I have a collection for some of our application servers that is used in conjunction with an ADR to deploy the SCEP definition updates. 12 of the servers in this collection recently had the SCCM 2012 R2 client installed on them. (The collection has a total of 23 servers in it)

I can see that these 12  servers have the Antimalware policy applied, but are not getting the SCEP updates.  The summary for SCEP is:  Service started without any malware protection engine; AV signatures out of date; AS signatures out of date.

The policy application state is "Succeeded" with the recent date and time.

When I view the status of the deployment, the enforcement state is "Failed to install update(s) " with an error code of 0X87D00667 - No current or future service window exists to install software updates.

These servers are members of another collection that is used for deploying the Monthly updates.  This "update" collection does have a maintenance window on it specific to software updates, with no recurrence schedule.

Do maintenance windows apply to the machine then, regardless of what collection they are in?

These 12 servers, for the Endpoint Protection client settings have the "Allow EP client installation and restarts outside MW" set to No, and the Suppress any required computer restarts after the EP client is installed set to Yes. 

For the Software Updates client setting, the update scan schedule and deployment re-evaluation is set to every 7 days.

So, in looking at this, it appears that these servers will never get any SCEP updates because they are members of another collection that has a MW, even though the SCEP collection does not have a MW?

Is that correct?

So, in looking at this, it appears that these servers will never get any SCEP updates because they are members of another collection that has a MW, even though the SCEP collection does not have a MW?

Is that correct?

Yes correct.

So, I have 2 choices -

Add a MW to the SCEP collection.

Change the recurrence schedule on the Update collection from None to (probably) daily so SCEP updates will install.

If maintenance windows do not overlap then they are treated as separate maintenance windows.

If they overlap, it will be treated as a single maintenance window including all the time covered by both maintenance windows.

But, assuming that is correct, I can have a MW on the EP collection and still maintain the MW with no recurrence on the update collection?

So if my MW for software updates was 3-5am with no recurrence and my MW for SCEP updates was 2-3am with daily recurrence, then each update type will get installed during their respective update time?

• Edited by mandp Thursday, January 29, 2015 7:48 PM

So, I have 2 choices -

Add a MW to the SCEP collection.

Change the recurrence schedule on the Update collection from None to (probably) daily so SCEP updates will install.

If maintenance windows do not overlap then they are treated as separate maintenance windows.

If they overlap, it will be treated as a single maintenance window including all the time covered by both maintenance windows.

But, assuming that is correct, I can have a MW on the EP collection and still maintain the MW with no recurrence on the update collection?

So if my MW for software updates was 3-5am with no recurrence and my MW for SCEP updates was 2-3am with daily recurrence, then each update type will get installed during their respective update time?

• Edited by mandp Thursday, January 29, 2015 7:48 PM

I added a MW on the collection that is used for SCEP updates.  I made the MW effective yesterday, but the MW hours were from 5:30am-7:30am daily (which should have started this morning, 1/30, at 5:30am).

In the updatesdeployment.log, I see the MW starting:

CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 1/30/2015 5:30:00 AM 3004 (0x0BBC)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 1/30/2015 5:30:00 AM 3004 (0x0BBC)
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT END Event UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)
No current service window available to run updates assignment with time required = 1 UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)
Attempting to cancel any job started at non-business hours. UpdatesDeploymentAgent 1/30/2015 7:30:00 AM 3312 (0x0CF0)

However, the definitions are not installed. These 12 servers have the SCEP client, but no definitions installed.

There are 11 servers in this collection that are getting the definition updates, but the 12 servers in this collection that have recently had the SCCM client installed on it are not getting the updates.    So I know that the ADR is working. What am I missing to get these 12 servers to install/update the definitions?

Yes, I know this is an old post, Im cleaning up old post, did you get this fixed, if so what was the solution?

Since no one has answer this post, I recommend opening  a support case with Microsoft Customer Support Services (CSS) as they can work with you to solve this problem.