SCCM: All Software Updates responsiveness for Endpoint Protection dat files

Generally when I am interested in dat file compliance I will use the Endpoint Protection dashboard under monitoring.  Recently I started wondering why I wasn’t seeing the compliance status for System Center Endpoint Protection data files accurately reporting in the SCCM console under All Software Updates.  Additionally I wanted to speed up the compliance status of updates that were synced on Patch Tuesdays so I had a general idea before the ADR ran, my pre / post compliance reports ran, etc, about what was needed in the environment.

I knew that my scans were running and I could verify that with the report Scan 1 – Last scan states by collection.  Clicking into the completed scans showed me a potential issue that could contribute to slower compliance checks displaying: long software update and re-evaluation scans in the software update client settings.

 

[Image: scantimes]

 

If I was looking for a count of devices that were compliant against a particular patch that had come out after that 12:53 AM then I would only see that reported correctly for 2 of the 5 devices shown above.  I wanted to see the required + installed + not required equal the total devices and not see a high unknown count.

[Image: Totals]

 

Attempt 1 to get the dat file compliance to display accurately in Software Library/All Software Updates

Currently our SCCM syncs metadata every 8 hours against Microsoft which will trigger the ADR that will download and deploy the dat files.  The client settings for software updates were set to run the software update scan schedule every 8 hours and the deployment re-evaluation every 8 hours.  I tried lowering the scans of both to 4 hours in an attempt to have the evaluation occurring twice as fast as dat files were downloading and deploying.  This didn’t work as I wanted it to and I was still only able to see ‘Not Required’ or ‘Unknown’ status for the dat files.  This did of course help other updates.

 

Attempt 2

This time I lowered the software update scan and re-evaluation scan to occur every 1 hour.  Again, the same behavior was seen as in attempt 1.

 

So what was going on?  Relevant logs to check are MP_relay, statemessage, mpfdm, statesys, ccmmessaging and probably others I didn’t look at, I am sure.  I could see the dat files installing in the statemessage.log and the inbox/outboxes were processing state messages correctly.  State messages were coming off the client to the MPs to the primary; everything looked good, so what gives!

 

As it turns out, the Endpoint Protection dat files are explicitly told not to display this information under Monitoring\All Software Updates.  Standard (I used this term loosely…) updates are supposed to display their compliance status here, but the dat files categorized under Endpoint protection 2010 aren’t… interesting.  You can see this by running WMI explorer on a client and looking at the WMI class (CCM_UpdateStatus).  Here you can see that the dat file is installed and that ExcludeForStateReporting = True.  If this were false, then you would see patch compliance.

 


 

    instance of CCM_UpdateStatus
    {
        Article = "2461484";
        Bulletin = "";
        ExcludeForStateReporting = TRUE;
        Language = "";
        ProductID = "e0789628-ce08-4437-be74-2495b842f43b";
        RevisionNumber = 200;
        ScanTime = "20141211164311.000000+000";
        Sources = {
        instance of CCM_SourceStatus
        {
            RevisionNumber = 200;
            ScanTime = "20141211164311.000000+000";
            SourceType = 2;
            SourceUniqueId = "{B07A92D1-399D-470A-99C9-CD60F1007C28}";
            SourceVersion = 1691;
            Status = "Installed";
        }};
        SourceType = 2;
        SourceUniqueId = "{B07A92D1-399D-470A-99C9-CD60F1007C28}";
        SourceVersion = 1691;
        Status = "Installed";
        Title = "Definition Update for Microsoft Endpoint Protection – KB2461484 (Definition 1.189.1859.0)";
        UniqueId = "e4316d29-2be7-4fb3-8272-2ff790c8ae9e";
        UpdateClassification = "e0789628-ce08-4437-be74-2495b842f43b";
    };
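
The same check can be scripted instead of browsing with WMI explorer. The following is an added example, not part of the original post: it reads CCM_UpdateStatus on a client and shows which updates are flagged ExcludeForStateReporting. Assumptions: the class is read from the root\ccm\SoftwareUpdates\UpdatesStore namespace (the post does not name the namespace), the session is elevated, and the function name and its ComputerName parameter are hypothetical.

```powershell
# Added example (not from the original post): list how the ConfigMgr client
# flags each scanned update for state reporting.
function Get-UpdateStateReportingFlag {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: clients to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        # Assumption: CCM_UpdateStatus lives in this client namespace.
        $query = @{
            Namespace   = 'root\ccm\SoftwareUpdates\UpdatesStore'
            ClassName   = 'CCM_UpdateStatus'
            ErrorAction = 'Stop'
        }
        # Only go over the network for remote clients; a local query needs no WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        try {
            $updates = Get-CimInstance @query
        }
        catch {
            Write-Warning "$computer : query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($u in $updates) {
            [pscustomobject]@{
                ComputerName             = $computer
                Article                  = $u.Article
                Status                   = $u.Status
                ExcludeForStateReporting = [bool]$u.ExcludeForStateReporting
                ScanTime                 = $u.ScanTime
                Title                    = $u.Title
            }
        }
    }
}

$results = Get-UpdateStateReportingFlag

# How many updates fall into each (ExcludeForStateReporting, Status) pair.
$results | Group-Object ExcludeForStateReporting, Status |
    Sort-Object Name | Select-Object Count, Name

# Installed updates that will not report compliance, such as the dat file shown above.
$results | Where-Object { $_.ExcludeForStateReporting -and $_.Status -eq 'Installed' } |
    Sort-Object ScanTime -Descending |
    Format-Table ComputerName, Article, ScanTime, Title -AutoSize
```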


 

So what’s the moral of this story?  Crank down the software update and deployment re-evaluation scan times in the software update client settings to see more dynamic compliance checks in All Software Updates for your regular updates.  For Endpoint Protection dat files just use the dashboard… but wait, there’s more!  You can also use the deployments to monitor dat file status.

[Image: DeploymentCompliance]

 

Chadd

 
