

anyweb

using SCCM 2012 in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings


Hi Everyone!

 

I'm new to this. I just want to ask if it's possible to use the Endpoint Protection only in SCCM 2012? For example: I'm going to install the agent manually on a standalone workstation (not connected to an SCCM 2012 console or server) but with internet connection. The workstation will only use the Endpoint Protection.

 

Thanks in advance. =')

 

Jo Em


Hi

I've followed all the steps that you described in this web page and executed without failure, but I don't know why this downloaded around 150MB and made around 58 carpets.

Also I don't understand this:

In addition, every time this ADR runs it will want to create a new deployment package as specified above. We do not want this to happen, so after running the ADR once, retire it and create a new ADR, except this time point the deployment package to the package which is now created called Endpoint Protection Definition Updates.

 

I'm not sure about this: after making the first ADR, do I have to delete it and create a new one with the same parameters? Maybe to avoid duplicating the files... What is the difference from the first one that I've created?

 

Thanks!


Hi

 

Thanks for the write-up. Will the auto deployment rule which we created in Step 4 deploy definition updates to the client computers automatically? I noticed that the definition is different in the EP running on the SCCM server and in Win 7. I guess this is due to the fact that the SCCM server is not included in the EP deployment collection. Can someone please correct me if I am wrong?

 

thanks

 

AJ


I am new to SCCM but have been following all these guides and managed to get most things working, eventually.

 

I'm also having problems with the Endpoint Protection ADR returning 0x87D20417. This only happens periodically, so I am eventually able to get it to run, and it only appears to be a problem for one set of devices. The error code in the RuleEngine log is 3.

 

Looking in the PatchDownloader log, I can't see anything that looks like an error, apart from some downloads where I get the following:

 

Download http://download.windowsupdate.com/msdownload/update/software/defu/2012/11/am_delta_patch_1.141.28.0_0801713781a21b0854c26c2f718b0607d866b353.exe to C:\Windows\TEMP\CABF044.tmp returns 0 $$<Software Updates Patch Downloader><11-22-2012 09:47:42.650+00><thread=16652 (0x410C)>

 

Any ideas please?


I have a pretty basic question, I think.

 

I have a collection that ended up with three antimalware policies on it: the Default Policy, an Admin-type policy and the custom policy (laptops policy) that applied to the clients before I created the admin collection. I probably should have created the collection first, but that's in the past. :)

 

The way I'm thinking about the priority level of each dictates that the policy I created for the collection is the one actually applying custom settings and then other settings are applied as the policies with the other priorities are "filtered" in.

 

So-

admin policy priority 1 - applies custom settings for admin collection

Laptop policy priority 3 - applies custom settings that aren't accounted for in the admin policy

Default policy priority 10,000 - applies everything else that hasn't been accounted for in the other two

 

Is that the correct way to think about that? And secondly, can I remove the laptops policy, and is it even necessary?


I am building a LAB with SCCM 2012 SP1. On step 3, where I need to check EndPoint in the Products tab, I don't see it. I have Office, SQL, Windows, Exchange.

 

Did the name change? Maybe a locations?

 

thank you.


So I was able to get most of this done, but when I go to set up an Automatic Deployment I don't see any \\MSSC\source\update location. Is there a piece I am missing that creates that repository? When trying to synchronize with my WSUS service (on the same machine) the log never says "Done synchronizing", it just says:

 

Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version=3.0.6000.273, Major Version = 0x30000, Minor Version = 0x17700111 SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Found WSUS Admin dll of assembly version Microsoft.UpdateServices.Administration, Version=3.1.6001.1, Major Version = 0x30001, Minor Version = 0x17710001 SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

The installed WSUS build has the valid and supported WSUS Administration DLL assembly version (3.1.7600.226) SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Successfully connected to local WSUS server SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Local WSUS Server Proxy settings are correctly configured as Proxy Name and Proxy Port 80 SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Successfully connected to local WSUS server SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

There are no unhealthy WSUS Server components on WSUS Server MSSC.pub.com SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Successfully checked database connection on WSUS server MSSC.pub.com SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)

 

Waiting for changes for 57 minutes SMS_WSUS_CONTROL_MANAGER 3/5/2013 11:29:42 AM 1444 (0x05A4)


Any ideas? It might be two separate issues. I'm just not sure how to add a deployment package or if WSUS is even working.


I am new to this forum, so please forgive me if I'm in the wrong place, but I think I have a similar issue to the above post. I have followed the guides up through Part 5. Enable the Endpoint Protection Role and configure settings. The Software Update Point seems to be working. I can perform a "Synchronize Software Updates" from the Software Library successfully. I can see the updates listed under All Software Updates, but when it comes to distributing the Endpoint Package I don't have the "Sources\WSUS...\EndpointProtection" folder. I set up the sources share as the instructions say, and I set up WSUS to use sources, but where is the endpoint protection client? I feel like I've missed a core step somewhere.

