Jump to content


anyweb

using SCCM 2012 in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings

Recommended Posts

Hello All,

I followed this guide and have problem to get Definition Updates. They actually do not sync. I can not figure out why my sync does not work properly and try all suggestion I found searching on the errors I get.

I am brain new in SCCM so if any one can help... When I try a manual syn with the WSUS console, definition updates show up, but stilll not on SCCM console. Proxy server has the good parameters.

Here is an extract from wsyncmgr.log and wcm.logh error I keep on getting:

 

wsyncmgr.log

-------------------------------------------------------------------------------------------------------------------------------------------

Performing sync on retry schedule $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:07:30.029-120><thread=3812 (0xEE4)>

STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM-SRV.sccmtest.lab SITE=P01 PID=2236 TID=3812 GMTDATE=mar. mai 22 10:07:30.030 2012 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:07:30.040-120><thread=3812 (0xEE4)>

Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:12:29.521-120><thread=3812 (0xEE4)>

STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SCCM-SRV.sccmtest.lab SITE=P01 PID=2236 TID=3812 GMTDATE=mar. mai 22 10:12:29.521 2012 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:12:29.532-120><thread=3812 (0xEE4)>

Sync failed. Will retry in 60 minutes $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:12:29.543-120><thread=3812 (0xEE4)>

-------------------------------------------------------------------------------------------------------------------------------------------

wcm.log

 

Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version=3.0.6000.273, Major Version = 0x30000, Minor Version = 0x17700111~ $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.720-120><thread=2256 (0x8D0)>

Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version=3.1.6001.1, Major Version = 0x30001, Minor Version = 0x17710001~ $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.720-120><thread=2256 (0x8D0)>

The installed WSUS build has the valid and supported WSUS Administration DLL assembly version (3.1.7600.226)~ $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.720-120><thread=2256 (0x8D0)>

System.Net.WebException: The request failed with HTTP status 504: Unknown Host.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.749-120><thread=2256 (0x8D0)>

Remote configuration failed on WSUS Server.~ $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.751-120><thread=2256 (0x8D0)>

STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=SCCM-SRV.sccmtest.lab SITE=P01 PID=2236 TID=2256 GMTDATE=mar. mai 22 09:59:13.751 2012 ISTR0="SCCM-SRV.sccmtest.lab" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_WSUS_CONFIGURATION_MANAGER><05-22-2012 11:59:13.773-120><thread=2256 (0x8D0)>

 

-------------------------------------------------------------------------------------------------------------------------------------------

Thank you.

WCM.log

wsyncmgr.log

Share this post


Link to post
Share on other sites

your first and most glaring issue is this

Sync failed. Will retry in 60 minutes $$<SMS_WSUS_SYNC_MANAGER><05-22-2012 12:12:29.543-120><thread=3812 (0xEE4)>

 

if wsus can't sync then you can't get any updates, so... do you have internet on the server that WSUS/SUP are installed on ?

Share this post


Link to post
Share on other sites

Hello Anyweb,

 

Please help.

 

 

I recently deployed SCCM 2012 full and in my lab I have deployed a windows 7 client.

Every thing seem to be working fine except client cant download updates.

 

 

 

error code 0x80070005

 

error description Access Denied

 

 

Logged on user : system

 

 

Thank You

Share this post


Link to post
Share on other sites

Hi,

 

System center noob here and I have a question. First things first, I am running RTM, not RC, just in case that matters. I have followed all the steps above, except the alerting, as this is just a test environment, I have no need for alerting at this time.

 

When I install the endpoint protection point role, from all the other tutorials I have seen online, it should give me some packages for endpoint protection to deploy to the clients (In software library > application management > packages) , which hopefully will link endpoint on the clients back to this server.

 

This tutorial shows no such thing, so I feel like there is something I am missing. I have also searched for quite some time online, and found nothing about how these packages are created. Unfortunately, I do not see how to create these packages to deploy, without manually doing them, and when I tried that, they did not deploy at all, it sat at 0%.

