Configuration Manager console displays out-of-date Endpoint Protection Definition version and last update time

Applies to: System Center Configuration Manager

Symptoms


When you use Endpoint Protection together with Microsoft System Center Configuration Manager, you experience the following symptoms:

  • In the Configuration Manager console, you open the Assets and Compliance workspace under the Devices node. In that workspace, you notice that the Endpoint Protection Definition Last Version and Endpoint Protection Last Update Time columns display out-of-date values for some devices. However, the clients show that they have the latest versions applied.
  • Topic type 1901 (State_Topictype_Ep_Am_Health) isn't logged in the StateMessage log on the clients.
  • The following error messages are logged in the ExternalEventAgent log on the clients:
     
     

    Additionally, following registry keys don't exist on the client:

    HKLM\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ComputerStatusStateMessage

    HKLM\SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\InfectionStatusStateMessage

Cause


This issue occurs because the instance of the MSFT_MpComputerStatus class doesn't exist in the root\Microsoft\ProtectionManagement namespace. The client queries this instance to populate the related registry keys.

Resolution


To fix the issue, run the following command on the affected client computers to reregister the ProtectionManagement provider:

Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path <path of ProtectionManagement.dll> -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate

Note In this command, <path of ProtectionManagement.dll> is the placeholder for the path of ProtectionManagement.dll. For example:

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\ProtectionManagement.dll

After you run this command, the following conditions are true:

  • The instance of MSFT_MpComputerStatus is populated in the root\Microsoft\ProtectionManagement namespace.
  • Topic type 1901 is logged in the StateMessage log.
  • The affected values in the Configuration Manager console are updated.

More information


Windows Defender logs can help you identify the root cause of this issue. For example, the following log snippet indicates the presence of a different antivirus solution:

To collect diagnostic logs for Windows Defender, follow the steps in Collect Update Compliance diagnostic data for Windows Defender AV Assessment.