CDosRun Posted October 2, 2013 Report post Posted October 2, 2013 This issue haunted me for days, but I finally solved it and wanted to post it for posterity. BACKGROUND System Center Endpoint Protection 2012 rolled out successfully to workstations via SCCM 2012 SP1. All workstations are receiving SCEP definition updates through WSUS. Workstations are domain joined Windows 7 Ultimate SP1. SCEP policy successfully applied to all workstations. ISSUE A few workstations were not displaying the definition version in the SCCM console. Problematic workstations would indicate only a "Managed" status in SCCM, but all other SCEP information was blank or empty. In the workstation Summary tab in SCCM, "Endpoint Protection Deployment Information" section is blank except for "Managed" status. SCEP Client Version is blank. "Endpoint Protection Remediation Information" is also completely blank. See attached picture. When physically logged into the workstations, SCEP displays the latest definition version but something was stopping it from reporting it to SCCM. Hardware and Software Inventory were successful, and displays properly in SCCM. SCEP-related logs seemed normal. SCCM logs were normal. SYMPTOMS We noticed the following similarities among the problematic workstations: When using Computer Management (compmgmt.msc) to manage the workstations remotely, I would get "Access Denied" warning message prior to Computer Management populating Event Viewer would be empty or blank when viewing it remotely Windows Event Log service was always stopped When attempting to start the Windows Event Log service, the following error message appeared: "Windows could not start the Windows Event Log service on <FQDN of workstation>. Error 4201: The instance name passed was not recognized as valid by a WMI data provider." SOLUTION The security permissions on the folder C:\Windows\System32\LogFiles\WMI\RtBackup was incorrectly set to full control to Domain Admins. The permissions were changed to SYSTEM with Full Control. The owner was also changed to the local administrators group. A restart is necessary after making the change. SCCM console finally started displaying the SCEP definition version and other SCEP information. OTHER ACTIONS TAKEN THAT FAILED TO FIX ITI performed the following in an attempt to fix the issue before finding the final solution, so these things may or may not be a factor in getting it to work: Uninstalled and reinstalled SCCM agent Uninstalled and reinstalled SCEP Repaired .NET Framework 4 Client Rebuilt, reset, and salvaged the WMI repository 1 Quote Share this post Link to post Share on other sites More sharing options...
