Troubleshooting Definition Updates not in the CM Console

Duchemin, Dominique 2,006 Reputation points
2023-05-16T17:40:52.14+00:00

Hello,

I am checking the System Center Endpoint Protection (SCEP), Windows Defender, Definition Updates on the machines; they are getting the updates properly from a share.

My issue is that the updates are not showing up in the Configuration Manager Console on the machine; the clients have an old Definition Update version in the CM Console.

I checked EndpointProtectionAgent.log, execmgr.log and ccmexec.log. What are the next logs to review to see the issue of the Definition Updates not updating the Configuration Manager Console?

Thanks,

Dom

Microsoft Configuration Manager

Accepted answer
  1. Simon Ren-MSFT 31,606 Reputation points Microsoft Vendor
    2023-05-17T06:24:05.4066667+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    1. Please check if topic type 1901 (State_Topictype_Ep_Am_Health) is logged in StateMessage.log or not. This issue may occur because the instance of the MSFT_MpComputerStatus class doesn't exist in the root\Microsoft\ProtectionManagement namespace. We can run the command line in the official article below on the affected client computers to re-register the ProtectionManagement provider:

    Configuration Manager console displays out-of-date Endpoint Protection Definition version and last update time

    2. You can also collect diagnostic logs for Windows Defender for more information:

    Collect update compliance diagnostic data for Microsoft Defender Antivirus assessment

    Thanks for your time. Have a nice day!

    Best regards,

    Simon


    1 person found this answer helpful.
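
A read-only check for the two conditions named in the accepted answer, added here as an example (it is not code from the answer or from the linked Microsoft article): whether an MSFT_MpComputerStatus instance can be queried from root\Microsoft\ProtectionManagement, and whether topic type 1901 appears in StateMessage.log. The log path is an assumption (default client install folder); the property wildcards avoid assuming exact property names.

```powershell
# Added diagnostic example; read-only. Run in an elevated PowerShell session
# on the affected client.
$ns    = 'root\Microsoft\ProtectionManagement'
$class = 'MSFT_MpComputerStatus'

# Assumption: default ConfigMgr client log folder; adjust if installed elsewhere.
$logPath = Join-Path $env:windir 'CCM\Logs\StateMessage.log'

# 1. Can the ProtectionManagement provider return a computer status instance?
$status = $null
try {
    $status = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction Stop
} catch {
    Write-Warning "Query of $ns : $class failed: $($_.Exception.Message)"
}

if ($status) {
    # Wildcards pick up the signature version / last-updated properties
    # without hard-coding their names.
    $status | Select-Object -Property '*SignatureVersion', '*SignatureLastUpdated' |
        Format-List
} else {
    Write-Warning "No $class instance returned; the provider may need re-registering."
}

# 2. Has the client recorded topic type 1901 (EP_AM_HEALTH) state messages?
if (Test-Path -Path $logPath) {
    $hits = Select-String -Path $logPath -Pattern 'TopicType 1901' -SimpleMatch
    if ($hits) {
        "Found $(@($hits).Count) TopicType 1901 entries; most recent:"
        $hits | Select-Object -Last 3 | ForEach-Object { $_.Line }
    } else {
        Write-Warning "No TopicType 1901 entries in $logPath"
    }
} else {
    Write-Warning "Log not found at $logPath"
}
```

Running it before and after re-registering the provider shows whether the instance and the 1901 state messages appear on that client.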

2 additional answers

  1. Duchemin, Dominique 2,006 Reputation points
    2023-05-17T17:52:15.4266667+00:00

    Hi @Simon Ren-MSFT

    I tried option 1, but nothing changed ... I have the message in the StateMessage.log file:

    State message(State ID : 3:ASSIGNMENT_EVALUATE_FAILED) with TopicType 302:SUM_ASSIGNMENT_EVALUATION and TopicId {d630002c-e648-432d-9b79-5766f605206e} has been recorded for SYSTEM, priority 5 StateMessage 5/17/2023 7:11:04 AM 8752 (0x2230)
    Successfully forwarded State Messages to the MP StateMessage 5/17/2023 7:14:27 AM 34160 (0x8570)
    Received positive messaging acknowledgement message StateMessage 5/17/2023 7:14:27 AM 38280 (0x9588)
    State message with TopicType 2001:EP_CLIENT_DEPLOYMENT, and TopicId EPDeploymentState and State 3:EPCLIENT_MANAGED has been updated StateMessage 5/17/2023 8:43:00 AM 10060 (0x274C)
    State message with TopicType 2100:WP_CLIENT_DEPLOYMENT, and TopicId WPDeploymentState and State 1:WPCLIENT_NOT_INSTALLED has been updated StateMessage 5/17/2023 9:06:23 AM 35536 (0x8AD0)
    Adding message with TopicType 1901:EP_AM_HEALTH and TopicId ComputerStatus to WMI StateMessage 5/17/2023 9:36:18 AM 15000 (0x3A98)
    State message(State ID : 1:1901) with TopicType 1901:EP_AM_HEALTH and TopicId ComputerStatus has been recorded for SYSTEM, priority 5 StateMessage 5/17/2023 9:36:18 AM 15000 (0x3A98)

    but still only two registries filled:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\InfectionStatusStateMessage

    Still missing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ATPHealthStatusStateMessage


    As the key does not exist I have in the ExternalEventAgent.log:

    Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ATPHealthStatusStateMessage\SyncStatus with error 0x80070002.

    ===============================================

    Option 2: I have the CAB file created and I will send it to Microsoft as I have already a case opened with Microsoft for weeks ...

    Thanks,

    Dom


  2. Duchemin, Dominique 2,006 Reputation points
    2023-05-17T22:43:24.5366667+00:00

    Hi @Simon Ren-MSFT

    Apparently just running the command line you proposed:

    Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path <path of ProtectionManagement.dll> -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate

    fixed the updates ... now all the machines where I ran this command have the correct Endpoint Protection Definition Last Version updated with the local ("client") values as well as the current value from Software Updates ("WSUS").

    Now my question will be:

    Should I schedule this command to run daily, weekly, to correct all those machines not updating automatically?

    Thanks,

    Dom