ePO Noob here, so please be gentle!
In ePO, we have an Assigned Client Task to update HIPS to vers 184.108.40.20610 (windows) scheduled to run every day at 8am to 6pm and to repeat every 2 hours. However, it appears this is not working correctly, as I consistently see 180+ hosts (Out of several thousand) that have an older or no version of HIPS.
When I Run Client Task Now on individual hosts and chose to update HIPS, I get the following in the Server Task Log:
|11/13/17 8:28:02 AM||Started: Sent to 1 computer(s)|
|11/13/17 8:28:15 AM||Failed: Failed RunNow Task|
And under Subtasks:
|11/13/17 8:28:02 AM||Started: Sent Run Now task "HIPS Update - Windows" to "Hostname"|
|11/13/17 8:28:06 AM||Run now task HIPS Update - Windows received.|
|11/13/17 8:28:09 AM||Run now task started.|
|11/13/17 8:28:15 AM||Run now task HIPS Update - Windows failed.|
Details: Deployment/Update task failed, reason "Unknown error"..
Assuming the Agent is the problem, which I found to be consistent in our environment...I've removed the McAfee Agent from specific Hosts and reinstalled using ePO and the Agent's Run Client Task now. All seems to run ok, but HIPS still will not update.
Any help will be appreciated.
First I would try to narrow down the specific issues. For the machines that are showing as having an older version of hips and not installing the newer version this could be because you're using a client task which is running the full installer. Some products like SiteAdvisor don't have individual patches and to update you just run the full install as you would on a fresh install. HIPS is not one of those products. If you attempt to run the full installer of 8.0p9 on a machine running 8.0p8 it will fail stating the software is already installed. You have to update via an update task.
Also I've had issues where the update would fail if ips is enabled, i believe it's in the upgrade guide to disable it. Try to disable hips on a small subset and retry the update. See if it now works.
For the machines not showing anything installed confirm locally hips really isn't installed. The installer could have ended in a state requiring a reboot. You could also attempt to run an uninstall task (even if the products not showing) and then rerun the install.
I'm experiencing similar issues with HIPS updates in my own estate.
approx 90 systems still stuck on HIPS patches 2 or 7.
IPS is turned off.
I've got the systems in 2 different system tree groups, which have different policies on which repository to retreve HIPS patches from.
Patch 2 systems are pointed at the "Previous" branch where HIPS p7 is available. Whilst the P7 systems are in "Evaluation", where HIPS p10 is available.
I've got a McAfee Agent / Product Update task defined, that only tells it to update VirusScan or HIPS. When task runs (either by schedule, or run client task now), it reports success, but subsequent check on system shows the HIPS version hasn't changed.
Most are agent 5.0.5, with a small number on 5.0.6.
The annoying thing is, vast majority of our 3000+ systems are on same policy settings so its odd that only a fairly small number are misbehaving.
in regards my version of the issue... i made a couple of discoveries, and then came up with my own "workaround".
In the McAfee agent's Macompatsvc_ log file, i'm seeing plugin errors related to HIPS8000. Date/time ties in with system startup, and also occasions when a client update, or epo initiated HIPS uninstall has attempted to run.
2018-02-09 11:00:01.696 macompatsvc(5796.5816) plugin.Error: Failed to open the plugin = C:\Program Files\McAfee\Host Intrusion Prevention\HipMgtPlugin.dll 5
2018-02-09 11:00:01.696 macompatsvc(5796.5816) plugin.Error: Failed to initialize the plugin for product id = HOSTIPS_8000 and plugin path = C:\Program Files\McAfee\Host Intrusion Prevention\HipMgtPlugin.dll.
2018-02-09 11:00:01.696 macompatsvc(5796.5816) compatbase.Error: Manageability client initialization failed for the application HOSTIPS_8000, error = 2003.
2018-02-09 11:00:01.696 macompatsvc(5796.5816) cmasvc.Error: Manageability client initialize/start failed for the application HOSTIPS_8000.
As a workaround, which is working for my environment so far... i've created an Uninstall command in SCCM to push to the affected systems to uninstall the old version, and then let ePO install the latest version in the repository by making sure the targetted systems are in a system tree group with an appropriate deployment task for HIPS.
The command line for uninstall came from here: