Last Status Sent Date is in the Future
-
Monday, December 03, 2012 4:08 PM
I have had 4 computers over the last year that show up in the Forefront Endpoint Dashboard as the definitions being older than 1 week. When I go to the client everything is up to date. When I run Detail Computer Report on the machine the Last Updated date is in the future.
On 3 of the 4 if I wait until that future date rolls around they start updating normally and everything returns to normal. On 1 computer however when the date rolled around and I ran a Detail Computer Report the Last Updated date had changed to a week later. that date will be here on Dec 7 2012.
In the process of troublshooting these problems I have uninstalled and reinstalled the SCCM client, the Forefront Endpoint Protection client, deleted the computer from system center and let it re-discover and other things. Nothing has fixed the problem. It appears the record for the computer in the database has the wrong date.
I would like to know what is causing these computers or database records to report the wrong dates and what I can do to fix it. By the way there is nothing wrong with the dates on the computers.
- Edited by jtrimme Monday, December 03, 2012 4:09 PM
All Replies
-
Thursday, December 06, 2012 6:06 PM
Hi jtrimme!
Could you check if your Hardware Inventory for this client also reports a date in the future as well? To do this within the ConfigMgr 2007 Admin Console, please select and right-click the affected client from the All Systems collection, then select Start -> Resource Explorer. Once the Resource Source explorer opens for this client, then expand the Resource Explorer and Hardware sections and scroll to the bottom to select Workstation Status and review the Last Hardware Scan entry. I would like to understand if the future dates reported from FEP are also being reported as future dates by the ConfigMgr 2007 client.
I will continue researching to figure out where it is pulling the "Last Updated" date from within the Computer Details Report.
Thanks,
Angela
-
Thursday, December 06, 2012 7:20 PM
Hi again!
I did some further testing and found that the stored procedure, spFEP_GetComputerProtectionStatus, within the FEPDW database is what presents the data for the Protection Status section of the Computer Details Report. The date information is pulled from the function, dbo.fnFEP_Common_Report_GetUTCDate, which ultimately pulls its data from the table, dtFEP_Common_TimeDimension. It seems that the client may be sending this information to the ConfigMgr site database (SMS_<sitecode>) which then populates the FEPDW. I will do some additional testing to see where this information comes from on the client-side and update you as soon as I have more details.
Thanks,
Angela
-
Thursday, December 06, 2012 7:28 PMI have two clients with this problem at the moment. One has a Status Sent Date of 12/7/2012 and a Hardware Inventory Date of 12/5/2012. The other client however has a status Sent Date of 12/30/2012 and a Hardware Inventory Date of 12/28/2012.
-
Thursday, December 06, 2012 8:06 PMI want to ensure we are talking about the same thing. I see Last Updated in my Computer Details Report, is that what you are referencing when you say Status Sent Date?
-
Thursday, December 06, 2012 8:10 PM
Yes that is correct. Somewhere else I see it as status sent but I can't think of where off the top of my head.
-
Friday, December 07, 2012 1:32 PM
Hi!
Are there any changes to your time on these 2 systems, i.e. for testing or via time server?
Thanks,
Angela
-
Friday, December 07, 2012 4:54 PM
Hi again!
Can you also check for Event ID 4616 in your Security Event log which logs a time change event and event ID 1 in the system log too?
Thanks,
Angela
-
Friday, December 07, 2012 8:09 PMI did not see anything with those evnt ID's that had anything to do with time. This is an XP machine so I manually change the date and time and never did get an entry in either log. I tried it on a Windows 7 machine and got the entries you were talking about.
-
Friday, December 07, 2012 8:17 PMI looked up the event ID's for XP and they are 577 and 520 but there are no entries in the security log for those ID's either, even on the changes I made manually.
-
Friday, December 07, 2012 8:32 PMUnfortunately both machine with this problem are XP machines and auditing for those events are not turned on by default. One machine is back to normal now because the Date it was showing for Last Updated is today. The other one will not be normal until 30 December 2012. Is there a query I can run on a database that will reset the time back to a current date?
-
Monday, December 10, 2012 2:00 PMLet me see what information I can find. I would prefer to address root cause in the event this happens again. We are looking into the various namespaces within WMI on the client where the information may be stored and sent to the ConfigMgr site database. I will update you as soon as I have more information.
-
Tuesday, December 11, 2012 1:46 PMOn Friday one of my computers reported in and the Last Updated date on the computer went back to correct day and time. Today I noticed the same computer showing virus definitions out of date again. I ran a Computer Detail Report and now the Last Updated date is 12/21/2012 6:00 PM. Is there one of the logs I can check to see date and time. Just can't figure out where these odd dates are coming from.
-
Thursday, December 13, 2012 3:21 PM
Hi!
Looks like you may want to open a case with our Customer Support team, so we can collect logs and have a better understanding of where things are changing and causing this situation to occur.
Thanks,
Angela
.png)
