Jump to content


Photo

using SCCM 2012 RC in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings


  • Please log in to reply
89 replies to this topic

#1 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 05 November 2011 - 01:11 PM

NOTE: This post is superseded by the following post for the RTM version of Configuration Manager 2012.

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling some Discovery methods and creating Boundary's and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, now we will enable the Endpoint Protection Role and configure Endpoint Protection settings and we will target All Windows 7 Computers with these settings and policies.

Note: In Part 2 we selected Definition Updates in the Classifications screen to support Endpoint Protection as part of the SUP role setup, if you havn't completed that part then do so now before continuing.


Below is an Introduction to Endpoint Protection in Configuration Manager, for more info see the following on Technet - http://technet.micro...y/hh508781.aspx

When you use Endpoint Protection with Configuration Manager, you benefit from the following:
  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.
Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:
  • Malware and Spyware detection and remediation.
  • Rootkit detection and remediation.
  • Critical vulnerability assessment and automatic definition and engine updates.
  • Integrated Windows Firewall management.
  • Network vulnerability detection via Network Inspection System.
Recommended Reading:-








Prerequisites for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508780.aspx
Best Practices for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508771.aspx
Administrator Workflow for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh526775.aspx


Step 1. Configure the Endpoint Protection Role

Perform the following on the SCCM server as SMSadmin

Note: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Servers and Site System Roles and click on Home in the Ribbon and click on Add Site System Roles.

home in the ribbon.png

when the wizard appears click next

wizard next.png

Select the Endpoint Protection Point role and click next

select endpoint protection role.png

Read and then accept the License Agreement terms

eula for endpoint.png

Next you get some choices about Microsoft Active Protection service, you can opt in, or opt out, let's select Basic Membership.

microsoft active protection service.png

click next at the summary and review the status on the completion screen.

ep role added.png

within a few minutes you'll see the Endpoint Protection client appear in the System Tray of your ConfigMgr Server (this is normal behaviour and is expected, you must have the SCEP client installed on your ConfigMgr Server hosting the Endpoint Protection role).

ep client in systray.png

Note: you can review the EPSetup.log on the server to monitor role installation progress.



Step 2. Configure alerts for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users. You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients.

Configure Email Notification (Optional)

If you have access to an SMTP server then you can optionally configure Email Notification Alerts. In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Email Notification.

email notification.png

enter your desired settings for SMTP and click Apply. Note that you can test your SMTP settings also.

test smtp connection.png

Configure Alerts for Collections

Next let's configure Alerts for a Collection, but first let's create a collection called All Windows 7 Computers (in a LAB this is fine for what we want to do, in Production you should create EndPoint Protection specific Collections).

Note:- You cannot configure alerts for User Collections.Click on Assets and Complicance in the console,click on Device Collections and in the ribbon click on Create Device Collection.

create device collection.png

Call the collection All Windows 7 Computers and limit it to All Systems

create device collection wizard.png

click next, choose Query Rule from the drop down menu and fill in a Query like so (edit query statement, criteria, show query language and replace the code with the below)

select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

query rule properties.png

set the schedule as follows (it's a LAB)

custom schedule.png

click next through the wizard, the collection is now created.

collection created.png

In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection (we have no computers in this collection yet but we will have soon), choose properties

properties of collection.png

Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard

alerts tab.png

click on Add and select all the options

alerts options.png

click ok and leave the other Alert settings as they are

alerts tab configured.png



Step 3. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

software update point components.png

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

forefront endpoint protection.png

change the Sync Schedule to 1 days

1 day sync.png

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates

sync now.png

answer Yes to the Sync

yes to sync.png

at this point you can review the Wsyncmgr.log in CMtrace

done syncing.png



Step 4. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

Perform the following on the SCCM server as SMSadmin

In the Configuration Manager console, click Software Library, expand Software Updates and click on Automatic Deployment Rules

Automatic Deployment Rules.png

in the Ribbon click on Create Automatic Deployment Rule and the wizard appears, give the rule a suitable name like Automatic Deployment Rule for Endpoint Protection and point it to our previously created All Windows 7 Computers collection, select add to an exisiting software update group

add to an existing software update group.png

On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next this reduces State Messages returned and thus reduces Configuration Manager server load

detail level minimum.png

on the Software Updates page select Date Released or Revised

value to find.png

in the Search Criteria pane, click on Value to find and select Last 1 day

last 1 day.png

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.
product = forefront endpoint protection 2010.png

for Evaluation Schedule, click on Customize and set it to run every 1 days,

Tip: notice that the Synchronization Schedule is listed below, make sure that this occurs at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates, there is no point checking for updates if we haven't synchronized yet.

