This is one of those really simple and stupid problems that had me stuck for a while. I kept getting distracted with other things, so it took a while before I got around to looking into it properly.
About a week after upgrading ConfigMgr 2012 to R2, I noticed that some of the rebuilt servers didn't have the Endpoint Protection agent installed. The clients were otherwise working correctly: Windows updates and software deployments were going out fine, client policy and inventory were processing correctly, and the Endpoint Protection policy was assigned to the machine in the console and appearing on the client (PolicySpy).
On new computers, Endpoint Protection did not install at all, and on computers where SCEP setup was run manually, the Endpoint Protection policy never applied. The registry key indicated that no policy was applied, even though "Generated Policy" showed the correct values. EndpointProtectionAgent.log showed only:
Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)
Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)
And the EPAgent registry only showed:
policyapplicationstate = 0
state = 1
There’s probably a really obvious and easy way to identify the cause, but nothing jumped out at me and the details as shown above don’t really give any indication.
Quite simply, there is a setting in the client settings for Endpoint Protection that I must have missed at some point, and it is set by default to NOT allow installing EP outside of maintenance windows.
Set "Allow Endpoint Protection client installation and restarts outside of maintenance windows…" to "Yes" in the client settings (default or the custom client settings deployed to the affected collection), and it will sort out the rest on its own once the clients pick up the new machine policy. Note the trap: a client with no maintenance window at all (the usual case for freshly rebuilt servers) never gets a slot in which EP setup is allowed to run, so with this setting at "No" the install is silently never attempted, and the log and registry give no hint that a maintenance window is what it is waiting for. If you would rather keep the default, the alternative is to give the collection a maintenance window long enough for the install; the setting's own description states that installation and restarts will not occur in a window shorter than 30 minutes.
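For the next time this comes up, here is a client-side triage script, added as an example and not part of the original post, that checks the three things above in one go: the EPAgent registry values, the "Failed to get EP event" lines in EndpointProtectionAgent.log, and whether the client actually has any maintenance windows. It assumes the default client log path under C:\Windows\CCM\Logs, the registry key shown in the log lines, and the CCM_ServiceWindow class in root\ccm\ClientSDK for listing the client's maintenance windows; the last step triggers a machine policy refresh so a changed client setting is picked up without waiting for the polling interval.

```powershell
# Added example (not the original author's code). Run elevated on an affected client.
# Assumptions: default log path, EPAgent registry key as shown in the post,
# CCM_ServiceWindow in root\ccm\ClientSDK, and the standard SMS_Client schedule IDs.

$epKey = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent'
$epLog = Join-Path $env:SystemRoot 'CCM\Logs\EndpointProtectionAgent.log'

# 1. Registry state written by the EP agent. PolicyApplicationState = 0 with State = 1
#    is the "policy never applied" picture described in the post.
$state = Get-ItemProperty -Path $epKey -ErrorAction SilentlyContinue
if ($null -eq $state) {
    Write-Warning "$epKey not found: the EP agent has not initialised on this client"
} else {
    $state | Select-Object PolicyApplicationState, State | Format-List
}

# 2. Pull the "Failed to get EP event" lines out of the CMTrace-format log.
#    Each entry looks like: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
if (Test-Path $epLog) {
    Select-String -Path $epLog -Pattern 'Failed to get EP event' | ForEach-Object {
        if ($_.Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"') {
            '{0} {1}  {2}' -f $Matches.date, $Matches.time, $Matches.msg
        }
    }
} else {
    Write-Warning "$epLog not found"
}

# 3. Maintenance windows this client knows about. With the "install outside maintenance
#    windows" client setting at its default of No, EP setup only runs inside one of these,
#    so an empty list means the install will never be attempted.
$windows = Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_ServiceWindow -ErrorAction SilentlyContinue
if (-not $windows) {
    Write-Warning 'No maintenance windows on this client: EP install needs the outside-MW client setting set to Yes'
} else {
    $windows | ForEach-Object {
        $start = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime)
        $end   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.EndTime)
        '{0} -> {1}  ({2} min, type {3})' -f $start, $end, [int]($end - $start).TotalMinutes, $_.Type
    }
}

# 4. After the client setting has been changed in the console, force the client to
#    download and evaluate machine policy now instead of at the next polling interval.
$smsClient = [wmiclass]'root\ccm:SMS_Client'
$smsClient.TriggerSchedule('{00000000-0000-0000-0000-000000000021}') | Out-Null   # Machine Policy Retrieval
$smsClient.TriggerSchedule('{00000000-0000-0000-0000-000000000022}') | Out-Null   # Machine Policy Evaluation
```

Run it once before changing the setting to confirm the "no maintenance windows, policy state 0" combination, then again a few minutes after the policy refresh; the registry values changing and EP setup appearing in the log confirms the client has picked up the new setting.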