We’ve been seeing some odd behavior, and I am wondering if any of you have seen similar. We have had 100-ish systems that we were seeing the last report time that was out further that we wanted it to be (these are remote employees), and at first assumed it was an issue with them slacking on the job LOL! When we started digging into these systems we are seeing the BESClient process running, but it is like no one is home.
Checking logs shows the last entry on the last day it reported in, but then nothing. It’s like the process hung, as nothing in the logs indicate issue with it not being able to send reports or anything related to finding relays, etc. It’s odd… we have to kill the BESClient process and it restarts and works fine - checks in, sends reports, and can fixlets on them again.
These are all windows desktop systems, and we keep them up to date with patches and versions. I have no turned on any debugging on any client, as restarting the client fixes the issue and it has been very random. I’ve had to MacGuyver a “fix” to use Bigfix’s api in powershell to get systems who are offline, then use that data via our antivirus’ API and run kill commands on the BESClient process… it works, but not sure why the client is behaving this way. Any ideas or reports of this happening to you all?
What version are the clients? I heard reports some while back that evaluating Windows Defender analyses was hanging the client when the WMI calls involved would hang the process, but I think it was fixed several versions ago.
If it’s happening repeatedly, turning on BES Client debug logging is helpful to tell us what content it was evaluating when it stopped processing.
We are on 10.0.1 on everything across the board. I’ll try the defender analysis first; I hate to turn debugging on everywhere with these crap-tastic computers our users have. It’s so random that it would need to be on everywhere just to catch it…unless I am missing something.
@FatScottishGuy, it’s difficult to say as we’d have to get BESClient and debug logs from both environments to compare in order to determine with any confidence. That said, I don’t have the Windows Defender site in my lab and can’t currently add it to check the analysis in question for descendant folders of folder relevance causing issues.
Every instance I have seen this has had that Bitlocker Management site enabled, and I am thinking it may be the culprit. We have had zero instances of this on any windows server in the datacenter, and the relevance for that site specifically had it set to Win10, which is where we have been experiencing the issue. It’s been random, so not sure why we are seeing it like we are, but it caught my eye.
There was also a Bigfix Manager for Windows defender that was enabled, but no analysis were enabled, so I unsubscribed everything from there as well. Going to see if this helps, and will update what I see for anyone else who might have similar issue.
It’s so random that it would need to be on everywhere just to catch it…unless I am missing something.
I had high hopes for it too.