System Center 2012 Endpoint Protection - Definitions Installation and Updating

    Question

  • I've just stood up a System Center Configuration Manager 2012 SP1 Environment and as part of the "Default Client Settings" I've enabled "Install Endpoint Protection on Client Computers". Initially I had "Disable alternate sources (such as Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers" set to "Yes" thinking that the clients should be smart enough to go to Configuration Manager for the initial definition installation. As part of my "Default Antimalware Policy" I have "Set sources and order for Endpoint Protection definition updates" set to 2 sources. The sources and order are: 1. Updates distributed from Configuration Manager and 2. Updates distributed from Microsoft Malware Protection Center. Also, I have an "Automatic Deployment Rule" setup and enabled that deploys the definitions to a collection that contains all of my SCCM 2012 SP1 clients. The Automatic Deployment Rule is working.

    When I deploy the SCCM 2012 SP1 client to a PC or Server (which thereby deploys the Endpoint Protection Client) the definitions initially do not install. I've waited up to 20 minutes for the initial definition installation to occur to no avail. As well I restarted the PC/server. The only way to remedy this was either manually click the Update button on the client to force the Endpoint Protection client to update its definitions or set to NO "Disable alternate sources (such as Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers" as part of the "Default Client Settings".


    My questions are as follows:

    1. What is the proper configuration to ensure the clients install their definitions as soon as the Endpoint Protection 2012 client is installed?
    2. What is the difference between the "Automatic Deployment Rule" that pushes the Endpoint Protection Definitions, the setting in the Antimalware Policy that specifies the frequency in which the client checks for definitions and the definition sources it checks, and the "Update" button on the System Center 2012 Endpoint Protection Client?

    My understanding of the Automatic Deployment Rule is that Config Manager 2012 uses Configuration Manager Software Updates to DEPLOY the definitions to all of the clients, and that the "Definition Updates" settings in the Antimalware Policy and the "Updates" button on the System Center 2012 Endpoint Protection client use the settings and sources in the applied Antimalware policy you have specified. Is this correct?


    • Edited by Aray66 Wednesday, January 16, 2013 11:21 PM
    Wednesday, January 16, 2013 11:19 PM

Answers

  • In my experience and testing, the client policy setting "Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers" pertains ONLY to the very first definitions installation right after the Endpoint Protection client is installed. I believe that "Alternate Sources" to SCCM 2012 SP1 are any sources OTHER than Configuration Manager. Review your Client and Antimalware policies and understand that the lower policy "Order" number wins. If you have the "Disable alternate sources" setting set to Yes, the clients will obtain their initial definitions from Configuration Manager BUT you need to have your Automatic Deployment Rule set up to deploy definitions first. Assuming that you have your Automatic Deployment Rule set up to deploy the Endpoint Protection Definitions and you have the "Disable alternate sources" set to "YES", in order for the Endpoint Protection client to execute its first (initial) definitions installation, the machine has to first run the SCCM client's "Software Updates Deployment Evaluation Cycle" to understand that it even requires the definitions in the first place. This can take up to an hour to occur. So it is useful to set the "Disable alternate sources" to No and then in the applicable Antimalware Policy configure the sources you would like to use and their order.

    If you do not want your clients going to the internet then make sure that "Updates distributed from Microsoft Malware Protection Center" and "Updates distributed from Microsoft Update" are NOT checked. If you want your clients to get the defs right away but you don't want them going to the internet, select "Updates from UNC Shares" and place that at the top. Of course you then need to configure the UNC shares for your clients to go to for their initial definitions update.

    • Marked as answer by Aray66 Friday, March 15, 2013 6:22 PM
    Friday, March 15, 2013 4:47 PM

All replies

  • From your description, it sounds like you have everything configured correctly.

    Do you have any maintenance windows configured? If so, go into the settings of your auto deployment rule and go to User Experience -> Deadline behavior and make sure the software installation box is checked so that the maintenance window is ignored for EP updates.

    Also, on the deployment schedule tab, make sure that "as soon as possible" is checked for both available time and deadline.

    EP definitions are just like any other software update that you push, so for them to install through SCCM, a software updates scan must be initiated. The EP client should do this on install. The EndpointProtectionAgent.log in the CCM\Logs folder should have an entry that says "Sending EvaluateAssingments Trigger to Updates Deployment Agent"

    If there is no maintenance window to interfere, the update should be deployed from SCCM soon after that.

    Your question in #2 is something that confused me when I first started using FEP 2010. The definition update schedule you set in the antimalware policy is for when the EP client initiates a definition check. This is the same as if you push the update button in the EP GUI. Both of these actions initiate an unmanaged update, meaning that it will try to download directly from Microsoft Update or MMPC (it also may try to download through WSUS if you have that configured as an option, though why would you since you are using SCCM, right?)

    The auto deploy rule schedule is a software update deployment that is initiated from SCCM. When a new update becomes available and it is newer than the version that is already on the EP client, it pushes down and installs through SCCM. However, if the EP client update schedule is more frequent than the auto deploy rule, the updates will never be able to come from SCCM because they will always be out of date.

    For this reason, your client update schedule needs to be a longer window than your auto deploy rule. For example, I have the client checking for updates every 24 hours, but the auto deploy rule running every 12. This gives ample time for SCCM to update my EP clients before they perform an unmanaged update and grab them from another source.



    Thursday, January 17, 2013 12:34 AM
  • Do you have any maintenance windows configured?  - No

    Also, on the deployment schedule tab, make sure that "as soon as possible" is checked for both available time and deadline. -  Already is

    EP definitions are just like any other software update that you push, so for them to install through SCCM, a software updates scan must be initiated. The EP client should do this on install. - The Endpoint Protection Client I don't believe has anything to do with client Software Update Scans. That's entirely the responsibility of the SCCM client assuming you have "Software Updates" enabled as part of your SCCM client policy.

    The EndpointProtectionAgent.log in the CCM\Logs folder should have an entry that says "Sending EvaluateAssingments Trigger to Updates Deployment Agent" - No such entry in the EndpointProtectionAgent.log on any of my SCCM 2012 SP1 clients. Are we sure this is the log that should contain this entry? Note that I'm on SP1 for SCCM 2012. Again it's my understanding that the SCCM Client and the client policy are dictating software updates scans and not the Endpoint Protection client. I understand that the Automatic Deployment Rule is pushing the Definitions using Software Updates but it's the SCCM Client that is initiating the Software Updates Scan.

    Summary: The Automatic Deployment Rule that I have set up works fine. Once a client is installed and has definitions, thereafter the rule deploys the definitions without issue. The issue is that when I first push the SCCM 2012 SP1 client (which is then followed by the automatic deployment of the Endpoint Protection client), the System Center 2012 Endpoint Protection client sits there without any definitions and is essentially crippled. I've waited for up to 30 minutes for the defs to come down and restarted the PC all to no avail. The only way I can get the defs to come down right after the client is installed is to set to NO, "Disable alternate sources (such as Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers" as part of the "Default Client Settings". The problem with this is the clients are hitting the internet for the FIRST installation of the defs. Don't want that. If I initiate the "Update" button on the EP client the definitions will as well come down that way.

    As well, is there any log that logs the definition update process of the EP client when you use the "Update" button on the EP Client? The Automatic Deployment Rule, like all other Software Updates, is logged in the UpdatesStore.log and other Update xxx logs, but not when the EP client goes after alternate sources for its defs.

    Thursday, January 17, 2013 6:01 PM
  • Digging further into this issue I again set to YES, "Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC Shares) for the initial definition update on client computers." I then deployed an SCCM 2012 SP1 client (and Endpoint Protection 2012 client) to another PC and closely watched many different logs. Because of the client setting mentioned at the beginning of this paragraph, clients are NOT allowed to travel to alternate sources for their INITIAL definition updates. Initial is the key word here (subsequent updates will work with the Automatic Deployment Rule) and therefore they MUST depend on the Automatic Deployment Rule to obtain their initial definition installation. Therefore a successful software updates scan (as we mentioned before) must first execute. In order for the first scan to execute it appears that it takes the SCCM 2012 SP1 client some time to pick itself up by its bootstraps and successfully perform that first Software Updates Scan.

    In my latest test I deployed the SCCM 2012 SP1 client (and Endpoint Protection 2012 Client) to a Windows 7 SP1 PC. SCCM client installation completed successfully at 1:15PM. Nearly 30 minutes later the client tries its first Software Updates Scan and fails. This is the error in the WUAHandler.log:

    <![LOG[Unable to read existing resultant WUA policy. Error = 0x80070002.]LOG]!><time="14:14:47.422+360" date="01-17-2013" component="WUAHandler" context="" type="2" thread="2204" file="sourcemanager.cpp:920">

    Then a minute later another error:

    <![LOG[Scan failed with error = 0x80244015.]LOG]!><time="14:15:29.121+360" date="01-17-2013" component="WUAHandler" context="" type="3" thread="2204" file="cwuahandler.cpp:3520">

    Taking no action on my part the client then at 1:45 PM appears to have finished building itself and successfully performs its first Software Updates Scan which then allows the Automatic Deployment Rule to execute and perform the initial definitions install on the EP client. From this point on we are fine. Nearly 1 hour to run the first Software Updates Scan successfully? Is that typical behavior?

    See this article http://support.microsoft.com/kb/2688242 Sounds like a known issue.

    Therefore if you are doing a large deployment and you don't want your internet bandwidth consumed by EP clients going for a full download of the defs for their initial installation, it appears that you may want to set up a UNC Share and specify that as your alternate source.

    In SCCM 2012 SP1, what is the difference between "Updates distributed from Configuration Manager" and "Updates distributed from WSUS" since Config Manager uses WSUS to distribute updates?

    Thursday, January 17, 2013 9:50 PM
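The WUAHandler.log lines quoted above use the ConfigMgr client's CMTrace entry format. As an added example (not code from the thread or from Microsoft), the following Python parser pulls timestamp, component, severity and HRESULT out of such entries and measures how long the first software updates scan took relative to the client install time. The two warning/error lines are the ones from the post; the "Successfully completed scan" line and the 1:15 PM install time are constructed sample values.

```python
import re
from datetime import datetime

# One CMTrace-format entry as written by ConfigMgr client logs
# (WUAHandler.log, EndpointProtectionAgent.log, UpdatesDeployment.log, ...):
# <![LOG[message]LOG]!><time="HH:MM:SS.mmm+offset" date="MM-DD-YYYY" component="..." ... type="N" ...>
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"'
    r'\s+component="(?P<component>[^"]*)"[^>]*?\btype="(?P<type>\d)"[^>]*>',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace "type" attribute
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")
# The time attribute carries a UTC offset in minutes after the clock value
# (e.g. "14:15:29.121+360"); keep only the local clock value.
CLOCK_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})")


def parse_cmtrace(text):
    """Return a list of dicts (ts, component, severity, msg, hresult) for each entry in text."""
    entries = []
    for m in CMTRACE_RE.finditer(text):
        clock = CLOCK_RE.match(m.group("time")).group(1)
        ts = datetime.strptime(f'{m.group("date")} {clock}', "%m-%d-%Y %H:%M:%S.%f")
        msg = m.group("msg")
        hr = HRESULT_RE.search(msg)
        entries.append({
            "ts": ts,
            "component": m.group("component"),
            "severity": SEVERITY.get(m.group("type"), "unknown"),
            "msg": msg,
            "hresult": hr.group(0).lower() if hr else None,
        })
    return entries


def scan_timeline(entries, client_install_time):
    """Summarise the first software updates scan relative to the ConfigMgr client install time.

    Until a scan succeeds, the Automatic Deployment Rule cannot deliver the initial
    EP definitions, so the minutes-to-first-success figure is the window in which a
    freshly installed client sits without definitions.
    """
    wua = [e for e in entries if e["component"] == "WUAHandler"]
    failures = [e for e in wua if e["severity"] == "error" and "Scan failed" in e["msg"]]
    successes = [e for e in wua if "Successfully completed scan" in e["msg"]]

    def minutes_after_install(e):
        return round((e["ts"] - client_install_time).total_seconds() / 60, 1)

    return {
        "failure_codes": [e["hresult"] for e in failures],
        "minutes_to_first_failure": minutes_after_install(failures[0]) if failures else None,
        "minutes_to_first_success": minutes_after_install(successes[0]) if successes else None,
    }


# Constructed sample: the first two entries are the ones quoted in the thread, the third
# is a made-up success entry roughly 90 minutes after the reported 1:15 PM client install.
SAMPLE_WUAHANDLER_LOG = (
    '<![LOG[Unable to read existing resultant WUA policy. Error = 0x80070002.]LOG]!>'
    '<time="14:14:47.422+360" date="01-17-2013" component="WUAHandler" context="" '
    'type="2" thread="2204" file="sourcemanager.cpp:920">\n'
    '<![LOG[Scan failed with error = 0x80244015.]LOG]!>'
    '<time="14:15:29.121+360" date="01-17-2013" component="WUAHandler" context="" '
    'type="3" thread="2204" file="cwuahandler.cpp:3520">\n'
    '<![LOG[Successfully completed scan.]LOG]!>'
    '<time="14:45:02.000+360" date="01-17-2013" component="WUAHandler" context="" '
    'type="1" thread="2204" file="cwuahandler.cpp">\n'
)
CLIENT_INSTALL_TIME = datetime(2013, 1, 17, 13, 15)  # constructed, from "1:15PM" in the post

if __name__ == "__main__":
    for e in parse_cmtrace(SAMPLE_WUAHANDLER_LOG):
        print(e["ts"], e["severity"], e["hresult"], e["msg"])
    print(scan_timeline(parse_cmtrace(SAMPLE_WUAHANDLER_LOG), CLIENT_INSTALL_TIME))
```

Point it at a real WUAHandler.log copied from C:\Windows\CCM\Logs to see whether the hour-long gap reported in the thread reproduces on your clients.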
  • Hadn't had a chance to reply again until now, but I did some deeper digging on the client where I got the info from the EndpointProtectionAgent.log and, contrary to what I previously thought, it was actually about an hour until the EP definition update came down through SCCM. The UNC share workaround you suggested would probably be your best bet for an initial mass rollout and then maybe change the behavior so that alternative sources are not disabled. I guess that doesn't help if you never want your client hitting the Internet for updates though.

    As well, is there any log that logs the definition update process of the EP client when you use the "Update" button on the EP Client? The Automatic Deployment Rule, like all other Software Updates, is logged in the UpdatesStore.log and other Update xxx logs, but not when the EP client goes after alternate sources for its defs. - When you click the update button, you should see activity in the C:\Windows\WindowsUpdate.log. That should tell you exactly what update path/URL it's checking.

    In SCCM 2012 SP1, what is the difference between "Updates distributed from Configuration Manager" and "Updates distributed from WSUS" since Config Manager uses WSUS to distribute updates? - SCCM is not using WSUS to distribute updates. The only role WSUS plays is to synchronize the update catalog metadata into SCCM. Once it's there, SCCM handles everything else.


    Thursday, January 17, 2013 10:06 PM
  • A few follow-up questions and one issue to resolve:

    1. To use the "Updates from UNC file shares" option in the "Configure Definition Update Sources" under the "Default Antimalware Policy", I downloaded the latest definitions and network inspection definitions for both 32 and 64 bit clients from the Malware Protection Center at: http://www.microsoft.com/security/portal/definitions/howtoforefront.aspx

    Referencing this article on setting up a UNC File Share for definitions, http://technet.microsoft.com/en-us/library/jj822983.aspx (To configure definition downloads from a file share), it states nothing about the kind of directory tree that's required to host the definition updates. Since there are both 32 and 64 bit versions of the same files (mpam-fe.exe and nis_full.exe) I created an x86 folder and an x64 folder. Then in "Configure Definition Update UNC Paths" in the "Default Antimalware Policy" I added \\servername\sharename\x64 and \\servername\sharename\x86 and inside both directories I placed the mpam-fe.exe and nis_full.exe that were appropriate for that architecture. Is this the correct process to use the UNC File Share as a Definition Source?

    2. Issue - in the "Configure Definition Update Sources" in my "Default Antimalware Policy" I unchecked everything except "Updates from UNC file shares". Clicking the Update button on the Update tab of an EP client generates the error "Virus and Spyware definition update failed"; as part of the message it states "System Center Endpoint Protection couldn't check for virus and spyware definition updates. Check your Internet or network connection and try again". Makes sense, right, since I selected ONLY UNC File Share as my source for definition updates. Now the issue. In addition to "Updates from UNC File Shares" I went ahead and checked "Updates distributed from Configuration Manager" and "Updates distributed from Microsoft Malware Protection Center" thinking the Default Antimalware Policy would be reapplied and clicking the Update button on the EP client would then allow the client to traverse the internet to check for defs. Same issue. "Virus and Spyware definition update failed"; as part of the message it states "System Center Endpoint Protection couldn't check for virus and spyware definition updates. Check your Internet or network connection and try again". I've restarted the PC and initiated several "Machine Policy Evaluation and Retrieval Cycles". No effect. It appears to me that the Default Antimalware Policy is not being reapplied after I made the changes to allow for additional sources for definition retrieval. Any idea?

    Friday, January 18, 2013 4:33 PM
  • I believe I have found an issue with the setting "Set sources and order for Endpoint Protection Definition Updates" in the "Definition Updates" section of any Antimalware Policy. If you set to the very top of the order "Updates from UNC File Shares" regardless of your other selections, you will get the message "Virus and Spyware definition update failed" when you click the Update button on your EP client. This tells me that the EP client is ignoring searching any sources you have listed AFTER "Updates from UNC file shares". You can have all of the sources selected and if you have "Updates from UNC File shares" at the top of your search order and it's selected, you'll get the above error. Can anyone else repro this? I can repro it til the cows come home in my environment.

    Friday, January 18, 2013 6:29 PM
  • Hello, I was just wondering about this same scenario. I just deployed this to about 45 clients and maxed our internet for about 30 minutes, which was a bad thing. So I have about 600 more clients to go but want to ensure this won't happen again. I have SCCM 2012 SP1 and the setting for my Endpoint Custom client setting set to Yes for Disable alternate sources for the initial definition updates. So I'm just curious as to why it would use the internet. Also, is there a way to see where a client received its last updates from?

    After the last deployment that maxed our internet pipe I just changed the Endpoint policy for the source updates to only be Configuration Manager and WSUS. I want to test on a few PCs before mass deploying that it won't go to the internet and would like to know how to see where a client pulled its updates from to confirm. The KB talks about just being the initial install and not getting updates. I'm obviously getting updates but not from SCCM. Any help would be appreciated.

    Friday, March 08, 2013 4:11 PM
  • Any luck? Any more info you can share? Ours are doing the same, maxing out the internet.
    Tuesday, March 12, 2013 6:49 PM
  • I have the same issue in my lab - the clients do not have Internet access - at all - so they fail to set up the initial policy.

    If I have to resort to using the UNC approach, doesn't that negate the whole need for a DP in this scenario?


    Growing old with SCCM

    Friday, March 15, 2013 2:58 AM
  • Also, you still need Distribution Points because after the initial Endpoint Protection definitions installation, you want Configuration Manager to push the definitions to your clients via Software Updates. You do this by creating an Automatic Deployment Rule just for your Endpoint Protection Definitions. Because Software Updates is what is pushing your definitions in this scenario, the definitions are replicated to the DPs so that your clients can install them directly from the DP they are assigned to. As well, DPs are not just used for Software Updates but other deployments as well.

    In terms of trying to see where your clients are going for their Defs I have been unable to find this in any log. It may exist somewhere but I haven't found it. But if your clients are using Configuration Manager for their source (which is really software updates), you'll see this in the "Updates Deployment.log".


    • Edited by Aray66 Friday, March 15, 2013 5:11 PM
    Friday, March 15, 2013 5:07 PM
  • Thanks, I know this is not my post - sorry to piggy back onto your original.

    This discussion has helped me out a lot.

    I've changed the source to UNC but the client has not recognised the change - the Windows Update logfile still refers to www, no mention of the UNC I've supplied.

    oh... but wait... maybe I have to refresh the policy at the server and not just a machine policy retrieval cycle...

    BRB



    Growing old with SCCM

    Friday, March 15, 2013 5:57 PM
  • If your Endpoint client is already deployed and has already performed its INITIAL definitions installation and you now want it to use the UNC source instead of Config Manager (Software Updates) then you need to either 1. delete your Automatic Deployment Rule or 2. set the execution frequency of the Automatic Deployment Rule to be greater than the setting in your particular Antimalware Policy "Check for Endpoint Protection definitions at a specific interval". That's discussed in one of the posts further up on this same thread.

    Also, I'm not sure you are going to see any entries in any logs that indicate your SCCM clients are going after a UNC share for their EP defs. Like I stated before, they may be logging it but I haven't found where it's logged. One of the users in this thread stated they logged alternate source hits at C:\Windows\WindowsUpdate.log but I believe a while back I checked that and didn't find any entries. At that point I didn't pursue it any further as I figured out how SCCM and EP operate pertaining to definitions.

    If you change Client Policy or Antimalware Policy it's only necessary to refresh Machine Policy Retrieval and Evaluation on the SCCM client you wish to expedite the policy retrieval on, not the server. Also, with the UNC make sure you have later defs than are already on your clients (assuming your clients already have definitions installed). To force the update, click Update on the EP Client Update tab. If you have UNC checked and it's at the top of the list for your source, your clients won't hit the net even if you have Microsoft Update and Malware Protection Center checked as possible sources. You'll get an error on the EP client when you click Update. See my post on this thread further up.

    Hope this helps

    Friday, March 15, 2013 6:20 PM
  • Sorry for the delay. Forgot to setup alerts so I didn't realize anyone replied. Have them setup now ;)

    Come to find out, my scenario was caused by a previous attempt to install WSUS that I was unaware of since I'm new to this company. All of the PCs were set to use a PC that was set up with the attempt at WSUS. So all of the PCs tried to contact this WSUS server, which wasn't working, and therefore went to the internet. This Default Domain GPO was overriding the SCCM client policy to look at the DP for updates. Once I changed this and disabled auto updating, all clients are now getting their updates from the internet.

    Hope this helps others and thank you all for your help.

    Tuesday, March 26, 2013 5:45 PM
  • I found that having "Disable alternate sources (such as Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers" set to NO in the client policy and making sure that "Updates distributed from Microsoft Update" was checked as a source in the Antimalware Policy allowed the client to go to the ConfigMgr WSUS server for updates as shown in the C:\Windows\WindowsUpdate.log. Without this combination, the client would take approximately an hour to get the initial update (system tray icon would be red) and the manual update button in the client would error.

    Thanks

    Friday, November 08, 2013 5:53 PM