

xc3ss1v3

URGENT! Endpoint Protection Out-of-date on ALL Clients


Just to make sure. Is the update group of your ADR holding a valid definition file?

I remember a similar situation in our environment, when the upstream WSUS ran out of disk space and could not download the newest definitions anymore.

If by that you mean is the deployment up to date and available on the distribution server, then Yes. But, I might not be understanding exactly what you're asking.


One thing I just noticed... It appears as if Default Client Antimalware Policy AND Endpoint Protection - Managed Device Policy are both deployed to clients even though I don't have Default Client Antimalware Policy actually deployed? Is that one that is applied no matter what? If so, do the settings in my custom policy override it? I currently have the custom policy order set to 1 and Default is set to 10000.

 

Highest priority always wins, so don't worry. If you scroll down the GUI even more, you might see other policies applied also.


Do you happen to have any other ideas of what I might be able to try to test with or look at in regard to what's going on? I asked my network guys to allow clients out to update definitions, which all have done, so all is okay on that front. But, that's not something they want to continue to allow. I can't help but think that this is being caused by something on their end, but I can't say that without having some kind of proof. I need to be able to show that 1) the definition updates are available for clients to receive and 2) an error of some kind showing that the client is attempting to pull definitions from ConfigMgr and cannot.


Well, we'll need the logs from a client with the issue. Zip them up and attach them to this thread; they'll be in c:\windows\ccm\logs. Attach the c:\windows\windowsupdate.log also.

Can you also confirm if normal software distribution is working on these clients, or has that stopped also? And what version of Configuration Manager are you running?


Here you go. Note that this system (like all others) was successfully updated yesterday via Microsoft's update. We did that to make sure all clients are back to current for the time being. But, we have initiated the block on that access again and now systems, such as this, are not showing updates for today's definition.

 

We're using R2

 

Oh.. and other software updates do appear to be working. Windows updates were pushed last night and they seem to be installing without incident.

WindowsUpdate.zip

Logs.zip


I need more logs. Do the below please and attach the logs here.

 

The following log files will also aid in troubleshooting definition update retrieval. Browse to C:\Windows\Temp and look for the following log files:

  • MpCmdRun.Log
  • MpSigStub.Log

To get extensive logfiles open an administrative command prompt and CD to the following directory on the client,

C:\Program Files\Microsoft Security Client\Antimalware

and execute the following command

MpCmdRun.exe -getfiles

the following will be output

post-1-0-54221800-1349032895.png

The log files are stored in C:\ProgramData\Microsoft\Microsoft Antimalware\Support, and that directory in turn will contain a CAB file (MPSupportFiles.cab) which has several relevant log files to examine.

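The collection steps from the posts above, gathered into one PowerShell script. This is an added example, not part of the original thread; the source paths are the ones named in the posts, while the output folder name, the `missing_sources.txt` file and the use of `Compress-Archive` (PowerShell 5.0 or later) are assumptions.

```powershell
# Added example (not from the thread): collect the client logs requested above into one zip.
# Run from an elevated PowerShell 5.0+ session on the affected client.
$ErrorActionPreference = 'Stop'

# Assumption: stage everything under %TEMP% in a folder named after the host and time.
$OutDir = Join-Path $env:TEMP ("EPLogs_{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Ask the antimalware client to build its support CAB (MpCmdRun.exe -getfiles).
$MpCmdRun = 'C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe'
$GetFilesLog = Join-Path $OutDir 'MpCmdRun_getfiles_output.txt'
if (Test-Path $MpCmdRun) {
    & $MpCmdRun -getfiles | Out-File $GetFilesLog
    "MpCmdRun exit code: $LASTEXITCODE" | Out-File $GetFilesLog -Append
} else {
    Write-Warning "MpCmdRun.exe not found at $MpCmdRun"
}

# Paths named in the thread.
$Sources = @(
    'C:\Windows\CCM\Logs',
    'C:\Windows\WindowsUpdate.log',
    'C:\Windows\Temp\MpCmdRun.log',
    'C:\Windows\Temp\MpSigStub.log',
    'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPSupportFiles.cab'
)

# Copy first instead of zipping in place, because live logs may be held open by the client.
$Missing = @()
foreach ($Source in $Sources) {
    if (Test-Path $Source) {
        Copy-Item -Path $Source -Destination $OutDir -Recurse -Force -ErrorAction Continue
    } else {
        $Missing += $Source
    }
}

# Record what was absent, so a missing log is visible rather than silently skipped.
$Missing | Out-File (Join-Path $OutDir 'missing_sources.txt')

$Zip = "$OutDir.zip"
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $Zip
Write-Output "Collected logs: $Zip"
```

These logs include host names, site server names and account names, so review the archive before attaching it to a public thread.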

OK, if you look at the Content Status for the package that contains your Endpoint Protection Definition Updates, what is the status?


Everything looks good in that regard. And, it seems all my clients are now updating properly. The only thing I can think of is that policy that was keeping clients from updating via ConfigMgr after being out of date for X days. Did you see anything out of sorts in the logs?
