

anyweb

using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.


Hi Niall,

Thanks for your guides; they have been a great help. I have a question about endpoint updates failing if there are multiple updates available. My ADR is set to check for updates released/revised in the last 1 day as per your guide. What happens is the first update is installed successfully and any subsequent updates fail to install.

WUAHandler.log

1. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1295.0) (bbf865e4-3ff0-40e5-b13e-df186cc63063, 200) WUAHandler 7/05/2013 4:52:32 AM 11048 (0x2B28)
2. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1332.0) (f301ceba-a8d0-4429-9fc8-93342a234acd, 200) WUAHandler 7/05/2013 4:52:32 AM 11048 (0x2B28)
Async installation of updates started. WUAHandler 7/05/2013 4:52:32 AM 11048 (0x2B28)
Update 1 (bbf865e4-3ff0-40e5-b13e-df186cc63063) finished installing (0x00000000), Reboot Required? No WUAHandler 7/05/2013 4:52:40 AM 8860 (0x229C)
Update 2 (f301ceba-a8d0-4429-9fc8-93342a234acd) finished installing (0x80070643), Reboot Required? No WUAHandler 7/05/2013 4:52:41 AM 9504 (0x2520)
Async install completed. WUAHandler 7/05/2013 4:52:41 AM 9504 (0x2520)
Installation of updates completed. WUAHandler 7/05/2013 4:52:41 AM 4236 (0x108C)

WindowsUpdate.log

2013-05-07 04:52:32:422 1076 f94 Agent * Updates to install = 2
2013-05-07 04:52:32:423 1076 f94 Agent * Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1295.0)
2013-05-07 04:52:32:423 1076 f94 Agent * UpdateId = {BBF865E4-3FF0-40E5-B13E-DF186CC63063}.200
2013-05-07 04:52:32:423 1076 f94 Agent * Bundles 12 updates:
2013-05-07 04:52:32:423 1076 f94 Agent * {F31E6554-4C24-41F5-A8A5-208278248343}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {8C88FF64-9417-41F4-B246-8122584867A5}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {6B386754-D41B-4AAA-838B-D30D8FAF2B1C}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {8B643E13-DB55-4AA4-859B-F93E835E74FB}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {6B592150-B614-406A-B274-83482BC346CE}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {D1BD04C9-E57C-4807-A9F0-858B92696D5E}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {BAF05577-E3B4-4A3A-8634-681910527EBC}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {81B4C990-BBBB-45F9-B958-4AE27BCDC6F0}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {2B6ED6D2-F70B-432B-B3A0-FA7DA64BA52A}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {3C2FFBD1-FD4D-41D6-9BED-5C0050E4C282}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {2D9905CF-827E-4DA6-AB89-8E7AB2BFC25C}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {2122E472-E363-4990-9348-2B55C0980C14}.200
2013-05-07 04:52:32:423 1076 f94 Agent * Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1332.0)
2013-05-07 04:52:32:423 1076 f94 Agent * UpdateId = {F301CEBA-A8D0-4429-9FC8-93342A234ACD}.200
2013-05-07 04:52:32:423 1076 f94 Agent * Bundles 12 updates:
2013-05-07 04:52:32:423 1076 f94 Agent * {F31E6554-4C24-41F5-A8A5-208278248343}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {8C88FF64-9417-41F4-B246-8122584867A5}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {6B386754-D41B-4AAA-838B-D30D8FAF2B1C}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {8B643E13-DB55-4AA4-859B-F93E835E74FB}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {6B592150-B614-406A-B274-83482BC346CE}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {D1BD04C9-E57C-4807-A9F0-858B92696D5E}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {BAF05577-E3B4-4A3A-8634-681910527EBC}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {81B4C990-BBBB-45F9-B958-4AE27BCDC6F0}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {2B6ED6D2-F70B-432B-B3A0-FA7DA64BA52A}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {3C2FFBD1-FD4D-41D6-9BED-5C0050E4C282}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {2D9905CF-827E-4DA6-AB89-8E7AB2BFC25C}.200
2013-05-07 04:52:32:423 1076 f94 Agent * {4C3EE25D-4654-42E8-9406-2140775B9993}.200
2013-05-07 04:52:32:448 1076 f94 DnldMgr Preparing update for install, updateId = {2122E472-E363-4990-9348-2B55C0980C14}.200.
2013-05-07 04:52:32:453 2696 35c0 Misc =========== Logging initialized (build: 7.6.7600.256, tz: +0800) ===========
2013-05-07 04:52:32:453 2696 35c0 Misc = Process: C:\Windows\system32\wuauclt.exe
2013-05-07 04:52:32:453 2696 35c0 Misc = Module: C:\Windows\system32\wuaueng.dll
2013-05-07 04:52:32:453 2696 35c0 Handler :::::::::::::
2013-05-07 04:52:32:453 2696 35c0 Handler :: START :: Handler: Command Line Install
2013-05-07 04:52:32:453 2696 35c0 Handler :::::::::
2013-05-07 04:52:32:453 2696 35c0 Handler : Updates to install = 1
2013-05-07 04:52:40:562 2696 35c0 Handler : Command line install completed. Return code = 0x00000000, Result = Succeeded, Reboot required = false
2013-05-07 04:52:40:563 2696 35c0 Handler :::::::::
2013-05-07 04:52:40:563 2696 35c0 Handler :: END :: Handler: Command Line Install
2013-05-07 04:52:40:563 2696 35c0 Handler :::::::::::::
2013-05-07 04:52:40:567 1076 f94 DnldMgr Preparing update for install, updateId = {4C3EE25D-4654-42E8-9406-2140775B9993}.200.
2013-05-07 04:52:40:719 2696 35c0 Handler :::::::::::::
2013-05-07 04:52:40:719 2696 35c0 Handler :: START :: Handler: Command Line Install
2013-05-07 04:52:40:719 2696 35c0 Handler :::::::::
2013-05-07 04:52:40:719 2696 35c0 Handler : Updates to install = 1
2013-05-07 04:52:41:013 2696 35c0 Handler : WARNING: Command line install completed. Return code = 0x80070670, Result = Failed, Reboot required = false
2013-05-07 04:52:41:013 2696 35c0 Handler : WARNING: Exit code = 0x8024200B
2013-05-07 04:52:41:013 2696 35c0 Handler :::::::::
2013-05-07 04:52:41:013 2696 35c0 Handler :: END :: Handler: Command Line Install
2013-05-07 04:52:41:013 2696 35c0 Handler :::::::::::::
2013-05-07 04:52:41:016 1076 f94 Agent *********
2013-05-07 04:52:41:016 1076 1070 AU Can not perform non-interactive scan if AU is interactive-only
2013-05-07 04:52:41:016 1076 f94 Agent ** END ** Agent: Installing updates [CallerId = CcmExec]
2013-05-07 04:52:41:016 1076 f94 Agent *************
2013-05-07 04:52:41:016 3788 1200 COMAPI >>-- RESUMED -- COMAPI: Install [ClientId = CcmExec]
2013-05-07 04:52:41:016 3788 1200 COMAPI - Install call complete (succeeded = 1, succeeded with errors = 0, failed = 1, unaccounted = 0)
2013-05-07 04:52:41:016 3788 1200 COMAPI - Reboot required = No

 

All my clients seem to have this problem. This means the deployment compliance is very low because of the installation errors. It also means the majority of my clients report the definition status as "up to 3 days old".
Thanks,
Curns.
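
A way to triage the WUAHandler.log excerpt in the post above, as an added example that is not part of the original post: it pairs each offered definition update with its install result and reports whether the newest offered definition succeeded in that pass. It assumes the log text as rendered in the post (not the raw on-disk log markup); the function names and the `needs_check` key are hypothetical.

```python
import re

# WUAHandler.log lines copied from the post above; the trailing component,
# timestamp and thread columns are trimmed.
SAMPLE_LOG = """\
1. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1295.0) (bbf865e4-3ff0-40e5-b13e-df186cc63063, 200)
2. Update (Missing): Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.149.1332.0) (f301ceba-a8d0-4429-9fc8-93342a234acd, 200)
Async installation of updates started.
Update 1 (bbf865e4-3ff0-40e5-b13e-df186cc63063) finished installing (0x00000000), Reboot Required? No
Update 2 (f301ceba-a8d0-4429-9fc8-93342a234acd) finished installing (0x80070643), Reboot Required? No
"""

GUID = r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
OFFERED = re.compile(
    r"^\d+\. Update \(Missing\): .*?\(Definition ([\d.]+)\) \(" + GUID + r", \d+\)", re.I)
RESULT = re.compile(
    r"^Update \d+ \(" + GUID + r"\) finished installing \((0x[0-9a-f]{8})\)", re.I)


def parse_wuahandler(text):
    """Map update id -> {"version": tuple of ints, "hresult": int or None}."""
    updates = {}
    for line in text.splitlines():
        line = line.strip()
        m = OFFERED.match(line)
        if m:
            version = tuple(int(part) for part in m.group(1).split("."))
            updates[m.group(2).lower()] = {"version": version, "hresult": None}
            continue
        m = RESULT.match(line)
        if m and m.group(1).lower() in updates:
            updates[m.group(1).lower()]["hresult"] = int(m.group(2), 16)
    return updates


def definition_state(text):
    """Summarise one install pass: newest offered vs. newest that reported success."""
    updates = list(parse_wuahandler(text).values())
    offered = [u["version"] for u in updates]
    installed = [u["version"] for u in updates if u["hresult"] == 0]
    failed = [(u["version"], u["hresult"]) for u in updates
              if u["hresult"] not in (0, None)]
    newest_offered = max(offered, default=None)
    return {
        "newest_offered": newest_offered,
        "newest_installed": max(installed, default=None),
        "failed": failed,
        # True when the newest offered definition did not report success here.
        "needs_check": newest_offered is not None and newest_offered not in installed,
    }


if __name__ == "__main__":
    for key, value in definition_state(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A pass flagged with `needs_check` only says the newest definition did not install in that pass; confirm against the definition version the client actually reports before treating it as out of date.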


Does the above problem happen every day the same way or just this once? If you reboot the client, does it behave any differently?


Basically we use the first created ADR to create the Endpoint Protection Definition Updates package; once created, we then disable that ADR (because of the way we created it purely to create a NEW deployment package...), then we create another ADR practically matching the first, except instead of creating a new package we point it to the package created in the first (now disabled) ADR.

What would happen if you don't disable the ADR that created a new package, and don't create a new one that points to the existing package?

If I understand correctly, the ADR would create a new package every time. However, I don't see that happening in our environment.

I created a new ADR with a new package and didn't disable it. Don't see any errors?


 


 

I've noticed this from the beginning of implementing EndPoint Protection, but usually it is on one or two clients. Today, it showed up on over half (we don't have too many in the hierarchy yet). It's really a false positive because the most recent definitions available in my environment are installed on the client. Why doesn't ConfigMgr just install the latest definition and forget about the older updates? The clients only need the latest one, right? I did have one server that successfully installed all three updates, so I don't understand what's up. Is there a way to get more information on why the update installation fails?


Sorry. After looking at it again, it's not necessarily the latest updates that get installed. I'm changing my Managed Laptop ADR to look back only 8 hours. That should get only the latest update. My laptop is the only device in that collection right now, so good for testing.

If that works, I plan to change the Software Update Point to sync every 8 hours. I'm on ConfigMgr 2012 SP1, so my ADRs can use the evaluation period "After Software Update Point Sync".

Then I'll get updates 3x per day, which is supported in SP1 - NOT recommended for RTM.

I'll let you know how it goes.


OK. Today, all my servers applied all three updates without issue (except one that I'll get to in a minute). I don't understand why it failed the day before.

The change in the ADR targeted to my laptop did what I hoped; it only deployed the latest update because it only searched back 8 hours.

I'm going to change the SUP to sync every 8 hours and see how that goes.

I have only one server client in a remote site across a WAN. It did not update its definitions last night. It is a distribution point at that site and I checked and it is looking to itself for content source. The distribution status of the EndPoint protection updates was successful, so I'm not sure why it did not update its definitions last night. It would seem that it doesn't see that it has a deployment that is needed. It did successfully apply the EndPoint protection updates 3 days ago through the SUP. I'm looking at what the issue might be.


Changing the SUP to every 8 hours worked like a charm. The SUP kicked off, 1 hour later the deployment deadline hit and so far every system I checked updated their definitions on schedule - including that pesky server in the remote site. (I did take a look at that server and ended up rebooting it earlier today, so maybe there was something funky going on with it - I'll continue to monitor it.)

I think I won't have to change my ADRs to only go back 8 hours either, because each time the deployment goes, there should only be one definition update that needs applied no matter what.

  • Like 1
