Failed to trigger EP Installer to install.- R2 client

    Question

  • Over the past couple of days following an upgrade from SP1 CU3 to R2, as clients have been updating via the Automatic Client Upgrade process I have been noticing some very odd behavior in the SCEP console.

    First thing I noticed is the detected malware list is missing about 90% of the history on malware detected. Looking at the SCEP status, I found that only 10% of clients in one of the largest SCEP collections report as active; the rest have a status of "Endpoint Protection client installation failed".

    I've since installed KB2907566 to see if possibly my SCEP installer was corrupt or something but didn't have any other luck.

    I have tried removing the deployments for each client policy that enforces SCEP and the antimalware policy that configures it and didn't have any results.

    Digging into the logs on several machines I see the following:

    EP 4.3.215.0 is installed, version is lower than expected installer version 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    EP 4.3.215.0 is installed, version is lower than expected installer version 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    Sending ack to MTC for task {9BCF7827-E04F-4C3A-8D8C-B943316A2D7F} EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    SCEP client is not present, SCEP client will be installed with the latest AM policy. EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    Sending message to external event agent to disable notification EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/9/2013 6:56:05 AM 1964 (0x07AC)
    <![LOG[Failed to load xml from string <?xml version="1.0"?><SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData"  Name="&#10;Custom Antimalware Policy - Servers Exceptions & Threat overrides&#10;Custom Antimalware Policy - Servers File&#10;Default Client Antimalware Policy"  Version="1" Description="XML contains all the AM Policy settings" IsBuiltIn="0"  CreatedBy="Microsoft" LastModifiedBy="FEP-S">  <PolicySection Name="FEP.AmPolicy" >    <LocalGroupPolicySettings >      <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan"><AddValue Name="ScanParameters" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="ScheduleDay" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="ScheduleTime" Type="REG_DWORD" Disabled="false">120</AddValue><AddValue Name="ScheduleQuickScanTime" Type="REG_DWORD" Disabled="false">61</AddValue><AddValue Name="CheckForSignaturesBeforeRunningScan" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="ScanOnlyIfIdle" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableCatchupFullScan" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableCatchupQuickScan" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="AvgCPULoadFactor" Type="REG_DWORD" Disabled="false">30</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction"><AddValue Name="5" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="4" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="2" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="1" Type="REG_DWORD" Disabled="false">2</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue 
Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%allusersprofile%\NTUser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%systemroot%\system32\GroupPolicy\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" 
Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\edb*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res1.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res2.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" 
Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="F:\BACKUP\*" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="F:\NBU_VSP_Cache\*" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="F:\ORADATA\*" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection"><AddValue Name="DisableRealtimeMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableIOAVProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableRealTimeMonitoring" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideDisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideDisableOnAccessProtection" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideDisableIOAVProtection" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideDisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideDisableScriptScanning" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="LocalSettingOverrideRealTimeScanDirection" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableOnAccessProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="RealTimeScanDirection" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableScriptScanning" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft 
Antimalware\Scan"><AddValue Name="DisableRestorePoint" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableReparsePointScanning" Type="REG_DWORD" Disabled="false">1</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Mi 1/1/1601 12:00:00 AM 2003852139 (0x77705B6B)
    Failed to generate AM policy settings for SCEP installation with error code 0x80004005 EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Sending message to external event agent to enable notification EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Sending message to external event agent to execute all on demand actions. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    State 4, error code -2147467259 and detail message are not changed, skip updating registry value EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Failed to trigger EP Installer to install with error code = 0x80004005. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    One timer is already created and running, skip the new timer here. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Firewall provider is installed. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    start to send State Message with topic type = 2001, state id = 4, and error code = 0x80004005 EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    EP 4.3.215.0 is installed, version is lower than expected installer version 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)
    EP 4.3.215.0 is installed, version is lower than expected installer version 4.4.304.0. EndpointProtectionAgent 12/9/2013 6:56:06 AM 1964 (0x07AC)

    So from this I can gather that Endpoint detects that the SCEP version is inconsistent with what is stored on the site and needs to upgrade; however, it seems to be unable to process the policy and fails the install.

    This seems to have only occurred on clients that have completed the Automatic Upgrade process and the hotfix for the new antimalware platform did not resolve anything.

    As far as I can tell the clients are still functioning as they should, and strangely enough alerts are still being triggered for malware detection but they do not show up in the console as being managed.

    Has anyone else seen this or have anything I could try? 

    Monday, December 9, 2013 2:31 PM

Answers

  • I did see that article before but it didn't seem to apply.

    I contacted Microsoft support and worked through the issue and they found a bug that stemmed from special characters in the policy names.

    All of our policies contained at least one of &, (, ), and - in the policy name, and as a workaround removing those characters allowed our clients to upgrade and policies to be applied. They said that a hotfix or some other release will fix it in the future.

    • Marked as answer by Slater76 Wednesday, December 11, 2013 1:13 PM
    Wednesday, December 11, 2013 1:13 PM
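
An added example, not part of the original thread and not Microsoft's code: a triage script that reads the "Failed to load xml from string" entry from EndpointProtectionAgent.log, splits the merged `Name` attribute into the individual policy names, and reports which ones contain the characters named in the answer. The function names are hypothetical and the sample entry is a constructed, shortened form of the one in the question. The well-formedness check demonstrates only the raw `&` case; `(`, `)` and `-` are flagged solely because the answer lists them.

```python
import re
import xml.etree.ElementTree as ET

# Characters the answer names as triggering the failure in policy names.
FLAGGED = set("&()-")

# Constructed sample: shortened form of the failing log entry quoted in the question.
SAMPLE_LOG = (
    '<![LOG[Failed to load xml from string <?xml version="1.0"?>'
    '<SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" '
    'Name="&#10;Custom Antimalware Policy - Servers Exceptions & Threat overrides'
    '&#10;Default Client Antimalware Policy" Version="1">'
    '<PolicySection Name="FEP.AmPolicy"'  # truncated on purpose, as in the real log
)

# Works on truncated entries because only the root element's Name is needed.
NAME_RE = re.compile(
    r'Failed to load xml from string.*?<SecurityPolicy\b[^>]*?\sName="([^"]*)"',
    re.S,
)

def merged_policy_names(log_text):
    """Return the policy names merged into the failing SecurityPolicy element."""
    m = NAME_RE.search(log_text)
    if not m:
        return []
    # The agent joins the applied policy names with an encoded newline (&#10;).
    return [n.strip() for n in m.group(1).split("&#10;") if n.strip()]

def attribute_is_well_formed(raw_value):
    """True if raw_value is valid inside an XML attribute exactly as logged."""
    try:
        ET.fromstring('<p Name="%s"/>' % raw_value)
        return True
    except ET.ParseError:
        return False

def audit(log_text):
    """Per policy name: flagged characters present and raw XML validity."""
    return [
        {
            "name": name,
            "flagged": sorted(FLAGGED & set(name)),
            "well_formed": attribute_is_well_formed(name),
        }
        for name in merged_policy_names(log_text)
    ]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Run against a copy of the client's EndpointProtectionAgent.log, any name reported with a non-empty `flagged` list is a candidate for the rename workaround described in the answer.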
