thomaschalmers

Endpoint protection not reporting to SCCM console

My Endpoint Protection clients are not reporting the right definition version or malware found back to SCCM 2012. Definition updates are working just fine and get pushed out every day. The CM client also works fine and app deployment works fine.

Some of the newly installed clients are showing as unmanaged when deployed using SCCM OS deployment, but they have all policies applied for Endpoint and the client installed.
btan

You may want to see if this helps: review the client log for any specific errors and ensure the clients are in the correct OU setting. https://kickthatcomputer.wordpress.com/2013/12/11/endpoint-protection-not-managed-or-installed-on-configmgr-clients/
Likewise, the following shared posts are useful to check out:
This problem only occurs after deploying a system image. The package is installed and the endpoint client does pick up the policy, defs and reports, but is still unmanaged.

I've managed to sort one client out by deleting the client from SCCM and then running the rediscovery; however, this hasn't worked for one machine in particular. For this I will perform a manual install of the client.
....
At this point it is over a week that they have been like that. We are pushing a Package, not an Application: scepinstall.exe /s /q /policy %CURRENT_PATH%\EPAMPolicy.xml. That seems to work pretty well. If you go to About on the client, the policy is listed. And yes, there is an endpoint policy applied to the collection.
https://social.technet.microsoft.com/Forums/en-US/dc4b3992-de63-4ba4-8e8a-0c360c1c8ab3/scep-2012-client-deployment-state-unmanaged?forum=configmanagersecurity

The Log locations are as below.
• %allusersprofile%\Microsoft\Microsoft Antimalware\Support: Log files specific for the antimalware service
• %allusersprofile%\Microsoft\Microsoft Security Client\Support: Log files specific for the SCEP client software
• %windir%\WindowsUpdate.log: Windows Update log files, which include information about definition updates
• %windir%\CCM\Logs\EndpointProtectionagent.log: Shows Endpoint version and policies applied
• %windir%\temp\MpCmdRun.log: Activity when performing scans and signature updates
• %windir%\temp\MpSigStub.log: Update progress for signature and Engine updates
thomaschalmers

ASKER

Tried all of this already but unfortunately no progress. PCs still showing "Unmanaged" even after removing and re-discovering. And logs on the client machine are normal, showing no errors. Current definition and status of client still not showing in the SCCM console.

Not sure if you also tried creating a new collection, putting the problematic clients into this new collection and running discovery; hopefully they can be recognized as managed again. Otherwise, reinstalling the agent is another means, but I believe you have already done it to no avail.

To be honest, a couple of unmanaged clients is not that much of a problem. The bigger issue for me is that all other clients are reporting the wrong (old) definition update and not reporting viruses found instantly.

This issue only started since the upgrade to SP 1; all components are healthy but the issue is there.

Really quite non-trivial...

One thing is also to ensure the following is set to False:
- Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition update on client computers.
- Select "Updates distributed from Configuration Manager" only if you use SCCM software updates to deliver definition and engine updates to computers in your hierarchy.

Remember, a Custom Device Setting policy must be deployed to a collection before it can take effect.

By default, managed computers check for changes to their deployed policies and software every 60 minutes. When testing different types of deployments the need may arise to force a client to check immediately.

<Forcing a client policy check update with SCCM>
On the managed computer do the following:
Windows 7: Click Start > Control Panel > System and Security > Configuration Manager.
Click the Actions tab.
Highlight Machine Policy Retrieval & Evaluation Cycle and click Run Now.

<Forcing a membership update on a collection in SCCM>
You may need to force a collection to reevaluate its membership immediately rather than wait for it to do so at its scheduled time. To do so, do the following:

Launch the SCCM 2012 management console and browse to the collection you want to update.
Right-click the collection and click Update Membership.
It may take a few minutes for the collection to update its membership. While membership is being evaluated, the icon for the collection will have an hourglass next to it.

Important: The items in the collection list do not automatically refresh. To refresh the status of a collection, click it and press F5. When the collection has finished updating its membership, the hourglass icon will disappear.
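
The client-side checks discussed in this thread (the listed log locations and the forced Machine Policy Retrieval & Evaluation Cycle), scripted as an added example that is not part of any post above. It assumes PowerShell 3.0 or later, an elevated session and an installed ConfigMgr client; the `AntimalwareHealthStatus` WMI class, the two schedule IDs and the `error|fail` match pattern are not from the thread.

```powershell
# Added example, not from the thread. Run elevated on the affected client.
# Log locations are the ones listed above; the match pattern is an assumption.
$logPaths = @(
    "$env:ALLUSERSPROFILE\Microsoft\Microsoft Antimalware\Support",
    "$env:ALLUSERSPROFILE\Microsoft\Microsoft Security Client\Support",
    "$env:windir\WindowsUpdate.log",
    "$env:windir\CCM\Logs\EndpointProtectionAgent.log",
    "$env:windir\Temp\MpCmdRun.log",
    "$env:windir\Temp\MpSigStub.log"
)

# 1. For every log file: when it was last written and how many lines mention an error.
$logSummary = foreach ($path in $logPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $path; LastWrite = $null; ErrorLines = $null; Present = $false }
        continue
    }
    Get-ChildItem -LiteralPath $path -File |
        Where-Object { $_.Extension -eq '.log' } |
        ForEach-Object {
            $hits = @(Select-String -LiteralPath $_.FullName -Pattern 'error|fail' -ErrorAction SilentlyContinue)
            [pscustomobject]@{ File = $_.FullName; LastWrite = $_.LastWriteTime; ErrorLines = $hits.Count; Present = $true }
        }
}
$logSummary | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# 2. What the local SCEP client believes its definition state is,
#    for comparison with the version shown in the SCCM console.
$health = Get-CimInstance -Namespace 'root\Microsoft\SecurityClient' `
    -ClassName AntimalwareHealthStatus -ErrorAction SilentlyContinue
if ($health) {
    $health | Select-Object AntivirusSignatureVersion, AntivirusSignatureUpdateDateTime, EngineVersion
} else {
    Write-Warning 'AntimalwareHealthStatus not readable; is the SCEP client installed?'
}

# 3. Trigger Machine Policy Retrieval (...21) and Evaluation (...22),
#    the scripted equivalent of "Run Now" on the Actions tab.
$schedules = '{00000000-0000-0000-0000-000000000021}',
             '{00000000-0000-0000-0000-000000000022}'
foreach ($id in $schedules) {
    $null = Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client `
        -MethodName TriggerSchedule -Arguments @{ sScheduleID = $id }
    Write-Output "Triggered schedule $id"
}
```

A log whose LastWrite is days old, or a local signature version newer than the one the console shows, narrows the problem to the reporting path rather than the definition delivery.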