SCEP 2012 clients kicking off random scans

We have an SCCM 2012 environment with SCEP 2012 recently deployed. We have a policy in place that does weekly full scans on Tuesdays at 12AM. The client machines are 64-bit Windows 7. We are seeing some random computers kicking off full scans at various points in the day. We thought initially that there were viruses on these machines and that was causing the scans, but according to the EP console, they do not have any type of virus or malware.
Any ideas?

Here is the way MS does such things. (Update works this way too.) It is STUPID, of course, but then "SMART" is not a word that fits Microsoft very well. Just look at Windows 8 for an example, or at the fact that you can't even find a simple link to the SCEP client for whatever happens to be the latest greatest version.
As for the auto scanning, it will occur REGARDLESS of the time set, shortly after you start your PC, if it was not able to do it at the appointed time. So if it is set for 12am, and if the system, for whatever reason, was not on, it will kick off shortly after it is booted, REGARDLESS of the current time. (It is supposed to wait until the system is idle, but MS uses lack of keyboard or mouse action to decide if a system is active instead of actually looking to see if it is. For example, watching a movie: MS would say after five minutes it is inactive, then run the scan, screen saver, update, or whatever. Maybe you were just reading a long email, letter, or article online; doesn't matter, MS will kick off the scheduled event. Of course this will cause problems for the movie etc., but MS won't care.)
Bottom line is, if the MS AV is doing its job, or anyone's AV for that matter, and was installed on a 100% clean PC, then one should NEVER need to do a blind system scan. Common sense really. Of course MS AV is not very good at preventing the more destructive of the evils out there, such as the ransomwares and things like the ASK or the Google toolbar or the many fake "fix your PC" popups that are out there, etc. etc.
Best just to keep it disabled.
Ralph
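
A way to test the catch-up explanation above on an affected client, as an added example that is not part of the thread: it reads the scheduled-scan policy values the client received and lists each scan start next to the preceding OS start. The registry path, value names, event source and event IDs are assumptions about a default SCEP 2012 client and should be confirmed on one machine first.

```powershell
# Added example (not from the thread). Registry path, value names and event IDs
# are assumptions about a default SCEP 2012 client; verify them before relying on it.
$ScanPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan'

function Get-ScepScanPolicy {
    # Returns the scheduled-scan values the client received, or '<not set>' when absent.
    param([string]$Path = $ScanPolicyKey)
    $props = $null
    if (Test-Path -Path $Path) { $props = Get-ItemProperty -Path $Path }
    foreach ($name in 'ScheduleDay', 'ScheduleTime', 'ScanParameters',
                      'DisableCatchupFullScan', 'ScanOnlyIfIdle') {
        $value = '<not set>'
        if ($props -and $null -ne $props.$name) { $value = $props.$name }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

function Get-ScanStartVersusBoot {
    # Lists each scan start with the minutes elapsed since the preceding OS start.
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)

    # Kernel-General event 12: operating system started.
    $boots = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'
            Id = 12; StartTime = $since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)

    # Assumed: the SCEP client logs "scan started" as event 1000, source "Microsoft Antimalware".
    $scans = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft Antimalware'
            Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)

    foreach ($scan in $scans) {
        $lastBoot = $boots |
            Where-Object { $_.TimeCreated -le $scan.TimeCreated } |
            Select-Object -Last 1
        $mins = $null
        if ($lastBoot) {
            $mins = [int]($scan.TimeCreated - $lastBoot.TimeCreated).TotalMinutes
        }
        [pscustomobject]@{
            ScanStarted      = $scan.TimeCreated
            Weekday          = $scan.TimeCreated.DayOfWeek
            MinutesSinceBoot = $mins
            Message          = ($scan.Message -split "`r?`n")[0]
        }
    }
}

Get-ScepScanPolicy | Format-Table -AutoSize
Get-ScanStartVersusBoot -Days 14 | Format-Table -AutoSize
```

A full scan that starts a few minutes after an OS start, outside the Tuesday 12AM slot, fits the missed-schedule behaviour described in the reply; a scan with no nearby boot points elsewhere.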

Similar Messages

  • SCEP 2012 Client in Windows 8 / 2012 - in Windows 2008 Domain - Not Syncing / Not Compatible

    Dear All ,
    With lots of hardship I had installed SCEP 2012 in a Windows 2012 virtual machine in a Windows 2008 domain.
    The SCCM 2012 server on Windows 2008 Server with SQL 2008 was performing well and there were no issues until our company planned to convert the Windows 2008 Server to Windows 2012 Server (AD is 2008).
    WSUS is not fully syncing with SCCM 2012 (previously it was).
    Software updates are not pushing properly and, to top it all, the SCEP client is not compatible with Win 8.1 Pro or Win 2012 Server.
    Error: Failed to download content id 16787046. Error: Access is denied.
    Package:
      Success: The software updates were placed in the existing package:
    •     Deployment Package(JUN2014)
    Software updates that will be downloaded from the internet
      Error: Update for Forefront Endpoint Protection 2010 Client - 4.1.522.0 (KB2780435)
    Errors
        Failed to download content id 16787046. Error: Access is denied.
    Language Selection:
     English
    But the service account has full access - administrative rights and the administrator of the system
    please advise on this

    Hi,
    All the software updates downloaded failed?
    Are there any errors in PatchDownloader.log? If you use Automatic deployment rule, please also check ruleengine.log.
    Please add the account with Full rights to the source share (both NTFS and Share permissions) where the Deployment Package is located.
    Best Regards,
    Joyce

  • SCEP 2012 client in captured WIM image

    I screwed up. I forgot to uninstall SCEP 2012 from my image as I normally do and then install during the task sequence with updated definition install tasks as described:
    http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx. 
    The image I captured is 20 GB with some hefty software and don't want to capture it again.  At the bottom of that article it mentions some registry keys and that I should delete them if it is embedded, but it says during SYSPREP.  I don't know
    how to do that?  Has anyone done this?  Can I just add a command line step to the task sequence and import a REG to delete the entries?
    HELP!
    Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

    I tried manually deleting the InstallTime entry and it said Access Denied.  Are these protected?  Will an import actually work since I can't delete them?  I am afraid there may be something to the article saying "during SYSPREP", but I don't
    know if/how to do that.

  • Windows XP PCs installed SCEP 2012 R2 Client hanging

    All of a sudden, since this morning we keep getting calls about Windows XP PCs hanging with issues related to the SCEP 2012 client. I am not sure if any recent definition update is causing this problem.
    Is it a known issue or is there any fix for it? I have tried many options, googling but none of any help.
    Thanks
    Regards,
    Mohammad Anwar
    InfoSeeker

    There is already a thread that deals with this issue:
    http://social.technet.microsoft.com/Forums/en-US/043515cb-2746-43dc-94e0-441f70fd50b8/system-center-endpoint-protection-error-0x80004005?forum=configmanagergeneral
    Locking this one.
    Torsten Meringer | http://www.mssccmfaq.de

  • SCEP 2012 and GP Update

    SCEP 2012 client settings currently have "Install Endpoint Protection client on computers" set to Yes. This is deployed to quite a few machines. The client installs just fine, everything updates, and we are set. The Endpoint Protection Agent log shows periodic checks for whether SCEP needs to be installed, which technically isn't an issue, and eventually I'll flip this setting to No and leave it Manage only.
    However, around the times it checks the client I notice a GP Update kicking off. Does anyone know if installing SCEP or having the client check to see if it is installed kicks off a GP Update?

    Interesting. I didn't think to check that specific log. I do see activity in there for other GP objects besides SCEP. Perhaps it runs the equivalent of gpupdate /target:computer
    I don't think I see any user items in there.
    This reminds me of an issue I ran into before. Take the scenario of a domain joined machine that is currently connecting via the Internet. You have an IBCM server set up, so Internet connected machines are able to receive policy and software. You would think
    that would include changes to SCEP policy too. However, if you make a change to SCEP policy and then try to update policy on the client, it won't actually apply the SCEP policy changes until it's back on the domain. I guess that's because whatever ConfigSecurityPolicy.exe
    is doing requires a connection to be made to a domain controller and even though the SCEP content is stored locally in an XML file, it can't finish the process of getting it into Registry.pol and then into the Registry itself until it can connect to the DC
    again.
    Seems like it would make more sense to just import it directly into the Registry and bypass the GP client entirely. Anyway, I don't mean to hijack the thread but it would be nice to see Microsoft clarify exactly what's going on in both cases :-)

  • FEP 2010 Admin Template Breaks GPResult /H on SCCM 2012 clients

    We have both FEP 2010 clients, which are being managed by a GPO created from the FEP2010 Admin Template in our Central store, and SCCM 2012/SCEP clients which are being managed by
    SCCM but we have noticed when running GPResult /h on the SCCM clients, you get an error in the Administrative Template section:
    An error has occurred while collecting data for Administrative Templates.
    The following errors were   encountered:
    Registry   value "%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" is of   unexpected type.
    We have discovered that the SCCM/SCEP client local policy creates the exclusion paths in the registry as a DWORD, but the FEP 2010 Admin Template creates the exclusion paths as a REG_SZ on the FEP 2010 clients. When you run GPResult /h, the templates from the Central Store are used, and since the value types are different on the SCCM/SCEP 2012 client, GPResult /H fails.
    The current workaround is to create a GPO using the FEP 2010 Admin Template with exclusion paths that are the same as your SCCM 2012 settings and apply that GPO to the SCCM clients. That changes the registry keys from DWORD to REG_SZ and GPResult starts working again!!
    Running GPResult /Z also works!!
    Has anyone else experienced this behavior?

    Hi,
    I tried and found that the value type is different too. The DWORD value for Forefront Client also works, so the workaround you are currently using is applicable. Anyway, I will record the situation that the ADMX template has a different value type with SCEP
    policy value.
    Juke Chou
    TechNet Community Support

  • WSUS + SCEP 2012 Definition Updates

    Hi 
    I'm using WSUS to manage pattern file updates for my SCEP 2012 clients, and my problem is that most pattern files do get applied to my machines, but like today my computers had pattern file (1.185.908.0), but when I check on the Microsoft website they say the latest pattern file is (1.185.926.0), so I synced my WSUS to see if there were any new files available and it returned with nothing new... so I manually ran "mpam-feX64" and my client got updated to (1.185.933.0), so it seems that my WSUS server is missing every other update.
    Can it be that MS is slow to update their WSUS store or is something wrong with my WSUS? It is configured to check for updates every hour. I also tested letting my workstation check online for updates and the result was the same: "no new pattern files".
    Best Regards 
    Jon G
    Jón G Sævarsson

    Can it be that MS is slow to update their WSUS store or is something wrong with my WSUS? It is configured to check for updates every hour.
    Configured for "every hour" is probably a bit excessive, but much more likely is that you've not properly configured your WSUS server and your WSUS clients to be able to get Definition Updates in a timely manner.
    In addition to synchronizing WSUS at least 3x daily (every 8 hours), you also need to do the following:
    Create an Automatic Approval rule for the Definition Updates update classification for the "All Computers" target group.
    Enable the policy setting "Allow Automatic Updates immediate installation".
    Set the CLIENT Detection Interval to 6 hours.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Replacing FCS with SCEP 2012

    I'm in the pilot phase of replacing FCS on our workstations, servers with SCEP 2012.
    The FCS client was uninstalled as soon as the SCEP 2012 client appeared, SCEP Definitions are updated, but I'm getting prompted in the Software Center for http://support.microsoft.com/kb/2508824.
    Why would I even need (be offered) this if FCS is not on the machine? If I try to install it it fails.
    EDIT: am I right in assuming Client Update for Microsoft Forefront Client Security (1.0.1736.0) is not needed if SCEP is being used and I can just remove it from my Software Updates Group?

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • Randomly kicked off wireless even with Snow Leopard.

    I had 10.5.8 and was suddenly being kicked off wireless repeatedly. Several groups said upgrading to Snow Leopard would fix the problem but it hasn't. I still get kicked off wi-fi randomly. It reconnects on its own after a few minutes, then starts again. It's not my internet service as Ethernet connectivity works fine. Does this sound like a software issue? The router itself?

    Have you tried a different channel on the router?

  • Problem using Java Webstart to kick off CORBA Client

    Dear all,
    I am currently having a problem in using the Java Webstart to kick off
    the CORBA Client, I set up the JNLP file jvm properties as following:
    <resources>
    <j2se version="1.4*" java-vm-args="-Xms64m -Xmx256m -verbose -esa
    -Xnoclassgc -client -Dswing.useSystemFontSettings=false ">
         <resources>
         <property name="vbroker.orb.initRef"
    value="NameService=corbaloc::10.35.55.82:20005/NameService"/>
    </resources>
    </j2se>
    </resources>
    The problem I have is that when the webstart starting the client, the
    client just simply dies during the startup and I find the log message
    following:
    org.omg.CORBA.ORBPackage.InvalidName
         at com.inprise.vbroker.orb.ORB.resolve_initial_references(ORB.java:943)
    So it is showing that there is problem with the vbroker.orb.initRef
    setting, know that if I don't use the webstart to start the client and
    simply use the windows batch file, using the jvm properties as:
    java -Dvbroker.orb.initRef=NameService=corbaloc::10.31.51.80:20001/NameService
    It would work perfectly.
    Could you tell me if I missed anything when configuring the webstart jnlp
    file on this regard? Currently, I think that the only way I can set
    the JVM properties in the JNLP file is to use its properties tag to
    set the system properties for the application.
    Thanks heaps in advance for any help you can give here !!!
    Victor

    Hi, Andre,
    No, I have tried both of your suggestion and there was no joy. I still have the following error and the client jvm just crashes during starting up:
    org.omg.CORBA.ORBPackage.InvalidName
         at com.inprise.vbroker.orb.ORB.resolve_initial_references(ORB.java:943)
    I believe it is still related to the jvm properties:
    <property name="vbroker.orb.initRef" value="NameService=corbaloc::10.35.55.82:20005/NameService"/>
    And know that when I used "-Dvbroker.orb.initRef=NameService=corbaloc::10.35.55.82:20005/NameService" in the windows batch file, the client runs ok.
    Is this indicating that there is the limitation of using the webstart to invoke CORBA client?
    Any further help would be very appreciated!
    Victor

  • SCEP 2012 definitions not updating on few clients

    Hi!
    The SCEP 2012 definitions are not updating on few clients. It works for all other machines.
    In MPLog I can only see that Signature update on date but not a line saying Signature updated via ...
    It's not telling me where it got the updates in the past and why it's not updating now.
    The definitions are pushed via SCCM, WSUS and MS, not UNC shares.
    Which log file should I look at to get some answers on why it's not updating?
    Thanks

    Hi,
    You can check C:\Windows\WindowsUpdate.log file to find the related error information.
    In addition, did you configure an automatic deployment rule to deliver definition updates? If yes, I recommend you to make sure that all the clients are in the collection.
    Best regards,
    Susie

  • Mac book pro mid 2012 turn off randomly

    When not plugged in, my mid-2012 MacBook Pro just turns off randomly. I just replaced the battery a month ago; the old battery gave me the same problem, and the new one was fine until about 2 weeks ago. Now it just shuts off randomly and I have no idea why, because the battery has only 36 cycles on it.
      Model Information:
      Serial Number: W03065AG7D3LC
      Manufacturer: SMP
      Device Name: bq20z451
      Pack Lot Code: 0
      PCB Lot Code: 0
      Firmware Version: 201
      Hardware Revision: 000a
      Cell Revision: 165
      Charge Information:
      Charge Remaining (mAh): 4858
      Fully Charged: No
      Charging: Yes
      Full Charge Capacity (mAh): 5058
      Health Information:
      Cycle Count: 36
      Condition: Normal
      Battery Installed: Yes
      Amperage (mA): 140
      Voltage (mV): 12338

    I have made a strange observation too: I decided to clean out the dust, and once the bottom was off I propped the computer up with pens so it was not touching the desk and turned it on, and the computer has not shut off without warning anymore.

  • DPM 2012 R2 long backup to tape job randomly fail after installing SCCM 2012 Client

    Hello,
    I'm managing a two nodes 2012 R2 file server cluster that contains a 16To CSV. I'm using DPM 2012 R2 to backup this entire shared volume directly to LTO 4 tapes, the job last about 55h.
    Since the SCCM 2012 client was installed (I don't manage it), the tape jobs have been failing randomly after several hours with the error:
    Type: Tape backup
    Status: Failed
    Description: The DPM service was unable to communicate with the protection agent on serverX.xxxx.xxx . (ID 52 Details: The semaphore timeout period has expired (0x80070079))
     More information
    End time: 19/07/2014 03:11:06
    Start time: 18/07/2014 22:00:00
    Time elapsed: 05:11:05
    Data transferred: 768 289,56 MB
    Cluster node serverX.xxxx.xxx
    Source details: G:\
    Protection group members: 1
     Details
    Protection group: File Server Tape Protection
    Library: Quantum PX500 Series Medium Changer
    Tape Label (Barcode): File Server Tape Protection-00000230 (000043L4)
    If I uninstall SCCM 2012 client, no more issue, backups succeed. I've asked our SCCM team, no specific task has been scheduled or deployed in SCCM.
    I can't see anything abnormal in logs.
    Any idea?

    I have disabled "Configuration Manager Maintenance" and I have also tried to set the registry value HKLM\Software\Microsoft\CCM\CcmEval\NotifyOnly to TRUE, and still the same issue.
    I can't find any correlated errors in the Windows event logs, the task scheduler history or the DPM logs.
    I've increased the log level of DPM by following this procedure:
    http://blogs.msdn.com/b/george_bethanis/archive/2013/11/04/how-to-collect-dpm-verbose-logs.aspx
    Now I'm suspecting the maintenance job of Windows 2012 R2; I'll try to disable this task. But the fact is that I don't have this backup issue if the SCCM 2012 client is not installed.
    I'm waiting for next logs and will keep you informed

  • Deploying the SCCM 2012 Client to WES 7 devices that are locked down with the FBWF using 2007 task sequence via WEDM.

    I'm wondering how people are migrating their embedded devices that are using the FBWF. I've done some googling and it seems like most people are just re-imaging the devices, and after migrating a single device I see why. It's not a pretty process. This will be a long description, but ultimately my question stems more from trying to find a better way to execute the device migration from 2007 to 2012.
    Some background on my situation might be in order here. I'm in the process of wrapping up our 2007 to 2012 migration. We have a 2007 infrastructure that was a central server with 2 primaries and 286 secondary site servers. I've consolidated that to a single 2012 primary site server that hosts all the main roles. There are 2 more servers in the data centers, both operating solely as push distribution points; I'll refer to them as 2012 01, 02 and 03. I'm over halfway through the migration and so far haven't needed to offload any site roles. There are almost 10,000 clients now reporting to the 2012 site server and almost 100 field servers pulling content from 2012 02 as their source DP, as pull DP is the only way forward for this many devices. I've read the horror stories of trying to spin up 200-plus push DPs. We are running PKI. I'm at the point now where I need to start migrating the Windows Embedded Standard 7 clients that have the 2007 SCCM client on them with WEDM for write filter handling.
    What I'm wondering is if anyone has any pointers for me regarding migrating the WES 7 devices. The plan I've come up with is to somehow script the process using a 2007 WEDM Task Sequence to try and migrate them over to 2012. Things are complicated, as I need to somehow script the install, the policy check-in, hardware inventory, software inventory, and validate that the SCEP client installs before I reboot the device one last time to enable the FBWF. How I handled the SCCM 2007 client install on these devices when they were provisioned was to just create a batch file that would sleep for ten minutes, then check to see if the inventoryagent.log file had been created yet. I realize now that is inefficient, as I can kick off the inventory using a WMI method once the client has installed. Also I need to make sure the machine gets its first policy, as that is how it creates the communication using PKI through that first policy transfer, and that also finalizes the client install. The biggest piece I'm uncertain about in this regard is the SCEP client.
    I had to change the SCEP client install from yes to no in the default client settings, as we have some McAfee servers that can't have the SCEP client on them. I have incremental updates enabled on the collection that has the policy that installs the SCEP client, but this will take an unknown amount of time unless I force the environment to update as the device starts the 2012 install, or if I could kick off the SCEP install... IDK. I'm also wondering if I should keep the device in the migration process until I validate it has its proper SCEP policy applied, which I believe can be validated by a registry key somewhere.
    Once the 2012 client gets installed, will that cause it to lose its place within the 2007 Task Sequence? Considering it's going to take a minimum of 2 reboots, I'd normally use the task sequence to handle its progression through the process.
    I'm also considering trying to use an Orchestrator runbook, as that would be a good way to keep track of the migration process as each device migrates, especially since this might take several separate scripts.
    I'm going to take a stab at scripting the migration process, but if anyone has any pointers that might make this less complicated I'd really appreciate it, as I've got about 3000 of these devices that need to be migrated over. The other thing I've learned the hard way is that any time you have something this complicated over the course of 3000 devices, you will run into unknowns and the failure rate increases. I'm in the precarious position of having to not only build this process out but in some situations have it complete in the shortest amount of time possible, as we have sites running 24x7. I know the end users' behavior all too well, and they will just keep hitting the power button sometimes, even though they're not supposed to, so they can get their device functional again. In those situations I'd end up, if I'm lucky, with a device that no longer has a healthy SCCM client in either environment and the write filter disabled.
    So like I said, any pointers anyone could throw my way I'd really appreciate. I manually went through the migration process on a single device for proof of concept and ended up with almost 2 pages of pseudo code for my migration script/scripts.
    Thanks,
    -K.R.

    Hi,
    In R2 there are some new variables you can use to solve this,
    http://ccmexec.com/2014/12/smstsmplistrequesttimeout-value-in-milliseconds/
    In SP1, though, adding a step to sleep for 2-5 minutes after reboot and before the application install step is a common workaround; a PowerShell command with "Start-Sleep -s 120" should do it.
    /Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • SCEP 2012 and VDI offline servicing

    I've seen this question being asked before in another thread (Best practice to run Microsoft Endpoint Protection client in VDI environment) however the answer doesn't provide enough information (for me at least)
    We are planning to use a Citrix XenDesktop environment with Provisioning services providing VDI clients. As far as I know the SCCM client will be installed in the VDI golden image and after some adjustments SCCM client registration will go well. We will
    also use SCCM 2012 and deploy SCEP 2012 for anti-malware scanning.
    SCCM 2012 provides offline servicing for Software Updates in WIM images, but what is a best practice in keeping the VDI's up-to-date? I can't find any good information about this, so maybe the answer is very simple?... Is there a way to offline service the
    VDI image so Software Updates and Anti-Malware updates are injected in the image?
    Or do the VDI's get updated as physical systems, at the time they are logged in to the network, discarding all changes when logging off. This doesn't seem the right way to go.
    Any help would be appreciated.
    thx. Niels

    I struggled with this same problem for a while, and likewise didn't find a great answer anywhere. In our case, this is for an RDS VDI environment, but the solution I ended up employing should work anywhere.
    First, set up SCCM/WSUS to download the updates to a UNC share (if you haven't already; here's a helpful guide:
    http://blog.thesysadmins.co.uk/sccm-2012-scep-unc-definition-updates-automation-powershell.html). Also, create an antimalware policy for the VDI machines with the definition updates source set to UNC only, and set the UNC Path section accordingly.
    Here's the key part: create a scheduled task in your master image to run based on boot or resume (RDS puts the VDI VMs in a Saved state rather than Off). Here are the settings I used for the task:
    General tab: I set it to run as the SCCM Network Access Account; Run whether user is logged on or not
    Triggers tab: Begin the task On an event; Basic; Log: System; Source: Kernel-General; Event ID: 1 (this pops up on a startup or resume event); Delay task for: 5 minutes (during VM creation, it boots the machine for just a couple minutes, and I
    didn't want this task to be interrupted by a shutdown halfway through); Enabled
    Actions tab: Action: Start a program; Program/script: "C:\Program Files\Microsoft Security Client\MpCmdRun.exe"; Add arguments: -SignatureUpdate
    I left the other tabs with their defaults
    In RDS, the VMs on creation are spun up briefly and then put into a Saved state. It then spins up just a few, waiting for users to connect. By the time a user logs in, the machine should have the latest updates, but even if it doesn't, it should be
    no more than ~5 minutes before it does.
    Hope this helps!
    Ryan
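
    The scheduled task described in the post above, written out as an added example rather than the poster's own script. It assumes the ScheduledTasks PowerShell module (Windows 8 / Server 2012 or later) and an elevated session when building the master image; the task name is a placeholder.

    ```powershell
    # Added example (not the poster's script). Run elevated in the master image.
    # Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).
    $taskName = 'SCEP signature update on boot or resume'   # placeholder name
    $mpCmdRun = 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'   # path from the post

    if (-not (Test-Path -Path $mpCmdRun)) {
        throw "MpCmdRun.exe not found at $mpCmdRun"
    }

    # Prompt for the run-as account instead of embedding its password in the script.
    # The post runs the task as the SCCM Network Access Account.
    $cred = Get-Credential -Message 'Account the task runs as'

    # Event trigger from the post: System log, source Kernel-General, Event ID 1.
    $subscription = '<QueryList><Query Id="0" Path="System"><Select Path="System">' +
        "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=1]]" +
        '</Select></Query></QueryList>'

    # New-ScheduledTaskTrigger has no event trigger type, so build the CIM instance directly.
    $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
        -Namespace 'Root/Microsoft/Windows/TaskScheduler'
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Delay        = 'PT5M'      # "Delay task for: 5 minutes"
    $trigger.Enabled      = $true

    # Action from the post: MpCmdRun.exe -SignatureUpdate
    $action = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-SignatureUpdate'

    # Supplying -User and -Password stores the credential, which gives
    # "Run whether user is logged on or not".
    Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password -Force |
        Out-Null

    # Confirm what was registered.
    Get-ScheduledTask -TaskName $taskName |
        Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
    ```

    Because the credential is stored in every clone of the image, the run-as account should have no rights beyond reading the definition share.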
