Quantcast
Channel: Configuration Manager 2012 - Security, Updates and Compliance forum
Viewing all 6382 articles
Browse latest View live

How to manage Forefront Endpoint Prorection Security Client 2010 with SCCM 2012

June 7, 2012, 6:57 pm
$
0
0

Hi

I've sucessfully installed System Center Configuration Manager 2012 and now I 'd like to push/deploy Forefront Endpoint Protection Client 2010 on client machines.I also know that Microsoft embedded Forefront Endpoint Protection in SCCM 2012 so that you can manage FEP from single SCCM 2012 console.Now when I try to push FEP client on client machines using Default Client Settingsthen I've found that all Endpoint Protection settings are greyed out !

Do I need to install Forefront Endpoint Protection 2010 or 2012 Server (which is beta) with SCCM 2012, in order to deploy FEP client or is there a workaround or solution to resolve this ?

Thanks

Sohail

Search

How to export/read ConfigMgr audit messages to/from external log management system?

February 25, 2015, 10:48 am
$
0
0

The title pretty much explains the scenario. Is there any built-in way to export or read audit messages concerning who did and what with ConfigMgr to external log management system? I'm talking about the kind of data that Status message queries provide with audit messages... Any suggestions are welcome.

Configuration Items Runs on Windows Server 2003 even I have not selected it as a "Supported Platforms"?

March 13, 2015, 4:54 am
$
0
0

Hi,

Configuration Items Runs on Windows Server 2003 even I have not selected it as a "Supported Platforms"?

In the "Supported Platforms" Tab I have not selected any "Windows 2003" OS, but it runs our Windows Server 2003 anyway. The target Collection have members that is Windows Server 2003. But I did not expect to get  "Compliance
State" from this Servers.

Some one that have any idea why?

/SaiTech

SCEP going out to the internet after being migrated to SCCM 2012 and saturating facility MPLS.

March 12, 2015, 5:56 pm
$
0
0

I was unaware of the fact that SCEP was gonig out to the internet to pull down 120 megs worth of data each time a client is migrated. I'm trying to determine the easiest or best way to avoid this. I've done some research and it looks like bundeling the SCEP policy with the migration package might work. I also saw some tool that you can use to add a SCEP update rollup to the package. Ultimately if i could just get the exact URL the clients are going out to our networking team could apply QoS to this URL. Unfortunately though it appears in the MPCMDRUN.log to go to go.microsoft.com/fwlink, but on the networking side in pathview i seen the client ends up going to Akamai.

I'm assuming MS offloads their web traffic to Akamai and that first link is redirected, if that is even the right link. Does anyone know a way i can prevent this while still getting the client up to date. This entire time I thought the clients would pull what they needed from the SCCM 2012 env. I'm using ADR to push the definitions and that seems to be working fine except for 2 situations. One a client is migrated, or 2 the client comes online after being offline for more than 7 days and goes out.

Either way if someone could provide me with the URL for throttling or a better method for deploying I would be very grateful. So far we've migrated about 8 thousand clients and have about another 10 thousand to go. The majority of the clients have local pull DPs, and if further details of my infrastructure would be helpful please just let me know.

Thanks,

-KR

SCUP Adobe Acrobat Installation Failures - Bad Certificate

March 12, 2015, 2:46 pm
$
0
0

I recently published some Acrobat updates in SCUP 2011. Shortly after that, I had to regenerate another cert from SCUP due to the old one expiring. I have some updates out there that are failing on user's machines with errors like this in WindowsUpdate.log

Validating signature for C:\Windows\SoftwareDistribution\Download\431980c76c452fe726671fe621ed1900_ctc\AcrobatUpd11010.cab with dwProvFlags 0x00000080:
FATAL: Error: 0x800b0101 when verifying trust for C:\Windows\SoftwareDistribution\Download\431980c76c452fe726671fe621ed1900_ctc\AcrobatUpd11010.cab
WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\Download\431980c76c452fe726671fe621ed1900_ctc\AcrobatUpd11010.cab are not trusted: Error 0x800b0101

I went ahead and in SCUP republished them and checked the option to re-sign the updates with the new cert. I sync'd SCCM and saw the update in the logs getting sync'd. Then I refreshed my DPs that had the update.

