locked
SCEP 2012 installation isn't working... RRS feed

  • Question

  • I've configured everything I can find reference to from various sources regarding SCEP in SCCM 2012.

    I can't get the SCEP client to install, though.

    The EndPointProtectionAgent.Log file gets updated on a reboot of the client with the following:

    <![LOG[Service startup notification received]LOG]!><time="11:24:35.857-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="fepsettingendpoint.cpp:234">
    <![LOG[Endpoint is triggered by CCMTask Execute.]LOG]!><time="11:24:36.138-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="fepsettingendpoint.cpp:208">
    <![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="11:24:36.326-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="epagentimpl.cpp:146">
    <![LOG[State 1 is NOT changed. Skip update registry value]LOG]!><time="11:24:36.326-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="epagentimpl.cpp:183">
    <![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0.]LOG]!><time="11:24:36.670-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="epagentutil.cpp:499">
    <![LOG[Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.]LOG]!><time="11:24:36.670-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="epagentutil.cpp:149">
    <![LOG[AM Policy XML is ready.]LOG]!><time="11:24:36.717-60" date="09-13-2012" component="EndpointProtectionAgent" context="" type="1" thread="5668" file="epagentutil.cpp:314">

    Any guidance very welcome!

    Thursday, September 13, 2012 10:39 AM

Answers

  • Neil, you are using the Client Settings correctly; you don't need to configure everything - they are cumulative, with the highest priority (lowest number) having the final say on any setting configured within it.

    I sort of managed to duplicate your problem, in that once I removed the EP agent from a system (where the default client settings were previously set to install/manage the EP agent) I could not get the EP agent re-installed by adding in a custom client settings to install/manage the EP agent.

    However, this soon sorted itself out when I set both policies NOT to install/manage the EP agent, performed a machine policy refresh on the client, waited a while and then re-enabled the install/manage options on my custom EP settings policy.  The EndpointProtectionAgent.log on the client soon ran the SCEPInstall.exe command line, and within about 10 minutes later (after a few 'Run Summarization' clicks in the EP monitoring Node and various client actions) the client showed as managed.

    Andy


    My Personal Blog: http://madluka.wordpress.com

    • Marked as answer by NeilRawlinson Wednesday, September 26, 2012 11:58 AM
    Monday, September 24, 2012 10:57 PM

All replies

  • Hi,

    How have you configured the client to be installed? the above looks like you haven't created a Client Policy with the Endpoint Protection settigns set to install endpoint protection, so the question is how have you configurerd the Endpoint Policy settings??

    The above log files looks like a normal Endpoint Protection log file where the Install Endpoint Protection setting is not configured to install Endpoint Protection..

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Thursday, September 13, 2012 10:55 AM
  • Thanks for the quick reply Jorgen.

    I think I have configured the settings you mention. I have a collection called "SCEP Pilot" with two client members by direct rule.

    Under Administration/Client Settings I have created a Custom Client Device Setting called "EndPoint Protection Client Settings"

    And the following settings under "EndPoint Protection"

    This is then deployed to the SCEP Pilot Collection.

    However, the client never installs - I can't see any attempts to install, and no errors. I'm stumped.


    Neil Rawlinson


    Thursday, September 13, 2012 11:03 AM
  • Hi,

    Is the client Active In the adminconsole? can you view the clientsw hardware inventory for instance?

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Thursday, September 13, 2012 11:58 AM
  • Silly question, but have you actually added the Endpoint Protection as a role to your site server, and has it installed successfully (EPSetup.log)?

    Andy


    My Personal Blog: http://madluka.wordpress.com

    Thursday, September 13, 2012 1:01 PM
  • Hi Andy  - yes, I've installed the Role and "Installation successful" in EPSetup.log. Thanks.


    Neil Rawlinson

    Thursday, September 13, 2012 1:17 PM
  • Hi again Jorgen - yes, Clients are active - I can see all hardware details, such as BIOS details, serial number etc in resource explorer.

    Neil Rawlinson

    Thursday, September 13, 2012 1:20 PM
  • Slightly different tack, although still relevant...

    As you can see by the images, I've made an assumption that the Custom Client settings work in a similar way to Group Policies...which I'm hoping is the case!

    I've configured the client settings for my EndPoint Protection pilot completely separately. I'm assuming that the settings from other configuration sections found in "Default Client Settings", also get applied...is this the case?

    Or do I have to build a complete set of client settings in each custom policy? Do I need to add all the relevant sections?


    Neil Rawlinson

    Thursday, September 13, 2012 2:01 PM
  • Still no joy on this front. SCCM 2012 is happily installing applications and packages to these machines, but not the SCEP client.

    Neil Rawlinson

    Monday, September 17, 2012 1:36 PM
  • Hi, can I check

    if you have one or two Client settings, one Default Client Settings and one EndPoint Protection settings?
    Have you made multiple changes to your Client settings and did not refresh the policies on your machines?

    This works for me when SCEP2012 does not install onto my computer. 

    1. Go to Configuration Manager in Control Panel of your clients computers
    2. Click on Action tab
    3. Click on Machine Policy Retrievel and Evaluation Cycle.
    4. Run TaskMgr, Show all Processes, wait for SCEPInstall.exe to appear, it should take about 10 to 20 minutes for it appear.

    Cheers

    Wednesday, September 19, 2012 9:52 AM
  • Thanks Alexis, but I've tried that already. As I say, these machines install applications fine - I deployed Adobe Reader X using SCCM the other day. It appears just to be SCEP. I've even tried installing SCEPInstall manually, from the CCMSetup directory. It installs, but doesn't report back to Config Manager.

    Neil Rawlinson

    Monday, September 24, 2012 1:24 PM
  • Neil, you are using the Client Settings correctly; you don't need to configure everything - they are cumulative, with the highest priority (lowest number) having the final say on any setting configured within it.

    I sort of managed to duplicate your problem, in that once I removed the EP agent from a system (where the default client settings were previously set to install/manage the EP agent) I could not get the EP agent re-installed by adding in a custom client settings to install/manage the EP agent.

    However, this soon sorted itself out when I set both policies NOT to install/manage the EP agent, performed a machine policy refresh on the client, waited a while and then re-enabled the install/manage options on my custom EP settings policy.  The EndpointProtectionAgent.log on the client soon ran the SCEPInstall.exe command line, and within about 10 minutes later (after a few 'Run Summarization' clicks in the EP monitoring Node and various client actions) the client showed as managed.

    Andy


    My Personal Blog: http://madluka.wordpress.com

    • Marked as answer by NeilRawlinson Wednesday, September 26, 2012 11:58 AM
    Monday, September 24, 2012 10:57 PM