Archive for the ‘Endpoint Protection’ Category

Gartner announces the 2020 Magic Quadrant for Unified Endpoint Management

August 20th, 2020

I’m excited to announce that, earlier today, Gartner listed Microsoft as a Leader in its 2020 Magic Quadrant for Unified Endpoint Management. You can read the entire report here, and you can see a snapshot of the Magic Quadrant below.

You will note that we improved on both the “Ability to Execute” and “Completeness of Vision” axes.

A major culture principle within the Microsoft Endpoint Manager team has been to place the ultimate measure of value on usage, and we have built our products accordingly. We extend this principle in our belief that customers choose to run their businesses with the products that offer IT the best combination of value and functionality, and provide the organization with the best user experience.

Our desire is to be an organization that constantly listens to and learns from our customers. Our successes are the result of very concrete changes we’ve made to the way we operate. The acceleration of customer value and simpler solutions are the result of very deliberate changes we made in engineering focus and in the things we choose to celebrate. When we stopped celebrating the shipment of a new product and instead started throwing all our energy into supporting our customers’ usage goals, our customers experienced greater value and benefit.

It isn’t about shipping. It isn’t about revenue. It’s usage that will always be the foremost leading indicator of the value for our customers—and it is by making the effort to focus our team on customer usage that enabled us to create and sustain an organization-wide culture that recognizes and rewards the behaviors that guarantee your long-term success.

To be clear, we have always considered Configuration Manager and Intune to be one solution—but we made it official in the last year bringing them together as Microsoft Endpoint Manager.

This made all the difference in our progress with Endpoint Manager reflected in this report. We are innovating faster, we have more customer empathy, and we are delivering more value than ever before to more customers than we ever thought possible.

According to the Gartner report, “Drastic change and a global pandemic marked a tumultuous year in the UEM market. The past 12 months magnified legacy CMT limitations and drove I&O leaders to UEM for reduced complexity, location-agnostic device management, and analytics to track and improve device performance and end-user experience.”

Maximize what you learn from the Magic Quadrant

As you evaluate these conclusions and determine the best course of action for your company, consider what trends and market forces were driving the ultimate conclusions made by Gartner, and superimpose this perspective on the unique needs of your organization.

Also, of course, don’t hesitate to reach out to Microsoft for more information, or, as always, go ahead and reach out to me on Twitter or LinkedIn.

Image of the Magic Quadrant.

Gartner, Magic Quadrant for Unified Endpoint Management, August 11, 2020.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Follow @MSIntune for the latest news on endpoint management.


Errors When Using the FEP 2010 Definition Update Automation Tool

by Michael Cureton

We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.

Definition Update Automation Tool fails to add new definition updates to the deployment package

The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
  at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
  at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
  at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

More than one FEP 2010 definition update is being detected as active by the tool.

More Information

The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:

  1. One or more FEP 2010 definition updates has been expired but not superseded, OR
  2. One or more FEP 2010 definition updates has been orphaned.

To confirm whether you are experiencing condition #1 or condition #2, run the following WMI query:

SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0

If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.

Condition #1

If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.

For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter "ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

Condition #2

If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.

For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.

Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.103.1405.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.105.2231.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.107.713.0)

After you have determined the title (and version) of the orphaned update(s), load the WSUS snap-in and drill down to the Updates node. In the Actions pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next, click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.

Locate the created view in the WSUS console. Change the Approval value to “Any Except Declined” and the Status to “Any” and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.

NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.

Once the sync is complete, run the WMI query you used to determine the condition and confirm that only one row is now returned. Going forward, you will also need to run the tool with the /UpdateFilter flag from the condition #1 workaround.
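As an added example (not part of the original article), the following PowerShell script runs the two WMI queries described above against the ConfigMgr SMS Provider, reports which condition applies and, for condition #2, picks the highest definition version as active and lists the remaining titles as orphaned. The site server name, the site code and the root\SMS\site_<SiteCode> provider namespace are assumptions; adjust them for your site.

```powershell
# Added example: classify FEP 2010 definition updates the way the manual check does.
# Assumptions: $SiteServer and $SiteCode are placeholders for your SMS Provider;
# root\SMS\site_<SiteCode> is the standard ConfigMgr provider namespace.
param(
    [string]$SiteServer = 'SCCM01',   # placeholder
    [string]$SiteCode   = 'ABC'       # placeholder
)

# Parse "(Definition 1.107.713.0)" out of an update title; $null if no version is present.
function Get-FepDefinitionVersion([string]$Title) {
    if ($Title -match 'Definition\s+(\d+(\.\d+){1,3})\)') { return [version]$Matches[1] }
    return $null
}

# Given the titles returned by the condition #2 query, the highest definition version
# is the active update; every other title is orphaned and must be declined in WSUS.
function Split-FepUpdates([string[]]$Titles) {
    $sorted = $Titles | Where-Object { Get-FepDefinitionVersion $_ } |
              Sort-Object { Get-FepDefinitionVersion $_ } -Descending
    [pscustomobject]@{
        Active   = $sorted | Select-Object -First 1
        Orphaned = @($sorted | Select-Object -Skip 1)
    }
}

$ns   = "root\SMS\site_$SiteCode"
$base = 'SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1'

# Query 1 is what the tool itself runs; more than one row triggers the
# "An item with the same key has already been added" exception.
$active    = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $base)
# Query 2 is the confirmation query from the article, which drops expired updates.
$unexpired = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query "$base AND IsExpired=0")

if ($active.Count -le 1) {
    "OK: $($active.Count) active definition update(s); the tool should not fail."
} elseif ($unexpired.Count -eq 1) {
    "Condition #1: expired-but-not-superseded updates are present."
    "Run the tool with /UpdateFilter `"ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0`""
} else {
    $r = Split-FepUpdates ($unexpired | ForEach-Object { $_.LocalizedDisplayName })
    "Condition #2: active update is: $($r.Active)"
    "Decline these orphaned updates in WSUS, then wait for the next scheduled SUP sync:"
    $r.Orphaned
}
```

Split-FepUpdates can also be fed the three sample titles from the article directly to check that 1.107.713.0 is reported as active and the other two as orphaned.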

Definition Update Automation Tool does not refresh distribution points

The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.

Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

Monitoring Forefront Endpoint Protection 2010 – the FEP Dashboard

November 9th, 2010

Forefront Endpoint Protection 2010 (FEP) Release Candidate was just released. In this post, we discuss ways for administrators to monitor FEP. FEP 2010 provides several monitoring features; this is the first in a series of posts about them.

One of the key architecture changes from FCS is FEP’s alignment with System Center Configuration Manager. Configuration Manager provides the platform for client distribution and policy settings, as well as data collection to and from clients.

The FEP Dashboard is an extension to the Configuration Manager console. After deploying the FEP console extension to Configuration Manager (either on the server or on an administrator’s laptop), a new node called “Forefront Endpoint Protection” appears in the navigation tree (see Figure 1).

The dashboard is designed to:

  • Provide a single pane of information to an administrator who needs to know how FEP is doing, as well as a starting point for drilling down into FEP features and troubleshooting.
  • Serve as a launchpad for the administrator to drill down to troubleshooting or other day-to-day tasks.

Figure 1 – FEP Dashboard

Capabilities of the FEP dashboard (see the labeled figure above):

    1. Computers targeted by FEP: Unlike other security suites, FEP does not require a new discovery mechanism for computers in the organization. Instead, it queries the Configuration Manager database for workstations, laptops and servers (excluding mobile devices). Once discovered, the administrator may decide to protect the clients by creating a software distribution advertisement for collections containing all the clients.
      • Tip: Administrators can open the FEP collections and drill down to the “Deployment\Not Targeted” collection to identify the computers that will remain unprotected without manual intervention (e.g. creating an advertisement).
      • Tip: The only way to capture the administrator’s intent is to keep the FEP-related advertisement active (never expiring). Make sure this is checked when creating your own.
    2. Deployment status: Once an administrator starts to deploy FEP on clients, the clients are moved from the “not targeted” collection to one of the following deployment states:
      • Locally Removed – Computers where the FEP client was locally removed, either by a user with local administrator permission or by other software (e.g. malware).
      • Failed – Computers for which the FEP client setup program reported a failure.
      • Pending – Computers for which an active Configuration Manager software distribution advertisement is trying to install the FEP client.
      • Out of date – Computers for which the reported FEP version is older than the one installed at the server.
      • Deployed – Computers with FEP client deployed.
    3. Health status: For those computers either in “deployed” or “out of date” state, the FEP dashboard provides additional health information:
      • Protection inactive – The FEP service is reported to be turned off.
      • Not responding – Computers which have not reported for the last 14 days.
      • Healthy – Neither of the above.
    4. Malware activity status: Shows computers with malware activity. FEP surfaces computers with the following infection states:
      • Infected – Computers where FEP could not fully mitigate a malware instance.
      • Restart\Full scan required – Computers where FEP mitigated a malware incident but requires additional action in order to complete the mitigation.
      • Recent activity – Computers where malware was detected and successfully mitigated (within the last 24 hours).
    5. Definition status: Enables administrators to drill down into computers which failed to update their FEP definitions.
    6. Policy distribution: Enables administrators to drill down into computers where Configuration Manager failed to distribute FEP policy.
    7. FEP baselines: Presents administrators with a quick compliance view into the FEP baselines.
      • Tip: Administrators may create their own DCM baselines and use FEP Configuration Items (CIs). To add a baseline to (or remove it from) the FEP dashboard, add the “FEP” category to (or remove it from) the baseline.
      • Note: The FEP dashboard is built on top of Configuration Manager collections. Each of the hyperlinks in the FEP dashboard leads to a collection which holds the actual computers sharing the same symptom.

Ziv Rafalovich,
Senior Program Manager