When I tried to reinstall the update on a client I got the same errors in WindowsUpdate.log as above. What do I need to do so that the client's content will get signed with the new cert?

Orange County District Attorney

ADR guidline

March 12, 2015, 12:52 pm

SCCM 2012 Endpoint Protection on Windows 8.1

August 2, 2013, 12:28 am
$
0
0
Good Morning Everyone,

Is there any possibility to install SCCM 2012 - Endpoint Protection on an Windows 8.1 client?

When i try to do so, i get the following error message:

"System Center 2012 Endpoint Protection cannot be installed on your operating system. Windows Program Compatibility mode is not supported by this program.  <a>For information about supported operating systems, see the online Help</a>. Error code:0x8004FF71"

If it is not possible, is there any ETA when we will be able to protect Windows 8.1 with SCCM 2012 EP?

Thank you in advance

Andreas

SCCM/WSUS issue after importing March CSA patch bundle

March 12, 2015, 12:44 pm
$
0
0

Hi, I am having an issue with security patch deployment since Tuesday night.  Debugging is ongoing.  I am running SCCM 2012 CU2.

Coincidentally, the problem appeared shortly after importing the March XP CSA (Custom Support Agreement) patch bundle into SCCM.  From the client end, WUAHandler.log reported continuous failures/retries.  On lower-end machines, system performance became very poor.  From the server end, starting up the Windows Server Update Services mmc (yes, I know you're not supposed to be doing anything in here, which I'm not) results in a connection error.  The detailed error message is shown further down.

It was difficult to get the client machines to stop "thrashing" per WUAHandler.log.  It wasn't until I de-installed/re-installed WSUS and ASP.NET that things quieted down yesterday afternoon.  All appeared to be stable until this morning when I  re-added "Windows XP Custom Support" under the SUP Component Properties tab, imported the CSA bundle info, initiated a CAB synchronization from Microsoft, and re-enabled Software Updates on the clients.  Again, I would get the error when starting up the Windows Server Update Services mmc.

I am doing everything again, but this time one step at a time.  My working theory is that there is some kind of corruption caused by the CSA import (this worked just fine up until Feb.).  A few hours ago, Microsoft published a new CSA patch bundle because a patch was apparently forgotten.  Is it possible that there was some kind of corruption included with the original bundle published on Tuesday?

I will post what I find as a result of my debugging.

Thanks,

Nick.

--

The WSUS administration console was unable to connect to the WSUS Server via the remote API.

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.


System.IO.IOException -- The handshake failed due to an unexpected packet format.

Source
System

Stack Trace:
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
** this exception was nested inside of the following exception **


System.Net.WebException -- The underlying connection was closed: An unexpected error occurred on a send.

Source
Microsoft.UpdateServices.Administration

Stack Trace:
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServerAndPopulateNode(Boolean connectingServerToConsole)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.OnExpandFromLoad(SyncStatus status)

Search

Adobe Flash 17.0.0.134 and SCUP with SCCM

March 13, 2015, 7:00 am
$
0
0

Not specifically an SCCM issue I know, but unfortunately the Adobe forums are very sleepy.

Basically I'm just wondering if any one using SCUP with SCCM to update Adobe Flash, and if they've noticed there's no sign of the latest Internet Explorer or Plugin version: 17.0.0.134 ?

The update process has worked fine for me until now.


One bad patch? KB3035131

March 13, 2015, 6:38 am
$
0
0

I had a 50% failure rate in my test group for patch KB3035131.

From the WUAHandler.log

1. Update (Missing): Security Update for Windows Server 2008 R2 x64 Edition (KB3035131) (3c704f78-5f61-4a0d-aae5-4e154e6f13b6, 202)WUAHandler3/12/2015 11:28:02 AM4356 (0x1104)

Failed to find update (df7f383f-b308-4d1a-a145-8c8b9514c703) with binary in update collection from WUA. Continuing with download.WUAHandler3/12/2015 11:28:03 AM4356 (0x1104)

All systems in the test group use the same DP so I am unsure as to why some would have an issue with the update missing and others would not.

The systems that failed did patch a different patch at the same time.

Any help would be great! 

Does anyone have a link to some SCEP Exclusion Rules Best Practice Templates (DC, Database Server, File Server etc..)

