Endpoint Protection

In order to gain support for Windows 10, I recently upgraded our SEPM server to version 12.1.6 MP1. Upgrade appeard to go smooth. However, now the clients don't seem to be automatically updating definitions anymore, I have to manually 'run command' and 'update content' on my groups to push out the new definitons. And I think that only worked after I reconfigured the server settings to allow live update from the client and the internet. I did this because I kept getting bombarded with emails about my clients having out dated definitions.

So in other words, I'm pretty sure my clients are unable to get their definitions at all from the SEPM server which is how I've had it configured up to this point (prior to the upgrade). It seems I have to manually tell the clients to update, and even then they get their updates only from the internet (though I don't know how to verify this). Do I have to run some kind of client upgrade on each client or something for the new SEPM verssion to  work as it should? Any ideas?

Please enable sylink debugging on one affected client and post the log here for review.

Ok, I have attached the sylink.log file

Ok, I have attached the sylink.log file

Attachment(s)

Sylink_4.7z   19 KB 1 version

Could be possible (looking at the below log that - something went wrong with your licenses during upgrade:

08/25 11:45:14.856 [4528] <PostEvent> done post event=EVENT_LU_REQUIRE_STATUS, return=16
08/25 11:45:14.856 [4528] [Content]<mfn_LiveUpdate:>{535CB6A4-441F-4e8a-A897-804CD859100E}: Content updates from manager are disabled.
08/25 11:45:14.856 [4528] <PostEvent> going to post event=EVENT_LICENSE_REQUIRE_STATUS
08/25 11:45:14.856 [4528] <PostEvent> done post event=EVENT_LICENSE_REQUIRE_STATUS, return=0

Just to rule this out: Did you enable "Use the default management server" in the LU policy? That's necessary to get updates from the SEPM.

Not likely, but did you block full content downloads? See Admin > Servers > YourSEPM > Edit Server Properties > Full Definitions Download > Prevent clients from downloading full definition packages

And even more unlikely, is it possible that your content is frozen by the LU content policy? See Policies > LiveUpdate > LiveUpdate Content > LiveUpdate Content Policy > Security definitions. All must be set to "Use latest available".

Run SymHelp on client and SEPM. You can download it under Home > Help > Download Symantec Help tool.

Thanks Greg for your input.

The short answer to "did you block full content Downloads" is yes I did. I actually forgot that this was the first symptom after the upgrade. I was continually getting the email alert:

CRITICAL: NETWORK LOAD ALERT: Too many requests for full definitions

I first ignored it thinking a) that our network could handle it, and b) that a full content download was probably needed due to an upgrade

However, I continued to get that alert, and it did not seem that the list of computers requesting the download was dwindling each time I got the alert, apparently meaning (to me anyway) that the content was not getting downloaded. Since there was nothing in the alert noting any detriment to shutting off the full content download, and I was getting bombarded with the alerts, I did turn that off. I didn't think turning this off would 'stop all downloading of definitons period' from the server, but I guess it apparently does, so I followed instructions in the email on how to prevent full content downloads.

Then about a week later when I started getting alerts about a bunch of my computers definitions were way out of date. I turned on the ability to get definition updates from the internet and ran 'update content' on my groups. This did update my definitions on my clients, but I of course still get the message that they are out of date as they continue not to get updates

I have since turned on the 'full content dowload' again (yesterday before your suggestion above), but again, now I am back to just getting the critical alerts about too many requests and seemeing to make no progress.

I checked and 'use latest available' is checked in LU policy

I will download the symhelp tool and see what I can see.

Thanks

Problem is if a client requests a full package, it means that it cannot get a (small) delta file. If it's even impossible to download full package, a client cannot update itself at all via SEPM.

I would do the following in your case:

Under Admin > Servers > Local Site > Edit Site Properties > LiveUpdate > Disk Space Management, check the number of content revisions. Probably the setting of your old 12.1.4 version is still valid. If you have a small number (e.g. 10) you should increase it, e.g. up to 90. Then your SEPM is able to deliver or create far more delta files, and your clients will rarely complain about full downloads. A lot of content versions are no problem because with 12.1.5 and later the content is stored extremly efficient on the SEPM.

Allow full downloads. Blocking should only be enabled in special situations (e.g. troubleshooting).

In the SEPM Download Schedule, set download to "every 4 hours". For example, if the SEPM is on "daily", it's possible that a client which updated itself via internet does not find a matching content version on the SEPM with which the SEPM could build a delta file--so the client requests a full download from the SEPM (but see below).

Check Clients > YourGroup > Policies > LU policy > Windows settings/Advanced settings > Let clients download smaller packages from a LiveUpdate server. This is new in 12.1.6. If you enable it, the SEP client tries to download a delta file from the internet if its SEPM is not able to deliver a delta file but only a full content file.

Unfortunately, the notifications for full content downloads apply to all types of content. But only AV/AS content can have critical size. If you don't want to disable this notification, you can mitigate it under Monitors > Notifications > Notification conditions. Increase the required requests per time unit, increase the damper or even disable the sending of E-mails.

We too recently upgraded to 12.1.6 MP1. Started getting the alerts about too many requests for full definitions but found out that is a new notification specific to this version so wasn't overly concerned. I then noticed that some of our clients stopped pulling down definition updates. Looking at logs the error is "downloaded new content update from the management server failed". We have 11,000 endpoints and the majority are working fine. I can't see any commonalities with the devices that are failing although all are running a version older than RU6 MP1 as we haven't deployed that to many of our clients yet. See failures on both clients who get updates directly from SEPM and those who go to GUP. Upgrading seems to correct the problem so prior to opening a case with Symantec thought I'd see if anyone had a fix?

Hello Curt,

Try to upgrade a number of clients in order to test if the old version is the issue and look for the delta folder into the definitions path to check if your server is creating new ones.

I have done a very similar thing as Curt H but my issue is I have to send the Communications Package seperately or when I run the client deployment wizard but I have to manually select the client install settings to reset communications settings to get my clients to report.  My Default Standard Size Installation Settings is grayed out and the Upgrade settings are set to Maintain all logs and client-server communication settings.  How do I get around this?  Thanks everyone ...