SOLVED Remediating SCEP "Active Clients At Risk"

[matteobarreo]

Good morning all,
I've been working on this problem for quite some time and keep hitting a wall, I was hoping if someone could provide some help. Basically, my Endpoint Protection Client Status is only at about 83%, and it was as low as 79% at one point. Many of the clients that are at risk have very old definitions, some a few weeks or a few months old and one of them even has definitions that are over a year out of date.
How we are pushing definition updates
Two different ADR's, one for Windows 10 and one for Windows 7. They both have the following selected:
Deployment Settings: Automatically deploy all software updates found by this rule, and approve any license agreements.
Software updates: Product "Forefront Endpoint Protection 2010" OR "Windows Defender", Superseded=No, Update Classification=Definition Updates
Evaluation Schedule: Runs every 12 hours
Language: English

Please see attached for screenshots, along with a sample endpointprotection.log from one of my computers with very old definitions.

 

[matteobarreo]

More Deets (I'm new to pushing updates / definition updates with SCCM, so I'm just learning all the logs. I'm seeing these two errors OVER AND OVER on one of my failed machines (WUAHandler.log):

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server HTTP://SRVWSUS and Policy ENABLED
Failed to Add Update Source for WUAgent of type (2) and id ({5904FFEA-A54D-43D2-AF64-20A72FBEF1C6}). Error = 0x87d00692.

I'm also seeing these errors over and over on the same machine, under UpdatesDeployment.log:

Job error (0x87d00692) received for assignment ({46733bd3-fb91-4f69-8ba4-e83962f6c87b}) action
Updates will not be made available

 

[Prajwal Desai]

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server - This means that something within the domain is overwriting the policy from configmgr. Check if an old GPO is enabled that is setting an update server.

Go to registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
and look for entries under WindowsUpdate folder (WUServer,WUStatusServer).

 

[matteobarreo]

Thanks, Prajwal, I'll look into that!

Just an update, we are a smaller environment (~500 total devices), so in order to get our compliance up in the short-term, I enabled "updates from Microsoft Updates" and "Updates Distributed from Microsoft Malware Protection Center." Doing so has us up around 95% endpoint protection compliance, up from ~80% when I made this post, so it's been monumentally better!

Obviously though, this means that we have less control over updates, and I'll use the troubleshooting you've provided to see if I can get us up to this high of a compliance level using only WSUS.

 

[Prajwal Desai]

Doing so has us up around 95% endpoint protection compliance, up from ~80% - Yes that's because the client machines downloaded the updates directly from internet. You can't do that very often in bigger setup, atleast when you want to save enough bandwidth.

 

[matteobarreo]

Doing so has us up around 95% endpoint protection compliance, up from ~80% - Yes that's because the client machines downloaded the updates directly from internet. You can't do that very often in bigger setup, atleast when you want to save enough bandwidth.

Yup, for now it's just a temporary solution, still looking into making sure everyone is downloading from WSUS. I've checked a few of those registry entries on failed computers and they were all pointing where they should be, but I still have a lot more investigating to do. I'll check back next week with more data, thanks so far :-D