>
</UpdateSourceIDs>
</UpdateSourceMessage>'
ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
*****ScanByUpdateSource request received with ForceReScan=2, ScanOptions=0x0000000a, WSUSLocationTimeout = 604800 ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
Sources are not current ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
ScanJob({9B789A83-3229-4658-99E4-0FD797B48AB0}): - - - - - -Locations requested for ScanJobID={9B789A83-3229-4658-99E4-0FD797B48AB0} (LocationRequestID={5D090B44-18AC-4153-AEB4-55CE285A7CD1}), will process the scan request once locations are available. ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
*****WSUSLocationUpdate received for location request guid={5D090B44-18AC-4153-AEB4-55CE285A7CD1} ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
Sources are not current ScanAgent 16/05/2013 3:02:19 PM 3680 (0x0E60)
ScanJob({9B789A83-3229-4658-99E4-0FD797B48AB0}): CScanJob::OnScanComplete -Scan Failed with Error=0x80244019 ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
ScanJob({9B789A83-3229-4658-99E4-0FD797B48AB0}): CScanJob::ScheduleScanRetry- ScanRetry Timer task successfully scheduled. Will wake up in next 1800 seconds ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
ScanJob({9B789A83-3229-4658-99E4-0FD797B48AB0}): CScanJob::OnScanComplete - Scan Retry successfully scheduled ScanAgent 16/05/2013 3:02:19 PM 5348 (0x14E4)
ScanJob({9B789A83-3229-4658-99E4-0FD797B48AB0}): CScanJobManager::OnScanComplete- Scan has failed, scan request will be pending for scan retry cycle. ScanAgent 16/05/2013 3:02:20 PM 5348 (0x14E4)
CScanAgent::ScanCompleteCallback - failed at OnScanComplete with error=0x87d00631 ScanAgent 16/05/2013 3:02:20 PM 5348 (0x14E4)
Doesn't make any sense to me
I can use IE to hit the wsus/sccm server (roles installed on same machine). It will prompt me to download or save the *.cab files as well.
Similar Messages
Log file for manual download Endpoint Protection Definition Updates
Hi,
I am manually downloading Endpoint Protection definition updates from SCCM 2012 R2. Which log file do I have to check for download progress?
Regards,
Manzoor Ahmed
If you are downloading updates manually you will need to have an alternate source other than ConfigMgr for definition updates.
https://support.microsoft.com/en-us/kb/2831244?wa=wsignin1.0
Here is a list of the logs for SCEP.
http://chadstech.net/scep-2012-client-log-files/
The logs depend on which sources you have set for updates, if you have updates coming from windows update or WSUS then you could look at WindowsUpdate.log
SCCM 2012 Endpoint Protection initial update not downloaded
Hi,
I'm new to SCCM 2012. I recently started deploying the Endpoint Protection to all of clients (Windows 7 and XP Pro).
I've noticed that some clients have not been updating their initial definitions after the Endpoint Protection Software is installed.
Since they are not updating their definitions the client remains unprotected with the status icon in red.
The odd thing is that some of our computers do the initial update just fine while others are affected.
Also if I click update manually then the update goes through no issue, but with 100+ clients not updated it's not something I want to do manually.
The clients are set to receive auto updates via an auto deployment rule.
Also the antimalware policy is set to do updates as well in this order:
Config Mgr
WSUS
Microsoft Malware Protection Center
Microsoft Update
Has anyone seen this before?
If I need to upload any specific logs just let me know.
Many Thanks
Do you have Software update configured (and working) thru ConfigMgr or using a standalone WSUS?
Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals
Why is KB2884678 Endpoint Protection Client Update Expired?
Hi,
KB2884678 Update for System Center Endpoint Protection 2012 suddenly expired in my SCCM Software Update Library. This was just released 10/9/2013. After testing and planned deployment, I was able to install this to the majority of my clients and servers. However, now it is expired and I am not done yet.
Why did this update suddenly expire on SCCM? Is there something going on? I don't see a replacement either.
Thanks! Although it's a bit confusing because it says it superseded KB2865173 and does not mention 2884678. But you are right. This must be the replacement because 2884678 brings the client to version 4.3 while 2907566 brings the client to 4.4.
So I guess, do you know by any chance if installing Cumulative Update 3 will upgrade my clients to 4.4 or still 4.3?
Endpoint Protection Signature Updates taking up Terabytes of Internet Data
I have my antimalware policy set up as below. I've been looking at web traffic reports on our firewalls and I can see that as of mid-December a lot of clients are going to the internet for their EP definition updates. In January alone client machines used up 44 TB of data going to download.windowsupdate.com for updates.
I don't really understand why as my policy says not to even use Microsoft Update as a source at all.
What I've noticed on the firewall reports is that Monday resulted in literally 100 times more traffic than Wednesday which led to me thinking it might have something to do with the "If configuration manager is used as a source for definition updates ...." setting. This setting has a default value of 72 hours so if a client gets an update at 8 am on Friday morning then is turned off on Friday afternoon for the weekend and doesn't get turned on until 9 am on Monday morning this would mean it hasn't had an update in 73 hours.
What happens at this point? It looks like the client goes to download.windowsupdate.com even when the policy says not to. It also looks like it doesn't first check for updates from Config Manager before it does this.
Another thing that doesn't make much sense is that this only started happening mid-December and I had been using SCCM for EP updates for nearly two months by that time.
Any ideas?
Hibs Ya Bass!
There is no value in that registry key.
However I have noticed that my ADRs have the below setting. I'm not sure what will happen with this setting enabled when I have no fallback locations configured.
Here are some logs of a typical PC going to the internet for updates - remember not all PCs are doing this.
From the mplogxxxx.log below you can see the EP client starting up at 23:50 UTC with version 1.67.1843.0 signatures installed. This version is out of date.
**************************END RTP Perf Log*************************
2014-03-16T23:50:33.339Z Verifying license file...
2014-03-16T23:50:33.339Z verified!
2014-03-16T23:50:33.339Z Product supports installmode: 0
2014-03-16T23:50:33.620Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.4.304.0
Service Version: 4.4.304.0
Engine Version: 1.1.10302.0
AS Signature Version: 1.167.1843.0
AV Signature Version: 1.167.1843.0
2014-03-16T23:51:24.971Z Process scan (poststartupscan) started.
2014-03-16T23:51:26.572Z Process scan (poststartupscan) completed.
2014-03-16T23:53:05.128Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2014-03-16T23:53:05.128Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2014-03-16T23:57:58.214Z Task(SpyNetService -RestrictPrivileges -AccessKey 613C3C1F-F85A-BCED-39AF-C0B481FC03E0) launched
2014-03-17T00:00:31.917Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 190246545(ms)
2014-03-17T00:00:31.917Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 1454570(ms)
2014-03-17T00:00:31.918Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 65506808(ms)
2014-03-17T00:00:32.197Z AutoPurgeWorker triggered with dwWork=0x3
2014-03-17T00:00:32.197Z Product supports installmode: 0
==========================================================================
A few minutes later at 23:55 (07:53 local time) the below happens in the WindowsUpdate.log where you can clearly see the client downloading the latest signatures from download.windowsupdate.com (I've removed some of the rows where the WU engine goes through all the updates to get under the 60,000 character limit).
================================================================
2014-03-17 07:53:03:403 452 1398 Misc =========== Logging initialized (build: 7.6.7600.256, tz: +0800) ===========
2014-03-17 07:53:03:465 452 1398 Misc = Process: C:\windows\system32\svchost.exe
2014-03-17 07:53:03:480 452 1398 Misc = Module: c:\windows\system32\wuaueng.dll
2014-03-17 07:53:03:403 452 1398 Service *************
2014-03-17 07:53:03:480 452 1398 Service ** START ** Service: Service startup
2014-03-17 07:53:03:480 452 1398 Service *********
2014-03-17 07:53:04:351 452 1398 Agent * WU client version 7.6.7600.256
2014-03-17 07:53:04:351 452 1398 Agent * Base directory: C:\windows\SoftwareDistribution
2014-03-17 07:53:04:351 452 1398 Agent * Access type: No proxy
2014-03-17 07:53:04:366 452 1398 Agent * Network state: Connected
2014-03-17 07:53:17:688 452 bf4 Report CWERReporter::Init succeeded
2014-03-17 07:53:17:688 452 bf4 Agent *********** Agent: Initializing Windows Update Agent ***********
2014-03-17 07:53:17:688 452 bf4 Agent *********** Agent: Initializing global settings cache ***********
2014-03-17 07:53:17:688 452 bf4 Agent * WSUS server: HTTP://mySiteServer.domain.GLOBAL:8530
2014-03-17 07:53:17:688 452 bf4 Agent * WSUS status server: HTTP://mySiteServer.domain.GLOBAL:8530
2014-03-17 07:53:17:688 452 bf4 Agent * Target group: (Unassigned Computers)
2014-03-17 07:53:17:688 452 bf4 Agent * Windows Update access disabled: No
2014-03-17 07:53:17:719 452 bf4 DnldMgr Download manager restoring 0 downloads
2014-03-17 07:53:18:045 452 1398 Report *********** Report: Initializing static reporting data ***********
2014-03-17 07:53:18:045 452 1398 Report * OS Version = 6.1.7601.1.0.65792
2014-03-17 07:53:18:045 452 1398 Report * OS Product Type = 0x00000004
2014-03-17 07:53:18:061 452 1398 Report * Computer Brand = Hewlett-Packard
2014-03-17 07:53:18:061 452 1398 Report * Computer Model = HP Z210 Workstation
2014-03-17 07:53:18:061 452 1398 Report * Bios Revision = J51 v01.20
2014-03-17 07:53:18:061 452 1398 Report * Bios Name = Default System BIOS
2014-03-17 07:53:18:061 452 1398 Report * Bios Release Date = 2011-09-16T00:00:00
2014-03-17 07:53:18:061 452 1398 Report * Locale ID = 3081
2014-03-17 07:53:23:144 452 9fc Report CWERReporter finishing event handling. (00000000)
2014-03-17 07:53:23:362 4672 a50 Misc =========== Logging initialized (build: 7.6.7600.256, tz: +0800) ===========
2014-03-17 07:53:23:362 4672 a50 Misc = Process: C:\windows\CCM\CcmExec.exe
2014-03-17 07:53:23:362 4672 a50 Misc = Module: C:\Windows\system32\wuapi.dll
2014-03-17 07:53:23:362 4672 a50 COMAPI -------------
2014-03-17 07:53:23:362 4672 a50 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:53:23:362 4672 a50 COMAPI ---------
2014-03-17 07:53:23:470 452 9fc Agent *************
2014-03-17 07:53:23:470 452 9fc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:53:23:470 452 9fc Agent *********
2014-03-17 07:53:23:470 4672 a50 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:53:23:470 452 9fc Agent * Include potentially superseded updates
2014-03-17 07:53:23:470 452 9fc Agent * Online = No; Ignore download priority = Yes
2014-03-17 07:53:23:470 452 9fc Agent * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E6CF1350-C01B-414D-A61F-263D14D133B4'))"
2014-03-17 07:53:23:470 452 9fc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17 07:53:23:470 452 9fc Agent * Search Scope = {Machine}
2014-03-17 07:53:50:191 452 1398 AU ########### AU: Initializing Automatic Updates ###########
2014-03-17 07:53:50:378 452 1398 AU AU setting next sqm report timeout to 2014-03-16 23:53:50
2014-03-17 07:53:50:378 452 1398 AU # AU disabled through Policy
2014-03-17 07:53:50:378 452 1398 AU # Will interact with non-admins (Non-admins are elevated (User preference))
2014-03-17 07:53:50:409 452 1398 AU Initializing featured updates
2014-03-17 07:53:50:409 452 1398 AU Found 0 cached featured updates
2014-03-17 07:53:50:409 452 1398 AU Successfully wrote event for AU health state:0
2014-03-17 07:53:50:409 452 1398 AU Successfully wrote event for AU health state:0
2014-03-17 07:53:50:409 452 1398 AU AU finished delayed initialization
2014-03-17 07:53:50:409 452 1398 AU AU setting next sqm report timeout to 2014-03-17 23:53:50
2014-03-17 07:55:40:569 452 9fc Agent *************
2014-03-17 07:55:40:591 452 9fc Report CWERReporter finishing event handling. (00000000)
2014-03-17 07:55:40:592 4672 e6c COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:55:40:936 4672 e6c COMAPI - Updates found = 96
2014-03-17 07:55:40:936 4672 e6c COMAPI ---------
2014-03-17 07:55:40:936 4672 e6c COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:55:40:936 4672 e6c COMAPI -------------
2014-03-17 07:56:38:889 4672 1534 COMAPI -------------
2014-03-17 07:56:38:889 4672 1534 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:56:38:889 4672 1534 COMAPI ---------
2014-03-17 07:56:38:891 452 9fc Agent *************
2014-03-17 07:56:38:891 452 9fc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:56:38:891 452 9fc Agent *********
2014-03-17 07:56:38:891 4672 1534 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:56:38:891 452 9fc Agent * Include potentially superseded updates
2014-03-17 07:56:38:891 452 9fc Agent * Online = No; Ignore download priority = Yes
2014-03-17 07:56:38:891 452 9fc Agent * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E6CF1350-C01B-414D-A61F-263D14D133B4'))"
2014-03-17 07:56:38:891 452 9fc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17 07:56:38:891 452 9fc Agent * Search Scope = {Machine}
279C58FA-1C7C-41B2-81F5-F9D92DD1D8E6}.200 to search result
2014-03-17 07:56:46:433 452 9fc Agent * Added update {B1D0B8FF-1023-438F-BE07-CD893F229A68}.200 to search result
2014-03-17 07:56:46:462 452 9fc Agent * Found 96 updates and 10 categories in search; evaluated appl. rules of 1952 out of 3516 deployed entities
2014-03-17 07:56:46:463 452 9fc Agent *********
2014-03-17 07:56:46:463 452 9fc Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:56:46:463 452 9fc Agent *************
2014-03-17 07:56:46:488 4672 a34 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:56:46:515 4672 a34 COMAPI - Updates found = 96
2014-03-17 07:56:46:515 4672 a34 COMAPI ---------
2014-03-17 07:56:46:515 4672 a34 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:56:46:515 4672 a34 COMAPI -------------
2014-03-17 07:59:28:666 4672 1ba0 COMAPI -------------
2014-03-17 07:59:28:666 4672 1ba0 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:59:28:666 4672 1ba0 COMAPI ---------
2014-03-17 07:59:28:668 4672 1ba0 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:59:28:668 452 9fc Agent *************
2014-03-17 07:59:28:668 452 9fc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:59:28:668 452 9fc Agent *********
2014-03-17 07:59:28:668 452 9fc Agent * Include potentially superseded updates
2014-03-17 07:59:28:668 452 9fc Agent * Online = Yes; Ignore download priority = Yes
2014-03-17 07:59:28:668 452 9fc Agent * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'A38C835C-2950-4E87-86CC-6911A52C34A3'))"
2014-03-17 07:59:28:668 452 9fc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17 07:59:28:668 452 9fc Agent * Search Scope = {Machine}
2014-03-17 07:59:28:755 452 9fc PT WARNING: Cached cookie has expired or new PID is available
2014-03-17 07:59:28:755 452 9fc PT Initializing simple targeting cookie, clientId = 553c311c-66c6-4896-a549-521f549398a5, target group = , DNS name = mySiteServer.domain.global
2014-03-17 07:59:28:755 452 9fc PT Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/SimpleAuthWebService/SimpleAuth.asmx
2014-03-17 07:59:29:227 452 9fc PT +++++++++++ PT: Starting category scan +++++++++++
2014-03-17 07:59:29:227 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 07:59:29:406 452 9fc PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-03-17 07:59:29:406 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 07:59:30:089 452 9fc PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2014-03-17 07:59:30:089 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 07:59:55:387 4672 1534 COMAPI ---------
2014-03-17 07:59:55:388 4672 1534 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 07:59:55:388 452 9fc Agent *************
2014-03-17 07:59:55:388 452 9fc Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 07:59:55:388 452 9fc Agent *********
2014-03-17 07:59:55:388 452 9fc Agent * Include potentially superseded updates
2014-03-17 07:59:55:388 452 9fc Agent * Online = Yes; Ignore download priority = Yes
2014-03-17 07:59:55:388 452 9fc Agent * Criteria = "((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E0789628-CE08-4437-BE74-2495B842F43B'))"
2014-03-17 07:59:55:389 452 9fc Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-03-17 07:59:55:389 452 9fc Agent * Search Scope = {Machine}
2014-03-17 07:59:55:433 452 9fc PT +++++++++++ PT: Starting category scan +++++++++++
2014-03-17 07:59:55:433 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 08:00:02:360 452 9fc PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-03-17 08:00:02:360 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 08:00:16:100 452 9fc Agent WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013
2014-03-17 08:00:18:951 452 9fc PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2014-03-17 08:00:18:951 452 9fc PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://mySiteServer.domain.GLOBAL:8530/ClientWebService/client.asmx
2014-03-17 08:00:19:974 452 1398 AU Can not perform non-interactive scan if AU is interactive-only
2014-03-17 08:00:19:979 452 9fc Agent *************
2014-03-17 08:00:20:008 452 9fc Report REPORT EVENT: {B2A79652-BABC-46DE-B505-B6CB6D5CD9A8} 2014-03-17 08:00:19:978+0800 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 CcmExec Success Software Synchronization Windows Update Client successfully detected 12 updates.
2014-03-17 08:00:20:008 452 9fc Report CWERReporter finishing event handling. (00000000)
2014-03-17 08:00:20:008 4672 1534 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 08:00:20:013 4672 1534 COMAPI - Updates found = 12
2014-03-17 08:00:20:013 4672 1534 COMAPI ---------
2014-03-17 08:00:20:013 4672 1534 COMAPI -- END -- COMAPI: Search [ClientId = CcmExec]
2014-03-17 08:00:20:013 4672 1534 COMAPI -------------
2014-03-17 08:00:24:973 452 9fc Report CWERReporter finishing event handling. (00000000)
2014-03-17 08:24:46:620 5620 1890 Misc =========== Logging initialized (build: 7.6.7600.256, tz: +0800) ===========
2014-03-17 08:24:46:620 5620 1890 Misc = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2014-03-17 08:24:46:620 5620 1890 Misc = Module: C:\Windows\system32\wuapi.dll
2014-03-17 08:24:46:620 5620 1890 COMAPI -------------
2014-03-17 08:24:46:620 5620 1890 COMAPI -- START -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:46:620 5620 1890 COMAPI ---------
2014-03-17 08:24:46:623 5620 1890 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:46:623 452 1a78 Agent *************
2014-03-17 08:24:46:623 452 1a78 Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:46:623 452 1a78 Agent *********
2014-03-17 08:24:46:623 452 1a78 Agent * Online = Yes; Ignore download priority = No
2014-03-17 08:24:46:623 452 1a78 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2014-03-17 08:24:46:623 452 1a78 Agent * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-03-17 08:24:46:623 452 1a78 Agent * Search Scope = {Machine}
2014-03-17 08:24:46:657 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-17 08:24:46:706 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:48:018 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-03-17 08:24:48:025 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:48:073 452 1a78 Agent Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://ds.download.windowsupdate.com/v10/1/microsoftupdate/redir/muauth.cab
2014-03-17 08:24:48:073 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:
2014-03-17 08:24:48:083 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:48:644 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:
2014-03-17 08:24:48:650 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:48:755 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:48:762 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:49:139 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:49:146 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:49:156 452 1a78 PT WARNING: Cached cookie has expired or new PID is available
2014-03-17 08:24:51:859 452 1a78 PT +++++++++++ PT: Starting category scan +++++++++++
2014-03-17 08:24:51:860 452 1a78 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17 08:24:52:293 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:52:296 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:52:570 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:52:577 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:52:584 452 1a78 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-03-17 08:24:52:584 452 1a78 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17 08:24:52:584 452 1a78 PT WARNING: Cached cookie has expired or new PID is available
2014-03-17 08:24:54:237 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:54:241 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:54:851 452 1a78 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muredir.cab:
2014-03-17 08:24:54:857 452 1a78 Misc Microsoft signed: Yes
2014-03-17 08:24:54:864 452 1a78 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2014-03-17 08:24:54:864 452 1a78 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17 08:24:55:403 452 1398 AU Can not perform non-interactive scan if AU is interactive-only
2014-03-17 08:24:55:405 452 1a78 Agent Update {59B2BB4D-839D-4719-8905-48902D4F9E0B}.200 is pruned out due to potential supersedence
2014-03-17 08:24:55:405 452 1a78 Agent Update {759CD48D-010A-42E7-84DE-AC43603E653D}.200 is pruned out due to potential supersedence
2014-03-17 08:24:55:405 452 1a78 Agent Update {B31982D9-2558-4A53-8EC7-9FF0E865698C}.200 is pruned out due to potential supersedence
2014-03-17 08:24:55:406 452 1a78 Agent Update {DB9D9C73-2729-4248-9314-663B427AF113}.200 is pruned out due to potential supersedence
2014-03-17 08:24:55:406 452 1a78 Agent Update {7AF502C1-C821-414B-9FD3-47F52F3FD523}.200 is pruned out due to potential supersedence
2014-03-17 08:24:55:406 452 1a78 Agent * Added update {33FBE82E-BE96-48C4-9C34-F6AEC8569DC7}.200 to search result
2014-03-17 08:24:55:406 452 1a78 Agent * Found 1 updates and 4 categories in search; evaluated appl. rules of 61 out of 76 deployed entities
2014-03-17 08:24:55:413 452 1a78 Agent *********
2014-03-17 08:24:55:413 452 1a78 Agent ** END ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:413 452 1a78 Agent *************
2014-03-17 08:24:55:414 5620 1518 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:416 5620 1518 COMAPI - Updates found = 1
2014-03-17 08:24:55:416 5620 1518 COMAPI ---------
2014-03-17 08:24:55:416 5620 1518 COMAPI -- END -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:416 5620 1518 COMAPI -------------
2014-03-17 08:24:55:419 5620 b4c COMAPI -------------
2014-03-17 08:24:55:419 5620 b4c COMAPI -- START -- COMAPI: Download [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:419 5620 b4c COMAPI ---------
2014-03-17 08:24:55:419 5620 b4c COMAPI - Forced: No; Download priority: 2
2014-03-17 08:24:55:419 5620 b4c COMAPI - Updates in request: 1
2014-03-17 08:24:55:419 5620 b4c COMAPI - ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-03-17 08:24:55:422 5620 b4c COMAPI <<-- SUBMITTED -- COMAPI: Download [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:422 452 1a78 DnldMgr *************
2014-03-17 08:24:55:422 452 1a78 DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:422 452 1a78 DnldMgr *********
2014-03-17 08:24:55:422 452 1a78 DnldMgr * Call ID = {E0013492-D13F-43AB-896F-8521DE916FCD}
2014-03-17 08:24:55:422 452 1a78 DnldMgr * Priority = 2, Interactive = 1, Owner is system = 1, Explicit proxy = 1, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2014-03-17 08:24:55:422 452 1a78 DnldMgr * Updates to download = 1
2014-03-17 08:24:55:422 452 1a78 Agent * Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.167.2113.0)
2014-03-17 08:24:55:422 452 1a78 Agent * UpdateId = {33FBE82E-BE96-48C4-9C34-F6AEC8569DC7}.200
2014-03-17 08:24:55:422 452 1a78 Agent * Bundles 3 updates:
2014-03-17 08:24:55:422 452 1a78 Agent * {7E4CD222-2348-4617-A8FD-4608CA0F5D9C}.200
2014-03-17 08:24:55:422 452 1a78 Agent * {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200
2014-03-17 08:24:55:422 452 1a78 Agent * {F7095866-6910-4D42-B4BE-AA4ECE02D6CA}.200
2014-03-17 08:24:55:441 452 1a78 DnldMgr *********** DnldMgr: New download job [UpdateId = {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200] ***********
2014-03-17 08:24:55:492 452 1a78 DnldMgr * BITS job initialized, JobId = {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC}
2014-03-17 08:24:55:492 452 1a78 DnldMgr BITS job {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC} using proxy = nzpr01.domain.co.nz:8080;proxy.domain.co.nz:8080, bypass = <NULL>
2014-03-17 08:24:55:539 452 1a78 DnldMgr * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/nis_delta_patch_35110c44392d4ed2952852248b7d4e98730d59d7.exe
to C:\windows\SoftwareDistribution\Download\5d16f20387cc485e8ab3f76cf00d482d\35110c44392d4ed2952852248b7d4e98730d59d7 (full file).
2014-03-17 08:24:55:617 452 1a78 DnldMgr *********** DnldMgr: New download job [UpdateId = {F7095866-6910-4D42-B4BE-AA4ECE02D6CA}.200] ***********
2014-03-17 08:24:55:676 452 1a78 DnldMgr * BITS job initialized, JobId = {34C6823B-B255-429F-ABB3-31D850C69994}
2014-03-17 08:24:55:676 452 1a78 DnldMgr BITS job {34C6823B-B255-429F-ABB3-31D850C69994} using proxy = nzpr01.domain.co.nz:8080;proxy.domain.co.nz:8080, bypass = <NULL>
2014-03-17 08:24:55:792 452 1a78 DnldMgr * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/am_delta_4561a4006e1295d251371592cbebc2c18adcca43.exe
to C:\windows\SoftwareDistribution\Download\8439bb6ce5944930522a2c27c57de50e\4561a4006e1295d251371592cbebc2c18adcca43 (full file).
2014-03-17 08:24:55:943 452 1a78 Agent *********
2014-03-17 08:24:55:943 452 1a78 Agent ** END ** Agent: Downloading updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:943 452 1a78 Agent *************
2014-03-17 08:25:00:411 452 1a78 Report REPORT EVENT: {4215F4AF-AAF5-4BB5-BE2C-BB09A9BA6176} 2014-03-17 08:24:55:412+0800 1
147 101 {00000000-0000-0000-0000-000000000000} 0 0 System Center Endpoint Protecti Success Software Synchronization
Windows Update Client successfully detected 1 updates.
2014-03-17 08:25:00:411 452 1a78 Report CWERReporter finishing event handling. (00000000)
2014-03-17 08:25:17:443 452 134c DnldMgr BITS job {774F570F-FF72-408E-B8F9-1A9EC2A9DFEC} completed successfully
2014-03-17 08:25:17:486 452 134c Misc Validating signature for C:\windows\SoftwareDistribution\Download\5d16f20387cc485e8ab3f76cf00d482d\35110c44392d4ed2952852248b7d4e98730d59d7:
2014-03-17 08:25:17:496 452 134c Misc Microsoft signed: Yes
2014-03-17 08:25:17:499 452 134c DnldMgr Download job bytes total = 76056, bytes transferred = 76056
2014-03-17 08:25:17:500 452 134c DnldMgr *********** DnldMgr: New download job [UpdateId = {85F7798B-FE1C-4AAB-8B5C-313B2ACB1778}.200] ***********
2014-03-17 08:25:17:501 452 134c DnldMgr * All files for update were already downloaded and are valid.
2014-03-17 08:25:22:501 452 1a78 Report CWERReporter finishing event handling. (00000000)
Hibs Ya Bass! -
Endpoint Protection Definition Update Source
I need to determine where an Endpoint Protection Client is getting updates from, whether it's the SCCM server, WSUS, or Microsoft's Windows Update. Is there a log file somewhere that I could use to determine that information?
Vincent Sprague
Have a look in C:\Windows\Windowsupdate.log.
-
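One way to read the answer to that question out of WindowsUpdate.log, as an added example that is not part of the original thread: group each scan server and download host by the CallerId that requested it. The sample lines are constructed in the log layout quoted on this page (`wsus.example.internal` and the file names are placeholders), and treating every non-Microsoft host as an internal WSUS or software update point is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the classic WindowsUpdate.log layout quoted on this page.
# wsus.example.internal and the download file name are placeholders.
SAMPLE_LOG = r"""
2014-03-17 08:24:40:100 452 1a78 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 08:24:40:300 452 1a78 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://wsus.example.internal:8530/ClientWebService/client.asmx
2014-03-17 08:24:41:000 452 1a78 Agent ** END ** Agent: Finding updates [CallerId = CcmExec]
2014-03-17 08:24:51:000 452 1a78 Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:51:860 452 1a78 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://update.microsoft.com/v6/ClientWebService/client.asmx
2014-03-17 08:24:55:413 452 1a78 Agent ** END ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-03-17 08:24:55:539 452 1a78 DnldMgr * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2014/03/am_delta_example.exe
to C:\windows\SoftwareDistribution\Download\example (full file).
"""

MICROSOFT_UPDATE = "Microsoft Update"
MANAGED_SERVER = "managed server (WSUS / ConfigMgr software update point)"
# Assumption: any scan or download host outside these domains is an internal server.
MICROSOFT_DOMAINS = ("update.microsoft.com", "windowsupdate.com")

# timestamp, PID, TID (hex), component, message
RECORD = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}\s+(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(.*)$"
)
CALLER = re.compile(r"\[CallerId = (.+)\]\s*$")
SERVER = re.compile(r"Server URL =\s*(\S+)")
DOWNLOAD = re.compile(r"Downloading from (\S+)")


def parse_records(text):
    """Return [pid, tid, component, message] records, folding wrapped lines
    (lines without a timestamp) into the record above them."""
    records = []
    for line in text.splitlines():
        match = RECORD.match(line)
        if match:
            records.append(list(match.groups()))
        elif line.strip() and records:
            records[-1][3] += " " + line.strip()
    return records


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def classify(url):
    """Label a scan or download URL by where it points."""
    host = host_of(url)
    if not host:
        return "unknown"
    for domain in MICROSOFT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return MICROSOFT_UPDATE
    return MANAGED_SERVER


def update_sources(text):
    """Map each CallerId to the sorted (activity, source, host) tuples it used."""
    current_caller = {}  # (pid, tid) -> last CallerId seen on that agent thread
    sources = defaultdict(set)
    for pid, tid, _component, message in parse_records(text):
        key = (pid, tid)
        caller = CALLER.search(message)
        if caller:
            current_caller[key] = caller.group(1)
            continue
        who = current_caller.get(key, "unknown caller")
        for activity, pattern in (("scan", SERVER), ("download", DOWNLOAD)):
            found = pattern.search(message)
            if found:
                url = found.group(1)
                sources[who].add((activity, classify(url), host_of(url)))
    return {who: sorted(found) for who, found in sources.items()}


if __name__ == "__main__":
    for who, found in update_sources(SAMPLE_LOG).items():
        for activity, source, host in found:
            print(f"{who}: {activity} via {source} [{host}]")
```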
Forefront Endpoint Protection 2010 updates are not listed as expired
Hello, so I am working on getting the right update groups setup within SCCM2012.
I ran into a bunch of updates for FEP2010 that should be expired, but they are not, how do I expire them?
To be more specific, these are listed as good updates but should be expired in my opinion -
KB2461484 (Definition 1.123.832)
KB2461484 (Definition 1.145.1695)
KB2461484 (Definition 1.155.997)
KB2461484 (Definition 1.175.1328)
The latest definitions update as of today is KB2461484 (Definition 1.191.3456) which is in green which is normal.
Perhaps, somehow, I have no idea how, they were missed in your catalog update process.
See the answer from Lawrence Garvin in this thread:
Windows 8
Defender Showing Hundreds of Needed Definitions After Most Recent Definition Installed
"This is a known issue. It's caused by the limited number of *superseded* updates that can be listed on the newest update."
Rolf Lidvall, Swedish Radio (Ltd) -
System Center Endpoint Protection Definition Updates
Hi can anyone advise deploying definitions via SCCM 2012 and selecting the source as being "Updates distributed from Configuration Manager" does that mean each client will go to the Primary Site to get updates? Or by using ADR will it ensure that definitions come via distribution points?
Also another question, as sccm 2012 is not rolled out to all sites yet, and will be deploying unmanaged clients, when I deploy the SCEP client offline un-managed with a policy file, is there a way then later to change policy on the client by command line?
You could configure updating SCEP in many ways, including:
Updates distributed from Configuration Manager – This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.
Updates distributed from Windows Server Update Services (WSUS) – This method uses your WSUS infrastructure to deliver definition and engine updates to computers.
Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.
Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.
Updates from UNC file shares – With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.
For more details, please refer to:
http://technet.microsoft.com/en-us/library/jj822983.aspx -
SCCM 2012 Endpoint Protection Definition Update
Hi Guys, can you please help me out with this, some of the clients are not pulling or seeing the latest definition updates from the server.
What do I check?
Again - Start with the EndpointProtectionAgent.log file on the clients
http://technet.microsoft.com/en-us/library/c6675aac-4bb8-4b4b-9075-06b4ecec2a18#BKMK_ClientOpLogs
Nick Moseley | http://t3chn1ck.wordpress.com
What do I look for in the CIDownloader.log? -
Endpoint Protection error: The source folder for content does not exist.
I have a single SCCM 2012 SP1 CU4 server running on Windows Server 2012.
I have been using this for a little more than a month for Endpoint Protection and Windows Updates.
I just recently started seeing that my Endpoint Deployment Package has Failed. I click on "Content Status" and select the Endpoint package (which again shows Failed). I click on "View Status" and I get this message in the "Error" tab:
The source folder for content does not exist.
The Asset Details point to the exact location that does not exist:
The source directory "\\<server>\updates\endpoint\6bd81fde-3a3f-4aa9-bf70-ba007891ca68" for package "<package>" does not exist.
I didn't change anything related to this, and that directory path (\\server\updates\endpoint) is shared and is populated with a lot of other folders.
Is this possibly just a bad update file? Should I manually create that sub-folder that it says is missing?
Any help would be great! Thanks!
Thanks for the quick reply, Torsten. (I often forget which logs to check for certain things).
There are six lines (3 errors -- in italics below) in the log around the same time frame. They read:
The source directory \\sccm-corp\updates\endpoint\6bd81fde-3a3f-4aa9-bf70-ba007891ca68 doesn't exist or the SMS service cannot access it, Win32 last error = 2 SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:46 AM
5920 (0x1720)
STATMSG: ID=2306 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SCCM-Corp.pdcarea.lcl SITE=PDC PID=6008 TID=5920 GMTDATE=Tue May 27 16:54:46.962 2014 ISTR0="\\sccm-corp\updates\endpoint\6bd81fde-3a3f-4aa9-bf70-ba007891ca68" ISTR1="PDC00063"
ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PDC00063" SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:46 AM 5920 (0x1720)
Failed to take snapshot of one or more contents in package PDC00063 SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:46 AM 5920 (0x1720)
CDistributionSrcSQL::UpdateAvailableVersion PackageID=PDC00063, Version=10, Status=2302 SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:46 AM 5920 (0x1720)
STATMSG: ID=2302 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SCCM-Corp.pdcarea.lcl SITE=PDC PID=6008 TID=5920 GMTDATE=Tue May 27 16:54:46.990 2014 ISTR0="Endpoint Protection Definition Updates" ISTR1="PDC00063" ISTR2="" ISTR3=""
ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PDC00063" SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:46 AM 5920 (0x1720)
Failed to process package PDC00063 after 33 retries, will retry 67 more times SMS_DISTRIBUTION_MANAGER 5/27/2014 11:54:47 AM 5920 (0x1720) -
Forefront Endpoint Protection Definitions Not Updated via SCCM (SCCM 2012 SP1)
Hi All
We have an issue of FEP definitions not updating correctly.
1. Clients getting definitions updates from the internet, not SCCM. Any solution?
2. Currently, we have around 20 workstations installed with FEP but having more than 7 different definitions versions within those. Waited for a couple of days but still not updating.. kind of random.
Any advice where to check or what is to be done?
Regards,
Xavier
(Assuming you are using ConfigMgr 2012)
Part of the Antimalware policy is the tab Definition Updates, in this tab you can define the update location(s). Also, in the normal client settings you can disable the client from going online for their initial definitions.
Make sure you are deploying the latest updates via ConfigMgr (either via an ADR, or a custom Software Update Group).
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude -
We upgraded SCCM SP1 to CU5. We got one primary site, on which we had no problems with running the CU setup. After the upgrade we pushed the new administrator console and client.
SP1 CU5 - console update -> Updated on all administrator users (50 computers)
SP1 CU5- x64 and x86 client update -> Updated on pilot group (50 computers)
No problems so far.
We are having troubles updating the Endpoint Protection Client version. This was V4.1.522.0 before the upgrade. When we enroll a new computer, it receives the new V4.5.216.0, which is the last version.
But we can't update our older clients. We try to deploy the software update (Update for Forefront Endpoint Protection 2010 Client - 4.5.216.0 (KB2952678)) but it doesn't install. After 20 minutes, if I look in the Deployment logs, it says the installation was successful; but it isn't, it's still the old version.
Strange thing is, we can upgrade to an in-between version (Update for Forefront Endpoint Protection 2010 Client - 4.3.215.0 (KB2864366)). Which installs on a test client.
If I look to the cache files of the new EP Client update, and use the UpdateInstall.exe manually, the update does install. Then I see in the logfile EndpointProtectionAgent.log it still refers to the version 4.1.522.0.
EP 4.5.216.0 is installed, version is higher than expected installer version 4.1.522.0. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
Re-apply EP AM policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
Apply AM Policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash D277339FA77A9017801399D96266BAD42DE74F38 is NOT changed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
Firewall provider is installed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
Installed firewall provider meet the requirements. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
This is the WindowsUpdate.log when I try to push the new EP client.
2015-01-14 11:24:13:651 7416 1c44 Handler :::::::::
2015-01-14 11:24:13:651 7416 1c44 Handler : Updates to install = 1
2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Command line install completed. Return code = 0x8004ff25, Result = Failed, Reboot required = false
2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Exit code = 0x8024200B
2015-01-14 11:24:21:716 7416 1c44 Handler :::::::::
2015-01-14 11:24:21:716 7416 1c44 Handler :: END :: Handler: Command Line Install
2015-01-14 11:24:21:732 7416 1c44 Handler :::::::::::::
2015-01-14 11:24:21:794 1096 c18 Agent *********
2015-01-14 11:24:21:794 1096 edc AU Can not perform non-interactive scan if AU is interactive-only
2015-01-14 11:24:21:794 1096 c18 Agent ** END ** Agent: Installing updates [CallerId = CcmExec]
2015-01-14 11:24:21:794 1096 c18 Agent *************
2015-01-14 11:24:21:794 2296 fac COMAPI >>-- RESUMED -- COMAPI: Install [ClientId = CcmExec]
2015-01-14 11:24:21:794 2296 fac COMAPI - Install call complete (succeeded = 0, succeeded with errors = 0, failed = 1, unaccounted = 0)
2015-01-14 11:24:21:794 2296 fac COMAPI - Reboot required = No
2015-01-14 11:24:21:794 2296 fac COMAPI - WARNING: Exit code = 0x00000000; Call error code = 0x80240022
2015-01-14 11:24:21:794 2296 fac COMAPI ---------
2015-01-14 11:24:21:794 2296 fac COMAPI -- END -- COMAPI: Install [ClientId = CcmExec]
2015-01-14 11:24:21:794 2296 fac COMAPI -------------
2015-01-14 11:24:21:794 1096 1620 AU Can not perform non-interactive scan if AU is interactive-only
2015-01-14 11:24:26:739 1096 1424 Report REPORT EVENT: {ED287668-4BEF-46FD-BB57-CA17680E5D3B} 2015-01-14 11:24:21:732+0100 1 182 101 {A90C3005-7B59-4268-8B11-12D9BE5C8EA0} 201 80070643 CcmExec Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Update for System Center Endpoint Protection 2012 Client - 4.5.216.0 (KB2952678).
2015-01-14 11:24:27:207 1096 1424 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2015-01-14 11:24:27:207 1096 1424 Report WER Report sent: 7.5.7601.17514 0x80070643 A90C3005-7B59-4268-8B11-12D9BE5C8EA0 Install 101 Managed
2015-01-14 11:24:27:207 1096 1424 Report CWERReporter finishing event handling. (00000000)
Thanks in advance!
Hello,
According to kb2952678:
To apply this update, you must have one of the following installed:
System Center 2012 R2 Configuration Manager Cumulative Update 4 for System Center 2012 Configuration Manager Service Pack
Service Pack 2 for System Center Configuration Manager 2007 and Update Rollup 1 for Forefront Endpoint Protection 2010
Do you have Update Rollup 1 for Forefront Endpoint Protection 2010?
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Report to show Endpoint Protection last time updated?
Hello,
I am trying to create a report to show the Endpoint Protection version and the last time it updated. I found this page of different views but none of them include last update:
http://technet.microsoft.com/en-us/library/dn581986.aspx
Does anyone know a way of doing this or is it not possible?
Thanks
For Custom End Point Report, You can check below link
http://blogs.technet.com/b/configmgrteam/archive/2012/03/28/building-custom-endpoint-protection-reports-in-system-center-2012-configuration-manager.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Mai Ali | My blog: Technical | Twitter:
Mai Ali -
System Center Endpoint Protection creates TEMP Folders / Reinstallation not possible
Hi all,
After I updated from SCCM 2012 RTM to SCCM 2012 R2 CU2 I have an issue on several Servers, which have System Center Endpoint Protection 2012 installed (provided through SCCM Agent).
There are hourly Temp Folders created in C:\Windows\...:
The Temp-Folders are including SCEP 2012 Content...
These files are filling up my System drive C:\. I always have to delete those files.
I think System Center Endpoint Protection is trying to reinstall or update itself, and fails...
If I try to uninstall "System Center 2012 Endpoint Protection" manually from the server, I get the following popup (file not found):
I cannot find the correct Version of this msi-File "fepclient.msi", so I click Cancel, and then I get the Error 0x8007064C (Cannot complete uninstall wizard).
I have this Problem on 4 different Servers right now (FileServer, two Citrix Server, SCCM-Server).
I tried several steps on the SCCM Server:
- Manual Uninstall
- Re-Installation with "scepinstall.exe" from the SCCM Client Source (same error)
- Re-Installation from SCCM Console (Push)
I am not getting rid of this error... I do not want to delete registry keys and testing around because these are productive Servers... Any ideas how to resolve this one???
If you Need more Details about the infrastructure / OS, just ask.
Patrik
Reinstalling the SCCM Agent did not help to get any additional log-Information.
But I did no found a log-file in C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.5.216.0_epp_install.log
I find the following warnings / Errors:
TEMP Folder which is created in C:\Windows\...:
MSI-Missing:
But that does not really help me... -
Endpoint Protection Client not running run scheduled scan
Hi,
We are running SCCM 2012 R2 CU1 on our site system and clients, having upgraded from SCCM 2012 sp1 12 months ago.
A few of our clients will not run a scheduled scan, even though it displays the Scan date and time in the client properties.
Someone did create a new EP policy and pointed the clients at it, but that didn't fix this problem.
The AV engine and AV definitions are up to date and the real time monitor is running.
In the SCCM console, Active Clients at Risk, the client has Endpoint Protection Enabled showing as Disabled, nothing in the Endpoint Protection Engine Version, nothing for Last Full Scan Start Time, Endpoint Protection Pending Full Scan - No.
The MPLog-xxxx-xxx.log shows:
Signature updated on 02-11-2015 05:57:13
Product Version: 4.7.205.0
Service Version: 4.7.205.0
Engine Version: 1.1.11302.0
AS Signature Version: 1.191.4588.0
AV Signature Version: 1.191.4588.0
2015-02-11T05:57:15.492Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-02-11T05:57:15.492Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-02-11T05:57:40.982Z Process scan (postsignatureupdatescan) started.
2015-02-11T05:57:50.420Z Process scan (postsignatureupdatescan) completed.
2015-02-11T06:06:47.173Z AutoPurgeWorker triggered with dwWork=0x3
2015-02-11T06:06:47.173Z Product supports installmode: 0
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
2015-02-11T06:06:47.844Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
The EndpointProtectionAgent.log shows:
Endpoint is triggered by message. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
EP version 4.7.205.0 is already installed. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
EP 4.7.205.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
Re-apply EP AM policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
Apply AM Policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
Applied the C:\WINDOWS\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
State 1 and ErrorCode 0 and ErrorMsg and PolicyName Default Client Antimalware Policy
SCEP Standard Desktop EP Policy and GroupResolveResultHash 5E75089B490B85DD66BBA85BC91E15A5EA853B9C is NOT changed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
Firewall provider is installed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
Installed firewall provider meet the requirements. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
Could anyone provide any pointers on why the scheduled scan won't work?
Jaz
Hi,
Please verify if any GPO applied and overwrite the setting, you can check registry key:
http://blogs.technet.com/b/mspfe/archive/2013/11/13/system-center-configuration-manager-2012-scep-policy-behavior.aspx
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]