This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 43%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
We have recently installed and configured SCCM and Microsoft Defender on our servers. 16 of them have installed the SCCM client, applied the Microsoft Defender policies and are reporting back to the SCCM console. One of our servers has installed the client, applied the Microsoft Defender policies but has not reported back to SCCM and is showing at risk.
I have uninstalled the client, restarted the server, deleted the leftover SCCM folder in C:\Windows and reinstalled the client. This has reinstalled but I am still seeing the same issue where the server shows as at risk.
The Endpoint Protection Remediation Information information for this server in SCCM all shows as blank, which I suspect is why it shows as at risk. Any tips or suggestions as to where I should start looking here? Many thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 43%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Try checking the EndpointProtectionAgent.log.
Hi @CherryZhang-MSFT , thanks for your replies.
I can see some error 2001, cannot find the file specified when trying to update from the File Share source. The server does have definition updates installed so must be updating from another source. I've checked and the other Windows Server 2019 servers are also reporting the same error but are updating.
As far as I can tell (other than this file share update source which I'll have a look into) Windows Defender is working correctly on the server. I still feel like the issue is with the SCCM client not reporting rather than Windows Defender.
Hi @James Dixon ,
Thank you for your feedback
Please try to check ExternalEventAgent.log on client, it will record the history of Endpoint Protection malware detection and events related to client status.
Navigate to c:\windows\ccm\logs.
I will do more research on this issue. If there is any progress, I will be back. Thank you for your time and patience.
Best regards,
Cherry