every 1 days.png

for Deployment Schedule set Time based on: UTC (if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.), for software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points and select As soon as possible for the installation Deadline.

adr deployment schedule.png

for the User Visual Experience select Hide from the drop down menu

hide user visual experience.png

for Alerts enable the option to generate an alert

generate an alert.png

for download settings as the definition updates are important let's download them even if on slow networks

download settings.png

For Deployment Package we are creating a new one so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist. In addition Everytime this ADR runs it will want to create a new deployment package as specified above, we do not want this to happen so after running the ADR once, retire it and create a new ADR except this time point the deployment package to the packaged which is now created called Endpoint Protection Definition Updates.


create a new deployment package.png

click your way through the rest of the Wizard till completion

adr done.png

if you scroll to the right you'll see nothing has been downloaded, yet...(because our Automatic Deployment Rule hasn't run yet since the sync)

not downloaded.png

so let's force the Automatic Deployment Rule to run now, right click on our ADR and choose Run Now

automatic deployment rules run now.png

and after a few minutes look at our Definition Updates again, notice the difference ?

downloaded yes.png


Step 5. Configure Custom Client Settings for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these applied to all computers in your hierarchy.

Below is an explanation of the EndPoint Protection settings available:-


Manage Endpoint Protection client on client computers

  • Select True if you want to manage existing Endpoint Protection clients on computers in your hierarchy.
  • Select this option if you have already installed the Endpoint Protection client and want to manage it with Configuration Manager.
  • You should also select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client and deploy this script using a Configuration Manager application or package and program.
Install Endpoint Protection client on client computers
  • Select True to install and enable the Endpoint Protection client on client computers where it is not already installed.
Automatically remove previously installed antimalware software before Endpoint Protection is installed
  • Select True to uninstall existing antimalware software.
Posted ImageNote Endpoint Protection uninstalls the following antimalware software only:


















All current Microsoft antimalware products except for Windows InTune and Microsoft Security Essentials
Symantec AntiVirus Corporate Edition version 10
Symantec Endpoint Protection version 11
Symantec Endpoint Protection Small Business Edition version 12
Mcafee VirusScan Enterprise version 8
Trend Micro OfficeScan

Suppress any required computer restart after the Endpoint Protection client installed
  • Select True to suppress a computer restart if it is required after the Endpoint Protection client installs.
Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)
  • Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client installs.
Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers
  • Select True if you want to allow only Configuration Manager to install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.





















In the Configuration Manager console, click Administration, click Client Settings and on the Home tab in the Create group, click Create Custom Client Device Settings.

create customclient device settings.png

Select Endpoint Protection and call it Custom Client Device Endpoint Protection Settings

custom client device endpoint protection settings.png

click on Endpoint Protection and review the settings, change them to as follows:-
  • Manage Endpoint Protection Client on Client Computers = True
  • Install Endpoint Protection Client on Client Computers = True
  • Automatically remove previously installed antimalware software before Endpoint Protection is installed = True
  • Suppress any required computer restart after the Endpoint Protection client installed = False
  • Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) = 1
  • Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers = True

endpoint protection manage clients.png

click ok when done, right click on the new custom settings and choose Deploy

deploy custom client settings.png

select our All Windows 7 Computers collection and choose Ok.

deploy to all windows 7 computers.png



Step 6. Configure Custom AntiMalware Policies

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default client Malware Policy unless you are sure that you want these applied to all computers in your hierarchy.

There are several pre-created AntiMalware Policies available, to review/use them click on Import. (see screenshot below)

import antimalware policies.png

We will create our own policy in this LAB so in the Configuration Manager console, click Assets and Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy

create antimalware policy.png

give the policy a name like Custom Endpoint Protection Antimalware Policy

custom endpoint protection antimalware policy.png

for Scheduled scans change to Daily at 12 pm (default was Saturday, 2am) and set it to check for latest definition updates before the scan and to randomize the scan start time

scheduled scans.png

for Definition Updates set the check to 2 hours and click on set source, only select Updates distributed from Configuration Manager (deselet the other options)

Note: if your SCCM server has no internet access you can configure it to check for updates from UNC file shares

updates distributed from Configuration Manager.png

Click Ok, Ok.


Right click our Custom Endpoint Protection Antimalware Policy and select Deploy, choose our All Windows 7 Computers Collection as we did for the Device settings above.

deploy custom antimalware policy.png

that's it we are done !

we have now created custom Client Device settings and a Custom Antimalware Policy for our All Windows 7 Computers collection, in further posts we will add some computers to that collection and verify our Endpoint Protection settings.

