Endpoint Protection not managed or installed on ConfigMgr clients

Posted: December 11, 2013 in Configuration Manager, Solved, System Center

This is one of those really simple and stupid problems that had me stuck for a while. I kept getting distracted with other things so it took a while before I got around to looking into it properly.

About a week after upgrading ConfigMgr 2012 to R2 I noticed some of the rebuilt servers didn’t have the Endpoint agent installed. The clients were working correctly, deploying Windows updates and software deployments fine. Client policy and inventory were processing correctly, and the Endpoint policy was assigned to the machine in the console and appearing on the client (policyspy).

On new computers, Endpoint Protection did not install at all, and on computers where SCEP setup was run manually, the Endpoint policy never applied. The registry key indicated no policy was applied, even though “Generated Policy” showed the correct values.


Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)
Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)

And the EPAgent registry only showed:

policyapplicationstate = 0
state = 1


There’s probably a really obvious and easy way to identify the cause, but nothing jumped out at me and the details as shown above don’t really give any indication.

Quite simply, there is a setting in the Client Policy for Endpoint Protection that I must have missed at some point that is set by default to NOT allow installing EP outside of maintenance windows.


Set the “Allow Endpoint Protection client installation and restarts outside of maintenance windows…” setting to “Yes” and it will just sort out the rest on its own.
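
A quick way to check a client for the symptom described above, as an added PowerShell example that is not part of the original post. It only reads the registry key and log file named in the post; the default log folder %windir%\CCM\Logs is an assumption, and the function name Get-EPAgentSymptom is made up for illustration.

```powershell
# Added example, not from the original post. Reports whether this client shows
# the symptom described above: an EPAgent key with policyapplicationstate = 0
# plus "Failed to get EP event ..." lines in EndpointProtectionAgent.log.
# Assumption: the client log folder is the default %windir%\CCM\Logs.
function Get-EPAgentSymptom {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent',
        [string]$LogPath = (Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log')
    )

    $result = [ordered]@{
        KeyPresent             = $false
        PolicyApplicationState = $null
        State                  = $null
        OtherValueNames        = @()
        LogPresent             = $false
        FailedEventLines       = 0
        MatchesPost            = $false
    }

    if (Test-Path -LiteralPath $RegistryPath) {
        $result.KeyPresent = $true
        $key = Get-Item -LiteralPath $RegistryPath
        # GetValue returns $null when the value does not exist
        $result.PolicyApplicationState = $key.GetValue('policyapplicationstate')
        $result.State = $key.GetValue('state')
        # Anything beyond the two values the post lists
        $result.OtherValueNames = @($key.GetValueNames() |
            Where-Object { $_ -notin 'policyapplicationstate', 'state' })
    }

    # A missing log is reported rather than treated as an error
    if (Test-Path -LiteralPath $LogPath) {
        $result.LogPresent = $true
        $hits = Select-String -LiteralPath $LogPath -SimpleMatch -Pattern `
            'Failed to get EP event code under registry key',
            'Failed to get EP event message under registry key'
        $result.FailedEventLines = @($hits).Count
    }

    # Same combination as in the post: no policy applied and the two log errors
    $result.MatchesPost = $result.KeyPresent -and
        ($result.PolicyApplicationState -eq 0) -and
        ($result.FailedEventLines -gt 0)

    [pscustomobject]$result
}

Get-EPAgentSymptom | Format-List
```

If MatchesPost is True, the maintenance window setting above is the first thing to check in the client settings deployed to that machine.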

  1. Mark says:

    After my client installs successfully my SCEP agent is not installed. I do not have an EndpointProtectionAgent.log file in the Logs folder. There are no errors in ccmsetup.log and no errors in client.msi.log. Any ideas?

    • Scott says:

      Does ccmsetup have an entry showing it doing the scep install? Also check the client settings deployed to this machine to make sure it is set to manage AV enabled.
      One other thing to try is what happens when you run scepinstall from the ccmsetup folder on the client machine?

      • Mark Giemza says:

        The machine ended up being in the wrong OU. Boundaries are based on OUs and thus it didn’t have a boundary and couldn’t get any policies until I moved the computer to the correct OU.

  2. Pierre says:

    Thanks, this helped me and saved me lots of time.

  3. Anthony says:

    Thanks – helped me a lot.

  4. SkeetsMB says:

    I know this post is a couple of years old but my client device settings for Endpoint are all greyed out so I cannot make any changes.
    I am running SCCM 2012 R2 on Server 2012 R2. I have tried running SCCM as administrator, tried recreating the client device settings but I am still unable to make changes. SCEP is installed on the SCCM server so I have no clue as to why this is happening.

    Is there a fix for this?


    • Scott says:

      Do you mean the settings in the SCEP agent itself are greyed out, or in the ConfigMgr console when you try to create a new policy for SCEP?

      • SkeetsMB says:

        The ConfigMgr console. I created a custom client device setting policy and cannot edit any of the Endpoint Protection settings. It occurs even if I delete it and create a new one.

        • JureB says:

          Did you install the Endpoint Protection Point role on your CAS, or Stand-alone Primary site?

        • Scott says:

          In this environment we have the EPP installed on the CAS.

        • SkeetsMB says:

          Yes, EPP role was enabled on the primary SCCM server. I just removed it then re-added it and now I am able to modify the EPP client settings in the console.
          Crazy! I did the same thing a few months back and took notes on the steps I made when troubleshooting this. I think my age is catching up to me; need to look into alternative medication…

          Thanks for the assistance, you guys rock!
