

Forefront Endpoint Protection (FEP) Troubleshooting

This article is intended to be a place where community members can contribute troubleshooting tips for FEP. As you use FEP, please share your troubleshooting tips!

For other troubleshooting areas, see the following articles:

See also

FEP Security Management Pack

Client

Reports

Dashboard

Deployment

Troubleshooting

FEP Server Setup fails when installing the reporting feature

Symptom

FEP Server Setup fails when installing the reporting feature. In the Setup log file (located in %ProgramData%\Microsoft Forefront\Support\Server), you see the following error (or a similar error):

Product: Microsoft Forefront Endpoint Protection 2010 Reporting -- Error 26201.Error -2147217900: failed to create SQL database: FEPDW, error detail: CREATE DATABASE failed. Some file names listed could not be created. Check related errors.

Cause

This error happens when the SQL Server service cannot create the physical file for the target database.

Solution

  • Ensure the account under which the SQL Server service (MSSQLSERVER) runs has permissions to create files in the target storage device.
  • Ensure there is not already a file in the target directory by the same name.  
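The two checks above can be scripted on the SQL Server host. This is an added example, not part of the original article; the directory in `$DataDir` is a hypothetical placeholder, and the assumption that the database files start with the database name (`FEPDW`) should be confirmed against your installation.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
# $DataDir is a hypothetical path: set it to the directory where setup creates
# the database files. $DbName comes from the setup error message.
$DataDir = 'D:\SQLData'
$DbName  = 'FEPDW'

# 1. Which account does the SQL Server service run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"
if (-not $svc) { throw 'Service MSSQLSERVER not found (named instances use MSSQL$<name>).' }
"SQL Server service account: $($svc.StartName)"

# 2. Which identities may (or may not) create files in the target directory?
#    Compare this list with the service account, or with groups that contain it.
$create = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
(Get-Acl -Path $DataDir).Access |
    Where-Object { ([int]$_.FileSystemRights -band $create) -ne 0 } |
    Select-Object AccessControlType, IdentityReference, FileSystemRights, IsInherited |
    Sort-Object AccessControlType |
    Format-Table -AutoSize

# 3. Is there already a file with the same name in the target directory?
#    Assumption: the database files start with the database name.
$existing = Get-ChildItem -Path $DataDir -File |
    Where-Object { $_.BaseName -like "$DbName*" }
if ($existing) {
    'Existing files that may collide with CREATE DATABASE:'
    $existing | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
} else {
    "No files starting with '$DbName' found in $DataDir."
}
```

A Deny entry that matches the service account takes precedence over any Allow entry in the same list.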

 

FEP Server Setup fails when installing the reporting feature.

Symptom

 In the Setup log file (located in %ProgramData%\Microsoft Forefront\Support\Server), you see the following error:

1956 ExecuteSqlStrings: Error 0x80040e14: failed to execute SQL string, error: Error 6401, Procedure spAN_Infra_MaintenanceAddPartitionEntry, Line 93, Message Cannot roll back AddPartitionTransaction. No transaction or savepoint of that name was found., SQL key: SQL.Script.InstallSchema.InstallDWHDB SQL string: EXEC spAN_Infra_MaintenanceConfigurtion 'dtAN_Infra_ErrorEvents', 1

Solution

If you encounter this error during server setup, check the account your SQL Server services are using to run. If your SQL Server services are running as the Network Service account, add the computer account for the SQL Server to the Pre-Windows 2000 Compatible Access group.
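One way to check both conditions from the solution above, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) is available on the SQL Server host, and the service-name pattern is an assumption that may need adjusting for named instances.

```powershell
# Added example (not from the original article). Run on the SQL Server host.
# Requires the ActiveDirectory module; checks direct group membership only.
Import-Module ActiveDirectory

# Services whose names suggest SQL Server components (pattern is an assumption).
$sqlServices = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match 'SQL|ReportServer' }
$sqlServices | Select-Object Name, StartName, State | Format-Table -AutoSize

# StartName is reported as "NT AUTHORITY\NetworkService" or "NT AUTHORITY\NETWORK SERVICE".
$asNetworkService = $sqlServices |
    Where-Object { $_.StartName -match 'Network\s?Service' }

if ($asNetworkService) {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $group    = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties Member

    if ($group.Member -contains $computer.DistinguishedName) {
        "$($computer.SamAccountName) is already a direct member of the group."
    } else {
        "$($computer.SamAccountName) is not a direct member of the group; the fix described above applies."
    }
} else {
    'No SQL Server service runs as Network Service; this cause does not apply.'
}
```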

  

After policy edit, traffic to DP increases

Symptom

After you edit either a default or a custom policy in FEP 2010, you may notice that traffic to your distribution points increases. Additionally, upon investigation, you notice that the source version of the FEP deployment package increases (in Software Distribution/Packages/Microsoft Corporation FEP- Deployment 1.0/Package Status).

Cause

When you update a policy in FEP 2010, the deployment package is also updated if the policy you changed was a default client or default server policy.

Solution

In the Configuration Manager console, under Site Management\<Site code>\Site Settings\Status Filter Rules, disable the FEP policy modification from parent status filter rule.

NOTE: Using this solution results in the default policies XML files not being updated when you change the default policies (for both server and client). This does not affect deployed clients; it only affects the default policies used during client deployment. If you do update the default policies and need to update them for client rollout, you must run the PlcUpdtr.exe tool manually and specify the package ID for the policies. PlcUpdtr.exe uses the following syntax:

"C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin\PlcUpdtr.exe" <FEP Policy Package ID>

where <FEP Policy Package ID> is the ID of the FEP policy package you need to update.

If you have a decentralized FEP policy management infrastructure, you should run PlcUpdtr.exe on each site where the policy is changed.

You cannot update definitions from Microsoft Update.

Symptom

You cannot update definitions from Microsoft Update. You may see an error message with the error code 0x8024402c.

Cause

Windows Update is disabled. Windows Update can be disabled via the registry or via Group Policy.

Solution

For computers that are not connected to the corporate network all the time (for example, mobile computers), you must enable access to Microsoft Update in order to download definition updates outside the corporate network. You can use Group Policy to prevent Automatic Updates from downloading updates for Windows; this configuration still allows the FEP definition updates to continue.

To do this, in Group Policy Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Update, and disable the setting for Configure Automatic Updates.
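To tell the broken state (Windows Update disabled) apart from the configuration recommended above (Automatic Updates turned off, Windows Update still available), you can inspect the service and the policy registry values on an affected client. This is an added example, not part of the original article; the two policy values it reads are the ones commonly written by the Windows Update Group Policy settings, and other mechanisms for disabling Windows Update are not covered.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name } else { $null }
}

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$svc   = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"

$report = [pscustomobject]@{
    ServiceStartMode           = $svc.StartMode
    ServiceState               = $svc.State
    DisableWindowsUpdateAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
    NoAutoUpdate               = Get-PolicyValue "$wuKey\AU" 'NoAutoUpdate'
}
$report | Format-List

if ($report.ServiceStartMode -eq 'Disabled') {
    'Windows Update service (wuauserv) is disabled: matches the cause described above.'
}
if ($report.DisableWindowsUpdateAccess -eq 1) {
    'Policy value DisableWindowsUpdateAccess = 1: access to Windows Update is blocked by policy.'
}
if ($report.NoAutoUpdate -eq 1 -and $report.ServiceStartMode -ne 'Disabled') {
    'Automatic Updates is turned off by policy but the service is available: the configuration described above.'
}
```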

 

After deploying FEP client, computers show in Not Reporting

Symptom

After deploying the FEP client software in your organization, all client computers show up in the Not Reporting collection in the Configuration Manager console.

Cause

This can happen if either the Desired Configuration Manager (DCM) service on the Configuration Manager server is not running, or the System Center Management service is not running on the client computers.

FEP 2010 uses DCM to report health back to the Configuration Manager server. A client computer is placed into the Not Reporting collection if no data has been received from the client in the last 14 days.

Solution

Ensure the DCM service is running on the Configuration Manager server and the System Center Management services are running on your client computers.

 

After FEP server repair, new malware is shown with ID

Symptom

After you repair a FEP Server installation, new malware in reports is shown with its malware ID and an "unknown" name and details.

Cause

The reporting infrastructure in FEP uses the FEP Client definitions to list malware detected in reports. Because the FEP Client is not repaired during a FEP Server repair, this functionality is lost.

Solution

Reinstall the FEP Client on the FEP Server, and then update the definitions.