xc3ss1v3 Posted July 8, 2014

Hey guys... It's come to my attention that all of our clients are now out-of-date in regard to definition updates. I will first note that our networking side did replace the firewall around the same time that this issue started. However, I don't really have any ammunition to go at them with as to why it is (if it is) their fault. This has just been one of those things that has always worked. As for my setup, I have an ADR created that creates deployments for definition updates as soon as they are downloaded each day. From what I can tell, it last downloaded and deployed an update this morning around 10 a.m. So, it seems as if the issue is that the clients aren't getting the deployment. Is there a log of some sort I can look at to find potential issues? Thanks in advance.

Peter van der Woude Posted July 8, 2014

If you are using the software updates via ConfigMgr then look at the client log files that start with update*

xc3ss1v3 Posted July 8, 2014

> If you are using the software updates via ConfigMgr then look at the client log files that start with update*

I hope you can excuse my "noob-ness" in this regard, but would you care to elaborate?

Peter van der Woude Posted July 8, 2014

Look at a problematic client in the Windows\CCM\Log directory in the log files that start with Update*. Those log files should give some indication if the client is still able to communicate with ConfigMgr for updates.

xc3ss1v3 Posted July 8, 2014

> Look at a problematic client in the Windows\CCM\Log directory in the log files that start with Update*. Those log files should give some indication if the client is still able to communicate with ConfigMgr for updates.

Thanks for the clarification. In looking at those logs, I'm not seeing any errors (that I can tell). To me, this just seems like some kind of breakdown of communication between the clients and servers in particular regard to SCEP. Completely at a loss ):

Peter33 Posted July 8, 2014

Try to push the definition update from the SCCM Management Console to your client and then check the client logs. Sort the directory by date to see which logs have any changes. Also check your windowsupdate.log for errors.

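The log check suggested in the replies above, as an added example that is not part of any poster's message: it lists the client's Update* logs newest first, then pulls warning and error entries out of them and out of windowsupdate.log. It assumes the default client log folder (C:\Windows\CCM\Logs), the CMTrace entry layout those logs use, and a plain-text WindowsUpdate.log as on Windows 7/8; the parameter names `$LogDir` and `$Days` are made up for this example.

```powershell
# Added example, not from the thread. Run on a problematic client.
param(
    [string]$LogDir = (Join-Path $env:WINDIR 'CCM\Logs'),  # assumed default client log folder
    [int]$Days = 3                                         # only scan logs written this recently
)

# CMTrace entry layout:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
# type 1 = information, 2 = warning, 3 = error
$entry = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" date="(?<date>[\d-]+)" component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
$severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }

# Step 1: sort the Update* logs by date to see which ones are still being written.
$logs = Get-ChildItem -Path $LogDir -Filter 'Update*.log' |
    Sort-Object LastWriteTime -Descending
$logs | Format-Table Name, LastWriteTime, Length -AutoSize | Out-Host

# Step 2: report warnings, errors, and any entry carrying a 0x8....... failure code.
$cutoff = (Get-Date).AddDays(-$Days)
foreach ($log in $logs | Where-Object LastWriteTime -ge $cutoff) {
    $text = Get-Content -Path $log.FullName -Raw
    foreach ($m in $entry.Matches($text)) {
        $type = [int]$m.Groups['type'].Value
        $msg  = $m.Groups['msg'].Value.Trim()
        if ($type -ge 2 -or $msg -match '0x8[0-9a-fA-F]{7}') {
            [pscustomobject]@{
                Log       = $log.Name
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Severity  = $severity[$type]
                Component = $m.Groups['comp'].Value
                Message   = $msg.Substring(0, [Math]::Min(200, $msg.Length))
            }
        }
    }
}

# Step 3: the Windows Update Agent log (plain text on Windows 7/8; assumption).
$wuLog = Join-Path $env:WINDIR 'WindowsUpdate.log'
if (Test-Path $wuLog) {
    Select-String -Path $wuLog -Pattern 'WARNING|FATAL|0x8[0-9a-fA-F]{7}' |
        Select-Object -Last 20 LineNumber, Line
}
```

If the table in step 1 shows no Update* log written since the firewall change, the client is not evaluating update deployments at all, which points at policy or management point communication rather than at the definition content itself.
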
anyweb Posted July 9, 2014

Can you show us what your Endpoint Protection Update tab GUI looks like on a client? This will show you when it last updated and what version it's running...

xc3ss1v3 Posted July 9, 2014

> Can you show us what your Endpoint Protection Update tab GUI looks like on a client? This will show you when it last updated and what version it's running...

Basically every client is just like this or at least similar (last update being older). We are currently blocking updating from outside sources. I did notice that in the Antimalware Policy, there is a setting that will only allow clients to update from outside sources after so many hours of not being able to update with ConfigMgr. To take that setting out of the loop, I set it for 720 hours (30 days), but the clients still don't seem to be updating. I will also note that the majority of clients haven't pulled Antimalware Policies any time recently. Is that indicative of a somewhat broken SCEP client? Note that on this particular machine (in the screenshot), it is pulling current policies.

xc3ss1v3 Posted July 9, 2014

One thing I just noticed... It appears as if Default Client Antimalware Policy AND Endpoint Protection - Managed Device Policy are both deployed to clients even though I don't have Default Client Antimalware Policy actually deployed? Is that one that is applied no matter what? If so, do the settings in my custom policy override it? I currently have the custom policy order set to 1 and Default is set to 10000.

Peter33 Posted July 9, 2014

Just to make sure. Is the update group of your ADR holding a valid definition file? I remember a similar situation in our environment, when the upstream WSUS ran out of disk space and could not download the newest definitions anymore.