SCEP Definitions Always One Day Old

Greetings!

I'm having a problem where my SCEP definitions are updating...but they're always at least one day old.

As far as I can tell, I have everything set to run at least daily, and the clients do eventually get updated...just not the current definition.

For example, my client currently has 1.153.222.0 and per the Microsoft malware portal the latest is 1.153.258.0.  Also, when I look in the SCEP client it shows the correct policy, but says, "Policy Applied: 6/19/2013 at 9:40pm" which is last night.

Here are some of the pertinent settings:

EP Policy, Definition updates: Check for EP definitions at specific interval: 6 hrs, Check for EP definitions daily at: 6am, Sources: SCCM, WSUS, MS Update, MS Malware Center (in that order...)

ADR: General: Add to existing is selected, Software Updates: Product: Forefront EP 2010, Superseded: No, Update Class: Definition Updates, Eval Schedule: Every 6 hrs starting @7:15am, Deployment Schedule: Specific time 1 hr (8:15am), Installation deadline: ASAP, User Exp: Deadline behavior Software Install is checked, Download Settings: Download from DP and install (both cases)

Deployment Package: Last refresh time: 6/20/2013 @7:16am, Show Members: There are 10, latest is 1.153.222.0

SUP syncs every 6hrs starting @3:15am

The ADR is configured to re-use the same deployment, and I see the "Date Created" on the DP is current.

I have GPOs; the only WSUS setting I'm pushing is: Configure Automatic Updates: Disabled

(I've read numerous posts and books that have conflicting information on GPOs and WSUS; this was the nearest I could figure to keep the clients from hitting the Internet and not interfering with the SCCM client's local policies...correct me if I'm wrong on this setting.)

Checking the server, under All Software Updates and searching for "endpoint protection", I see the current definition (1.153.258.0). Which leads me to another thing I can't figure out. Per numerous "how-to" posts and multiple books, such as Agerlund's "SCCM Mastering the Fundamentals", if I perform the query as explained on page 226, "Date Released or Revised: Last 1 Month, Product: Forefront EP 2010, Update Classification: Definition Updates", I get nothing listed...but if I dump the "Date Released" criteria and add "Superseded: No"...the latest def shows up. Also, if I change the date released criteria to "is greater than or equal to" and "Last 1 day"...the last four defs show up...this makes no sense to me.

As you have probably figured out, I'm new to this. I have searched many forums for answers but haven't figured this out, so if I've missed something obvious or posted this in the wrong forum, I apologize in advance...

Thank you in advance for your help, if you need any logs or anything that would help, please let me know.

Thanks,

-Rob 

June 20th, 2013 10:18pm

So you are syncing with WSUS every 6 hours and your ADR runs every 6 hours.

Then your clients are checking for new definitions also every 6 hours.

When your WSUS starts syncing, you are running the ADR (which doesn't see the newest definition yet because WSUS is syncing) and you have all the clients check in at the same time, +/- the CM policy polling schedule.

You need to allow the WSUS sync to complete first.

Why don't you set this up for test in this order:

Sync WSUS every 3 hours
Run the ADR rule every 4 hours
Have your clients check in for definitions every 5 hours.

This should give you new definitions twice a day; I think MS releases them 3 times a day if I remember correctly.

June 20th, 2013 10:40pm

Two notes:

- Running the SUP sync is supported a maximum of three times a day (you currently are at 4, so this is technically unsupported, although probably not the source of your issue).

- You can set an ADR to run immediately following a successful SUP Sync.

June 21st, 2013 12:17am
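The ordering problem the two replies above describe (an ADR that fires while the SUP sync is still running sees the previous sync's content, and every stage then adds up to one interval of lag before the client sees a definition) is easier to reason about with a small stage-by-stage model. This is an added example, not code from the thread or from Configuration Manager: the release times, intervals and version numbers are constructed, and the one-hour sync and half-hour deployment durations are assumptions used only to show the effect.

```python
"""Stage-by-stage model of the SCEP definition pipeline:
Microsoft release -> SUP (WSUS) sync -> ADR deployment -> client definition check.
Added example; all times, intervals and version numbers are constructed."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# (hours since midnight of day 0, definition number); higher number = newer
Event = Tuple[float, int]

# Constructed release times: three definitions a day at 01:00, 09:00 and 17:00
RELEASES: List[Event] = [(1 + 8 * i, i + 1) for i in range(6)]


@dataclass(frozen=True)
class Schedule:
    """A recurring task: first run at `start`, then every `interval` hours."""
    start: float
    interval: float

    def runs(self, horizon: float) -> Iterator[float]:
        t = self.start
        while t <= horizon:
            yield t
            t += self.interval


def latest_before(events: List[Event], t: float) -> Optional[Event]:
    """Newest event that was already published at time t, or None."""
    visible = [e for e in events if e[0] <= t]
    return max(visible, key=lambda e: e[1]) if visible else None


def propagate(upstream: List[Event], schedule: Schedule, horizon: float,
              duration: float = 0.0) -> List[Event]:
    """Each scheduled run picks up whatever the upstream stage had finished
    publishing at that instant and publishes it `duration` hours later.
    A run that starts while the upstream stage is still busy therefore
    carries forward the previous content, which is the race in the thread."""
    out: List[Event] = []
    for t in schedule.runs(horizon):
        got = latest_before(upstream, t)
        if got is not None and (not out or got[1] > out[-1][1]):
            out.append((t + duration, got[1]))
    return out


def simulate(releases: List[Event], sup: Schedule, adr: Schedule,
             client: Schedule, horizon: float,
             sync_hours: float = 1.0, deploy_hours: float = 0.5) -> List[Event]:
    """Return the (time, version) events at which the client gets a new definition."""
    synced = propagate(releases, sup, horizon, duration=sync_hours)      # assumed 1 h sync
    deployed = propagate(synced, adr, horizon, duration=deploy_hours)    # assumed 0.5 h to DP
    return propagate(deployed, client, horizon)


def definitions_behind(releases: List[Event], on_client: List[Event], t: float) -> int:
    """How many releases the client is behind the newest one at time t."""
    newest = latest_before(releases, t)
    have = latest_before(on_client, t)
    if newest is None:
        return 0
    return newest[1] - (have[1] if have is not None else 0)


def worst_case(releases: List[Event], on_client: List[Event],
               t_from: int, t_to: int) -> int:
    """Largest lag (in releases) sampled at each whole hour in [t_from, t_to]."""
    return max(definitions_behind(releases, on_client, t) for t in range(t_from, t_to + 1))


def main() -> None:
    horizon = 48.0
    # Everything on the same clock: the ADR starts while the sync is still running
    # and the clients poll before the deployment has reached the DP.
    same_clock = simulate(RELEASES, Schedule(0, 6), Schedule(0, 6), Schedule(0, 6), horizon)
    # Staggered: ADR two hours after the sync starts, clients an hour after the ADR.
    staggered = simulate(RELEASES, Schedule(0, 6), Schedule(2, 6), Schedule(3, 6), horizon)
    for name, run in (("same clock", same_clock), ("staggered", staggered)):
        print(f"{name:10s}: client versions {run}")
        print(f"{name:10s}: worst lag on day 2 = {worst_case(RELEASES, run, 24, 48)} release(s)")


if __name__ == "__main__":
    main()
```

With the same 6-hour interval everywhere, only the relative start times change between the two runs, yet the client on the shared clock falls up to three releases behind on day 2 while the staggered client is never more than one behind; this is the same reasoning behind the advice to stagger the stages or to trigger the ADR from the SUP sync itself.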

Thank you for the tips!

Impatience prevails...I cranked all the sync times down to "speed it up" as it was taking a day-at-a-time to see the results.  There was a method to my madness though because my plan was to stagger the start times and interlace the intervals...sync @ 6:15 on a 4 hr interval, ADR @ 8:15 on a 6 hr interval...so except for a few times where multiples are the same there would be a 2 hr difference...

Anyway, I'll reduce it further to see if that has any effect on it.

Might it be something more rudimentary like the CM client settings or something like that?  I have not deployed the "Default Client Settings" to any groups, but instead created my own policy and deployed that.  In my policy I have not selected every one of the custom settings on the General tab...I assumed <grin> there were built-in "default" settings that unless I needed to tweak with custom policies, would be applied.  Is that a correct assumption?  Or should I deploy the Default Client Settings at the 10,000 priority and then have my 1 and 2 priority settings only override that which I want to change?

My problem feels like it's something with the Software Updates Scan/Deployment Evaluation Cycles...like they are occurring maybe once or twice a day...so even though I ramped up the sync and ADR schedules, the clients are only checking once...??

I also notice that when I click on the Software Update Group created by the ADR, that the summary information for the one definition that shows up (the correct, most current) says "Required: 35"...the pie chart says, "Not Required: 245"...we have about 450 clients that are in this EP deployment collection...seems to me that it should say "Required: 450"??

-Rob

June 21st, 2013 2:36am

Required depends on how often you run summary (you can set schedule summarization).

Software Updates Scan has nothing to do with how often your clients check in for definition updates.
It is the setting on antimalware policy.

No matter what you do, do not modify or deploy default client policy. Just copy it and set it up the way you need it.

June 21st, 2013 3:33pm

OK, that was my feelings on the "Default" policy...so I had created my own...

I reduced the definition check to 8 hrs and changed my sync schedules, etc...still nothing.

Here's what I have now:

SUP sync: 8 hrs @ 0315

ADR:  8 hrs @ 0515

EP client def chk: 8 hrs @0600

Any other ideas on what I should check?  It still seems to be consistently one day behind.

-Rob

June 26th, 2013 5:46pm

Why not run your ADR in response to the SUP sync instead of a hard-coded time?

What sources do you have selected for your EP definitions in your applicable EP policy?

June 27th, 2013 4:19am

Jason,

Right now I have Config Mgr and WSUS sources checked.

I didn't know you could schedule the ADR to run like that, how do you configure it?

This problem is making me nutty, I'm sure it's something simple that I've overlooked but I just can't seem to figure it out.

Thanks for your help,

-Rob

July 8th, 2013 1:46pm
