SCEP Client

I have SCCM 2012
and I have the SCEP client on a Win7 machine. I uninstalled the SCEP client from one of the Win7 machines and waited for SCCM to install the SCEP client again, but it doesn't.
How can I get SCCM to install the SCEP client on this machine after the uninstall?
* SCCM installs the SCEP client on any new version of Windows in my site automatically

Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
If the client is marked inactive, then it is likely not communicating with the CM12 site server. You will need to look at the client to determine why it is having problems.
Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

Similar Messages

  • SCEP client not updating settings after policy retrieval

    I have a computer assigned a SCEP policy that seems to have been found and applied fine by the SCCM client, looking at the registry.
    I find the policy in the regkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy, with the DWORD values
    Just a test to my computer (Excluded)                   REG_DWORD         0x00000002 (2)
    Just a test to my computer (Scan Schedule)           REG_DWORD         0x00000002 (2)
    What I have configured in this test policy is just "Limit CPU usage during scan to: 10%" and "Start the scheduled scan only when my PC is on but not in use"
    But the SCEP client, in the settings, does not show the correct settings. The CPU limit setting is set to 20% and the "Start the scheduled scan" setting is unchecked; these settings come from the "Default Client Antimalware Policy"
    The EndpointProtectionAgent.log says:
    Endpoint is triggered by WMI notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Previous state is same with current one: 1, skip notification. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    EP version 4.6.305.0 is already installed. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    EP 4.6.305.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    The trigger 10 doesn't make ANY state change. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Handle EP AM policy. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Policy group lose, group name: Scan Schedule, settingKey: {d6961d76-070d-46af-b898-6d24562fb219}_201_201 EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Policy deployment result: <?xml version="1.0"?><Group Name="Scan Schedule">    <Policy Name="Just a test to my computer" State=2/>    <Policy Name="Default Client Antimalware
    Policy" State=1/></Group><Group Name="Threat Default Action">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Excluded">   
    <Policy Name="Default Client Antimalware Policy" State=2/>    <Policy Name="Just a test to my computer" State=2/></Group><Group Name="Realtime Config">    <Policy Name="Default
    Client Antimalware Policy" State=2/></Group><Group Name="Advance Setting">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Spynet">   
    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Signature Update">    <Policy Name="Default Client Antimalware Policy" State=2/></Group><Group Name="Scan">   
    <Policy Name="Default Client Antimalware Policy" State=2/></Group> EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Generate Policy XML successfully at C:\Windows\CCM\EPAMPolicy.xml EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 28.10.2014 16:54:39 3504 (0x0DB0)
    Any idea what happened to the new settings?
    Freddy

    Antimalware Client Version: 4.6.305.0
    Engine Version: 1.1.11104.0
    Antivirus definition: 1.187.618.0
    Antispyware definition: 1.187.618.0
    Network Inspection System Engine Version: 2.1.11005.0
    Network Inspection System Definition Version: 113.5.0.0
    Policy Name: Antimalware Policy
    Policy Applied: 02.09.2014 at 14:16
    The above is information in "About"
    This is the information about the Antimalware policies assigned to this computer
    Name                               | Collection name | Priority | Policy Application state | Last update time    | Policy Application Return code
    Default Client Antimalware Policy  |                 | 10000    | Succeeded                | 02.09.2014 16:16:00 | 0x00000000
    Just a test to my computer         | VITN-SC-OSL-112 | 1        |                          |                     |
    This tells me that there is no Policy Application Return code for the custom policy I am testing, and that is something I would like to solve. Any ideas? Thank you

  • Alert for SCEP Clients at risk

    Hi there
    I've got some SCEP clients in my environment which are listed in the Endpoint Protection Dashboard with status "At risk". These are clients which were offline for an amount of time and now report an old update definition. Normally these clients get updated and disappear from the dashboard.
    However, in some cases the clients fail to get the newest update, and they are in our network without being compliant. Is it possible to create an alert for clients which don't have up-to-date endpoint protection definitions (those with status "At risk")?
    Now, I need to manually check the dashboard every morning to see if there are some new clients with the status "At risk".
    Thank you in advance!
    Best regards, Simon

    I haven't done anything with alerts and SCEP; what I have done is create Device Collections with a membership rule based upon certain states of the SCEP client. I have a collection for Virus Definitions 3-7 days old, and 7+ days old, SCEP installation failed and SCEP Policy Application failed.
    On my collections with old definitions I deploy the full definition update package. I update the package source once a day with PowerShell, and have the package set to redistribute once a day. Alerts for deployment thresholds are pretty easy to create, so if the extra remediation of definitions doesn't fix non-compliant computers, you can get alerts on those that fail...
    I know the above isn't quite the solution you were looking for, but perhaps it can help.

