Endpoint Protection - How Does Client Report Back Installed Definition Version

Question
-
Hello,
Can anyone tell me what process is used by a client PC to report back to the SCCM server what client definition version is installed on it? We have some clients which when I check their local logs are correctly updating their definitions on a daily basis but when I look at that client in the SCCM console it shows the definition version it thinks is on that client as being quite a bit older.
Thank you for any help.
Stephen
Thursday, May 29, 2014 2:54 PM
Answers
-
Evaluation is done through State Messages.
This is poorly documented on Technet; the only relevant information that I could find is this:
http://blogs.msdn.com/b/steverac/archive/2011/01/07/sccm-state-messaging-in-depth.aspx
http://technet.microsoft.com/en-us/library/bb632678.aspx (2007 but applied to 2012 also)
The second post applies to software updates in general but it's the same for EndPoint Protection. Look for "Topic Type" 1901 and 2001. (2001 is the EP installation state and 1901 is the Antimalware health status)
The Message State 0,1,2,3 looks to be the same as Software Update, this is only based on my investigation in my own environment.
Also review that your EP Summarization is configured well and that your WSUS sync is frequent, as EP definitions are released 4 times a day.
Benoit Lecours | Blog: System Center Dudes
- Proposed as answer by Joyce L Monday, June 2, 2014 6:52 AM
- Marked as answer by Stephen Grantham Tuesday, June 3, 2014 1:56 PM
Friday, May 30, 2014 6:49 PM
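A client-side check that follows the answer above: compare the definition version the client actually has with the 1901/2001 state messages it has queued, and resend any that are still unsent. This is an added example, not code from the thread or from Microsoft; it assumes the SCCM client exposes the CCM_StateMsg class under root\ccm\StateMsg, that SCEP/Defender record the installed version under the "Signature Updates" registry key, and that schedule ID ...111 is the "Send Unsent State Messages" action. Run it elevated on one of the clients the console reports as stale.

```powershell
# Added troubleshooting script (not from the thread). Assumptions are noted inline.

# 1. What definition version is really installed? SCEP and Defender each keep it
#    under a "Signature Updates" key (assumed paths; whichever exists is used).
$regPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',  # SCEP
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'        # Defender
)
$sig = $regPaths | Where-Object { Test-Path $_ } |
       ForEach-Object { Get-ItemProperty -Path $_ } | Select-Object -First 1
if ($sig) {
    "Installed AV definition version: $($sig.AVSignatureVersion)"
} else {
    "No Signature Updates key found; is Endpoint Protection installed?"
}

# 2. Which EP state messages has the client generated, and were they sent?
#    Topic types from the answer: 2001 = EP installation state, 1901 = antimalware health.
$topics = @(1901, 2001)
$msgs = Get-WmiObject -Namespace 'root\ccm\StateMsg' -Class 'CCM_StateMsg' |
        Where-Object { $topics -contains $_.TopicType }

$msgs | ForEach-Object {
    # MessageTime is a WMI datetime string; convert it to a readable DateTime.
    $when = if ($_.MessageTime) { $_.ConvertToDateTime($_.MessageTime) } else { $null }
    New-Object PSObject -Property @{
        TopicType   = $_.TopicType
        TopicID     = $_.TopicID
        StateID     = $_.StateID
        MessageSent = $_.MessageSent
        MessageTime = $when
    }
} | Sort-Object MessageTime | Format-Table -AutoSize

# 3. A stale console value with fresh local definitions usually means the state
#    message never left the client. Trigger "Send Unsent State Messages"
#    (assumed schedule ID ...111) and then watch CCM\Logs\StateMessage.log.
$unsent = @($msgs | Where-Object { -not $_.MessageSent })
if ($unsent.Count -gt 0) {
    "$($unsent.Count) EP state message(s) not yet sent; triggering resend."
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList '{00000000-0000-0000-0000-000000000111}' | Out-Null
} else {
    "All EP state messages are marked as sent; check StateMessage.log and the MP/site server side."
}
```

If the messages show as sent but the console still lags, the gap is on the site side (summarization schedule or state message processing), not on the client.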
All replies
-
Are you saying that the majority of your clients are "Up to 3 days" even if your clients are up-to-date (when you log locally)?
Are you using SCCM and ADR to deploy your definitions? If so, at which frequency?
What's the "Check for Endpoint Protection Definition interval" in your EP Policy?
Usually this is caused by the WSUS sync frequency and the client application of the file being higher than 24h. (Up to 3 days is > 24h and less than 72h.)
Benoit Lecours | Blog: System Center Dudes
Thursday, May 29, 2014 7:38 PM -
Hello,
Thank you for your reply.
The majority of our clients are up-to-date with their definitions and are correctly reporting back. The problem is that there are some clients that have been classified as having their definitions older than 7 days but when I actually look on the client I can see that it is in fact up-to-date and has the latest definitions installed.
I was wanting to know which process the SCCM client uses to send the definition information from the client back to the SCCM server as for some of our clients it seems that the information held on the server is not up-to-date.
Thank you.
Friday, May 30, 2014 1:17 PM -
Many thanks for your reply.
There is some useful stuff there that should help.
Kind Regards,
Stephen
Tuesday, June 3, 2014 1:56 PM