Note: If you are having issues with the client installing or getting the Endpoint Protection role installed please refer to the following Endpoint Protection Log files.
  • EndpointProtectionAgent.log - Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
  • EPCtrlMgr.log - Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
  • EPMgr.log - Monitors the status of the Endpoint Protection site system role.
  • EPSetup.log - Provides information about the installation of the Endpoint Protection site system role.

  • jmmj69 likes this
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#2 aristotiles

aristotiles

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 17 November 2011 - 02:48 PM

Hi together,
i got problems with the automatic deployment rule. i get the error code 0X87D20417 with the following information: automatic deployment rule download failed. when i start the download of a forefront update manualy i works great and places the update in the selected folder.
Can anyone give my a little bit help.
in the ruleengine.log i got the following error: Failed to download the update from internet. Error = 5 and in the next line Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5.
:(
Brgds, Jan

#3 tmewin

tmewin

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 18 November 2011 - 02:39 AM

Hi

I'm doing some testing in deploying FEP 2012 to clients in another state but in monitoring its showing that the clients haven't been deployed.

I'm wondering if there is a way to see why the clients didn't install so that i can remedy it. Looking around i can't seem to find any logs or monitoring for whether the FEP client error out.

Thanks

#4 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 01 December 2011 - 12:13 PM

are you referring to EP as from being installed above or purely talking about FEP 2012 on a different version of SCCM ? please clarify
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#5 n00blar

n00blar

    Advanced Member

  • Members
  • PipPipPip
  • 74 posts
  • Gender:Male
  • Location:USA

Posted 02 December 2011 - 02:02 PM

I noticed something in my lab environment.

1. System Center 2012 Endpoint Protection shows as: real-time protection OFF and virus and spyware definitions Out of date

How do I go about changing these settings? I can't find them on SCCM.

#6 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 02 December 2011 - 09:11 PM

if you follow what I did above then real time protection will be ON and your virus definitions will be up to date assuming you are checking on a Windows 7 client in the All Windows 7 computers collection as that's where we targetted the deployments
can you please double check ?
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#7 n00blar

n00blar

    Advanced Member

  • Members
  • PipPipPip
  • 74 posts
  • Gender:Male
  • Location:USA

Posted 02 December 2011 - 10:18 PM

if you follow what I did above then real time protection will be ON and your virus definitions will be up to date assuming you are checking on a Windows 7 client in the All Windows 7 computers collection as that's where we targetted the deployments
can you please double check ?


Yup, you're right. It takes a few minutes (10-20min) before SCCM starts to deploy the updates; I was not waiting long enough.

Thanks!
  • anyweb likes this

#8 t0meck

t0meck

    Member

  • Members
  • PipPip
  • 10 posts

Posted 03 December 2011 - 01:49 PM

Hi together,
i got problems with the automatic deployment rule. i get the error code 0X87D20417 with the following information: automatic deployment rule download failed. when i start the download of a forefront update manualy i works great and places the update in the selected folder.
Can anyone give my a little bit help.
in the ruleengine.log i got the following error: Failed to download the update from internet. Error = 5 and in the next line Failed to download contentID 16791605 for UpdateID 16792808. Error code = 5.
:(
Brgds, Jan


I've got the same problem but in my situation even manual initiated download gives me "Access Denied" so if you have any solution for this please let me know.

#9 Jeff K

Jeff K

    Advanced Member

  • Members
  • PipPipPip
  • 52 posts

Posted 03 December 2011 - 09:38 PM

so if i was serious about the deployment, should these be the settings i choose for deploying?

Date released or revised > 1 day
Product > "ForeFront EndPoint Protection 2010"
Update Classification > Defintion updates

BTW i thank you for getting me started very quickly. i have instructed all people around my organzation to your site for helpful tips and trciks, as wellas the amazing guides. any hope of getting a PDF or word doc for offline references?

#10 hypercube33

hypercube33

    Member

  • Members
  • PipPip
  • 23 posts

Posted 05 December 2011 - 03:51 PM


I dont see how this product is anywhere near ready for production - how do we roll this out when the product is gold? It looks like its an all-or-nothing piece. I'd love to be able to test it on 10% of our machines to make sure it can uninstall current products with success and then kick it out - how would one do this?




#11 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 05 December 2011 - 08:37 PM


I dont see how this product is anywhere near ready for production - how do we roll this out when the product is gold? It looks like its an all-or-nothing piece. I'd love to be able to test it on 10% of our machines to make sure it can uninstall current products with success and then kick it out - how would one do this?







what do you mean all or nothing ? if you don't want the SCEP agent installed then configure the Default client agent settings and your heirarchy will get no SCEP agent, if you want 10% of your computers to get it then configure custom client settings for that collection and they'll get the SCEP agent, you can then configure custom antimalware policies for those 10%
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#12 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 05 December 2011 - 08:39 PM


BTW i thank you for getting me started very quickly. i have instructed all people around my organzation to your site for helpful tips and trciks, as wellas the amazing guides. any hope of getting a PDF or word doc for offline references?


