FEP Updates via Config Manager

    Question

  • I am struggling to get FEP updating correctly when I apply the FEP Client either from a task sequence, or place the FEP on the image as shown here.

    Once the image is complete, the FEP client works fine. But the updates don't end up downloading from the SCCM Software Update Point. The problem seems to be shown in the WUAHandler.log, where I found the following:

    Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.121.794.0) (8d872ba4-6bf3-4129-810f-50546cce73cf, 100)          WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

        Leaf: 365fe498-cd95-4980-b097-64dbaa5322b2, 100   Status: Installed  WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

            Leaf: b983761e-ca44-47eb-9e0d-8f7b4597abf1, 100   Status: Installed              WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

        Leaf: 4a0fc03f-41f1-4f95-b41c-1b262f5f07f9, 100   Status: Installed        WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

            Leaf: c403361f-12a7-4efe-a7e8-8e7ceb18bf4e, 100   Status: Installed               WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

            Leaf: dd7b275f-c97e-4bc1-a2c8-7bd4371cf411, 100   Status: Installed               WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

            Leaf: d4040d67-9ff4-4ea8-89bd-bbf9275b1621, 100   Status: Installed              WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

            Leaf: 8d363dcf-82b2-4845-9d2d-67b695f6e469, 100   Status: Installed              WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

        Leaf: 0e3100a5-0e21-48ee-943c-1aff3fd0ac9f, 100   Status: Missing       WUAHandler     3/2/2012 10:12:18 AM    2404 (0x0964)

    The missing leaf update at the bottom is a delta update. I have continued to manually install the deltas until I eventually get the machine up to date. But I don't know why SCCM won't deploy the needed delta files to update FEP to the current definitions after imaging.

    I am attempting to update from Microsoft, and then wait for a new update to come out that hopefully SCCM will deploy over the weekend. But while I wait, are there any ideas on this problem? THANKS


    Friday, March 2, 2012 17:58

Answers

  • Hello Spidey24,

    The "WUAHandler.log" is not the only log to be reviewed in order to fully comprehend and isolate the cause of the updating failure. Check also the Application and System Event logs, as well as the "RepReport*.log", the "MSSecurityClient_Setup_mp_ambits_Install.log" and the "windowsupdate.log", of which the latter is found in the %windir% (generally c:\Windows). Look especially for errors beginning with "0x8" (i.e. 0x80070645).

    Your issue could be that the FEP Definition update files (like the Deltas) were not fully downloaded from the Microsoft Update site to WSUS due to a proxy issue on the server or firewall, which can cause partial downloads of definitions.

    To resolve this type of problem, run a network trace to determine if there are any network traffic issues between the edge firewall and/or proxy server and the WSUS server.

    Another reason could be that the Products/Classifications options for the SUP are corrupt and not syncing for Delta updates.

    To fix such a problem, use the steps below:

    1. Remove the SUP role from SCCM console.
    2. Uninstall windows server update services from Add and remove components.
    3. Delete the Update Services folder from c:\program Files\
    4. Install WSUS 3.0 Sp2 again.
    5. Install Software point role.
    6. Synchronize SCCM with WSUS


    In cases where you need to install the latest definitions immediately, go to http://www.microsoft.com/security/portal/Definitions/HowToForeFront.aspx, download the Forefront definition package, and install it by double-clicking the package file.

    See: Knowledge Base Article: How to manually download the latest definition updates for Microsoft Forefront Client Security and Forefront Endpoint Protection 2010.
    http://go.microsoft.com/fwlink/?LinkID=87588&clcid=0x409

    Should your issue continue to occur, even after applying the suggested troubleshooting, please call Microsoft at 1-800-936-4900 to open a support incident for Forefront Endpoint Protection 2010, as additional troubleshooting will require the downloading and running of several data collection tools.



    With sincere regards,

    Al

    Al Knecht, MCSE 2008, MCTS Server 2008 & FCS, MCITP Server 2008, MCSA 2003, CISSP®

    Microsoft CTS Security Support Engineer


    • Proposed as answer by Al Knecht Wednesday, March 28, 2012 23:38
    • Marked as answer by Rick Tan (Moderator) Thursday, April 5, 2012 01:37
    Wednesday, March 28, 2012 23:38
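
The log check suggested in the answer above, as an added example that is not part of the original thread: a PowerShell function that walks WUAHandler.log-style lines in the layout quoted in the question, reports leaf updates whose status is not Installed, and flags error codes beginning with 0x8. The function name `Get-WuaTriage` is hypothetical, and the final sample line is constructed for illustration.

```powershell
# Added example, not from the original thread.
# The first three sample lines follow the excerpt quoted in the question
# (whitespace normalised); the last line is constructed and uses the
# error code the answer gives as an illustration.
$sample = @'
Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.121.794.0) (8d872ba4-6bf3-4129-810f-50546cce73cf, 100)   WUAHandler   3/2/2012 10:12:18 AM   2404 (0x0964)
    Leaf: 365fe498-cd95-4980-b097-64dbaa5322b2, 100   Status: Installed   WUAHandler   3/2/2012 10:12:18 AM   2404 (0x0964)
    Leaf: 0e3100a5-0e21-48ee-943c-1aff3fd0ac9f, 100   Status: Missing   WUAHandler   3/2/2012 10:12:18 AM   2404 (0x0964)
Constructed failure line, error = 0x80070645.   WUAHandler   3/2/2012 10:12:19 AM   2404 (0x0964)
'@ -split "`r?`n"

function Get-WuaTriage {
    # Hypothetical helper: emits one object per non-installed leaf and per 0x8 error code.
    param([string[]]$Lines)

    $guid    = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $current = $null   # title of the most recent "Update (...)" line

    foreach ($line in $Lines) {
        if ($line -match "Update \((?<state>\w+)\): (?<title>.+) \((?<id>$guid), (?<rev>\d+)\)") {
            # Parent update: remember its title so leaves can be attributed to it.
            $current = $Matches['title']
        } elseif ($line -match "Leaf: (?<id>$guid), (?<rev>\d+)\s+Status: (?<status>\w+)") {
            # Leaf (bundled) update: report anything that is not already installed.
            if ($Matches['status'] -ne 'Installed') {
                [pscustomobject]@{ Kind = 'Leaf'; Parent = $current
                                   Detail = $Matches['id']; Status = $Matches['status'] }
            }
        }

        # Error codes of the kind the answer points to: 0x8 followed by seven hex digits.
        # The trailing thread id, e.g. (0x0964), has only four digits and is not matched.
        foreach ($m in [regex]::Matches($line, '0x8[0-9a-fA-F]{7}\b')) {
            [pscustomobject]@{ Kind = 'HResult'; Parent = $current
                               Detail = $m.Value; Status = 'Error' }
        }
    }
}

Get-WuaTriage -Lines $sample | Format-Table -AutoSize
```

To run it against a real log, pass the output of `Get-Content` for that file as `-Lines`.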

All replies

  • Hi,

    When you write "after imaging", have you included the FEP client in the image? And if so, have you done the necessary steps outlined on TechNet before taking the image:

    http://technet.microsoft.com/en-us/library/gg193355.aspx

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Saturday, March 3, 2012 02:08
  • Yes, as you can see in my post. I linked the article on the word "here" with that same article you referenced.
    Monday, March 5, 2012 22:23
  • Thanks Flextone,
    I actually figured out the solution to my problem just yesterday afternoon. GRRR. It was my fault however. I had checked the FEP Definition templates in the Software Updates of SCCM. Verified that the template was pointing to All Systems. However, I failed to check the properties of the definitions under Deployment Management. Inside of this setting, it was only pointing to my "TestFEP" collection. So I was seeing things work when I added machines to this "TestFEP" collection. But I was assuming there was something special with using the built-in Microsoft installer for FEP that was advertised to the TestFEP collection. Once I made the change to have this deployment go to all systems, def's began to work. DUH!

    Thanks for your detailed troubleshooting however.

    • Marked as answer by spidey24 Thursday, March 29, 2012 16:34
    • Unmarked as answer by spidey24 Tuesday, April 3, 2012 19:12
    Thursday, March 29, 2012 16:34
  • Follow-up...

    This isn't fixed!!! :(

    After moving the Deployment Management target from the TestFEP to the ALLSystems collection, any machine that had previously been deployed by any means (Task Sequence or software deployment package) began to pull the def's. However, I am pulling my hair out still. Newly built WinXP machines can deploy FEP and the def's will deploy. But on new Windows 7 machines, I can deploy the FEP client, by either a Task Sequence or a deployment package, and the newly installed Win7 machines won't pull the def's from SCCM. Policies do apply. SCCM shows the newly deployed machines in the Deployment Succeeded collection. I have pointed the Deployment Management to the Succeeded Deployment collection, but no luck. I have rebuilt the Definition deployment in SCCM, and the results are the same. Machines that were deployed before my change from the TestFEP to ALLSystems pull the new def's. But Win7 machines deployed after the change won't download the updates. I have a case open with MS and am awaiting their call back. But wonder if anyone else would have any ideas...

    Tuesday, April 3, 2012 19:19
  • I think I am experiencing the same issue.  Could you please post back what you found out from Microsoft?
    Tuesday, April 10, 2012 19:19
  • Well, after dealing with Microsoft's tier 1 rep for a week, getting transferred to Tier 2 for another week, I have now been transferred to Tier 1 FEP support. What is being explained to me is that there is an issue with the softwareUpdateAutomation tool that causes issues updating the database for more and more machines. I don't have all the details yet, but in talking to the FEP support rep, it really sounds like pushing updates via SCCM was not the best option in deploying the def's. I was told that if I wanted to run the updates via SCCM, I should do the following monthly.

    1. Go into the wsus server (something I have read many times to stay out of and let sccm handle it) and clean up old updates.

    2. Run a script found here: http://trevorsullivan.net/2011/11/29/configmgr-cleanup-software-updates-objects/ monthly. However, the script errored out anyway.

    Why Microsoft is referring me to external sites to solve my problem is pretty frustrating. Sounds like there is a known issue that they don't want to admit to.

    I was then told that the BEST method is to forget deploying def's via sccm, and deploy them using WSUS. Again, this called for going into WSUS and creating an auto-approve for FEP def's. Modifying my FEP policies to use WSUS, and I was done. I am still testing this now. But so far, all machines that I've been testing with that had 22-30 day old defs, waiting for SCCM to push the updates, now have updates being pulled. The updates still come from SCCM since that's where my WSUS box is, but the sccm isn't used for FEP updates anymore.

    So there's my update. Let me know if you find the same issue/resolution if you can jebusch

    Wednesday, May 2, 2012 19:59