SCEP Clients At Risk/State Messaging/NIS

Hi there,

I have various problems with some of the SCEP clients in a 2012 R2 CU4 environment. About 0.5% of the clients are at risk according to the SCCM console (active clients at risk).
Most of them have NULL values for EP Definition Last Version and EP Enabled; however, when checking WMI on these computers, the definition is the latest and SCEP/AV/AS are enabled.

I am using -Namespace root\microsoft\securityclient -Class AntiMalwareHealthStatus to review the actual information on a client...

Q1: Where/how can I track SCEP state messages sent to SCCM? And what do topic types 2001/2003 and their related state IDs mean?
Since everything seems to be fine on the client side to me, I thought maybe they don't send the report.
There is this old forum: https://social.technet.microsoft.com/Forums/en-US/e46c75e8-c9db-4539-8080-bd81bef35124/endpoint-protection-how-does-client-report-back-installed-definition-version?forum=configmanagersecurity
but I don't really feel that answers it.
In EndpointProtection.log on a healthy client I see this:
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000
Skip sending state message due to same state message already exists.

But still, in this case one can assume that state id 3 for topic 2001 means OK... :S

On a client that is reported at risk, very few occurrences of this message are shown, and they do not have a skip send after them (3 times in 3 weeks):
Send State Message with topic type = 2003, state id = 3, and message = <INSTANCE><PROPERTY NAME="ProcessTime" TYPE="datetime"><VALUE>2015-06-19T11:17:18.088Z</VALUE></PROPERTY><PROPERTY NAME="ErrorCode" TYPE="int32"><VALUE>0</VALUE></PROPERTY><PROPERTY NAME="Error" TYPE="string"><VALUE></VALUE></PROPERTY></INSTANCE>

Though then again, since a healthy client always skips (in the last 3 weeks, as far back as I could chase), I guess this state message has nothing to do with definition updates... only engine and policy (actually there's no info about definitions here).
I thought it might be in MPSigStub.log, but I don't find anything regarding state messages in it...

In epmgr.box I don't see any bad/corrupt data, but I'm not even sure if that is for the clients (though I assume so).

I just read the RSS feed about KB3025417 and thought it may be the cause, so I checked... but the clients do *not* have this update installed (and actually, if it had been deployed there would be more issues).
Nevertheless, I tried the workaround solution: Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
However I receive: Warning: The provider DLL 'C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll' was built to be used with a MUI file, but no MUI file was specified in the registration. Localizable qualifiers' value will be displayed as resource IDs.

What else can be done here?

Q2 NIS - when is it enabled, and does it have anything to do with 'at risk'?
Now I don't know much about the NIS part of the SCEP client, but while checking these clients I find that NIS is enabled on some while not enabled on others.
In the console under At Risk, I did not find any NIS information. Since the random enabled/disabled seems to affect all clients, whether or not they are 'at risk', I assume NIS is not taken into account when marking a client 'at risk'.

Cheers

June 19th, 2015 2:12pm

Update to Q1:

In ExternalEventAgent.log I found this entry repeating on an unhealthy client:
WMI callback for machine notification (SELECT * FROM MSFT_MpEvent where CategoryDiscriminant = 2) in scope (\\.\root\Microsoft\ProtectionManagement) for group 'EndpointProtection' is not registered.

It is very similar to this: http://blogs.technet.com/b/configmgrteam/archive/2015/06/18/scep-client-reporting-issues-after-installing-kb3025417-on-win-8-1.aspx

June 22nd, 2015 6:03am
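An added diagnostic script (not from the thread, not Microsoft's or SCCM's own tooling) that puts the two halves of Q1 side by side on one client: the AntiMalwareHealthStatus data the poster queried versus the state messages EndpointProtection.log says were sent, plus a check of the ProtectionManagement provider that the 22 June ExternalEventAgent.log warning refers to. It assumes the default CCM log path and that the properties of interest are the ones whose names end in Enabled or SignatureVersion.

```powershell
# Added diagnostic for the Q1 symptom (client healthy in WMI, "at risk" in the console):
# compares the local AntiMalwareHealthStatus data with what EndpointProtection.log says was
# sent as state messages, and checks the ProtectionManagement provider that
# ExternalEventAgent.log complains about. Log path and property names are assumptions.
param(
    [string]$EpLog = "$env:windir\CCM\Logs\EndpointProtection.log"   # assumed default CCM log path
)

# 1. Local view: the class the thread queries. Only Enabled/version properties are shown,
#    because those are the columns (EP Enabled, EP Definition Last Version) that show NULL.
$health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntiMalwareHealthStatus
$health.PSObject.Properties |
    Where-Object { $_.Name -match 'Enabled$|SignatureVersion$' } |
    Select-Object Name, Value | Format-Table -AutoSize

# 2. Site view: what the EP agent actually tried to send. Each CMTrace line looks like
#    <![LOG[...topic type = 2001, state id = 3...]LOG]!><time="..." date="06-19-2015" ...>
#    A "Skip sending state message" line directly after it means nothing new went to the site.
$lines = @(Get-Content -Path $EpLog -ErrorAction Stop)
$messages = for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match 'State Message with topic type = (\d+), state id = (\d+)') {
        $topic = [int]$Matches[1]; $state = [int]$Matches[2]
        $date  = if ($lines[$i] -match 'date="([^"]+)"') { $Matches[1] } else { '?' }
        $next  = if ($i + 1 -lt $lines.Count) { $lines[$i + 1] } else { '' }
        [pscustomobject]@{
            Topic   = $topic
            StateId = $state
            Date    = $date
            Skipped = [bool]($next -match 'Skip sending state message')
        }
    }
}
"State messages found in log: $($messages.Count)"
$messages | Group-Object Topic, StateId, Skipped |
    Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Select-Object -Last 1).Date } } |
    Format-Table -AutoSize
# Compare with a healthy client: the thread shows topic 2001 / state 3 followed by a skip there.

# 3. Provider check: the ExternalEventAgent.log warning says the MSFT_MpEvent subscription in
#    root\Microsoft\ProtectionManagement is not registered, so test that the class resolves.
$mpEvent = Get-CimClass -Namespace 'root\Microsoft\ProtectionManagement' -ClassName MSFT_MpEvent -ErrorAction SilentlyContinue
if ($mpEvent) { 'MSFT_MpEvent resolves: ProtectionManagement provider is registered.' }
else { 'MSFT_MpEvent missing: matches the "not registered" warning; re-register the provider or reinstall SCEP.' }
```

Run it elevated on a client the console lists as at risk and on a healthy one, and diff the two outputs.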

Click the active client at risk; you should be able to see the reason why it is at risk.

And what does NIS mean here?

July 1st, 2015 1:16am

Solved: simply reinstall the SCEP client.

My .bat for the reinstall:

scepinstall.exe /u /s /q
timeout 10
scepinstall.exe /s /q /policy %~dp0ep_defaultpolicy.xml

Note: in some cases the ccmexec service (or the process, if the service was stuck) required a restart.

  • Marked as answer by cgsilver 18 hours 56 minutes ago
July 14th, 2015 8:53am
