SOLVED SCEP Definitions not updated

[CrisKolkman]

Hello,

I'm quite new to SCCM and we are working on deploying it in our factory.
But before deploying SCCM to 1500+ clients we use our VDI's and some test machines to test everything out.

At this point we're quite stuck at that we manage SCEP from SCCM (which is working fine) but for example my own VDI installed the definitions from 13-04-2021 and not from yesterday.
I have created an ADR with below settings:






(I added Dutch just now to see if this makes a difference)



This ADR is deployed to a few device collections:


Below settings are for the Deployment Package:







A Software Update Group named SCEP Updates has been created by above actions:


But every time I look if there are new definition updates I seem to have to add them to the Software Update Group manually (I thought ADR would do that), and as shown in the screenshot below the clients have the status Not Required:

 

[CrisKolkman]

The Software Update Group shows most of the clients as Compliant, so what is the truth?


When I check my own VDI, I see below definition version:

Click Check for updates doesn't change anything.

We also want SCCM to handle the WSUS updates for the clients so I removed the WSUS GPO and I can see that the SCCM Client (?) created local policy to point to the SCCM server.
That seems to be fine but all the clients have the Not yet reported status in the WSUS console (not using the WSUS console to control anything (only automatic approval) but I was just checking).
I don't know if this is normal behavior but I'm also not sure if updates via SCCM/WSUS are working at the moment.

 

[Prajwal Desai]

Why are you using WSUS console to manage the updates ?. If the updates are showing as compliant can you check if the latest updates have been pulled directly from Internet.

 

[CrisKolkman]

Why are you using WSUS console to manage the updates ?. If the updates are showing as compliant can you check if the latest updates have been pulled directly from Internet.

Hello Prajwal,

Like I said in my previous post I'm not using the WSUS console to control/manage anything, but I read somewhere that even when you use SCCM to deploy updates, you need to configure the automatic approval in WSUS (and that's all you configure in WSUS), that's the reason I did that.

It seems that most of the clients are slowly pulling the latest definition versions after I changed a few settings, so fingers crossed.

 

[Naveedkarjikar]

Hello Prajwal,

Like I said in my previous post I'm not using the WSUS console to control/manage anything, but I read somewhere that even when you use SCCM to deploy updates, you need to configure the automatic approval in WSUS (and that's all you configure in WSUS), that's the reason I did that.

It seems that most of the clients are slowly pulling the latest definition versions after I changed a few settings, so fingers crossed.

Hi, I am also facing the same problem. Is it resolved?

 

[CrisKolkman]

Hi, I am also facing the same problem. Is it resolved?

Hello @Naveedkarjikar,

Which of the 2 issues do you have?
Both are solved at our environment yes.

 

[Naveedkarjikar]

Hello @Naveedkarjikar,

Which of the 2 issues do you have?
Both are solved at our environment yes.

Hi, First I would like to thank you for your response.
Recently we have installed endpoint protection point site system role on MECM to manage windows defender & system center endpoint protection client.
For windows server 2012 & 2012 R2 system center endpoint protection client is installed and we have configured ADR to distribute definition updates for windows defender & system center endpoint protection client.

ADR is deploying definition updates (Security Intelligence Updates) for windows defender without any problem but definition updates (Security Intelligence Updates) for system center endpoint protection client is not deploying using ADR.


As it shown in above screenshot this update is required by 0 computers. I am not able to reach to the point why it says required by 0 computers if it is the definition update and it is required for Microsoft endpoint protection.

I hope you understand my problem incase if you have any doubts please feel free to reply.

 

[CrisKolkman]

Hi, First I would like to thank you for your response.
Recently we have installed endpoint protection point site system role on MECM to manage windows defender & system center endpoint protection client.
For windows server 2012 & 2012 R2 system center endpoint protection client is installed and we have configured ADR to distribute definition updates for windows defender & system center endpoint protection client.

