locked
Endpoint Protection Install Error RRS feed

  • Question

  • I started rolling out EP with a pilot group.  I've added 25 machines to the collection and advertised a client policy with EP enabled.  20 of these machines installed the client and reported back.  5 of these machines, strangely the last few machines I've added, are throwing an 0x80070643 in the Endpoint log.  I've tried the command line manually on one of these machines and it runs correctly.  The only thing I can tell that may be a problem is it asking to remove existing antivirus software.  We have Forefront Client Security at the moment.  Any ideas as to why I'm getting this behavior? 

    Note: The OS is Win7 and Win8.  I installed the EP KB for SCCM 2012 R2 yesterday, and have forced a reinstall on the affected machines.   


    Best, Jacob I'm a PC.

    Wednesday, February 19, 2014 2:27 PM

Answers

  • It look like adding this key to Win8/8.1 machines resolves the problem.  However, its not consistent across the board that it needs to be manually added.  The key is HKLM\SOFTWARE\Microsoft\Microsoft Security Client.  Is this a known bug for migrating FCS to SCEP? 


    Best, Jacob I'm a PC.

    Monday, February 24, 2014 3:41 PM

All replies

  • Have a look at the EndpointProtectionAgent.log file on the clients. It records details about the installation of the Endpoint Protection client.


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Wednesday, February 19, 2014 2:32 PM
  • That's where I grabbed the 0x80070643. The relevant lines were

    Detail error message is : [EppSetupResult]
    HRESULT=0x80070643
    Description=Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x80070643. Fatal error during installation.                
        EndpointProtectionAgent    2/19/2014 8:16:58 AM    1148 (0x047C)
    EP State and Error Code didn't get changed, skip resend state message.    EndpointProtectionAgent    2/19/2014 8:16:58 AM    1148 (0x047C)
    State 4, error code -2147023293 and detail message are not changed, skip updating registry value    EndpointProtectionAgent    2/19/2014 8:16:58 AM    1148 (0x047C)
    Failed to install EP client with exit code = 0x80070643.    EndpointProtectionAgent    2/19/2014 8:16:58 AM    1148 (0x047C)

    and

    Failed to open namespace 'root\microsoft\securityclient', error 0x8004100e.  (This one presents itself any time the installer fails in previous steps)


    Best, Jacob I'm a PC.

    Wednesday, February 19, 2014 2:52 PM
  • Wednesday, February 19, 2014 2:57 PM
  • Those errors are not in my event logs.  Also, I don't see anything indicating a conflicting AV program or services that could not stop.  Is there another location that maybe has more detail?  I pulled the install logs from the ProgramData directory, but they show the same information as the EP log. 

    Best, Jacob I'm a PC.

    Wednesday, February 19, 2014 10:44 PM
  • Has the previous antivirus completely uninstalled from the affected machines?  Even with support for removing existing antivirus, I generally choose to perform an uninstall of the existing antivirus using its management agent before I go ahead and push SCEP down to a machine.
    Thursday, February 20, 2014 4:23 AM
  • The previous antivirus, Forefront, is not uninstalling.  I believe the issue is EP trying to install, but not able to because FF wasn't removed.  The strange piece is that it worked on several machines and failed on a few others.  Do you script the uninstall of existing AV and installation of EP, or do you just remove existing AV and let the policy install EP?  I would like to limit the amount of time machines are unprotected. 

    Best, Jacob I'm a PC.

    Thursday, February 20, 2014 2:49 PM
  • I haven't worked with on an install that had existing Forefront clients installed, but for the installs I have worked on, the antivirus has usually had a password protecting it from being uninstalled, and has required an admin to use the existing software's console to perform a mass uninstall.  If you have default settings configured, the longest that your machines should be without antivirus is about 1 hour, the amount of time it takes the machine to check in for policy to be aware it should download and install the scep agent.  If you do this at night when users are less active you should not have much risk moving forward.
    Thursday, February 20, 2014 10:54 PM
  • It look like adding this key to Win8/8.1 machines resolves the problem.  However, its not consistent across the board that it needs to be manually added.  The key is HKLM\SOFTWARE\Microsoft\Microsoft Security Client.  Is this a known bug for migrating FCS to SCEP? 


    Best, Jacob I'm a PC.

    Monday, February 24, 2014 3:41 PM
  • That helped for a couple of machines, but not for many many more.  Anyone have any other thoughts on this before I package it up?  This seems a bit ridiculous that the behavior is that inconsistent on identical machines.

    Best, Jacob I'm a PC.

    Tuesday, February 25, 2014 3:38 PM