  • SCEP manager is not showing current logs for any SCEP clients

    I have installed SCEP manager on one machine and it is managing one client, which is on another machine.
    The client is showing virus-detected logs in the SCEP client UI, but the same events/logs are not getting stored in the SCEP manager database. I tried pulling out records from the database; there is no entry for detected viruses in the database, and the SCEP manager UI monitor tab is also not showing any detected events.

    Hi,
    Active means that it has been active and communicated with the MP within the last 7 days, not that it is active now.
    That means that you either haven't extended the Active Directory or created the System Management container in AD and delegated permission to that container and all the child objects to the ConfigMgr Primary Site Server computer account. But that isn't a requirement, only a recommendation.
    If you look in the client in ClientLocation.log file can the client find an MP to communicate with? Any more errors in the MPcontrol.log file on the server?
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • FEP and SCEP Client updates

    There are multiple versions of the client deployed at the same time. I'm using the standard software updates deployment process to keep clients up to date. NOT talking about definitions, but client version!
    I have FEP and SCEP clients out there. When I go to All Software Updates and search for "endpoint protection client" I will have four FEP (4.1.552.0, 4.3.215.0, 4.5.236.0, 4.6.305.0) updates and three SCEP updates (4.3.215.0, 4.5.216.0, 4.6.305.0) to client deployed in the same update packages! All of them with various numbers of Required and Installed status.
    The obvious reason for this is that older client update packages are not marked as superseded updates. Any thoughts on why? I am going to exclude old ones with a custom severity method, but is there an automatic method available?
    .Marko

    Multiple SCEP/FEP updates are required, because the SCEP/FEP agent can update only N-2 versions, e.g. you cannot install SCEP version 4.6.305.0 to a computer with SCEP 4.3.215.0. You need first to upgrade 4.3 to 4.5 and then to 4.6. Because there might be earlier versions in the environment, there must be multiple SCEP/FEP versions available.
    Check the following blog article for more details:
    http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/anti-malware-platform-updates-for-endpoint-protection-will-be-released-to-mu.aspx
    Panu

  • Including SCEP client in an image

    My manager would like us to include the SCEP Client in our base image. I did not find any best practices articles on this. If the computer image being captured is not managed in any way are there any GUID files to remove before capture?

    Unfortunately, my manager wants us to include the actual agent in the image, not deploy it as part of a TS. We are creating a shared base image and have to account for distributed support (who may not add SCEP deployment to their task sequences). We followed some
    steps in a presentation from TechEd last year (it involves cleaning up reg keys).
    @BryanCP: Could you explain what you did to have the Endpoint Protection client in your base WIM? I messed up and captured a 20 GB WIM with the client and don't want to redo it. I normally install it during task sequence. With it installed
    in my messes up my task at the SCEP install step. I don't just want to assume and skip the step.
    I follow the steps laid out here normally to install during task.
    http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx At the bottom he talks about registry keys if it is included but no detail. Can I just delete them during
    the task sequence? He says SYSPREP, but I don't get that.

  • Where is the download link for SCEP Client Offline installer for x86 & x64 latest greatest version (4.6.305 as of today)

    Where is the download link for SCEP Client Offline installer for x86 & x64 latest greatest version (4.6.305 as of today)?
    The answer IS NOT IT AND NEVER WILL BE "DOES NOT EXIST"!!!!!! MUST NEVER NEED TO RUN UPDATES TO GET IT!!!!!!!!! THE ONLY ACCEPTABLE ANSWER IS THE LINK!!!!! DUH GET YOUR ACT IN GEAR MS!!!!!!!!!!
    Ralph