ADR is deploying definition updates (Security Intelligence Updates) for windows defender without any problem but definition updates (Security Intelligence Updates) for system center endpoint protection client is not deploying using ADR.
View attachment 4319

As it shown in above screenshot this update is required by 0 computers. I am not able to reach to the point why it says required by 0 computers if it is the definition update and it is required for Microsoft endpoint protection.

I hope you understand my problem incase if you have any doubts please feel free to reply.

Hello @Naveedkarjikar,

Let me start by saying that I'm not an SCCM expert at all
I will show our implementation below, can you confirm your setup looks (a bit) like this?

Open Software Update Point settings:


For this to work you need at least Definition Updates:


Under Products we selected:




We are syncing updates every hour (note that this only syncs the updates, it doesn't download updates):


Also make sure you selected the correct languages in the Languages tab.

For the ADR:





And the deployment of the ADR is set to Required.

 

[Naveedkarjikar]

Hello @Naveedkarjikar,

Let me start by saying that I'm not an SCCM expert at all
I will show our implementation below, can you confirm your setup looks (a bit) like this?

Open Software Update Point settings:
View attachment 4320

For this to work you need at least Definition Updates:
View attachment 4321

Under Products we selected:
View attachment 4322
View attachment 4323
View attachment 4324

We are syncing updates every hour (note that this only syncs the updates, it doesn't download updates):

View attachment 4325
Also make sure you selected the correct languages in the Languages tab.

For the ADR:

View attachment 4326
View attachment 4327
View attachment 4328
View attachment 4329
And the deployment of the ADR is set to Required.

Hello,
Please be informed that we have exactly same configuration in place.
If you answer to my below queries may it will be helpful to resolve my problem.
1. Do you have windows server 2012 & 2012 R2 in your environment?
2. If yes System center endpoint protection is installed?
3. if installed in MECM is it showing that the definition (Security Intelligence Update) is required.
4. If yes can you please share me with KB number which says this updates is required or some screenshot with the required definition update.

Thank you
Naveed

 

[CrisKolkman]

1. Do you have windows server 2012 & 2012 R2 in your environment?
2. If yes System center endpoint protection is installed?
3. if installed in MECM is it showing that the definition (Security Intelligence Update) is required.
4. If yes can you please share me with KB number which says this updates is required or some screenshot with the required definition update.

1. Do you have windows server 2012 & 2012 R2 in your environment?
Yes
2. If yes System center endpoint protection is installed?
Yes
3. if installed in MECM is it showing that the definition (Security Intelligence Update) is required.
Yes
4. If yes can you please share me with KB number which says this updates is required or some screenshot with the required definition update.

2 of our Server 2012R2 servers (but all our Server 2012R2 machines are up-to-date):


Some of the KB's deployed by our SCEP ADR:

 

[Naveedkarjikar]

Verified all settings as mentioned above but still its not working for us.
Can you please check the update source setting in antimalware policy and let us know how it is configured. also please check if UNC is also configured.

 

[CrisKolkman]

Verified all settings as mentioned above but still its not working for us.
Can you please check the update source setting in antimalware policy and let us know how it is configured. also please check if UNC is also configured.

Hello @Naveedkarjikar,

Also make sure there is no GPO deployed which is messing with SCCM settings.

Our Client Settings:


And update settings:

 

[Naveedkarjikar]

Hello, CrisKolkman,​

Thank you for your help. We have same settings configured but still definition updates are not getting deployed. We will open case with Microsoft.

 

[Naveedkarjikar]

Hello @Naveedkarjikar,

Also make sure there is no GPO deployed which is messing with SCCM settings.

Our Client Settings:
View attachment 4354

And update settings:
View attachment 4355

Hi,
Did you approve definition updates in WSUS server? If i approve definition update in WSUS then its taking from WSUS source not SCCM.

 

[CrisKolkman]

Hi,
Did you approve definition updates in WSUS server? If i approve definition update in WSUS then its taking from WSUS source not SCCM.

No you never approve anything in WSUS, the ADR should be configured to approve the updates automatically.