SCEP outdated signature Troubleshooting

Outdated definitions are one of the common issues you may encounter while managing System Center Endpoint Protection (SCEP). There can be various reasons behind this. In this article, we will discuss the issue caused by a missing WMI namespace or class, which prevents virus definition updates.

Issue 1: root\Microsoft\SecurityClient WMI Namespace is missing

The WMI namespace for SCEP is root\Microsoft\SecurityClient. The Configuration Manager client agent monitors the classes in this namespace for any changes, and a state message is sent when a change is detected. As the name suggests, this WMI namespace represents the Microsoft Antimalware service status. A corrupt or missing SecurityClient namespace is one of the primary reasons behind outdated definitions. You can follow the steps below to diagnose and fix the issue with the WMI namespace.

1. Open WBEM on the local machine using the wbemtest command.

2. This will open the Windows Management Instrumentation Tester window.

3. Click the Connect button, enter root\Microsoft\securityclient under Namespace, and click Connect. If there is no issue with the WMI namespace, all the greyed-out buttons will be enabled.

4. If the connection fails with an error, there is an issue with the WMI namespace and you need to fix it. Continue with the next steps to fix the issue.

5. Navigate to the C:\Program Files\Microsoft Security Client folder and check whether the following files exist.

  • ClientWMIInstall.mof
  • AmMonitoringInstall.mof
  • AmStatusInstall.mof

If these files exist, run the commands below from a command prompt or PowerShell. If the files don't exist, you need to reinstall SCEP.

mofcomp "C:\Program Files\Microsoft Security Client\ClientWMIInstall.mof"
mofcomp "C:\Program Files\Microsoft Security Client\AmMonitoringInstall.mof"
mofcomp "C:\Program Files\Microsoft Security Client\AmStatusInstall.mof"

6. After running the above commands, open a command prompt and run the command below to refresh SCCM client state messages.

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000111}" /NOINTERACTIVE

7. Wait for an hour, then reopen wbemtest and connect to root\Microsoft\SecurityClient. You should now be able to connect to it. You can check the definition status in SCCM after a day.

Issue 2: AntimalwareHealthStatus Class is missing in WMI

1. Open wbemtest and connect to root\Microsoft\SecurityClient. Follow the same steps provided earlier to connect to the WMI namespace.

2. Click Query, type SELECT * FROM AntimalwareHealthStatus, and click Apply.

3. If you see the error below, the AntimalwareHealthStatus class is missing and you need to reinstall SCEP.

Error Number: 0x80041013

Facility: WMI

Description: Provider Load Failure

4. Uninstall and reinstall SCEP using the commands below.

  • Silently uninstall SCEP using the command below.
c:\windows\ccmsetup>SCEPInstall.exe /u /s
  • Validate that System Center Endpoint Protection has been removed. Reboot the machine.
  • Install SCEP using the command below.
c:\windows\ccmsetup>SCEPInstall.exe /s

5. Once SCEP is installed, open the SCEP console on the client machine and run Update Definitions.

6. Try to connect to the AntimalwareHealthStatus class again. It should work fine. If the issue persists, reinstall the SCCM client.
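
The wbemtest checks from Issue 1 and Issue 2 can also be scripted, which helps when many clients need checking. The script below is an added example, not part of the original article: it uses the namespace, class, MOF files and schedule ID given above, and the function name Test-ScepWmi and the -Repair switch are hypothetical names chosen for illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Without -Repair it only reports; with -Repair it recompiles the MOF files.
param([switch]$Repair)

$scepDir  = 'C:\Program Files\Microsoft Security Client'
$mofFiles = 'ClientWMIInstall.mof', 'AmMonitoringInstall.mof', 'AmStatusInstall.mof'

function Test-ScepWmi {
    # Issue 1: is SecurityClient registered as a child namespace of root\Microsoft?
    $nsOk = [bool](Get-CimInstance -Namespace 'root\Microsoft' -ClassName '__NAMESPACE' `
        -Filter "Name='SecurityClient'" -ErrorAction SilentlyContinue)
    # Issue 2: can AntimalwareHealthStatus be queried (Provider Load Failure if not)?
    $classOk = $false
    $detail  = $null
    if ($nsOk) {
        try {
            $null = Get-CimInstance -Namespace 'root\Microsoft\SecurityClient' `
                -ClassName 'AntimalwareHealthStatus' -ErrorAction Stop
            $classOk = $true
        } catch { $detail = $_.Exception.Message }
    }
    [pscustomobject]@{ NamespaceOk = $nsOk; HealthClassOk = $classOk; Error = $detail }
}

$state = Test-ScepWmi
$state | Format-List | Out-Host

if ($state.NamespaceOk -and -not $state.HealthClassOk) {
    Write-Warning 'AntimalwareHealthStatus cannot be queried: reinstall SCEP (Issue 2).'
} elseif (-not $state.NamespaceOk) {
    $missing = @($mofFiles | Where-Object { -not (Test-Path (Join-Path $scepDir $_)) })
    if ($missing.Count -gt 0) {
        Write-Warning "Missing MOF files ($($missing -join ', ')): reinstall SCEP."
    } elseif (-not $Repair) {
        Write-Warning 'Namespace missing, MOF files present: rerun with -Repair.'
    } else {
        foreach ($mof in $mofFiles) {
            & mofcomp.exe (Join-Path $scepDir $mof)
            if ($LASTEXITCODE -ne 0) { Write-Warning "mofcomp failed for $mof ($LASTEXITCODE)" }
        }
        # Same schedule ID as the WMIC command in step 6 of Issue 1.
        $null = Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000111}' }
        Test-ScepWmi | Format-List | Out-Host
    }
}
```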