    Thanks to all for the information. I work in higher ed. We have SCCM latest version, fully licensed. Unfortunately the individual who manages the SC does not have a clue as to where to find the SCEP installer. I sent him links from MS that shows him where
    it is supposed to be. The version he says is on our SC Management server is 4.3. I, in the past, was able to get 4.5 independent of him and it has been working well for me but it is time to use the latest greatest version instead. I should just as easily
    be able to get 4.6. As far as licensing goes, if the product was correctly designed it should just work itself out just like it does for the 4.5 version I was able to easily find and download.
    As for the link given by KevinMJohnston, thanks by the way, it's the closest I have come to getting what I need but all I get is a spinning wheel in Firefox, the only browser one should ever need. In IE I get prompted for an email address, which it should
    NEVER EVER DO!!!!!!!!!! I did give them my address, but alas, after waiting over 30 mins. I still don't have a link to the update or the CU4 Config MGR update mentioned. (Another reason I am not very nice to MS, along with, see below...) Please send me the
    link that they are supposed to send me in the email.
    As for the intensity of the request it comes from not being able to find the update on my own. (Amongst a million other complaints as MS makes my job harder and harder, just think of all the lost productivity and extra repair efforts needed because MS stopped
    allowing you to do upgrade/repair installs from the install discs. You have to have a working OS to do it, or you will lose your settings etc and will have to re-install all of your software etc. How STUPID IS THAT! Can't use it to fix a blown driver or BSOD
    problem like you could in XP.  There is no excuse for that, I know better. So you can see why I have nothing good to say about MS etc etc.) There is no excuse for that! If the MS updater has it available then IT MUST BE MADE AVAILABLE FOR STANDALONE DOWNLOAD
    PERIOD. That goes for ALL updates PERIOD.  I use these updates and many others etc so that once I seal an image for a PC it has the latest greatest version of everything. It is quicker to get it stand alone in advance and installing than waiting for MS
    updates to do so. Also I prefer to config my images so that the Av installs after first boot. These are cloned PCs. Many of these PC are used in labs and are frozen. Here, the settings for the SCEP AV being pushed from above can cause major problems for the
    users, i.e. the scheduled scan feature. If it is on when students are taking tests and they take more than 5 or 10 mins on a question MS is stupid enough to start scanning causing the system to become unresponsive. This has caused students to break down in tears
    thinking the system is hosed and they just lost their tests. I have to do some creative reg hack, setting owner as "Guest", a disabled account, etc. to keep these settings from being changed. (Our SC managers push policies that work for the faculty
    but break the lab systems which are frozen, so I have to out hack them, should not be, but it is, we are trying to get that fixed, but bureaucracy and people afraid to share power etc makes it hard.)  These settings unfortunately will prevent the AV from
    installing so I need to be able to manually do it after I have set the reg to allow it.  And I could go on. Who knows when or why someone may need to do a manual update of something. I just had 3 systems fail 12 updates, yet when I manually downloaded
    them and installed them they ALL installed without failure. I did NOTHING in between the auto update and the manual, yet it was the manual way that worked. Maybe if MS could fix those kind of issues then no one would need to get stand alone update files.)
    That is not for MS to worry about. It is, however, their responsibility to make it so that I can choose what will work best for my environment, which only I could know. DUH. I have had issues in the past with MS AV and other brands being installed before "sealing"
    the images. etc. etc. etc.
    As you can see, there is not enough space on the world wide web to list all thousands of legitimate reasons to give Microsoft a hard time so I will do so on a case by case basis knowing I am probably spitting into the wind, but hey somebody has to have
    the guts to do it. MS MUST NEVER BE ALLOWED TO SIMPLY GET AWAY WITH IT! They Must be called to the proverbial carpet.
    Maybe if people who are MVPs would not be afraid to join the choruses they would be embarrassed, (though it should be done out of moral obligation not embarrassment), enough to fix these obviously fixable problems etc. etc. etc. I have over 30 years in the
    IT business, the IBM XT did not exist until my senior year in college. You are not going to be able to convince me that there is a legitimate reason, copy protection IS NOT IT, to prevent me from fixing blown OS via re-install using install disc when OS will
    not boot. Nor are you going to be able to find legitimate reason for the SCEP 4.6.305 update to be so hard to get.
    Thanks again for the help, still waiting for email from MS, NOT COOL MS! NO EXCUSE!!!!!
    Ralph

  • Managing Standalone SCEP Client in Workgroup Computer

    Hello,
    I recently configured one SCEP client on a workgroup computer where I don't have any internet access. To update the definitions, I created a policy to download the definitions from a UNC share on the SCCM server, but it's working.
    Question: Must I have internet access to update definitions, or can I achieve that using SCCM or a UNC source?

    Thanks Jason, for your response.
    So you mean to say the standalone SCEP client (workgroup computer) will support WSUS or Config Mgr as well, correct?
    I tried mapping the SCCM server portal (http://SCCM.ABC.in:8530) using a custom policy.
    In the client event vwr it is also showing the correct URL, but it couldn't download any updates, with an Error ID 2000.
    When I tried giving it an Internet connection and mapped Microsoft as the source, it's working fine.
    Am I missing something? Kindly help me troubleshoot this issue.