If I get time in the future to convert these docs to pdf format then i'll do so, but not right now sorry
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#13 tmewin

tmewin

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 07 December 2011 - 12:21 AM

are you referring to EP as from being installed above or purely talking about FEP 2012 on a different version of SCCM ? please clarify


I'm talking about the above install and deploying FEP 2012 using sccm 2012. Trying to access the requirements for different business locations so i got a test lab setup in canada as a 2nd site and the client is not deploying. So i wonder where i can get logs or something to see what the issue is.

Thanks

#14 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 07 December 2011 - 09:15 AM


I'm talking about the above install and deploying FEP 2012 using sccm 2012. Trying to access the requirements for different business locations so i got a test lab setup in canada as a 2nd site and the client is not deploying. So i wonder where i can get logs or something to see what the issue is.

Thanks


why are you deploying FEP 2012 clients when SCCM 2012 RC has the Endpoint Protection role and SCEP clients built in ? am I missing something here ?
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#15 hypercube33

hypercube33

    Member

  • Members
  • PipPip
  • 23 posts

Posted 07 December 2011 - 02:38 PM


If I get time in the future to convert these docs to pdf format then i'll do so, but not right now sorry


I can upload them to somewhere i have converted a ton of them to word which is easy to save as PDF. I also corrected a few minor things like adding screenshots where one wasnt, etc.

#16 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 07 December 2011 - 03:51 PM

do you have dropbox ?
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#17 gordonf

gordonf

    Advanced Member

  • Members
  • PipPipPip
  • 30 posts
  • Gender:Male

Posted 07 December 2011 - 10:15 PM

I've only gotten automated definition updates working by selecting WSUS as a source and specifying that source in Group Policy; leaving only "Configuration Manager" enabled consistently gives me quick "you're out of date" responses when I click the Update button. I do have the automatic deployment rule set up and it did download updates to the share I specified -- following the example in Step 4 to the letter except calling the folder "Forefront" instead of "Endpoint."

Am I missing a permission or some other setting here? The logs on the FEP client don't tell me anything. The FEP client had Windows Update and the MS Malware Center as sources (HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\FallbackOrder). This changed to "InternalDefinitionUpdateServer" when I turned on both Config Manager and WSUS as sources.

What's the point of having System Center download and approve the updates when WSUS can auto-approve the definition updates as well, and auto-update from System Center seems to do nothing?

#18 anyweb

anyweb

    Administrator

  • Root Admin
  • PipPipPip
  • 5,871 posts
  • Gender:Male
  • Location:Sweden
  • Interests:Deploying Operating systems and more with System Center Configuration Manager

Posted 08 December 2011 - 08:50 AM

Well it's working fine for me in my lab so I'm guessing you have misconfigured something, or forgotten to do an important step,
can you disable your wsus group policy and double check all the steps in this part, it should work.
Microsoft MVP > Enterprise Client Management
My linkedin profile at > linkedin.com
Follow me on Twitter > ncbrady
Follow windowsnoob.com on Twitter > windowsnoob
My blog

#19 gordonf

gordonf

    Advanced Member

  • Members
  • PipPipPip
  • 30 posts
  • Gender:Male

Posted 08 December 2011 - 01:03 PM

Well it's working fine for me in my lab so I'm guessing you have misconfigured something, or forgotten to do an important step,
can you disable your wsus group policy and double check all the steps in this part, it should work.

Thanks for responding, but I had tried disabling my WSUS-related group policy objects for the container where my test PCs are and I get the same result. I did gupdate /force and checked the Policy reg key to make sure the changes took effect. I'll keep checking.

Are there any logs that I've missed that are related to this? The System event log tells me about setting changes, and it reports update sources that fail (like Windows Update and MSMC) when they're enabled.

This is the third time, actually, that I've gotten through to this step. Twice I've gotten this result; the third time I messed up something on SQL and broke it completely but I know what happened there.

Speaking of SQL, I have a different problem but I'll raise that in Part 1.

#20 Peter van der Woude

Peter van der Woude

    Advanced Member

  • Moderators
  • PipPipPip
  • 2,386 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 December 2011 - 08:03 AM

When you run a RSOP on that machine, does it still say something about the update location?
Also what update location is show in the windowsupdate.log?

My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Locations of visitors to this page