Recently I had a client using System Center Endpoint Protection (SCEP) who was having issues with definitions not being updated across their enterprise. They also had issues when trying to manually update the definitions using the GUI.
I am going to start with the issues my client was having when manually trying to update the definitions by using the GUI and then go into why the client wasn’t getting updates from ConfigMgr.
Manual Client Update Errors
Both errors, 0x80248014 and 0x8024402c, occurred when someone tried to manually update the definitions using the GUI. After a little research, and thanks to the Forefront Endpoint Protection Blog, I found that both of these errors had the same core cause.
I won’t go deep technically here, so if you want the deep technical details about the errors, I have provided links to the Microsoft KBs for you. I will give you a high-level reason why this client was getting these errors.
Updating the antimalware definitions in FEP/SCEP fails with error 0x80248014.
Clicking the Update button in the System Center 2012 Endpoint Protection client user interface fails with error 0x8024402c.
Both errors are related to settings in the client’s Windows Update settings. The first error, 0x80248014, will happen if the Microsoft Update box (“Give me updates for other Microsoft products when I update Windows”) within the Windows Update settings isn’t checked.
To resolve this issue manually, change this setting:
- Open Control Panel
- Click System and Security
- Click Windows Update
- Click Change Settings
- Check the checkbox “Give me updates for other Microsoft products when I update Windows”
- Click OK
The second error started to happen just after the above error was resolved. Error 0x8024402c happens when the Windows Update client can’t connect and download the proper definitions. In this client’s case, they have a policy set that doesn’t allow the Windows Update clients to go to Microsoft Update, so the update fails with this error.
The KB that I provided above has some resolutions. Our client decided to change their ConfigMgr Antimalware settings to prevent users from manually updating the definitions, which brings us to the third issue we had to resolve.
SCEP Definitions Not Updating Across Enterprise
So, a quick lesson on how definitions are downloaded. If someone uses the GUI and manually tries to update the client, that process uses the Windows Update client. When the endpoint client updates via ConfigMgr, it uses the software update component of the ConfigMgr client.
The last issue we had to look at was why a large number of servers hadn’t had their definitions updated in weeks or months. We did the basic troubleshooting: viewing logs, checking the distribution point health, the health of the distributed package, client health, etc. What we found was that a majority of their servers had their software update component disabled. We did some checking on custom client policies, and they had policies that were deployed to these servers with the software updates selection not checked. The client has changed those custom client policies for their servers, and now the servers are all getting definitions.
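The three conditions described in this post can be checked on a machine with a read-only script. This is an added example, not part of the original post or of any Microsoft tooling; the function name `Get-ScepUpdatePathStatus` is hypothetical, and it assumes PowerShell 3.0 or later, an elevated session, and that the ConfigMgr client exposes its resultant software updates setting as `CCM_SoftwareUpdatesClientConfig.Enabled`.

```powershell
# Added example: read-only checks for the three conditions described in this post.
# Get-ScepUpdatePathStatus is a hypothetical name; run it elevated on the affected machine.
function Get-ScepUpdatePathStatus {
    [CmdletBinding()]
    param()

    # 1. Is Microsoft Update opted in (the "other Microsoft products" checkbox)?
    $muServiceId  = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update service ID
    $muRegistered = $null
    try {
        $manager = New-Object -ComObject Microsoft.Update.ServiceManager
        $muRegistered = [bool]($manager.Services |
            Where-Object { $_.ServiceID -eq $muServiceId -and $_.IsRegisteredWithAU })
    } catch {
        Write-Warning "Windows Update Agent API not available: $($_.Exception.Message)"
    }

    # 2. Policy values that steer or restrict the Windows Update client.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # 3. Is the ConfigMgr client's software updates agent enabled by policy?
    #    Assumption: the resultant setting is exposed as CCM_SoftwareUpdatesClientConfig.Enabled.
    $suEnabled = $null
    try {
        $cfg = Get-CimInstance -Namespace 'root\ccm\Policy\Machine\ActualConfig' `
            -ClassName CCM_SoftwareUpdatesClientConfig -ErrorAction Stop |
            Select-Object -First 1
        if ($cfg) { $suEnabled = [bool]$cfg.Enabled }
    } catch {
        Write-Warning "ConfigMgr client policy not readable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        MicrosoftUpdateOptedIn      = $muRegistered   # False: manual update hits 0x80248014
        UseWUServer                 = if ($au) { $au.UseWUServer } else { $null }
        WUServer                    = if ($wu) { $wu.WUServer } else { $null }
        DisableWindowsUpdateAccess  = if ($wu) { $wu.DisableWindowsUpdateAccess } else { $null }
        SoftwareUpdatesAgentEnabled = $suEnabled      # False: no definitions via ConfigMgr
    }
}

Get-ScepUpdatePathStatus | Format-List
```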