Kevin79 Posted June 11, 2012

I have a test group of about 40 servers and desktops that have SCEP installed on them. I have 2 antimalware policies, 1 for desktops and 1 for servers, 1 Deployment package for the updates and 3 Automatic Deployment Rules, 1 for desktops, 1 for regular servers and 1 for SCCM servers. (I'll post the configuration of all of them below).

For some reason, my SCCM servers don't seem to update definitions until they are 3 days old and my other servers and desktops are sporadic on the definition updates. Some are current (under a day old, but not the most current definitions) and some are 3 days old. What logs should I look at to troubleshoot? I want them all to be current at all times.

Below are my configurations:

Antimalware Policies
- Desktops
  - Definition updates
    - Check for Endpoint Protection definitions at specific intervals: 8
    - Check for Endpoint Protection definitions daily at: 9 AM
    - Force a definition update if the client computer is offline....: True
    - Set sources: 4 sources selected
      - Updates distributed from Configuration Manager
      - Updates distributed from WSUS
      - Updates distributed from Microsoft Update
      - Updates distributed from Microsoft Malware Protection Center
    - If Configuration Manager is used as a source for definition....: 72
    - If UNC file shares are selected....: (none)
- Servers
  - Definition updates
    - Check for Endpoint Protection definitions at specific intervals: 4
    - Check for Endpoint Protection definitions daily at: 2 AM
    - Force a definition update if the client computer is offline....: False
    - Set sources: 4 sources selected
      - Updates distributed from Configuration Manager
      - Updates distributed from WSUS
      - Updates distributed from Microsoft Update
      - Updates distributed from Microsoft Malware Protection Center
    - If Configuration Manager is used as a source for definition....: 72
    - If UNC file shares are selected....: (none)

Deployment Packages
- Endpoint Protection Updates
  - General
    - Package source: A source on my SCCM server
  - Distribution Settings
    - Distribution priority: Medium
  - Content Locations
    - All my SCCM servers are listed

Automatic Deployment Rules (I'm just going to list a few of the tabs)
- SCCM servers - Last Error Description: Success
  - Evaluation Schedule
    - Run every 4 hours
  - Deployment Schedule
    - Time based on: UTC
    - Software available time: As soon as possible
    - Installation deadline: As soon as possible
- Desktops - Last Error Description: Success
  - Evaluation Schedule
    - Run every 4 hours
  - Deployment Schedule
    - Time based on: Client local time
    - Software available time: 4 hours
    - Installation deadline: As soon as possible
- Servers - Last Error Description: Success
  - Evaluation Schedule
    - Run every 4 hours
  - Deployment Schedule
    - Time based on: Client local time
    - Software available time: 4 hours
    - Installation deadline: As soon as possible

Anyone have any suggestions?

willisj318 Posted June 11, 2012

I have discussed this with a few colleagues but we don't use SCEP so I'm not sure if this is 100% accurate. But check your automatic Sync rule for updates; it needs to be on at least the same schedule as your auto deployment rules. For example, if you want to update SCEP every 8 hours, your updates need to sync every 8 hours, and preferably they sync BEFORE your deployment rule runs. Now this was done in Beta, so that might have changed with the production release.

Kevin79 Posted June 11, 2012

I have SUP syncing every 4 hours so that should be good. Even if it was more, that wouldn't explain why servers and some clients are so far behind, would it?

willisj318 Posted June 11, 2012

You are right. Are you sure the ones up to date are updating from SCCM and not going out to MS? I would take that part out of the policy first to make sure that is not happening. What if you tell the machine to download the definition updates via the console (Right click on the machine, endpoint, download)?

I believe the log you are looking for is under the normal CCM Logs folder and is named EndpointProtectionAgent.log

Kevin79 Posted June 12, 2012

I did as you suggested and taking everything out but the SCCM server from the update list didn't seem to help and neither did telling it to download the definition in the console. I looked at the file EndpointProtectionAgent.log; it doesn't seem to have anything worthwhile in it. Here is part of the log:

Endpoint is triggered by message. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 2.2.903.0. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
EP version 2.2.903.0 is already installed. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
Expected Version 2.2.903.0 is exactly same with installed version 2.2.903.0. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
AM Policy XML is ready. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
Handle EP Deployment Policy. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
EP Policy Endpoint Protection on Servers - Antimalware is already applied. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
EP Client is already installed, will NOT trigger reinstall for now. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
Firewall provider is installed. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/12/2012 6:43:00 AM 3536 (0x0DD0)

I can post the rest if you want but it is just a repeat of the stuff above.

willisj318 Posted June 12, 2012

Yeah, I was looking at our lab and the log is pretty bland. Can you tell if it is finding the update and not downloading it, or just not finding the update at all? Is the auto deployment rule downloading the patches correctly and adding them to the update group, etc?

Kevin79 Posted June 12, 2012

The ADR seems to be downloading the updates fine. How do I tell if the clients are downloading the updates?

willisj318 Posted June 12, 2012

First take a look at Windowsupdate.log in c:\windows and see if you see anything in there about Definition updates. This will tell us if it is even detecting the updates. You will see it scan, tell you there is 1 update to install, it will look something like this. If it is not detecting the update, then something else is going on. If it is detecting it, then it is probably a downloading issue.

2012-06-12 05:00:01:058 2144 e34 COMAPI -- START -- COMAPI: Search [ClientId = CcmExec]
.
2012-06-12 05:00:01:105 988 b38 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
.
2012-06-12 05:00:09:404 988 b38 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://your server name.pcsupport.lab.com:80/ClientWebService/client.asmx
.
2012-06-12 05:00:42:024 988 b38 Agent * Added update {4AE85C00-0EAA-4BE0-B81B-DBD7053D5FAE}.104 to search result <---- you should see a bunch of these
..
2012-06-12 05:01:09:901 988 a0c Agent * Updates to install = 1
2012-06-12 05:01:09:901 988 a0c Agent * Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.127.1762.0)
.
2012-06-12 05:01:30:648 2144 ea4 COMAPI - Install call complete (succeeded = 1, succeeded with errors = 0, failed = 0, unaccounted = 0)
2012-06-12 05:01:38:573 988 b38 Report REPORT EVENT: {04173AD4-F25B-41BE-A968-74B20858E4F8} 2012-06-12 05:01:30:243-0400 1 183 101 {51B0BB1A-AF0B-4F89-960D-39F20D0752A6} 100 0 CcmExec Success Content Install Installation Successful: Windows successfully installed the following update: Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.127.1762.0)
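
Added example, not part of any post in this thread: a Python triage of WindowsUpdate.log entries in the layout quoted above, separating "update never detected" from "detected but not installed". The sample entries are copied from that excerpt; the function names, counters and verdict strings are assumptions made for this illustration.

```python
import re

# Sample input: entries copied from the WindowsUpdate.log excerpt quoted above.
SAMPLE = """\
2012-06-12 05:00:01:105 988 b38 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]
2012-06-12 05:01:09:901 988 a0c Agent * Updates to install = 1
2012-06-12 05:01:09:901 988 a0c Agent * Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.127.1762.0)
2012-06-12 05:01:30:648 2144 ea4 COMAPI - Install call complete (succeeded = 1, succeeded with errors = 0, failed = 0, unaccounted = 0)
"""

# timestamp(:ms)  pid  tid(hex)  component  message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):\d{3}\s+\d+\s+[0-9A-Fa-f]+\s+(\S+)\s+(.*)$")
TITLE = re.compile(r"Title = Definition Update .*?\(Definition ([\d.]+)\)")
INSTALL = re.compile(r"Install call complete \(succeeded = (\d+), "
                     r"succeeded with errors = (\d+), failed = (\d+)")

def triage(log_text):
    """Count scans, detected definition versions and install results."""
    r = {"scans": 0, "detected": [], "installed": 0, "failed": 0, "last_seen": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "." elision markers, blank or wrapped lines
        stamp, component, text = m.groups()
        if component == "Agent" and "Finding updates [CallerId = CcmExec]" in text:
            r["scans"] += 1  # scan started by the ConfigMgr client
        title = TITLE.search(text)
        if component == "Agent" and title:
            r["detected"].append(title.group(1))
            r["last_seen"] = stamp
        done = INSTALL.search(text)
        if component == "COMAPI" and done:
            # Assumption: install calls in the excerpt belong to the definition update.
            r["installed"] += int(done.group(1)) + int(done.group(2))
            r["failed"] += int(done.group(3))
    return r

def verdict(r):
    """Map the counters onto the two cases described in the post."""
    if r["scans"] == 0:
        return "no CcmExec scan logged"
    if not r["detected"]:
        return "scanned, definition update not detected"
    if r["failed"] or r["installed"] == 0:
        return "detected, not installed (look at download/install)"
    return "detected and installed"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)))
```

Running it over each client's log and comparing `last_seen` and the detected definition version across machines shows which ones stopped scanning and which ones scan but never install.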

Kevin79 Posted June 12, 2012

I looked in my WindowsUpdate.log and I don't see anything in the log files but I'm not sure I would since I have updates disabled from WSUS...