 

Any advice would be extremely helpful, maybe I need to go through one of the other "parts" of this tutorial series to creat those (part 9?), but I see nothing specific to endpoint protection, and it only seems to work for MSIs, but endpoint is an exe.

 

Thanks,

 

Nick

Share this post


Link to post
Share on other sites

you are probably thinking about Forefront Endpoint Protection in Configuration Manager 2007, that was totally different, the only Endpoint Protection Program is scepinstall.exe which is included in the Configuration Manager 2012 client, so once you enable Endpoint Protection and add client computers to a collection targetted with custom client settings which enable Endpoint Protection, they will install the Endpoint Protection Client, try the above and you'll see what i mean

Share this post


Link to post
Share on other sites

you are probably thinking about Forefront Endpoint Protection in Configuration Manager 2007, that was totally different, the only Endpoint Protection program is scepinstall.exe which is included in the Configuration Manager 2012 client, so once you enable Endpoint Protection and add client computers to a collection targetted with custom client settings which enable Endpoint Protection, they will install the Endpoint Protection Client, try the above and you'll see what i mean

 

Thanks, I somehow missed the lines showing the logs to check, so I will need to go through them to see anything. One question though, the user I am installing with (SMSadmin) is a domain admin, but *not* an admin and the servers that will be getting the clients installed. Could that be causing them to not install? I will be checking the logs, maybe I will find something there.

 

Thanks again.

 

Edit: tried adding the SMSadmin user I am using as an admin and still no go, now log checking time.

Share this post


Link to post
Share on other sites

Great guide, although i am rather confused as to why you have to state client update frequency in the anti-malware policy when the Automatic Deployment should deploy to the clients?

 

Reason i am asking is that my company has a policy to UAT any DAT updates to a specific collection before they are fully deployed to the rest of the clients.

 

I thought that if i set up 2 deployment rules, one to a UAT collection, and one later on for full rollout it would work, but am sceptical as to how the client update setting in the anti-malware policy would intervine if it is set to check for updates every 2 hours, and the machines that i didn't want to deploy to straight away were online and performed the update check via the policy settings.

 

Guess i'm just wondering which settings take precedence? Or maybe i'm misunderstanding the logic here.

 

Cheers

Share this post


Link to post
Share on other sites

This is a really great guide and it's allowed me to get up and running with an evaluation (unlike Microsoft's own documentation). I'm trying to test the different features of Endpoint Protection to understand the features' behaviour. For example, I've tried to switch off real-time protection on one endpoint to see how long it takes for the endpoint to pick up the new policy. For most vendors (McAfee, Kaspersky) the change is instant but here it seems to take an inordinately long time. Any ideas how I can push the policy to the client and how to determine that the change has been successfully applied?

 

Thanks in advance :-)

Share this post


Link to post
Share on other sites

Any ideas how I can push the policy to the client and how to determine that the change has been successfully applied?Thanks in advance :-)

 

sure, but first you must understand that the Antimalware Policy and Client settings for Endpoint Protection are two separate things and they are 'picked up' by the client when it does its' normal machine policy as defined in the site's (or collection) Client policy which is one of many settings you can define for Client settings.

 

By default this value is 60 minutes, in other words you have to wait one hour for the policy to get retrieved from it's management point, you can speed this up by manually going to the client and opening up the configuration manager client agent in control panel and clicking on the actions tab and running a machine policy retrieval, or you can target Custom Client Settings with a client policy set to update every 5 minutes to a collection where you want machines to update their policy quickly,whatever you do above once the client retrieves it's policy from the management point it will apply the necessary changes and in Endpoint Protection terms if it was a custom antimalware policy you can verify on the SCEP client itself by clicking on the downward pointing arrow in the help screen

 

help about.png

 

and see when the policy was last applied by clicking on About System Center Endpoint Protection to see what the Policy Name is and when it was applied

 

policy applied.png

 

if you want to verify changes to your Antimalware policy right now then change something in it's name (add some square brackets or a full stop) and then do a machine policy update on the client, as you can see the policy change has been noticed..

 

policy changed.png

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.