 

Thanks in advance!


In regards to using the Windows Firewall Policies, I don't recall seeing a firewall setting in the client settings to enable/disable. If you don't create a firewall policy for a collection, what is the default? My guess is whatever your domain GPO policy is?


Hi,

I'm not sure if this is the right place but I'll give it a whirl anyhow!

 

I basically have followed this guide and everything seems okay. I can now deploy the FEP client but it never actually updates. The ADRs are all running and everything seems happy and on a couple of machines they all seem fine and update regularly. However the Windows 7 ones never update.

 

However FEP on the clients doesn't seem to want to update. On the Endpoint Policy I've told clients that 'Updates distributed from Configuration Manager' as the only update source yet it still looks like it's trying to go out to the internet.

Any ideas? There is the Windows Update log below where I can see it trying to go out - we have a proxy in place but it doesn't look like it's configured (any ideas where I can configure this??) This is from a non-working Windows 7 client:

From WindowsUpdate.log:
2014-07-10 10:11:54:272 1072 115c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-07-10 10:11:54:272 1072 115c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1...uv4wuredir.cab. error 0x80072ee2
2014-07-10 10:11:54:272 1072 115c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-07-10 10:11:54:272 1072 115c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-07-10 10:11:54:272 1072 115c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-07-10 10:11:54:272 1072 115c Misc WARNING: DownloadFileInternal failed for <same path as above> error 0x80072ee2
2014-07-10 10:11:54:272 1072 115c Agent WARNING: Failed to obtain the authorization cab URLs, hr=0x80072ee2
2014-07-10 10:11:54:272 1072 115c Agent * WARNING: Online service registration/service ID resolution failed, hr=0x80072EE2
2014-07-10 10:11:54:288 1072 115c Agent * WARNING: Exit code = 0x80072EE2

 

We do have a proxy internally to access the internet and I'm wondering if I configure that will it work? More importantly how do I configure it?

 

TIA!


Not sure what you're looking for.. You just want to know which client doesn't have the Endpoint Protection client? If so, you can simply look in the console at \Monitoring\Overview\Endpoint Protection Status\System Center 2012 R2 Endpoint Protection Status.


When I add the Endpoint Protection Point role, it creates a lot of directories in the root of the D drive. I cannot find an option where I can specify in what directory the files must be saved. Any idea where I can find that option?


What folders are you referring to exactly?


After I install the endpoint protection role, a lot of directories with names like b369baaf8309393616b0c603 or 9175ae59d3c48a95de05 are created in the root of the D drive; every hour I get a new folder.

And no more extra folders are created when i remove the role.


Hi Anyweb,

 

I too have everything set up according to your guide, but the definition updates do not install. I have changed the setting in 'step 4 User Experience' to display in Software Center, and I can see a new Definition file every 8 hours.

But that is as long as it goes, it never installs.

 

Another question is regarding the ADR: is it supposed to clean up the older definitions from the package, or will I have to do that manually?

 

/KL_Dane


Thanks for the reply Peter, I will have to do a weekly clean of the deployment package.

 

Do you have a suggestion for my other question, why the definitions aren't installing?

 

/KL_Dane


My test server is a member of a device collection 'Monthly Windows Updates', which has a maintenance window for the second Thursday of every month between 22.00 and 03.00.

 

When I remove this maintenance window, the definitions begin to install at once!

So I ask: if a server is a member of a device collection with a maintenance window and a member of another device collection without a maintenance window, does the maintenance window from the first device collection take precedence on the server, thus preventing deployment without a maintenance window on the second device collection?

 

How do I configure my 2 device collections, so that monthly updates will install on the second Thursday of every month between 22.00 and 03.00, and my Endpoint Protection Definitions will install as soon as they become available?

 

/KL_Dane


Every maintenance window configured on a collection in which the device exists is applicable.

 

To install the definition updates immediately, make sure that you make some adjustments to the User Experience. Make sure that you configure the Deadline behavior to allow Software updates installation.


Thanks Peter,

 

I have completely missed that setting. I looked everything through several times, can not believe I didn't see that.

 

/KL_Dane


I don't see any updates, I have fully sync'd WSUS but it doesn't show any updates.

I opened the WSUS console and it shows like 14,000 but when I open SCCM it says "No items found"

 

Not sure why.

 

Internet connectivity is good. Domain connectivity is good.

 

Not sure what the problem is. I followed everything you wrote here.

BTW thank you for this step by step. It's awesome.
