When it comes to SCEP I have a love/hate relationship with it, partly because it is either very straightforward to issue something and have it work quickly and reliably, or you get the total opposite, everything goes wrong and you need to do extensive detective work.
Here are some examples I have encountered while working with SCEP.
Bad Definitions from Microsoft
This was a case in early 2014 when a simple EP definition package made all Windows 2003 servers crash.
I was amazed to see EP definitions cause such a problem, since I had set up my environment to update definitions on a daily basis, based on Microsoft saying that they would never affect systems.
So here are the steps to remove definitions from SCEP:
First, go into your SCCM console and remove the faulty definition package from the deployment, if Microsoft has not already flagged it. Do this before touching the clients, otherwise a client that re-downloads definitions will simply pull the same bad package back from the SUP.
Once that is done, open an elevated (administrator) command prompt on the affected server and go to the SCEP install folder:
C:\Program Files\Microsoft Security Client\ (default install dir)
There, run the command:
MpCmdRun -RemoveDefinitions -All
This unloads every definition set from the client, so it has no definitions at all until it downloads a fresh one. Afterwards the SCEP client needs to be started again and allowed to pull a good definition set from your update source.
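The procedure above as an added PowerShell example (not code from the original post). It assumes the SCEP 2012 default install paths for MpCmdRun.exe, that MpCmdRun's -SignatureUpdate switch is used to pull a fresh set straight away, and that the client records its loaded signature versions under the 'Microsoft Antimalware\Signature Updates' registry key (an assumption; adjust the key if your version differs). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the post's own code. Assumptions: SCEP 2012 default paths for
# MpCmdRun.exe, and the registry key below as the place where signature versions
# are recorded. Run elevated.

function Get-MpCmdRunPath {
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'),
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe')
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) { throw 'MpCmdRun.exe not found; is the SCEP client installed?' }
    return $exe
}

function Get-ScepSignatureVersion {
    # Assumption: SCEP/MSE-era clients store the loaded versions here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        AV     = $p.AVSignatureVersion
        AS     = $p.ASSignatureVersion
        Engine = $p.EngineVersion
    }
}

function Reset-ScepDefinitions {
    param([switch]$SkipRedownload)   # set when you only want to unload, e.g. source not fixed yet
    $exe    = Get-MpCmdRunPath
    $before = Get-ScepSignatureVersion
    Write-Host "Loaded before: AV $($before.AV), engine $($before.Engine)"

    # Unload the bad definition set. The client has NO definitions until it re-downloads.
    & $exe -RemoveDefinitions -All
    if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed, exit code $LASTEXITCODE" }

    if (-not $SkipRedownload) {
        # Pull a fresh set from whatever source the client is configured for
        # (SUP/WSUS, UNC share, Microsoft Update), so the box is not left bare.
        & $exe -SignatureUpdate
        if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed, exit code $LASTEXITCODE" }
    }

    $after = Get-ScepSignatureVersion
    Write-Host "Loaded after:  AV $($after.AV), engine $($after.Engine)"
    if (-not $SkipRedownload -and $after.AV -eq $before.AV) {
        # Same version back again means the faulty package is still what the source offers.
        Write-Warning 'Signature version unchanged: remove/expire the bad package on the SUP first, then run again.'
    }
    return $after
}

Reset-ScepDefinitions
```

The before/after version comparison is the check that matters: if the same AV signature version comes back after the re-download, the bad package is still being offered by your source and unloading it on the client only buys you a few hours.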
Client missing definitions / updating from wrong source
This is another issue that will most likely happen to you: the SCEP client does not receive updated definitions for more than 3 days, or it gets them from a source other than the one you configured.
When you get this kind of alert you will need to do some investigation in the log files.
A great place to start is:
For a more in-depth report you can have the client generate its support files from an elevated (administrator) command prompt.
Go to (default install dir):
C:\Program Files\Microsoft Security Client\Antimalware
Run the command:
You can then find the logs in:
It will also contain a CAB file (MPSupportFiles.cab) with several logs bundled in it.
And here is a list of EP logs and locations:
%allusersprofile%\Microsoft\Microsoft Security Client\Support
Windows Update log (definition updates info)
Endpoint Versioning and Policies Enforced/Applied
Activity during performing scans and signature updates
Update progress for signature and Engine updates
It is also very wise to check WUAHandler.log when the client updates from another source, since it will reveal immediately whether a GPO is superseding the update-source setting from the client policy you set; that is by far the most common reason a client silently pulls definitions from somewhere you did not expect.
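An added PowerShell example (not code from the original post) covering both the support-file collection and the WUAHandler.log check above. It assumes MpCmdRun.exe at one of the SCEP 2012 default paths and its -GetFiles switch as the command that produces MPSupportFiles.cab, the support folder path listed above (some versions use a 'Microsoft Antimalware' folder instead), and WUAHandler.log in the ConfigMgr client's %windir%\CCM\Logs folder. The log lines at the end are constructed samples in the CMTrace line format, so the parsing part runs offline without a client.

```powershell
# Added example, not the post's own code. Assumptions are marked inline.
# Needs PowerShell 3.0+ for [pscustomobject]; run elevated for the collection part.

$MpCmdRun = @(
    (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'),
    (Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe')
) | Where-Object { Test-Path $_ } | Select-Object -First 1

# Step 1: build the support bundle. MpCmdRun -GetFiles writes MPSupportFiles.cab
# into the Support folder (path as given in the post; assumption for other versions).
function New-ScepSupportBundle {
    if (-not $MpCmdRun) { throw 'MpCmdRun.exe not found; is the SCEP client installed?' }
    & $MpCmdRun -GetFiles | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun -GetFiles failed, exit code $LASTEXITCODE" }
    $cab = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Microsoft Security Client\Support\MPSupportFiles.cab'
    if (-not (Test-Path $cab)) { throw "Expected $cab was not created" }
    return Get-Item $cab
}

# Step 2: parse CMTrace-format lines and classify the update-source events the
# WUA handler logs: the SUP it tried to set, or a domain GPO overriding it.
function Get-WuaSourceEvents {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $linePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $linePattern)
        if (-not $m.Success) { continue }
        $msg  = $m.Groups['msg'].Value
        $kind = switch -Regex ($msg) {
            'overwritten by a higher authority'          { 'GPO-OVERRIDE'; break }
            'Enabling WUA Managed server policy'         { 'CCM-SET';      break }
            'Existing WUA Managed server was already set' { 'CCM-SKIPPED';  break }
            default                                      { $null }
        }
        if (-not $kind) { continue }
        [pscustomobject]@{
            Date    = $m.Groups['date'].Value
            Time    = $m.Groups['time'].Value
            Kind    = $kind
            Server  = [regex]::Match($msg, 'https?://[^\s\),]+').Value
            Message = $msg
        }
    }
}

# Step 3: run the check against the real log and warn if a GPO won.
function Test-WuaHandlerLog {
    param([string]$Path = (Join-Path $env:windir 'CCM\Logs\WUAHandler.log'))  # assumed location
    $events   = @(Get-WuaSourceEvents -Lines (Get-Content -Path $Path))
    $override = $events | Where-Object { $_.Kind -eq 'GPO-OVERRIDE' } | Select-Object -Last 1
    if ($override) {
        Write-Warning "A domain GPO is overriding the SUP: client uses $($override.Server) (logged $($override.Date) $($override.Time))"
    }
    return $events
}

# Offline demo on constructed sample lines (not real log content):
$SampleLines = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://sccm-sup.corp.example:8530]LOG]!><time="08:01:12.345+000" date="04-17-2014" component="WUAHandler" context="" type="1" thread="1234" file="cwuahandler.cpp:1234">',
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://wsus-old.corp.example:8530 and Policy ENABLED]LOG]!><time="08:01:13.001+000" date="04-17-2014" component="WUAHandler" context="" type="2" thread="1234" file="cwuahandler.cpp:1234">'
)
Get-WuaSourceEvents -Lines $SampleLines | Format-Table Date, Time, Kind, Server -AutoSize
```

On a client with the problem, Test-WuaHandlerLog gives you the server the GPO pointed it at, which is usually an old WSUS box; fixing the GPO (or excluding the SCEP clients from it) and running a machine policy refresh is the cure, and the same function run again should then show a CCM-SET event with your SUP and no later override.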