Slow system boot times with Endpoint Protection

  • Question

  • We have been using Microsoft Endpoint Protection across our organization for about the past 5 years. Three weeks ago we started noticing a handful of slow boot complaints coming through our Help Desk. At first they were being looked at as individual system problems, but after our technicians started troubleshooting more and we received a few more reports, we began to think this may be all one issue.

    Last year we expanded our SCCM usage from just Endpoint Protection to include imaging and system management. When we created our task sequences, we added one for Endpoint Protection client and it was version 4.9.219. Our default client policy was set to install Endpoint Protection, but since it was being installed through a post install task, SCCM never pushed out the client.

    During our testing, we found a mix of PCs exhibiting the issue. Some Windows 7 and some Windows 8.1. None of our Windows 10 installs have ever exhibited the issue. We have two domains, a parent and child, and so far, we have found confirmed reports in both domains.

    It gets strange: upgrading the Endpoint Protection client, say from 4.9.218 to 4.9.219, would apparently fix the slow boot issue for a number of restarts. However, the next morning, the system was back to slow booting again. The difference being that there was a shutdown in the middle of the night after a maintenance window.

    On other systems, they were running Endpoint Protection v4.10.x and downgrading to v4.9.219 would also correct the issue temporarily.

    So far, the only real fix seemed to be completely uninstalling the System Center Endpoint Protection client. On the few systems where we did that, SCCM would push out v4.7.214 due to the default client policy.

    We need to do some more testing to be 100% sure before acting on this hunch. If that is indeed the fix to our slow boot issue, I am just curious why this issue only manifested itself so recently. We have been pushing the newer version of the client for a long time with no problems. We have not altered our SCCM version since a year ago (SCCM Current Branch 1602), nor have we modified the endpoint protection policy. There have also been no changes to group policy, not to mention that the two domains share no policies, and PCs seem to be randomly affected from various OUs.

    One last thing I should mention: on one of the Windows 8.1 PCs which exhibited the slow boot issue, it was running SCEP v4.9.219. Installing Faronics Deep Freeze has corrected the issue on that PC for several days now, through multiple shutdowns and restarts. I know that Deep Freeze disables Windows Fast Startup and thought there may be something to that, but I've been at this for so long I am having trouble figuring out what to try next or how best to proceed.

    I should also mention that the slow boot is always around 5 minutes. On unaffected systems, we expect normally to see boot times of less than a minute. Using Windows Performance Recorder and Analyzer from the ADK, we see a three minute stretch of time during boot where all activity appears to hang. It appears to be caused by an SVCHOST as that is the only process that exists in every instance on every PC experiencing the slow boot issue. We are going to try setting the Microsoft Antimalware service to a delayed start and do another capture to see if that is the svchost that is causing the issue.

    Anyway, if anyone else is experiencing this issue or has any suggestions, we would most definitely welcome them!

    Wednesday, March 22, 2017 8:13 PM

Answers

  • It appears as though we may have found the issue! Endpoint Protection seems to have started flagging the Dell Kace agent on our machines. Adding exceptions into the Endpoint client policy has corrected the issue in our initial testing. Waiting for policy to finish propagating to the rest of our PCs.
    • Proposed as answer by Frank Dong Tuesday, April 18, 2017 1:50 PM
    • Marked as answer by disk2 Tuesday, April 18, 2017 2:08 PM
    Thursday, March 23, 2017 1:20 PM

All replies

  • I have over 100,000 machines and I haven't seen the issue, and we have all versions of Windows and almost every different version of the engine running. Are you seeing the timeout notice in the Event Logs? Have you run the Microsoft Analyzer tool (https://msdn.microsoft.com/en-us/library/hh162945.aspx) on the machine? It can tell you where the boot process is slow, GPO, etc.

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    Wednesday, March 22, 2017 9:22 PM
  • Thanks for the reply Matthew! We did run multiple collections using the Windows Performance Recorder/Analyzer from the ADK. It reveals an svchost in each of the problematic boots. Unfortunately, we can't seem to determine from that tool what process is using that svchost.

    We thought it might be the Microsoft Anti-Malware process, so I am getting ready to set that process to delayed start to see if I can identify it.

    Wednesday, March 22, 2017 9:41 PM
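
Added example (not part of the original thread): a PowerShell sketch for the two checks this thread turned on, namely which services each svchost.exe instance is hosting and what the antimalware client has recently flagged. It assumes SCEP writes detections to the System log under the source "Microsoft Antimalware" with event IDs 1116 (detection) and 1117 (action taken); the function names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated prompt on an affected PC.
# Get-WmiObject is used so the script also works on Windows 7 (PowerShell 2.0).

function Get-SvchostServiceMap {
    # svchost PIDs change on every boot, so match the instance seen in a trace
    # by its "-k <group>" command line rather than by PID.
    $services = Get-WmiObject -Class Win32_Service -Filter "State = 'Running'"
    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc   = $_
        $hosted = $services |
            Where-Object { $_.ProcessId -eq $proc.ProcessId } |
            ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            ProcessId   = $proc.ProcessId
            CommandLine = $proc.CommandLine      # empty if not elevated
            Services    = ($hosted -join ', ')
        }
    } | Sort-Object ProcessId
}

function Get-AntimalwareDetection {
    param([int]$Days = 7)
    # Assumption: SCEP detections are in the System log, source "Microsoft Antimalware".
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        Id           = 1116, 1117
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Which services share each svchost instance?
Get-SvchostServiceMap | Format-Table ProcessId, CommandLine, Services -AutoSize -Wrap

# Has the client been detecting or remediating anything, e.g. a management agent?
$hits = @(Get-AntimalwareDetection -Days 14)
if ($hits.Count -eq 0) {
    'No detection events (1116/1117) found in the last 14 days.'
} else {
    $hits | Format-List
}
```

Repeated detections of the same path at every boot point to a false positive on a trusted agent; scope any exclusion to that agent's specific folder or process rather than a broad path.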