anyweb

using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.

Dear Champ,

I was quite stuck in the middle of nowhere. Now, after removing that Custom Setting, the problem is resolved. I am very grateful to you.

Regards

Sorry Champ,

That icon showed up again, then my script removed it; please advise what to do now to get this done.

Hundreds of users are complaining about it; it is making the systems slow.

Thanks in advance.

you really need to provide more information and logs to explain what your problem is, are you saying that SCEP is installing on your computers ? have you reviewed all your custom and default client settings yet ? are you sure it's SCEP and not something else ?

 

how about including a screenshot ?

I already tried to include screenshots but that didn't work here on this page. I am adding the logs for you to review and advise on the solution.

 

<![LOG[sending EvaluateAssignments Trigger to Updates Deployment Agent]LOG]!><time="14:43:15.031-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="1300" file="epagentutil.cpp:553">

<![LOG[Register a timer here to check whether definition get updated in 30 minutes.]LOG]!><time="14:43:20.546-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="1300" file="epagentimpl.cpp:1006">

<![LOG[Firewall provider is installed.]LOG]!><time="14:43:23.158-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="1300" file="epagentutil.cpp:774">

<![LOG[installed firewall provider meet the requirements.]LOG]!><time="14:43:23.158-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="1300" file="epagentutil.cpp:795">

<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="14:43:23.168-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentutil.cpp:499">

<![LOG[EP version 2.2.903.0 is already installed.]LOG]!><time="14:43:23.168-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentutil.cpp:200">

<![LOG[Expected Version 2.2.903.0 is exactly same with installed version 2.2.903.0.]LOG]!><time="14:43:23.168-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentutil.cpp:218">

<![LOG[AM Policy XML is ready.]LOG]!><time="14:43:23.169-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentutil.cpp:314">

<![LOG[Renew the wmi notification hookup as new EP installation is deteced.]LOG]!><time="14:43:24.335-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentimpl.cpp:921">

<![LOG[EP Policy Default Client Antimalware Policy is already applied.]LOG]!><time="14:43:24.338-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="7876" file="epagentutil.cpp:520">

<![LOG[Endpoint is triggered by Timer.]LOG]!><time="15:13:20.384-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="4820" file="fepsettingendpoint.cpp:263">

<![LOG[Definition is not installed or it's too old. Need to explicitly trigger SCEP client to download latest definition.]LOG]!><time="15:13:20.405-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="4820" file="epagentimpl.cpp:1029">

<![LOG[Create Process Command line: "C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" -SignatureUpdate.]LOG]!><time="15:13:20.405-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="4820" file="epagentutil.cpp:602">

<![LOG[Trigger the application C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe starting successfully.]LOG]!><time="15:13:20.622-300" date="12-07-2012" component="EndpointProtectionAgent" context="" type="1" thread="4820" file="epagentimpl.cpp:592">

<![LOG[service startup notification received]LOG]!><time="09:20:24.032-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="fepsettingendpoint.cpp:234">

<![LOG[Endpoint is triggered by CCMTask Execute.]LOG]!><time="09:20:24.767-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="fepsettingendpoint.cpp:208">

<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="09:20:25.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentutil.cpp:499">

<![LOG[unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.]LOG]!><time="09:20:25.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentutil.cpp:149">

<![LOG[start to send state message.]LOG]!><time="09:20:25.265-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentimpl.cpp:159">

<![LOG[send State Message with topic type = 2001, state id = 2, and error code = 0x00000000]LOG]!><time="09:20:25.287-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentimpl.cpp:166">

<![LOG[save new state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\State]LOG]!><time="09:20:25.287-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentimpl.cpp:190">

<![LOG[AM Policy XML is ready.]LOG]!><time="09:20:25.343-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentutil.cpp:314">

<![LOG[Endpoint is triggered by message.]LOG]!><time="10:47:30.059-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="fepsettingendpoint.cpp:55">

<![LOG[Endpoint is triggered by message.]LOG]!><time="10:47:30.059-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="fepsettingendpoint.cpp:55">

<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="10:47:30.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:499">

<![LOG[unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.]LOG]!><time="10:47:30.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:149">

<![LOG[AM Policy XML is ready.]LOG]!><time="10:47:30.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:314">

<![LOG[Handle AM Policy.]LOG]!><time="10:47:30.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:844">

<![LOG[Disable Startup Signature Update equals to true.]LOG]!><time="10:47:30.396-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:347">

<![LOG[Add the Disable Startup Signature Update settings to policy xml successfully.]LOG]!><time="10:47:30.426-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:356">

<![LOG[Create Process Command line: "C:\Windows\ccmsetup\SCEPInstall.exe" /s /q /NoSigsUpdateAtInitialExp /policy "C:\Windows\CCM\EPAMPolicy.xml".]LOG]!><time="10:47:30.426-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:602">

<![LOG[Detail error message is : [EppSetupResult]

HRESULT=0x00000000

Description=The operation completed successfully.

]LOG]!><time="10:49:15.969-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:406">

<![LOG[installed EP client successfully.]LOG]!><time="10:49:15.969-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:418">

<![LOG[start to send state message.]LOG]!><time="10:49:15.970-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:159">

<![LOG[send State Message with topic type = 2001, state id = 3, and error code = 0x00000000]LOG]!><time="10:49:18.825-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:166">

<![LOG[save new state 3 to registry SOFTWARE\Microsoft\CCM\EPAgent\State]LOG]!><time="10:49:18.826-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:190">

<![LOG[EP Policy Default Client Antimalware Policy is already applied.]LOG]!><time="10:49:19.025-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:520">

<![LOG[state 1 and ErrorCode 0 and ErrorMsg and PolicyName Default Client Antimalware Policy is NOT changed, SKip sending State Message.]LOG]!><time="10:49:19.106-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:237">

<![LOG[sending EvaluateAssignments Trigger to Updates Deployment Agent]LOG]!><time="10:49:19.152-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:553">

<![LOG[Register a timer here to check whether definition get updated in 30 minutes.]LOG]!><time="10:49:20.806-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:1006">

<![LOG[Firewall provider is installed.]LOG]!><time="10:49:21.032-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:774">

<![LOG[installed firewall provider meet the requirements.]LOG]!><time="10:49:21.033-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:795">

<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="10:49:21.038-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:499">

<![LOG[EP version 2.2.903.0 is already installed.]LOG]!><time="10:49:21.038-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:200">

<![LOG[Expected Version 2.2.903.0 is exactly same with installed version 2.2.903.0.]LOG]!><time="10:49:21.038-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:218">

<![LOG[AM Policy XML is ready.]LOG]!><time="10:49:21.038-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:314">

<![LOG[Handle EP Deployment Policy.]LOG]!><time="10:49:21.038-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentimpl.cpp:780">

<![LOG[EP Policy Default Client Antimalware Policy is already applied.]LOG]!><time="10:49:21.069-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:520">

<![LOG[EP Client is already installed, will NOT trigger reinstall for now.]LOG]!><time="10:49:21.069-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentimpl.cpp:823">

<![LOG[Firewall provider is installed.]LOG]!><time="10:49:21.071-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:774">

<![LOG[installed firewall provider meet the requirements.]LOG]!><time="10:49:21.071-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentutil.cpp:795">

<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="10:49:49.288-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="fepsettingendpoint.cpp:125">

<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="10:49:49.292-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentutil.cpp:499">

<![LOG[EP version 2.2.903.0 is already installed.]LOG]!><time="10:49:49.293-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentutil.cpp:200">

<![LOG[Expected Version 2.2.903.0 is exactly same with installed version 2.2.903.0.]LOG]!><time="10:49:49.293-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentutil.cpp:218">

<![LOG[AM Policy XML is ready.]LOG]!><time="10:49:49.293-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentutil.cpp:314">

<![LOG[Renew the wmi notification hookup as new EP installation is deteced.]LOG]!><time="10:49:49.388-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentimpl.cpp:921">

<![LOG[EP Policy Default Client Antimalware Policy is already applied.]LOG]!><time="10:49:49.391-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6420" file="epagentutil.cpp:520">

<![LOG[Endpoint is triggered by Timer.]LOG]!><time="11:19:20.866-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="7532" file="fepsettingendpoint.cpp:263">

<![LOG[Definition is not installed or it's too old. Need to explicitly trigger SCEP client to download latest definition.]LOG]!><time="11:19:20.896-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="7532" file="epagentimpl.cpp:1029">

<![LOG[Create Process Command line: "C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" -SignatureUpdate.]LOG]!><time="11:19:20.896-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="7532" file="epagentutil.cpp:602">

<![LOG[Trigger the application C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe starting successfully.]LOG]!><time="11:19:21.274-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="7532" file="epagentimpl.cpp:592">

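The EndpointProtectionAgent.log excerpt above is in CMTrace format, and the question is whether the client is being removed and reinstalled in a loop. The parser below is an added example (not from the original post or from Configuration Manager itself): it reads that format, pulls out the topic 2001 state ids, and pairs each "EP client is NOT installed" detection with the next successful install. The sample log is constructed from the lines posted above; the CMTrace type values (1 info, 2 warning, 3 error) are a general assumption about the format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>.
# DOTALL lets the message span several lines, as the [EppSetupResult] block does.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)" date="(?P<date>[^"]+)" component="(?P<comp>[^"]*)" '
    r'context="[^"]*" type="(?P<type>\d+)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)
# Shape of the "send State Message" lines the agent writes in the log above.
STATE_RE = re.compile(r"state id = (\d+), and error code = (0x[0-9A-Fa-f]+)")

# Constructed sample, copied in the shape of the posted EndpointProtectionAgent.log excerpt.
SAMPLE_LOG = r'''<![LOG[service startup notification received]LOG]!><time="09:20:24.032-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="fepsettingendpoint.cpp:234">
<![LOG[unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.]LOG]!><time="09:20:25.264-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentutil.cpp:149">
<![LOG[send State Message with topic type = 2001, state id = 2, and error code = 0x00000000]LOG]!><time="09:20:25.287-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="6120" file="epagentimpl.cpp:166">
<![LOG[Create Process Command line: "C:\Windows\ccmsetup\SCEPInstall.exe" /s /q /NoSigsUpdateAtInitialExp /policy "C:\Windows\CCM\EPAMPolicy.xml".]LOG]!><time="10:47:30.426-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:602">
<![LOG[Detail error message is : [EppSetupResult]
HRESULT=0x00000000
Description=The operation completed successfully.
]LOG]!><time="10:49:15.969-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentutil.cpp:406">
<![LOG[installed EP client successfully.]LOG]!><time="10:49:15.969-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:418">
<![LOG[send State Message with topic type = 2001, state id = 3, and error code = 0x00000000]LOG]!><time="10:49:18.825-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="4132" file="epagentimpl.cpp:166">
<![LOG[EP Client is already installed, will NOT trigger reinstall for now.]LOG]!><time="10:49:21.069-300" date="12-10-2012" component="EndpointProtectionAgent" context="" type="1" thread="1204" file="epagentimpl.cpp:823">
'''


@dataclass
class Entry:
    when: datetime      # local time from the date/time attributes; the bias suffix is dropped
    component: str
    type_: int          # assumed CMTrace convention: 1 info, 2 warning, 3 error
    thread: int
    message: str


def parse_cmtrace(text: str) -> List[Entry]:
    """Turn a CMTrace log into Entry records (multi-line messages included)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        hms = m.group("time").split("-")[0].split("+")[0]   # "09:20:25.264-300" -> "09:20:25.264"
        when = datetime.strptime(f'{m.group("date")} {hms}', "%m-%d-%Y %H:%M:%S.%f")
        entries.append(Entry(when, m.group("comp"), int(m.group("type")),
                             int(m.group("thread")), m.group("msg").strip()))
    return entries


def ep_state_sequence(entries: List[Entry]) -> List[Tuple[int, int]]:
    """(state id, error code) from every 'send State Message' line, in log order."""
    seq = []
    for e in entries:
        m = STATE_RE.search(e.message)
        if m:
            seq.append((int(m.group(1)), int(m.group(2), 16)))
    return seq


def find_reinstall_cycles(entries: List[Entry]) -> List[Tuple[datetime, datetime]]:
    """Pair each 'EP client is NOT installed' detection with the next successful install.
    A log that shows this pair over and over is a client being reinstalled by the agent
    after something else (a script, another product) removed it."""
    cycles, missing_at = [], None
    for e in entries:
        if "EP client is NOT installed" in e.message:
            missing_at = e.when
        elif "installed EP client successfully" in e.message and missing_at is not None:
            cycles.append((missing_at, e.when))
            missing_at = None
    return cycles


def setup_result_ok(entries: List[Entry]) -> Optional[bool]:
    """Read the HRESULT out of the multi-line [EppSetupResult] block; None if absent."""
    for e in entries:
        if "[EppSetupResult]" in e.message:
            m = re.search(r"HRESULT=(0x[0-9A-Fa-f]+)", e.message)
            return m is not None and int(m.group(1), 16) == 0
    return None


if __name__ == "__main__":
    log = parse_cmtrace(SAMPLE_LOG)
    print("state ids:", ep_state_sequence(log))
    for missing, installed in find_reinstall_cycles(log):
        print(f"client missing at {missing}, reinstalled at {installed}")
```

Run it against the full EndpointProtectionAgent.log from a complaining machine; more than one reinstall cycle per day confirms that something other than Configuration Manager is removing the client between the agent's checks.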
can you answer this >

 

you really need to provide more information and logs to explain what your problem is, are you saying that SCEP is installing on your computers ? have you reviewed all your custom and default client settings yet ?

Instead of creating an Automatic Deployment for Endpoint Protection for each collection, could you just specify "All Desktop and Server Clients" (See Image)?

post-18089-0-39318300-1355522982_thumb.jpg

sure, but if you want to check the compliance status of your ADR deployment on let's say all your Configuration Manager Servers, how are you planning on doing that ? if you are pointing at the All Desktops and Servers collection you won't get this granularity...

 

compliance of a deployment.png

Hello,

 

As a follow up to my previous message, I am no longer going to run SCCM12 on Windows2012, and go back to my 2008r2 machine.

 

Anyway, as a result, on my 2008r2 machine, my SCCM12 is not auto-deploying definition files for Endpoint. As a result, my users keep getting Windows Update popups every time a new definition file is ready to be installed. Any ideas?

Hi,

 

The current antivirus I am using is the Forefront security client on my production environment.

 

If I enable Endpoint Protection in SCCM 2012, will SCCM 2012 uninstall the old antivirus and install the latest version?

EndPoint Protection can uninstall the following products automatically, however you'll have to configure the client settings in order to make this change.

 

Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to uninstall existing antimalware software.

 

 

Endpoint Protection uninstalls the following antimalware software only:

  • Symantec AntiVirus Corporate Edition version 10

  • Symantec Endpoint Protection version 11

  • Symantec Endpoint Protection Small Business Edition version 12

  • McAfee VirusScan Enterprise version 8

  • Trend Micro OfficeScan

  • Microsoft Forefront Codename Stirling Beta 2

  • Microsoft Forefront Codename Stirling Beta 3

  • Microsoft Forefront Client Security v1

  • Microsoft Security Essentials v1

  • Microsoft Security Essentials 2010

  • Microsoft Forefront Endpoint Protection 2010

  • Microsoft Security Center Online v1

This has been configured for a few months for me. Checking in the \\sccm\sources\WindowsUpdates\EndpointProtection\ directory, it's full of definition updates, dating back to November. Over 1900 items and 2GB of data. Is SCCM supposed to delete expired definitions or do I need to do something else to manage that?

yes, if you want to target one computer with specific settings for that computer only then simply create a collection for that one computer, place the computer in that collection and target that collection with a custom antimalware policy

 

it seems a bit overkill though, why the need ?

I am trying to understand why you have created so many ADRs, other than compliance reporting.

As far as I can tell, there are no settings in the ADR itself that would make much difference when deploying to various clients.

(I do see that a number of collections are needed to manage the different antimalware policies.)

 

Would it make sense to create a different set of collections (fewer in number) just for the ADRs?

This would result in a few more collections, but fewer ADRs...

 

Or is there something else, that I am not yet understanding, that would make using the policy-related collections for ADRs also the best way to structure this?

Hi!

 

Error Code: 0x8024402c

Error Description: System Center Endpoint Protection couldn't install the definition updates because the proxy server or target server names can't be resolved.

 

It updated earlier, but is now showing the above error. Please advise.

My installation/migration from SCCM 2007 to 2012 is progressing well thanks to your guides. Thanks again!

 

I had the MOM based Forefront server running for several years and have accumulated a small group of policies with exclusions in each.

 

Can these policies be migrated from Forefront in any way, or do they have to be recreated?

 

I have found no details regarding this topic by searching the WEB.

 

Thanks!

 

DWM

Since SCCM 2012 SP1 came out the "Client Settings" have changed with the endpoint protection options. The default option seems to be that it won't install System Center Endpoint Protection unless it is during maintenance hours. It can easily be adjusted:

 

post-4566-0-51157400-1361861286_thumb.jpg

 

Just a heads up for anyone that has issues with SCEP not installing after the client installs.

good point, i'll update the documentation to reflect this,

as a side note did you have any maintenance windows configured ?

good point, i'll update the documentation to reflect this,

as a side note did you have any maintenance windows configured ?

 

We did have maintenance windows configured for the client machines and eventually it should have installed but it stumped me for a little while until I looked into it further.

I am new to this Forum so please forgive me if I'm in the wrong place, but I think I have an issue with either endpoint setup on the SCCM server or SUP. I have followed the guides up through Part 5. Enable the Endpoint Protection Role and configure settings. The Software Update Point seems to be working. I can perform a "Synchronize Software Updates" from the Software Library successfully. I can see the updates listed under All Software Updates, but when it comes to distributing the Endpoint Package/definition updates I don't have the "Sources\WSUS...\EndpointProtection" folder. I setup the "sources" share as the instructions say, and I setup WSUS to use "sources", but where is the endpoint protection client? I feel like I've missed a core step somewhere.

 

Thanks in advance!

below is a quote from the guide you linked to (it was written for the release candidate version of CM12), did you do the below or not ?

 

For Deployment Package we are creating a new one so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists, otherwise the wizard will fail below when it tries to Download as the Network Path won't exist. In addition, every time this ADR runs it will want to create a new deployment package as specified above. We do not want this to happen, so after running the ADR once, retire it and create a new ADR, except this time point the deployment package to the package which is now created called Endpoint Protection Definition Updates.

Yes and no... I read it. I understood it to mean that it should already exist. I've been searching for a reason why mine doesn't exist. I thought it should have been created with a software sync since that step was just before it. Are you saying that I should create this folder so the script will store it there?

Are you saying that I should create this folder so the script will store it there?

 

yup, as per

 

point it to a previously created folder

 

and

 

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist.

You da man! Thanks for clearing that up. I just ran back through it, and created it as you said to.

 

One more question, about the collections that we created for desktops, laptops, servers, etc. I created them. The instructions say to create them with empty memberships, and then populate them how we want to, either direct or query.

 

After searching around a bit, I have tried using the following query to populate the desktop and laptop collection. I get nothing though. Any ideas what I may be doing wrong? Does the config manager client need to be installed in order to populate these fields in the DB?

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("3","4","5","6","7","15","16")

 

Scott

i've tested that query on a test collection here limited to All Systems and it works fine, did you choose Update Membership on the collection you created and then refreshed your view ?

 

cheers

niall
