Endpoint Protection

  • 1.  User Mode - How to get def updates when no one is logged in?

    Posted Dec 30, 2009 02:50 PM
    We have a significant issue where desktops are not logged into by an end user for an extended period of time. Many of these are training rooms, etc. All desktops are in User Mode.

    We've noticed that if the computer is turned on via Wake On LAN, the defs are NEVER updated. We do wake them weekly for patches and administrator SEP scans on Sundays. In SAV CE 10, the defs also got updated which kept the employee from having to wait for new defs each Monday morning.

    If someone actually logs in then the defs do get updated either from their GUP or from the SEPM server, however they happen to be configured. But the employee gets the "your defs are out of date" dialog box that prompts a support ticket.

    We really don't want to SMS a 50+ MB IntelligentUpdater package across the WAN every week just to handle this due to the size and having to build a package every week.

    All desktops are running MR4 MP2 while SEPM is running RU5. The GUP servers at each location are also on MR4 MP2.

    Any suggestions on how to get the defs updated via the GUP or SEPM with no one logged in will be greatly appreciated.

    Ray


  • 2.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 30, 2009 03:34 PM
     The client will not check-in to the SEPM until after the first user logs in. This is true of both user mode and computer mode clients. The SMC service (which is responsible for client-server communication) does not load until explorer launches at least once. 


  • 3.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 30, 2009 03:48 PM
    Not even if you have a LU policy setting the LU frequency? Seems like a major design flaw if that is true...


  • 4.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 30, 2009 04:00 PM
    That can't be right for computer mode clients, Jerryy. If it was, how could a server ever get a def update?

    We actually tried starting the SMC service to see if that would fix it, but it didn't.

    Ray


  • 5.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 30, 2009 06:50 PM
    The mechanism that the SEPM uses to get its updates is LiveUpdate and is 100% different than what SEP clients do, even the SEP client on the SEPM computer.

    Additionally this only seems to happen at the initial logon after a reboot/cold boot. Once any user has logged on, even if they subsequently log off, the SEP client will continue to connect to the SEPM and get updates, as by default the connection between SEP client and SEPM is not closed (push mode).


  • 6.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 31, 2009 02:58 AM

    It seems to me that you do not have your internal LiveUpdate server, all your clients connect to your management server to receive virus definition. With User Mode configuration, once the machine gets rebooted, the machine will have no communication to the management till the next user logs on.
    To resolve your problem of the machine not being able to get virus definition updated automatically, you can take advantage of the location feature. Click on Manage Location, create Location One: there is a communication to the management server, this is the time that your user logs on to the machine. Create a new LiveUpdate setting policy for this location and choose to use default management server in the server settings.
    Now you need to take care of the time when no one logs on after the machine reboots. Create another location, let's call it Location Two: there is no communication to the management server. Create a new LiveUpdate setting policy for this location, choose to use default management server in the server settings, and select Use LiveUpdate, select use a specified internal LiveUpdate server, click Add, add our internal liveupdate server if you have one, add liveupdate.symantecliveupdate.com so that your machine at least can go to Symantec to update definition. I think you use GUP for your client as well, select GUP for this location as well. Since you add liveupdate.symantecliveupdate.com in the server settings, you will need to make sure your proxy setting is configured properly if you are in a proxy environment (you can use settings.merge.liveupdate file to configure proxy setting if necessary).
    To verify this setting, apply the while a user logon, reboot the machine, before anyone logs on, access the admin share of the machine to c:\documents and settings\all users\application data\symantec\liveupdate, open settings.liveupdate file with notepad, you can see the host 0, 1, 2... that will be the host where the machine will update definition from at the time no user is logged on to the machine.



  • 7.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 31, 2009 08:17 AM
    "Additionally this only seems to happen at the initial logon after a reboot/cold boot. Once any user has logged on, even if they subsequently log off, the SEP client will continue to connect to the SEPM and get updates, as by default the connection between SEP client and SEPM is not closed (push mode)."

    Absolutely correct. Our regulators require us to turn off each PC that is not in use, including shutting all of them off each night. If we make an exception for this, such as PC's used for off-hours processing, it must be documented. There is no alternative.

    Ray


  • 8.  RE: User Mode - How to get def updates when no one is logged in?

    Posted Dec 31, 2009 08:28 AM
    Thanks for taking the time to write this, chenh.

    "It seems to me that you do not have your internal LiveUpdate server, all your clients connect to your management server to receive virus definition."

    All clients at the main office connect to the SEPM for their updates. All branch office locations connect to their branch server, which is a Group Update Provider. Each Group Update Provider receives its updates from the single SEPM.

    We already have Location policies for each branch office. That's how we define their Group Update Provider; by their subnet. Gees, it was a big enough pain to create a Location policy for each of the hundreds of subnets we have. If I now have to create a second policy for each location as well as install internal LiveUpdate servers, it will be an unmanageable mess.

    We have a very restrictive outbound policy and PCs are not allowed to go directly to the Internet for their virus defs. Many have no Internet capability at all, proxied or otherwise, because there is no business need.

    Thanks again,

    Ray