Active clients at risk
Question
-
I'm troubleshooting a problem at a customer with clients showing up in the temporary Collection "Active clients at risk" looking in the SCCM console.
Several clients have the "Endpoint Protection Product Status" like "Service not running" or "Service started without any malware protection engine; AV signatures out of date; AS signatures out of date".
When connecting to these clients with RDP and looking in the SCEP Client UI I can see that they are working as expected and have the latest definitions.
The question is why are they not reporting correctly.
I’m looking in StateMessage.log and can see “Successfully forwarded State Messages to the MP”
At a couple of clients it seems that state messages like “State message(State ID : 1) with TopicType 1901 and TopicId AntimalwareHealthStatus has been recorded for SYSTEM” were missing and I tried to kill the WMI provider and restarted the SCCM client. This worked but I don’t know why.
Anyone seen this behaviour and got a good solution or troubleshooting technique?
Tuesday, June 23, 2015 2:44 PM
Answers
-
The clients might be waiting for a restart after installing Update for System Center Endpoint Protection 2012 Client - 4.8.204.0 (KB304956). Check the Application log for MsiInstaller event 1029: "Product: Microsoft Security Client. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time." I had some clients this morning that reported "Service not running", but a restart fixed them.
Wednesday, June 24, 2015 4:16 PM
All replies
-
Yes, there are events with id 1029:
"
Product: Microsoft Security Client. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time.
"
and also id 1038:
"
Windows Installer requires a system restart. Product Name: Microsoft Security Client.
Product Version: 4.7.0209.0. Product Language: 1033. Type of System Restart: 2.
Reason for Restart: 1.
"
For what reason does the client stop reporting when it has a pending reboot?
Thursday, June 25, 2015 11:17 AM
-
That's a good question, but I'm afraid you would have to ask Microsoft. I just know that after that update was released we saw a big jump in the number of "Active Clients at Risk", but once the machines restarted they were removed from the list.
Thursday, June 25, 2015 1:49 PM
-
After the reboot after the 4.7 upgrade I got a new pending reboot from the 4.8 upgrade...
"
Windows Installer
requires a system restart. Product Name: Microsoft Security Client. Product
Version: 4.8.0204.0. Product Language: 1033. Manufacturer: Microsoft
Corporation. Type of System Restart: 2. Reason for Restart: 1.
"
Today we are deploying the client upgrades together with the definition updates created by the ADR, but maybe we should consider changing this. How do you manage SCEP client updates?
Thursday, June 25, 2015 2:39 PM
-
I always do definition updates with an ADR, since they're released so frequently that you'd never want to manually manage the process. For client updates I usually use ADRs as well and sometimes pending reboots do interfere with reporting.
If accurate reporting is a priority then you could certainly just use ADRs for definitions and manually deploy client updates that coincide with scheduled maintenance windows when you know your clients will be rebooting or you can at least force a reboot with the client installation.
Thursday, June 25, 2015 3:34 PM
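
The Application-log check discussed in this thread (MsiInstaller events 1029 and 1038 for Microsoft Security Client), as an added PowerShell example that is not part of the original posts. The function name `Get-ScepPendingRestart`, the 30-day look-back and the comparison against the last boot time are assumptions made for illustration.

```powershell
# Added example: list deferred-restart events logged for the SCEP client and
# compare the newest one with the last boot time. "RestartPending" is a
# heuristic (event newer than last boot), not an official SCEP/SCCM state.
function Get-ScepPendingRestart {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30,                               # assumed look-back window
        [string]$Product = 'Microsoft Security Client' # product name from the event text
    )

    $eventArgs = @{
        FilterHashtable = @{
            LogName      = 'Application'
            ProviderName = 'MsiInstaller'
            Id           = 1029, 1038
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        ErrorAction     = 'SilentlyContinue'  # no matching events is reported as an error
    }
    $cimArgs = @{ ClassName = 'Win32_OperatingSystem' }

    # Only go over the network when a remote machine is named.
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $eventArgs.ComputerName = $ComputerName
        $cimArgs.ComputerName   = $ComputerName
    }

    # Keep only events whose message names the SCEP client, newest first.
    $events = @(Get-WinEvent @eventArgs |
        Where-Object { $_.Message -like "*$Product*" } |
        Sort-Object TimeCreated -Descending)

    $lastBoot = (Get-CimInstance @cimArgs).LastBootUpTime
    $latest   = $events | Select-Object -First 1

    [pscustomobject]@{
        ComputerName    = $ComputerName
        LastBoot        = $lastBoot
        MatchingEvents  = $events.Count
        LatestEventId   = if ($latest) { $latest.Id } else { $null }
        LatestEventTime = if ($latest) { $latest.TimeCreated } else { $null }
        RestartPending  = [bool]($latest -and $latest.TimeCreated -gt $lastBoot)
    }
}

Get-ScepPendingRestart -Days 14
```

Machines that return `RestartPending = True` are the ones to compare against the "Active clients at risk" collection before investigating state messages or WMI.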