Consider the following scenario:
-
The System Center Configuration Manager Administrator manages all updates in the environment.
-
Users have no access to the Windows Update website.
-
The Configuration Manager Software Update Point is configured and synchronizing.
-
The Automatic Deployment Rule for Definition Updates is configured and appears to deliver updates nightly with no problem.
In this scenario, when a new client is deployed and the local Administrator clicks the Update button in the System Center 2012 Endpoint Protection client user interface (SCEP UI), the search for updates eventually times out and the following error is displayed:
0x8024402c – System Center Endpoint Protection couldn’t install the definition updates because the proxy server or target server names can’t be resolved
Analysis of the C:\Windows\WindowsUpdate.log file also indicates that the SCEP client is attempting to access the Microsoft Update Website.
Symptoms
The Updates Distributed from Configuration Manager source setting is not like any of the other definition update source settings in SCEP policies. You cannot pull definitions from this source by clicking Update in the SCEP UI.
Cause
To work around this issue, set up another Definition Update source such as WSUS to fall back to when a client attempts to manually update definitions via the SCEP UI. Alternatively, you can hide the SCEP UI from the end user so they cannot click Update in the client UI using the Disable the client user interface policy setting introduced in System Center 2012 Configuration Manager SP1. The Disable the client user interface option is located in the Advanced area of the Antimalware policy setting in the Configuration Manager administration console.
Resolution
When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manger Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager. FallbackOrder sources can include InternalDefinitionUpdateServer (WSUS), MicrosoftUpdateServer (Microsoft Update Website), FileShares (One or more UNC file shares whose location is determined by policy), and MMPC (Microsoft Malware Protection Center alternate download location).
Configuration Manager definition updates are handled entirely by the CCM client Software Updates Agent and are downloaded and installed by the CCM software update agent. The schedule for these updates is determined when configuring the deployment rule during server side setup. See http://technet.microsoft.com/en-us/library/jj822983.aspx for more information.
When you select Updates Distributed from Configuration Manager in your SCEP policy, it does not modify the FallbackOrder registry key. Instead, this update source option sets the AuGracePeriod registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. This registry setting suppresses the SCEP client from attempting to automatically pull definitions from sources defined in the FallbackOrder key for a set length of time determined by SCEP policy which is 72 hours by default, or 4320 minutes. This is designed to give the CCM client Software Update process sufficient time to complete the definition update process independently of the SCEP client.
If Updates Distributed from Configuration Manager is the only update source defined in your policy, then the FallbackOrder registry key will be blank. In this case, clicking Update in the SCEP UI will cause the client to revert to behavior similar to Microsoft Security Essentials and the client will attempt to update from the Microsoft Update website.
