SCEP 2012 client log files

Looking for client log files I had to do a bunch of digging.  This is what I’ve concluded (for now).

C:\Windows\Temp\ (technically the System Temp folder)

  • MpCmdRun.log
  • MpSigStub.log

C:\ProgramData\Microsoft\Microsoft Security Client\Support (technically the %ProgramData%\Microsoft\Microsoft Security Client\Support folder)

  • EppSetup.log
  • EppSetup_#.log
  • MSSecurityClient_Setup_<version>_epp_install.log
  • MSSecurityClient_Setup_<version>_epp_uninstall.log
  • MSSecurityClient_Setup_<version>_eppManagement_install.log
  • MSSecurityClient_Setup_<version>_eppManagement_uninstall.log
  • MSSecurityClient_Setup_<version>_FEP_install.log

C:\Windows\CCM\logs (technically the <SCCM Client location>\logs folder, which can be discovered at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties\Local SMS Path)

  • EndpointProtectionAgent.log
  • UpdatesDeployment.log (for definition updates)
  • UpdatesHandler.log (for definition updates)
  • UpdatesStore.log (for definition updates)
  • UpdateStore.log (for definition updates)
  • WUAHandler.log (for definition updates)

C:\Windows (technically the %windir% folder)

  • WindowsUpdate.log (for definition updates)
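
The client-side locations above, gathered by one script for triage or for attaching to a support case. This is an added example, not part of the original post; the destination folder, variable names and manifest file are assumptions, and it needs PowerShell 4.0 or later (for Get-FileHash) in an elevated session.

```powershell
# Added example: copy the SCEP client logs listed in the post into one folder
# and record a SHA-256 manifest. The source files are only read, never modified.
param(
    # Assumption: any writable destination will do.
    [string]$Destination = (Join-Path $env:TEMP "SCEP-Logs-$env:COMPUTERNAME")
)

# Resolve the ConfigMgr client folder from the registry value named in the post;
# fall back to the default %windir%\CCM when the value is absent.
$ccmKey  = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties'
$ccmRoot = (Get-ItemProperty -Path $ccmKey -Name 'Local SMS Path' -ErrorAction SilentlyContinue).'Local SMS Path'
if (-not $ccmRoot) { $ccmRoot = Join-Path $env:windir 'CCM' }

$sources = @(
    @{ Folder = Join-Path $env:windir 'Temp'
       Names  = 'MpCmdRun.log', 'MpSigStub.log' }
    @{ Folder = Join-Path $env:ProgramData 'Microsoft\Microsoft Security Client\Support'
       Names  = 'EppSetup*.log', 'MSSecurityClient_Setup_*.log' }
    @{ Folder = Join-Path $ccmRoot 'Logs'
       Names  = 'EndpointProtectionAgent.log', 'UpdatesDeployment.log', 'UpdatesHandler.log',
                'UpdatesStore.log', 'UpdateStore.log', 'WUAHandler.log' }
    @{ Folder = $env:windir
       Names  = 'WindowsUpdate.log' }
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = foreach ($s in $sources) {
    if (-not (Test-Path -LiteralPath $s.Folder)) {
        Write-Warning "Folder not found: $($s.Folder)"
        continue
    }
    # One subfolder per source so same-named files cannot overwrite each other.
    $sub = Join-Path $Destination (Split-Path $s.Folder -Leaf)
    New-Item -ItemType Directory -Path $sub -Force | Out-Null
    $files = Get-ChildItem -Path (Join-Path $s.Folder '*') -Include $s.Names -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        Copy-Item -LiteralPath $f.FullName -Destination $sub
        [pscustomobject]@{
            Source        = $f.FullName
            LastWriteTime = $f.LastWriteTime
            Length        = $f.Length
            SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
$manifest
```

A missing folder produces a warning rather than an error, so the same script can be run on machines where only some of the components are installed.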

The Technical Reference for Log Files in Configuration Manager lists these server side files:

  • EPCtrlMgr.log
  • EPMgr.log
  • EPSetup.log
  • NotiCtrl.log

This product has a few different names depending on the version and where you look in the application and logs.  Here are a few alternative names:

  • Microsoft System Center Endpoint Protection (the product GUI)
  • SCEP (just the acronym)
  • Microsoft Endpoint Protection (as seen in WSUS definitions)
  • Microsoft System Center Configuration Manager Endpoint Protection
  • Microsoft Configuration Manager Endpoint Protection (as seen in some product documentation)
  • Microsoft Security Client (as seen in the software’s folder structure)
  • Microsoft Antimalware Client (as seen in the software’s folder structure)
  • Microsoft Security Essentials
  • Microsoft Forefront Endpoint Protection 2010 Client (as seen in WSUS products…  technically this is the old version but it is still there)

Thanks to a few other bloggers for getting me started

July 11, 2014

Posted In: ConfigMgr

ConfigMgr Admin Console install notes

This is a FAST-PUBLISH article and is incomplete.

A few quick notes on installing the ConfigMgr 2012 Admin Console.

The console is a 32-bit (x86) application and it will run on many operating systems.

  • Install .NET Framework 4.0
  • Install the console
  • Install any hotfixes you have applied to the server such as a Cumulative Update

For in-console reporting

  • Install .NET Framework 4.0 Extended (not the Client Profile).  This should have already been installed as a dependency to the Admin Console.
  • Install SQL 2012 CLR Types which is part of the SQL Server Feature Pack.  There is a Windows Installer package for 64 and 32 bit Windows
    • ENU\x64\SQLSysClrTypes.msi
    • ENU\x86\SQLSysClrTypes.msi
  • Then install Microsoft Report Viewer 2010 SP1.

Command Line Parameters

  • ConsoleSetup.exe /q TargetDir="%ProgramFiles%\Microsoft Configuration Manager\AdminConsole" EnableSQM=1
  • ConsoleSetup.exe /uninstall /q
  • ReportViewer.exe /q:a /c:"install.exe /q /l %temp%\ReportViewer2010SP1.log" [credit]


July 3, 2014

Posted In: ConfigMgr

A Collection of ConfigMgr 2012 Collection Queries

Tommy Gunn started a great post on this same topic at SystemCenterCentral.  I’m adding my own here.

*note: these are WQL queries for ConfigMgr/SCCM collections, but all will translate to T-SQL queries for reporting.

Computers which are joined to a specific domain or workgroup

Computers which are members of a domain security group

(notice the double backslash)


more to come…

June 13, 2014

Posted In: ConfigMgr, T-SQL

ReportServerService logs not deleted

I was performing some initial discovery on an SCCM primary site server and noticed a lack of disk space. Using WinDirStat.exe I started digging deeper and discovered almost 100 GB of ReportServerService_<timestamp>.log files. These are associated with the SQL Server Reporting Service and should be cleaned up after 14 days by default as configured in the ReportingServicesService.exe.config file via the parameter

However, that was not happening on this server and it was soon to die under the weight of a year's worth of log files.  It turns out this is a known bug as described in Microsoft KB2706518.  The solution is to upgrade SQL 2008 to Service Pack 3 and Cumulative Update 5 or higher.  Until that upgrade can happen, the logging level can be changed to a value less than 3 in the config file.

You could enable NTFS compression, manually delete the files older than about 30 days, or write a script to automate that.  But why bother… just upgrade SQL! 🙂

June 11, 2014

Posted In: ConfigMgr, ConfigMgr 2007, SQL Reporting

SCCM Global Conditions File Version Less Than behavior



When using Global Conditions in SCCM 2012, using the File Version Less Than criteria requires that the file exists on the target computers.  If the file does not exist, the deployment for the computer will have the Requirements not Met status.

Logically and mathematically speaking, Less Than could include NULL (the value returned when the file does not exist); however, in this scenario it does not.

The Saga

I was recently asked to deploy some software via SCCM 2012 that was not a valid MSI package.  Using the Application model, we decided to use multiple criteria for the Detection Method which included the MSI product code and a file version.   This did not present any challenges; however, the Requirements and target collection did.

The goal was to deploy to a single collection and install the software only if MyFile.exe did not exist (the software was not installed) or if MyFile.exe was below a specific version.  We wanted to avoid doing Software Inventory for MyFile.exe.  Using Global Conditions, SCCM can test if a file version is Less Than a given value.  The question was, what would it report if the file didn’t exist?

After running a few tests, the reports showed that computers which did not have MyFile.exe get an Actual Value of NULL and are flagged as Requirements not Met.  Thus the Less Than logic requires that the file exists.

To avoid Software Inventory, we ended up creating a second identical Deployment Type; however, instead of testing the File Version as a requirement we tested the Existence of MyFile.exe.


I find it a bit annoying that the Application model Detection method can use multiple rules with AND and OR logic, but the Requirements can only use AND logic.  I should file a DCR.




May 13, 2014

Posted In: ConfigMgr