none
Windows 10 Client - Endpoint Protection stuck in "To Be Installed" status RRS feed

  • Question

  • Hi guys,

    I'm hoping you can help. We've recently installed SCCM 2016 at our site for the first time. Software updates are working just fine for all clients, and the next phase was to roll out Endpoint Protection for all of our clients to replace Trend. This has been done on the Windows 7 clients fine. The SCEP client installed, and updates are working fine.

    I'm stuck with the Windows 10 client I am testing with though. I understand that Windows Defender replaces the SCEP client in Windows 10, however I am having issues getting SCCM to manage the Windows Defender client on my Win 10 machine. When I look at the Windows 10 collection in the console, it shows it's Endpoint Protection deployment status as "to be installed". In the EndpointProtectionAgent.log, I can see it's trying to install SCEP even though it shouldn't. 

    If I go into Help -> About in Windows Defender, it doesn't show any Antimalware policies applied from SCCM. For some strange reason SCCM is refusing to take over management of Windows Defender. 

    To try and resolve it, I have tried uninstalling the SCCM client from the machine, removing the object from SCCM entirely and allowed SCCM to rediscover it and reinstall the client. After doing all of this, it still tries to install SCEP rather than take over Windows Defender. 

    I'm completely stumped, so I would be very grateful for any pointers or suggestions you might have.

    Regards,

    Lachlan Pearse.

    Tuesday, March 14, 2017 9:35 AM

Answers

  • There's no such this as ConfigMgr/SCCM 2016. You are probably rolling out SCCM/ConfigMgr Current Branch version 1610.

    > "I can see it's trying to install SCEP even though it shouldn't. "

    Yes it should. Windows Defender does not include a management component. Installing the SCEP client agent on a Windows 10 system installs the necessary management component but does not replace the core Defender component.

    Do you have a client settings package deployed to your Windows 10 systems to install SCEP?

    Have you deployed Windows Defender definition updates (in addition to the Forefront Endpoint Protection 2010 definition updates) in Software Updates?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, March 14, 2017 3:10 PM

All replies

  • There's no such this as ConfigMgr/SCCM 2016. You are probably rolling out SCCM/ConfigMgr Current Branch version 1610.

    > "I can see it's trying to install SCEP even though it shouldn't. "

    Yes it should. Windows Defender does not include a management component. Installing the SCEP client agent on a Windows 10 system installs the necessary management component but does not replace the core Defender component.

    Do you have a client settings package deployed to your Windows 10 systems to install SCEP?

    Have you deployed Windows Defender definition updates (in addition to the Forefront Endpoint Protection 2010 definition updates) in Software Updates?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, March 14, 2017 3:10 PM
  • Do you have a client settings package deployed to your Windows 10 systems to install SCEP?

    Hi Jason,

    Thanks for getting back to me. You nailed it right there. My lack of understanding of how it ties together was the cause of my issue. In the Win 10 client settings, I said No to it installing the SCEP client assuming it wasn't needed due to Windows Defender. Once I switched that to Yes all was well. 

    I'm glad it was just a rookie mistake!

    Thanks again, much appreciated.

    Cheers,

    Lachlan.

    Wednesday, March 15, 2017 8:43 AM