January 19, 2015, 8:30 pm
$
0
0

I am looking for suggested exclusions for System Center Endpoint Protection - basically focusing on servers. I believe that there should be a document for best practice for how to configure Endpoint Protection (formerly know as Forefront) for Domain Controllers, File Servers, Citrix Servers, MS Database Servers etc...

Does anyone have a link to recommend for this type of best practice information?  

 

Having trouble with installing updates

March 13, 2015, 10:48 am
$
0
0

Hello,

I am having trouble installing updates.  I checked the windowsupdate.log file and I see:

2015-03-13          11:52:43:075       956       680         Agent     * Criteria = "(DeploymentAction=* AND Type='Software') OR (DeploymentAction=* AND Type='Driver')"

In reading others' posts, I noticed in their logs contain "DeploymentAction=Install" .. could this potentially be the issue why it will not install the update?   If so, where does this get set at so I can modify it?  I looked around but was not able to find this setting.

Thanks for the help!

License Management

March 14, 2015, 9:39 am
$
0
0

Hi ,

How can i manage the License of Microsoft and non Microsoft Products in SCCM 2012 R2...

How it would be work ,,and what are the configuration required in SCCM , is any click steps link for SCCM 2012  ..

Shailendra Dev

MS11-043 Expired and won't install, but still Required on workgroup server?

March 14, 2015, 1:16 pm
$
0
0

So this is weird.

In my SCCM 2012R2 environment, MS11-043 now shows expired, since it was superseded by MS15-011.  Since it's expired, SCCM software update deployment mechanisms won't install the patch on new server builds.  Normal so far.  I haven't yet removed MS11-043 from all deployed software update groups so that it will get scavenged, since that's something I only do every few months. 

Just built a 2008R2 SP1 server in WORKGROUP mode since it's going to be in our DMZ.  Fully patched and compliant according to the SSRS reports.  However, when I go to the Compliance 5 report, it does show MS11-043 as being Required.  MS15-011 is not even on the list of applicable patches.

I think this is because MS11-043 addresses a vulnerability in SMB, which would apply to a WORKGROUP server, but MS15-011 addresses a vulnerability in group policy, which would NOT apply to a WORKGROUP server.  In this vein, I don't really understand why MS15-011 supersedes MS11-043, but then I'm not a Microsoft developer, so what do I know...

When I run MBSA on the server and point it to the SCCM WSUS server, everything shows compliant, but when I point MBSA to Microsoft, it shows missing MS11-043.

What have I done wrong?  How can I make sure our SCCM instance is applying MS11-043 to WORKGROUP servers with normal Software Update mechanisms?  Is there a way to "un-expire" the update?  I know I can uncheck the option to expire superseded updates after so long, but we generally want to do that right?

Thoughts?

Thanks!



compliance settings?

March 15, 2015, 5:16 am
$
0
0

 it is possible to identify the machines. if it is running non approved software by using compliance settings?

Search

Files with ".ECC" Extension

March 16, 2015, 2:26 am
$
0
0
Trying to track down what Malware changes files extensions to ".ECC" so I can find it in SCCM. 

Software Updates End User Experience in SCCM 2012

March 16, 2015, 10:01 am

I updated SCCM 2012 R2 from CU3 to CU4. Where can I find good directions on what else I need to do to make this work?

March 16, 2015, 10:54 am
$
0
0

I updated SCCM 2012 R2 from CU3 to CU4. Where can I find good directions on what else I need to do to make this work? I'm assuming I have to deploy the new clients?

Thanks,

James

James A+, Network+, MCP

Nokia Lumia 920, error code 0x80131500 when attempting to install software from the Lumia Software Recovery Tool

March 16, 2015, 4:56 pm
$
0
0
Does anyone know how to fix this problem? Its very frustrating and help would be much appreciated. And for clarification, with in seconds of the installation process my phone seems to disconnect or reset. It only does this when I get to the installation stage. 

Update SCEP from wsus

March 16, 2015, 8:41 pm
$
0
0

hi, can anyone help my problem

i want update SCEP client from wsus, i made configuration for it. 
in software update point, i fill synch wsus to my wsus server.

but when i try to synch software update, there no anything.

i look in component status, there many critical status. i try to run but it doesnt change.

any suggest?

thank you

Viewing all 6382 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>