When it comes to SCEP I have a love/hate relationship with it, partly because it is either very straightforward to issue something and have it work fast and reliably, or the total opposite: everything goes wrong and you need to do extensive detective work.

Here are some examples I have encountered while working with SCEP.

Bad Definitions from Microsoft

This was a case in early 2014, when a simple EP definition package made all Windows 2003 servers crash.

I was amazed to see EP definitions cause such a problem, since I had set up my environment to update definitions on a daily basis, based on Microsoft saying that they would never affect systems.

So here are the steps to remove definitions from SCEP:

First, go into your SCCM console and remove the faulty package if it was not already tagged by Microsoft.

Once you do that, log in with administrator privileges and go to the folder:

C:\Program Files\Microsoft Security Client\ (default install dir)

And there run the command:

MpCmdRun -RemoveDefinitions

or

MpCmdRun -RemoveDefinitions -All

SCEP should be started.

Client missing definitions / updating from wrong source

This is another issue that will most likely happen to you: the SCEP client does not get updated definitions for more than 3 days, or it gets them from a different source than the one you set up.
When you get this kind of alert you will need to do some investigation in the log files.
A great place to start is:

  • MpCmdRun.log
  • MpSigStub.log (%windir%\temp\MpSigStub.log)

For a more in-depth report you must request the support files from an elevated command prompt.
Go to (default install dir):

C:\Program Files\Microsoft Security Client\Antimalware

Run the command:

MpCmdRun.exe -getfiles

You can then find the logs in:

C:\ProgramData\Microsoft\Microsoft Antimalware\Support

It will also contain a CAB file (MPSupportFiles.cab) with several logs in it.

And here is a complete list of EP logs and locations:

Antimalware service:

%allusersprofile%\Microsoft\Microsoft Antimalware\Support

SCEP client:

%allusersprofile%\Microsoft\Microsoft Security Client\Support

Windows Update log (definition update info):

%windir%\WindowsUpdate.log

Endpoint versioning and policies enforced/applied:

%windir%\CCM\Logs\EndpointProtectionAgent.log

Activity during scans and signature updates:

%windir%\temp\MpCmdRun.log

Update progress for signature and engine updates:

%windir%\temp\MpSigStub.log

It is also very wise to check WUAHandler.log when it comes to updating from another source, since it will reveal immediately if there is a GPO that supersedes the setting from the normal policy set by you.
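The triage above (check signature age, inventory the log locations, run MpCmdRun.exe -GetFiles) as one PowerShell helper; this is an added example, not a script from the original post. It assumes a SCEP 2012 client in the default install directory, an elevated session, and that the client exposes the root\Microsoft\SecurityClient\AntimalwareHealthStatus WMI class.

```powershell
# Added example: SCEP definition-update triage. Assumes an elevated PowerShell
# session on a host with the SCEP client installed in the default directory.
$ClientDir           = 'C:\Program Files\Microsoft Security Client'
$MaxSignatureAgeDays = 3   # threshold used in the post

# MpCmdRun.exe may sit in the client root or in the Antimalware subfolder.
$MpCmdRun = @("$ClientDir\Antimalware\MpCmdRun.exe", "$ClientDir\MpCmdRun.exe") |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

# Log locations named in the post (environment variables expanded at run time).
$LogPaths = @(
    "$env:ALLUSERSPROFILE\Microsoft\Microsoft Antimalware\Support",
    "$env:ALLUSERSPROFILE\Microsoft\Microsoft Security Client\Support",
    "$env:windir\WindowsUpdate.log",
    "$env:windir\CCM\Logs\EndpointProtectionAgent.log",
    "$env:windir\CCM\Logs\WUAHandler.log",
    "$env:windir\temp\MpCmdRun.log",
    "$env:windir\temp\MpSigStub.log"
)

function Get-ScepSignatureStatus {
    # Assumed WMI health class of the SCEP client; dates come back as DMTF strings.
    $h = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                       -Class AntimalwareHealthStatus -ErrorAction Stop
    $updated = [Management.ManagementDateTimeConverter]::ToDateTime($h.AntivirusSignatureUpdateDateTime)
    $ageDays = ((Get-Date) - $updated).TotalDays
    [pscustomobject]@{
        SignatureVersion = $h.AntivirusSignatureVersion
        LastUpdated      = $updated
        AgeDays          = [int]$ageDays
        Stale            = ($ageDays -gt $MaxSignatureAgeDays)
    }
}

function Get-ScepLogInventory {
    # Report which of the listed logs exist and when they were last written.
    foreach ($p in $LogPaths) {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $p; Exists = [bool]$item
                           LastWrite = $(if ($item) { $item.LastWriteTime }) }
    }
}

function Invoke-ScepSupportCollection {
    # -GetFiles writes MPSupportFiles.cab under the Antimalware Support folder.
    & $MpCmdRun -GetFiles | Out-Null
    Get-Item -LiteralPath "$env:ProgramData\Microsoft\Microsoft Antimalware\Support\MPSupportFiles.cab" -ErrorAction SilentlyContinue
}

$status = Get-ScepSignatureStatus
$status | Format-List
if ($status.Stale) { Write-Warning "Signatures older than $MaxSignatureAgeDays days"; Invoke-ScepSupportCollection }
Get-ScepLogInventory | Format-Table -AutoSize
```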
