Kevin79

I did as you suggested and taking everything out but the SCCM server from the update list didn't seem to help and neither did telling it to download the definition in the console. I looked at the file EndpointProtectionAgent.log doesn't seem to have anything worth while in it. Here is part of the log: Endpoint is triggered by message. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 2.2.903.0. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) EP version 2.2.903.0 is already installed. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) Expected Version 2.2.903.0 is exactly same with installed version 2.2.903.0. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) AM Policy XML is ready. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) Handle EP Deployment Policy. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) EP Policy Endpoint Protection on Servers - Antimalware is already applied. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) EP Client is already installed, will NOT trigger reinstall for now. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) Firewall provider is installed. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) Installed firewall provider meet the requirements. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0) I can post the rest if you want but it is just a repeat of the stuff above.

I have SUP syncing every 4 hours so that should be good. Even if it was more, that wouldn't explain why servers and some clients are so far behind, would it?

I have a test group of about 40 servers and desktops that have SCEP installed on them. I have 2 antimalware policies, 1 for desktops and 1 for servers, 1 Deployment package for the updates and 3 Automatic Deployment Rules, 1 for desktops, 1 for regular servers and 1 for SCCM servers. (I'll post the configuration of all of them below). For some reason, my SCCM servers don't seem to update definitions until they are 3 days old and my other servers and desktops are sporadic on the definition updates. Some are current (under a day old, but not the most current definitions) and some are 3 days old. What logs should I look at to troubleshoot? I want them all to be current at all times. Below are my configuratons: Antimalware Policies Desktops Definition updates Check for Endpoint Protection definitions at specific intervals: 8 Check for Endpoint Protection definitions daily at: 9 AM Force a definition update if the client computer is offline....: True Set sources: 4 sources selected Updates distributed from Configuration Manager Updates distributed from WSUS Updates distributed from Microsoft Update Updates distributed from Microsoft Malware Protection Center [*]If Configuration Manager is used as a source for definition....: 72 [*]If UNC file shares are selected....: (none) [*]Servers Definition updates Check for Endpoint Protection definitions at specific intervals: 4 Check for Endpoint Protection definitions daily at: 2 AM Force a definition update if the client computer is offline....: False Set sources: 4 sources selected Updates distributed from Configuration Manager Updates distributed from WSUS Updates distributed from Microsoft Update Updates distributed from Microsoft Malware Protection Center [*]If Configuration Manager is used as a source for definition....: 72 [*]If UNC file shares are selected....: (none) Deployment Packages Endpoint Protection Updates General Package source: A source on my SCCM server [*]Distribution Settings Distribution priority: Medium [*]Content Locations All my SCCM servers at listed Automatic Deployment Rules (I'm just going to list a few of the tabs) SCCM servers - Last Error Description: Success Evalution Schedule Run every 4 hours [*]Deployment Schedule Time based on: UTC Software available time: As soon as possible Installation deadline: As soon as possible [*]Desktops - Last Error Description: Success Evalution Schedule Run every 4 hours [*]Deployment Schedule Time based on: Client local time Software available time: 4 hours Installation deadline: As soon as possible [*]Servers - Last Error Description: Success Evalution Schedule Run every 4 hours [*]Deployment Schedule Time based on: Client local time Software available time: 4 hours Installation deadline: As soon as possible Anyone have any suggestions?

I just did that and it didn't seem to help any. Other clients are getting updates without an issue.

The only thing configured in my gpo is to "Allow signed updates from an intranet Microsoft update service location". All other settings are Not Configured.

I have SCCM 2012 running as per Anyweb's guides. I'm having a couple issues with updates. The first is with a Windows 7 computer. For whatever reason, it won't install any updates. I looked in the log files and found the following in WUAHandler.log: Its a WSUS Update Source type ({96C47559-2881-482F-A258-574B0934592E}), adding it. WUAHandler 6/4/2012 2:38:20 PM 13960 (0x3688) Unable to read existing resultant WUA policy. Error = 0x80070002. WUAHandler 6/4/2012 2:38:20 PM 13960 (0x3688) Enabling WUA Managed server policy to use server: http://holland-sccm.ad.saf-holland.biz:80 WUAHandler 6/4/2012 2:38:20 PM 13960 (0x3688) Waiting for 2 mins for Group Policy to notify of WUA policy change... WUAHandler 6/4/2012 2:38:20 PM 13960 (0x3688) Unable to read existing WUA resultant policy. Error = 0x80070002. WUAHandler 6/4/2012 2:38:23 PM 13960 (0x3688) Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and Policy NOT CONFIGURED WUAHandler 6/4/2012 2:38:23 PM 13960 (0x3688) Failed to Add Update Source for WUAgent of type (2) and id ({96C47559-2881-482F-A258-574B0934592E}). Error = 0x87d00692. WUAHandler 6/4/2012 2:38:23 PM 13960 (0x3688) Anyonw know how to fix it? The second issue is that my test servers aren't installing updates. My test group have some 2008R2 servers (one being the SCCM server itself) and Winows 2003R2 servers. Looking in the logs, it doesn't even look like the servers are seeing that there are updates but when I look at the computer in the console, it shows the updates as needed to install on the servers. Any idea's why it isn't working?

