SCCM 2012 Endpoint Protection initial update not downloaded

[DBayPlaya2k3]

Hello,

 

Im new to this forum and also new to SCCM.

 

I recently started deploying SCCM 2012 Endpoint Protection to all of our domain computers.

 

This was working well except some of our clients (a mixture of windows xp and windows 7) do not get the initial detonation update after installation.

 

Due to this those clients remain unprotected and the History and Settings screen is grayed out.

 

If I click update manually then it downloads the update, Turns to being Green Icon and Protected. Also the History and Settings Icon are then accessible.

 

 

The odd part is some clients work just fine while others run into this issue.

 

I have tried some of the procedures listed here in the troubleshooting section but with no avail: http://www.windows-noob.com/forums/index.php?/topic/6106-using-system-center-2012-configuration-manager-part-6-adding-the-endpoint-protection-role-configure-alerts-and-custom-antimalware-policies/

 

The clients have an Automatic Deployment Rule and also custom malware polices.

 

Some clients download updates just fine others never get them at all.

 

 

Their is one primary site/server that has the Distribution Point and Software Update Role and another server that is just being used as a Distribution Point.

 

 

Has anyone else ran into this issue before?

 

If I need to upload any logs just let me know.

 

Many thanks for any help.

[Rocket Man]

If you want ConfigMgr to look after your updates via ADRs then would it not be best to just have the Updates distributed from Configuration Manager checked and not all the others?

 

It may not be the solution to your problem but it may not be helping having all the others checked too as the client may be getting mixed up as to where to get the initial update from!

[anyweb]

are these Configuration Manager 2012 SP1 clients ? have you verified what antimalware policy they have applied ?

[DBayPlaya2k3]

are these Configuration Manager 2012 SP1 clients ? have you verified what antimalware policy they have applied ?

 

Sorry for the late reply i apparently am not subscribed to this thread so i got no notification about replies.

 

To answer your question yes these are all Config Mgr 2012 SP1 clients.

 

As far as what antimalware policy they have they do in fact seem to have the correct policy being applied.

 

I checked this post you listed: http://www.niallbrady.com/2013/02/17/how-can-i-determine-what-antimalware-policy-is-applied-to-my-scep-2012-sp1-client/

 

 

Her are the results of verifying using the registry method (ive also verified looking at the ccm console for the specific client) .

 

 

The odd part like i said was that i have clients that work just fine and download the initial update and then others that don't.

 

 

Are there any specific logs I should be looking at for this problem?

[DBayPlaya2k3]

If you want ConfigMgr to look after your updates via ADRs then would it not be best to just have the Updates distributed from Configuration Manager checked and not all the others?

 

It may not be the solution to your problem but it may not be helping having all the others checked too as the client may be getting mixed up as to where to get the initial update from!

 

Never thought of that might be something to look into. The reason i had more than one checked is because we also have mobile clients that don't come into the organization for months.

 

In cases like that I would like them to at least be able to download updates directly from Microsoft.

 

The order of operations means Config Mgr should be checked first before it moved down the list.