KB3025417 breaks SCEP reporting about malware

    Question

  • So, this is one of the odd ones.

    We have set up our SCCM/SCEP to send e-mails when new malware is found in selected collections (Alerts).

    During last week, I was surprised to see that our environment was without malware at all (according to the endpoint protection status in the SCCM console). That's very unlikely to happen, so I started testing the SCEP client on a newly installed W81 machine. I did a few tests with the following: http://www.eicar.org/86-0-Intended-use.html

    SCEP instantly found the string as malware, which is what I hoped for. I waited to see if the client would report that back to SCCM as usual, but no. Nothing ever shows up in the console.

    Long story short; we went back to see when the last time was we ever received an e-mail based on a malware alert in SCCM. The last e-mail was dated March 14th 2015.

    So we went back to see what happened on our clients back in March, and during our troubleshooting we went through every software update we released in March, and it appears that KB3025417 is causing the trouble here. (Note: I also suspect that the update itself is unnecessary given we have SCEP, and the update is related to Windows Defender. However, the update is seen as required by all W81 clients.)

    We ended up excluding the mentioned update, and reinstalled a client and voila; SCEP works fine again. The minute we install the update, SCEP on the client is no longer reporting the found malware back to SCCM. Also, uninstalling the update doesn't do anything. The damage is done.

    We found a few others reporting similar behaviour. While they don't mention the KB itself, I suspect it's the very same issue: https://social.technet.microsoft.com/Forums/en-US/34903763-b423-41b4-8783-b75df94337d0/scep-email-alerts-stopped-working-in-sccm-2012-r2?forum=FCSNext

    The environment is SCCM 2012 R2 CU4, Antimalware Client Version: 4.8.204.0, Windows 8.1 x64

    Also, note that everything around the SCCM client seems healthy. Deployments are installing and reporting back as usual. Nothing else seems broken, and the SCEP component is also healthy.

    This is probably a case for MS Support, but given that I see a few others with the same issue, I also suspect that there are a lot more out there with the same problem. They just don't know yet, or haven't figured out why it stopped working.

    Any pointers or comments on the above are much appreciated.

    Thanks in advance.



    Martin Bengtsson | www.imab.dk







    Monday, June 01, 2015 7:19 AM

Answers

  • Hi Martin,

    Do you have any update on this?

    A blog was released a few days ago which contains a script; you may want to give it a try:

    System Center Endpoint Protection Client reporting issues after installing KB3025417 on Windows 8.1


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 23, 2015 7:44 AM
    Moderator
  • Hi Martin,

    Do you have any update on this?

    A blog was released a few days ago which contains a script; you may want to give it a try:

    System Center Endpoint Protection Client reporting issues after installing KB3025417 on Windows 8.1


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thanks Daniel, the mentioned script is actually a better solution.

    Fighting my way through 1st line Microsoft support was a struggle and never gave me more than I already figured out myself, so the script is actually a step in the right direction. I last spoke to the support on Friday, and by then, they didn't have any updates to share.

    So I guess we can close this thread with the solution provided by the ConfigMgr team:

    "Uninstalling KB3025417 from affected computers, followed by reinstalling the SCEP client, resolves the reporting issue. As an alternative to uninstalling the update, run the following command on the client to restore reporting functionality. Restart the computer afterward for the provider change to take effect."

    Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate

    Thanks again.


    Martin Bengtsson | www.imab.dk

    Tuesday, June 23, 2015 7:52 AM
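    An added read-only health check (example code, not from the thread, Microsoft or the linked blog) that pulls together the three signals discussed in this thread: whether KB3025417 is installed, whether the root\microsoft\ProtectionManagement CIM provider that the Register-CimProvider command re-registers still answers queries, and whether the running SCEP version matches the installed one (Vidar's missing-reboot indicator). It assumes the MSFT_MpComputerStatus class is present in that namespace, that the KB is listed by Get-HotFix, and that the SCEP client's uninstall entry is named "System Center Endpoint Protection".

```powershell
# Added example, not code from the thread. Read-only check of the SCEP
# reporting path that KB3025417 breaks; run as admin on a Windows 8.1 client.
# Assumptions: MSFT_MpComputerStatus exists in root\microsoft\ProtectionManagement,
# KB3025417 is listed by Get-HotFix, and the SCEP uninstall entry's DisplayName
# starts with "System Center Endpoint Protection".
function Test-ScepReportingHealth {
    $result = [ordered]@{
        KB3025417Installed = [bool](Get-HotFix -Id 'KB3025417' -ErrorAction SilentlyContinue)
        ProviderResponds   = $false
        RunningVersion     = $null
        InstalledVersion   = $null
        RebootPending      = $false
    }

    # 1. Does the ProtectionManagement CIM provider (the one Register-CimProvider
    #    re-registers) still answer queries? Without it the SCCM client has no
    #    malware status to forward to the site server.
    try {
        $status = Get-CimInstance -Namespace 'root\microsoft\ProtectionManagement' `
                                  -ClassName 'MSFT_MpComputerStatus' -ErrorAction Stop
        $result.ProviderResponds = $true
        $result.RunningVersion   = $status.AMProductVersion
    } catch {
        $result.ProviderResponds = $false
    }

    # 2. Installed product version from the uninstall registry key; faster than
    #    Win32_Product and it does not trigger MSI consistency checks.
    $entry = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'System Center Endpoint Protection*' } |
             Select-Object -First 1
    if ($entry) { $result.InstalledVersion = $entry.DisplayVersion }

    # 3. Pending-reboot markers (the "missing reboot flag" Premier Support mentioned).
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $result.RebootPending = (Test-Path $cbs) -or (Test-Path $wua)

    [pscustomobject]$result
}

$health = Test-ScepReportingHealth
$health | Format-List

if ($health.KB3025417Installed -and -not $health.ProviderResponds) {
    Write-Warning 'KB3025417 present and ProtectionManagement provider not responding: re-register the provider and reboot.'
}
if ($health.RunningVersion -and $health.InstalledVersion -and ($health.RunningVersion -ne $health.InstalledVersion)) {
    Write-Warning 'Running and installed SCEP versions differ: a reboot is still outstanding.'
}
```

    The script changes nothing on the client; it is meant for running across a collection (for example via a compliance baseline or remote PowerShell) to find clients that have silently stopped reporting before the alert e-mails go quiet.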

All replies

  • I would definitely open a case ASAP. I'm also going to forward this thread to the PG.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, June 01, 2015 1:03 PM
  • Thanks Jason,

    Further troubleshooting tells us the following:

    1) If I downgrade the SCEP client to version 4.6.305.0 the reporting works while the KB3025417 is installed.

    2) Once the SCEP client gets upgraded to 4.7.209.0 or 4.8.204.0 while KB3025417 is installed, the reporting stops working again.

    3) However, the SCEP reporting works with 4.7.209.0 or 4.8.204.0 as long as KB3025417 is not installed.

    I have opened a case with MS Support. I'll update this thread with more details.


    Martin Bengtsson | www.imab.dk

    Monday, June 01, 2015 2:22 PM
  • Hi Martin !

    We have same problem with KB3025417 and SCEP 4.8.204.0.

    Any response from MS Support?

    //Jens Andersson

    Wednesday, June 03, 2015 1:05 PM
  • Great stuff.

    No, we're not Premier Support customers, so I have to fight my way through 1st line. I requested to speak with a senior engineer, and I'm still waiting for their reply.

    We found that it's not related to which version of SCEP you have, but rather that KB3025417 breaks it, and if you reinstall SCEP (to whatever version) it works again.

    However that's not an acceptable solution.

    The 1st line supporter even asked me why I installed KB3025417 in the first place. As he said: "it's for Windows Defender, and you use SCEP". I had to explain to him that all my W81 clients were requesting the update, and nothing directly tells me the update is for Defender. Then he asked me to exclude the update, but that obviously doesn't do anything for my existing clients. So far an uphill battle.

    I'll let you know when I know more. Perhaps you could open a similar case with MS, to let them know that the KB is breaking stuff? Thanks.


    Martin Bengtsson | www.imab.dk




    Wednesday, June 03, 2015 1:20 PM
  • I know the top tier of CSS is aware of this thread and are investigating. That's the most I can offer.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, June 03, 2015 1:27 PM
  • Thanks Jason :-)

    Martin Bengtsson | www.imab.dk

    Wednesday, June 03, 2015 1:40 PM
  • I have started a case and hope for more information.
    Wednesday, June 03, 2015 1:41 PM
  • I have a case with Premier Support at the moment and the solution I got was basically "restart the ConfigManager agent".
    Seems to be resolving some issues with pending changes to the WMI.
    The SCEP client should be reporting to Config Manager after this.
    Our Config Manager agents are reporting to SCOM as well, and this is not enough to make the SCEP client "Healthy".

    Another indication that there was a missing reboot was that the installed product version in the running SCEP agent version was updated to 4.8.204.0. The installed product referred to the previous version.

        Get-WmiObject Win32_Product | where Name -like "Microsoft End*"

    After boot the versions matched.

    The description of the problem I got was:
        There is an issue with the Update and a missing reboot flag/Notification.

    Reboot the hosts with SCEP and you should be ok!

    Let's hope the product team can fix an update to the patch soon.

    Cheers!

    Vidar Thomassen


    • Edited by VidarTho Thursday, June 04, 2015 12:05 PM
    Thursday, June 04, 2015 11:35 AM
  • I have a case with MS Premier Support and the solution is this:

    Block KB3025417 in SCCM/SUP (wsus)

    Uninstall KB3025417

    Reinstall SCEP client

    Are we the only ones that have WD and the SCEP client simultaneously and patch WD with KB3025417?

    I am certain that WD is disabled when SCEP client is installed.

    Hope that there is no other KB that "crash" SCEP client in the future.

    One more thing to test before deploying SUP-patches.......

    Friday, June 05, 2015 8:45 AM
  • I have a case with MS Premier Support and the solution is this:

    Block KB3025417 in SCCM/SUP (wsus)

    Uninstall KB3025417

    Reinstall SCEP client

    Are we the only ones that have WD and the SCEP client simultaneously and patch WD with KB3025417?

    I am certain that WD is disabled when SCEP client is installed.

    Hope that there is no other KB that "crash" SCEP client in the future.

    One more thing to test before deploying SUP-patches.......

    I've been given the same solution, but that's not acceptable for us. I even wrote that originally, that if I reinstall SCEP, it works again, and they use that as their own solution. Great work.

    I'm still in dialogue with their support though, and I'm stubborn for a better solution. Removing the KB, reinstalling SCEP and a reboot is, to say the least, a sh**** solution.


    Martin Bengtsson | www.imab.dk

    Monday, June 15, 2015 9:25 AM
  • I have a case with Premier Support at the moment and the solution I got was basically "restart the ConfigManager agent".
    Seems to be resolving some issues with pending changes to the WMI.
    The SCEP client should be reporting to Config Manager after this.
    Our Config Manager agents are reporting to SCOM as well, and this is not enough to make the SCEP client "Healthy".

    Another indication that there was a missing reboot was that the installed product version in the running SCEP agent version was updated to 4.8.204.0. The installed product referred to the previous version.

        Get-WmiObject Win32_Product | where Name -like "Microsoft End*"

    After boot the versions matched.

    The description of the problem I got was:
        There is an issue with the Update and a missing reboot flag/Notification.

    Reboot the hosts with SCEP and you should be ok!

    Let's hope the product team can fix an update to the patch soon.

    Cheers!

    Vidar Thomassen



    Reboot is not enough on our end. Our clients have been rebooted several times since KB3025417 was released and installed.

    Martin Bengtsson | www.imab.dk

    Monday, June 15, 2015 9:26 AM