  • SCCM Client and SCEP Client Uninstall

    Hi, I have below questions with regard to the SCCM client software and the SCEP client software.
    Does SCCM client uninstallation remove the SCEP client as well? If not, how does Endpoint Protection get the updates after the SCCM client is removed? How to remove/uninstall the SCEP client?
    If the SCCM client uninstallation removes the SCEP client as well (by running ccmsetup.exe /uninstall), how to make it NOT uninstall the SCEP client?
    Thanks.
    NM

    Yes, your SCEP client should still be able to update.
    If you're installing the ConfigMgr client again, and have manage SCEP client enabled in the ConfigMgr client settings, it does more than just adding the update source. It allows you to manage the SCEP client configuration (like scan settings, exclusions, etc), perform remote actions (like initiating a scan) and report about them.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • How to convert Unmanaged SCEP clients to Managed in SCCM 2012 SP1

    We recently started installing SCEP clients from the .exe and a preconfigured .xml file to client machines in a domain setting.  This was done from a USB drive, going from machine to machine, with a  .bat file.
    This was a stop-gap until we were able to install and configure SCCM 2012 SP1.
    PCs that already had the SCEP client (prior to SCCM coming into production) are showing up as unmanaged.  PCs that have had SCCM install SCEP all are listed as managed.
    I've searched, but have yet to find a definitive answer as to how to get the manually installed SCEP clients to register as managed in SCCM.
    AD Domain with WIN 2008 R2 DC, SQL 2012 Standard, SCCM 2012 SP1

    Also, make sure the Endpoint Protection Point is installed properly on SCCM and the Client Setting for SCEP is enabled.
    Juke Chou
    TechNet Community Support

  • Updating SCEP Clients

    Hi,
    We are currently running SCEP 4.1 client and I want to update them to the latest version.  Our server is SCCM 2012 SP1
    We have not applied cumulative updates to the server. Am I required to apply the CUs to the server before I can update the clients? Or how does it work?
    When I apply the CUs to the server is it updating the Endpoint Protection piece of the server as well, then I deploy out the updates to the clients?
    Thanks,
    Travis

    Hi,
    Yes, when you install the CU on the server then the SCEPinstall.exe which is used to install the SCEP client is updated as well. Probably not to the latest version as that was released just a couple weeks ago but the version before that, the latest version
    is available through Windows Update/WSUS.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • SCEP Client Activity Logs Files - Retention Policy?

    In SCEP 2012....
    1. Where are client activity log files stored?  
    2. What is the default retention policy?  
    I remember with FCS, I think the historical data was stored for 14 months (by default).  Is that the same for SCEP?
    Andrew Marcos

    Logs are in c:\program data\Microsoft\Microsoft Antimalware\Support.
    Not sure on retention as I am working in non-persistent VDI's that get their logs reset after a log off!
    Cheers
    Paul | sccmentor.wordpress.com

  • Manage SCEP client risk

    Hi, I have a problem with client risk in Endpoint Protection status.
    I deployed SCEP on clients, and some of the clients get into client risk.
    How can I manage it so that clients don't get the client risk status again?
    thank you

    Do you have multiple clients with failed client checks? If there are only a few, you can try to manually execute the Scheduled Task "Configuration Manager Health Evaluation" on those clients or follow the steps described in the Cireson Blog Post.
    Best regards, Simon

  • SCEP client "virus and spyware definitions created 2 days ago"

    Hi,
    I sometimes see "virus and spyware definitions created 2 days ago", and sometimes some days longer. If I look some days later the client is up to date. I have configured an ADR to get definitions 3 times per day, and also update the DP after the SUP schedule.
    What makes the client not have the latest definitions?
    /SaiTech

    Hi,
    Please verify if there is any temporary connection issue between client and server. We may get some clue in windowsupdate.log.
    According to your description, I think the issue just occur occasionally. Review the log and notice the timestamp scheduled for installation.

  • SCEP 2012 Client in Windows 8 / 2012 - in Windows 2008 Domain - Not Syncing / Not Compatible

    Dear All ,
    With lots of hardship I installed SCEP 2012 in a Windows 2012 virtual machine in a Windows 2008 domain.
    The SCCM 2012 server on Windows 2008 Server with SQL 2008 was performing well and there were no issues until our company planned to convert the Windows 2008 Server to Windows 2012 Server (AD is 2008).
    WSUS is not fully syncing with SCCM 2012 (previously it was).
    Software updates are not pushing properly and, to top it all, the SCEP client is not compatible with Win 8.1 Pro or Win 2012 Server.
    Error: Failed to download content id 16787046. Error: Access is denied.
    Package:
      Success: The software updates were placed in the existing package:
    •     Deployment Package(JUN2014)
    Software updates that will be downloaded from the internet
      Error: Update for Forefront Endpoint Protection 2010 Client - 4.1.522.0 (KB2780435)
    Errors
        Failed to download content id 16787046. Error: Access is denied.
    Language Selection:
     English
    But the service account has full access - administrative rights and the administrator of the system
    please advise on this

    Hi,
    All the software updates downloaded failed?
    Are there any errors in PatchDownloader.log? If you use Automatic deployment rule, please also check ruleengine.log.
    Please add the account with Full rights to the source share (both NTFS and Share permissions) where the Deployment Package is located.
    Best Regards,
    Joyce
