Monday, September 14, 2015

SCEP Active clients at risk

If you manage your devices with System Center Endpoint Protection (SCEP), you may have noticed "Active Clients at risk: XX" under Endpoint Protection Status within the Monitoring node.

Most of the time this misleads everyone into thinking the client machines are not downloading the definition files.
However, if you check the definition version, it will be up to date with the released versions. This means the error message is not specifically related to the definitions; some of the other components are having issues.

If you check the computer object in the SCCM console, you may notice "Product Status: Service not running" under Endpoint Protection Remediation Information.

Checking the running services on the device shows that the Microsoft Antimalware Service is already running.

Restarting the device will fix the problem; however, if it is a server, a restart will be an issue. Eventually, after trying many things, restarting the WMI service fixed the issue.

So log in to the device where you have the problem, open Services, select Windows Management Instrumentation, and click Restart. Wait a few minutes, then run the summarization by right-clicking the Endpoint Protection Status node in the SCCM console. This will give you the updated results for Active Clients at risk, and the remediated device should no longer be in the list.
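
The same restart can be scripted, which helps on servers where you want to be sure every service that depends on WMI comes back afterwards. This PowerShell is an added example, not part of the original post; it assumes PowerShell 3.0 or later in an elevated session, and that the SCEP client publishes its state in the `root\Microsoft\SecurityClient` WMI namespace (class `AntimalwareHealthStatus`).

```powershell
# Added example, not from the original post. Run elevated on the affected device.
$ErrorActionPreference = 'Stop'

# Assumption: SCEP client health is exposed in this WMI namespace and class.
$ScepNamespace = 'root\Microsoft\SecurityClient'
$ScepClass     = 'AntimalwareHealthStatus'

function Test-ScepWmi {
    # Returns $true when WMI can answer a query about the SCEP client.
    try {
        $null = Get-CimInstance -Namespace $ScepNamespace -ClassName $ScepClass
        return $true
    } catch {
        Write-Warning "WMI query for $ScepClass failed: $($_.Exception.Message)"
        return $false
    }
}

# 1. Confirm the symptom from the post: the antimalware service itself is running.
$am = Get-Service -DisplayName 'Microsoft Antimalware Service'
if ($am.Status -ne 'Running') {
    Write-Warning "Antimalware service is $($am.Status); that is a different fault, WMI left untouched."
    return
}
"SCEP reachable over WMI before restart: $(Test-ScepWmi)"

# 2. Record the services that depend on WMI and are running right now.
#    Restart-Service -Force stops them, so they are checked again afterwards.
$dependents = @((Get-Service -Name Winmgmt).DependentServices |
                Where-Object Status -eq 'Running')

# 3. Restart Windows Management Instrumentation (service name: Winmgmt).
Restart-Service -Name Winmgmt -Force

# 4. Start any recorded dependent service that did not come back by itself.
foreach ($svc in $dependents) {
    $svc.Refresh()
    if ($svc.Status -ne 'Running') {
        Start-Service -InputObject $svc
    }
}

# 5. Report the result; then run the summarization in the SCCM console as described above.
"SCEP reachable over WMI after restart:  $(Test-ScepWmi)"
Get-Service -Name (@('Winmgmt') + $dependents.Name) |
    Sort-Object Name | Format-Table Name, Status -AutoSize
```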

2 comments:

  1. Hello Venu Singireddy,

    I have just tried your resolution for the problem Active Clients at risk AND this solved it :-)

    Thank you very much, but I need further help....

    I want to create a collection for all clients with the same error, and then I would make an automatic repair function in SCCM to resolve the problem on all machines over a baseline action.

    Question: How can I create this baseline action? What is the exact "flag" for this error (Remediation Status: Unknown and Product Status: Service not running)?

    Best regards,

    Pascal Bilat

  2. Here is a collection that you can use for Active Clients at Risk:

    select SMS_R_SYSTEM.ResourceID,
           SMS_R_SYSTEM.ResourceType,
           SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier,
           SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_EndpointProtectionStatus
        on SMS_G_System_EndpointProtectionStatus.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_EndpointProtectionStatus.AtRisk = 1
