SCEP definition updates trying to pull from the Internet - poor behaviour

Most of our clients do NOT have the ability to just head out to the internet to get things (via proxy or otherwise) and as such, I have configured my Malware policy to use "Updates distributed from Configuration Manager" ONLY.

I do NOT want it trying to get updates from ANYWHERE ELSE.

Some aren't behaving. :(

I am seeing log entries that indicate that the client is trying to go out to the Internet to get the updates.

Here is a cycle of the machine's more recent attempt:

2014-01-27 19:51:43:096 3616 e38 Misc ===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========
2014-01-27 19:51:43:096 3616 e38 Misc   = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2014-01-27 19:51:43:096 3616 e38 Misc   = Module: C:\Windows\system32\wuapi.dll
2014-01-27 19:51:43:096 3616 e38 COMAPI -------------
2014-01-27 19:51:43:096 3616 e38 COMAPI -- START --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 3616 e38 COMAPI ---------
2014-01-27 19:51:43:096 3616 e38 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 1032 e7c Agent *************
2014-01-27 19:51:43:096 1032 e7c Agent ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:096 1032 e7c Agent *********
2014-01-27 19:51:43:096 1032 e7c Agent   * Online = Yes; Ignore download priority = No
2014-01-27 19:51:43:112 1032 e7c Agent   * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2014-01-27 19:51:43:112 1032 e7c Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-01-27 19:51:43:112 1032 e7c Agent   * Search Scope = {Machine}
2014-01-27 19:51:43:112 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:51:43:128 1032 e7c Misc  Microsoft signed: Yes
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:53:11:727 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:53:56:042 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc WARNING: DownloadFileInternal failed for http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:54:40:342 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:54:40:358 1032 e7c Misc  Microsoft signed: Yes
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:56:08:941 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:56:53:257 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc WARNING: DownloadFileInternal failed for http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:57:37:603 1032 e7c Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2014-01-27 19:57:37:619 1032 e7c Misc  Microsoft signed: Yes
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:01:011 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:24:278 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:58:47:577 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: Send failed with hr = 80072ee2.
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Misc WARNING: DownloadFileInternal failed for http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Agent WARNING: Failed to obtain the authorization cab URLs, hr=0x80072ee2
2014-01-27 19:59:10:844 1032 e7c Agent   * WARNING: Online service registration/service ID resolution failed, hr=0x80072EE2
2014-01-27 19:59:10:891 1032 e7c Agent   * WARNING: Exit code = 0x80072EE2
2014-01-27 19:59:10:891 1032 e7c Agent *********
2014-01-27 19:59:10:891 1032 e7c Agent **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:891 1032 e7c Agent *************
2014-01-27 19:59:10:891 1032 e7c Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-01-27 19:59:10:906 3616 458 COMAPI >>--  RESUMED  -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:922 3616 458 COMAPI   - Updates found = 0
2014-01-27 19:59:10:922 3616 458 COMAPI   - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2
2014-01-27 19:59:10:922 3616 458 COMAPI ---------
2014-01-27 19:59:10:922 3616 458 COMAPI --  END  --  COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:59:10:922 3616 458 COMAPI -------------
2014-01-27 19:59:10:922 3616 5d0 COMAPI WARNING: Operation failed due to earlier error, hr=80072EE2
2014-01-27 19:59:10:922 3616 5d0 COMAPI FATAL: Unable to complete asynchronous search. (hr=80072EE2)
2014-01-27 19:59:15:891 1032 e7c Report REPORT EVENT: {45AA9823-28E9-4632-92BE-AF48B4BB8710} 2014-01-27 19:59:10:891-0000 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 System Center Endpoint Protecti Failure Software Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-01-27 19:59:15:969 1032 e7c Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-01-27 19:59:15:969 1032 e7c Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged
2014-01-27 19:59:15:969 1032 e7c Report CWERReporter finishing event handling. (00000000)

Anyone have any suggestions?  I don't want the machines to EVER try to go out to the internet when they are trying to update their SCEP defs.


  • Edited by DragonSpeed Tuesday, January 28, 2014 10:00 PM
January 28th, 2014 9:59pm
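The log in the post above can be checked mechanically. The following Python is an added example, not posted by anyone in the thread: it groups Windows Update agent log lines into "Finding updates" sessions and reports those started by System Center Endpoint Protection that requested a host outside an allow-list. The function name, the `allowed_hosts` parameter and the AutomaticUpdates lines in the sample are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: abridged from the log layout in the post above, plus one
# made-up AutomaticUpdates session to show that only SCEP-initiated searches are flagged.
SAMPLE_LOG = """\
2014-01-27 19:51:43:096 1032 e7c Agent ** START **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 19:51:43:112 1032 e7c Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2014-01-27 19:52:27:427 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:55:24:657 1032 e7c Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 19:59:10:891 1032 e7c Agent   * WARNING: Exit code = 0x80072EE2
2014-01-27 19:59:10:891 1032 e7c Agent **  END  **  Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2014-01-27 20:10:00:000 1032 a10 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2014-01-27 20:10:05:000 1032 a10 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2014-01-27 20:10:06:000 1032 a10 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):\d{3}\s+(\d+)\s+([0-9a-f]+)\s+\w+\s+(.*)$")
START = re.compile(r"\*\*\s+START\s+\*\*\s+Agent: Finding updates \[CallerId = (.+)\]")
END = re.compile(r"\*\*\s+END\s+\*\*\s+Agent: Finding updates")
SERVICE = re.compile(r"ServiceID = \{([0-9A-Fa-f-]{36})\}")
URL = re.compile(r"https?://[^\s<>]+")
EXIT = re.compile(r"Exit code = (0x[0-9A-Fa-f]{8})")
SCEP_CALLER = "System Center Endpoint Protection"


def scep_external_attempts(log_text, allowed_hosts=frozenset()):
    """Return one record per SCEP-initiated search that requested a host outside allowed_hosts."""
    open_sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # A search runs on one agent thread, so (pid, tid) identifies the session.
        stamp, key, msg = m.group(1), (m.group(2), m.group(3)), m.group(4)
        started = START.search(msg)
        if started:
            open_sessions[key] = {"start": stamp, "caller": started.group(1),
                                  "service_id": None, "hosts": {}, "exit_code": None}
            continue
        session = open_sessions.get(key)
        if session is None:
            continue
        if END.search(msg):
            del open_sessions[key]
            if SCEP_CALLER in session["caller"] and session["hosts"]:
                findings.append(session)
            continue
        if (svc := SERVICE.search(msg)):
            session["service_id"] = svc.group(1).upper()
        if (code := EXIT.search(msg)):
            session["exit_code"] = code.group(1).lower()
        for url in URL.findall(msg):
            host = urlsplit(url).hostname
            if host and host not in allowed_hosts:
                session["hosts"][host] = session["hosts"].get(host, 0) + 1
    return findings

if __name__ == "__main__":
    print(scep_external_attempts(SAMPLE_LOG))
```

Pass the lower-case host names of your own software update point in `allowed_hosts` so that only requests to other hosts are reported.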

Has the Malware policy been deployed to the clients?
January 28th, 2014 10:27pm

Yes, they show the policy as applied when you show "Malware Policy" on the client in SCCM console.
January 28th, 2014 10:29pm

Take a look at Niall's guide. It may assist you with troubleshooting the problem.

http://www.windows-noob.com/forums/index.php?/topic/6106-using-system-center-2012-configuration-manager-part-6-adding-the-endpoint-protection-role-configure-alerts-and-custom-antimalware-policies/

January 28th, 2014 10:50pm

Have you installed a SUP in SCCM?
January 28th, 2014 10:51pm

Been there, done that, got the T-shirt. 

January 28th, 2014 10:52pm

Have you installed a SU
January 28th, 2014 10:54pm

Do you have a GPO applied to the devices set to use Windows Update as the source for updates?
January 28th, 2014 11:15pm

No GPO - policy is applied from local (via SCCM) telling it that WSUS server is my SUP server.

I've just gone for the reinstall of the SCCM client to see if this wakes anything up.

  • Edited by DragonSpeed Tuesday, January 28, 2014 11:34 PM
January 28th, 2014 11:16pm

Uninstalling SCEP (via control panel) and then letting SCCM re-install it as per policy seems to have done the trick.  I'm not sure though, as it might have started this after the "grace" period to go to other update sources.

I'd LIKE it to ONLY go to SCCM SUP for updates, no MATTER what.  What value should I put in that "if SCCM is chosen as the source, fall back to other sources..." field to DISABLE it?  0?  The highest value I can put in there is 99 :(

January 29th, 2014 5:19pm

I'm cleaning up old posts. Did you figure this out? If so, how?
February 22nd, 2014 2:54pm

There is no way to stop it, that I found :(  After the period of days in the field, it WILL go and look for updates if it hasn't been able to get them from the SUP.

If someone ever finds differently, please feel free to add to this thread.

B.

March 2nd, 2014 9:45am

I'm seeing this behaviour also for clients that are unable to get to the SUP due to firewall. Eventually they fall back to Windows updates as a source even though this is not specified in the antimalware policies.

Is this behaviour documented somewhere?

November 12th, 2014 2:23pm

Stop SCEP from downloading over the internet, uncheck the following locations:

1. SCFEP Def Deployment (ADR if you have one) -

Download Setting: If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates

2. Client Setting (Endpoint Protection) [check your priority if you have more than 1]

Disable Alternate Sources (such as Microsoft Windows Update, ....) for the initial definition update on client computers.

3. Asset and Compliance: Endpoint Protection, Antimalware Policies (check all that you have and priority)

Definition Updates: If Configuration Manager is used as a source for definition update, clients will only update from alternate sources if definition is older than (hours). Set this to 720. This is the max; after this the machine will be forced to pull from Microsoft to protect the machine.

November 12th, 2014 8:23pm

Cheers for info Matthew
November 12th, 2014 9:09pm

The thing is "forced to go to MS to get the update" isn't going to do anything....

Hitting your head against the brick wall isn't going to make a difference to the WALL.... If the admin specifies that they shouldn't go out then they shouldn't even TRY to go out.  PERIOD.

November 12th, 2014 9:24pm

The point of the last box, the time out: the client will go to Windows Update in order to protect the client, if you have listed ConfigMgr DP as a source. They are assuming the machine has access to the internet or at least the Windows Update site for protection.

If the machine failed to update in 72 hours then you have a problem with your infrastructure anyway.

November 12th, 2014 9:31pm

If the machine failed to update in 72 hours then you have a problem with your infrastructure anyway.

November 12th, 2014 9:58pm

Matthew,

Thank you for the info. So does this mean there is no way to block SCEP from using MS after the timeout? I understand I would have something wrong with my infrastructure and I'm looking to monitor in other ways. Just looking to avoid an issue that I currently have which is every once in a while in the morning several hundred will go to MS to update the definitions and this hammers our Internet utilization. I would like to avoid finding out something is wrong this way since it impacts the business. Any ideas?

May 18th, 2015 12:23pm