I'm not sure I understand what you are saying... I have enabled a couple rules but the counts are still zero.

In order to use the reports under "Software - Companies and Products" in SCCM 2012, do I need to have Asset Intelligence enabled? What about the reports under "Software - Files" and "Install base for all metered software programs" under "Software Metering"? It shows the file names but the counts are all 0.

I have SCEP deployed to some workstations and servers. I followed this guide for setting up the policies, with the only difference being that I currently have WSUS in use on a different server and have group policy setup to point my clients to that WSUS server. (WSUS is not SCCM integrated). My workstations and servers aren't consistently getting the updates. The Automatic Deployment Rules run fine but my clients never upgrade. How do I have them update from my SCCM server on a regular basis?

Anyone?

narcoticmind, did you ever find a deploy Applications though AD groups in SCCM 2012?

Thanks. Is there a report that I can run that shows how many approved updates each computer needs? I.E. List each computer and the number of needed updates next to it.

I currently use WSUS to deploy updates and have the servers and settings set with group policy. I'm starting to test the method with SCCM. What do I need to change in my group policy so that it uses my SCCM servers for updates instead of WSUS? I don't want to undo all the settings since I don't want my clients going to Microsoft for updates, nor do I want them being notified of them before I approve the updates. How do I do this?

I have a package that I'm try to update the distribution points. When I tell it to update it, I get a "Not enough free disk spare" error. If I look at the details it says I checked my servers and my parent server has 36GB free on its C drive and 56GB free on the data drive. A secondary site (that is failing) has 36GB free on the C drive and 42GB free on the data drive so free space is not an issue. What else could cause this?

Potentially stupid question. How do you see what updates are needed for a specific computer?

Anyone?

On some of my clients, the SCCM client is failing to install. Looking in the log, I see "This operating system does not contain the correct version of BITS. BITS 2.5 or later is required." Is there a way to have it automatically install BITS 2.5 or can I push it out via WSUS? What is the best way to get around this error without having to go to each computer and manually install BITS?

I just changed to SCCM 2012 with a fresh install (no side-by-side migration). Some of my clients (around 5% or 75 clients) aren't reporting their hardware inventory. I had SCCM reinstall the client but that didn't seem to fix the issue. What can I do to fix this? Is there a log file that I should look in to?

I am setting up SCCM 12 and creating groups to install software. I have a collection set up to deploy Adobe Reader. In that collection, I have two queries set up, 1 that checks for 10.0.0 and one that checks for 10.1.0. It seems like they are an "and" collection so all of the clients are showing up because they only have one. How do I create a query (or collection) that will check for the software and be satisfied if it finds one of the two versions? Is there a way to put a minimum value and anything greater than that is considered installed? Attached is a screen shot of what my collection looks like. Below are the two queries. Adobe Reader X 10.0.0 - English Adobe Reader X 10.1.0 - English

For the RTM version of SCCM 2012 and Endpoint Protection, do I still select "Forefront Endpoint Protection 2010" in the Software Update Point Component?

In SCCM 2007, you could browse to the smspkgm$ share and see all of the deployed packages on the server. Can you do the same in SCCM 2012? I don't see a smspkgm$ share listed.

If I do that, the computers that I don't want to test with but are discovered will still report to the 2007 server, correct?

I'm starting to plan my migration from SCCM 2007 to SCCM 2012 but have some questions I would like answered first. Does SCCM 2012 collect the same type of information about software that is installed? If so, is it kept in the same tables? I have collections based on installed software and want to make sure they keep working. Does SCCM 2012 deploy software based on collection membership? I have software being pushed out based on collection membership (that are based on Active Directory group membership). Will I still be able to deploy software this way? Is there a way to move just a couple computers to SCCM 2012 without moving my whole site? I can put them in a seperate OU but the Subnet, AD Site, etc. will be the same as other clients that I want to stay in SCCM 2007 for the time being. Thanks!

What is the difference between Applications and Packages in SCCM 2012?

I too would be like to know this. We use this method to push out software with SCCM 2007 and would like to do it that same way with 2012.