Endpoint Protection not managed or installed on ConfigMgr clients

Posted: December 11, 2013 in Configuration Manager, Solved, System Center
Tags: , ,

This is one of those really simple and stupid problems that had me stuck for a while. I kept getting distracted with other things so it took a while before I got around to looking into it properly.

About a week after upgrading ConfigMgr 2012 to R2 I noticed some of the rebuilt servers didn’t have the Endpoint agent installed. The clients were working correctly, deploying windows updates and software deployments fine. Client Policy and inventory processing correctly, Endpoint Policy was assigned to machine in console and appearing on client (policyspy)

On new computers, Endpoint Protection did not install at all, and on computers when SCEP setup run manually, Endpoint policy never applies. Registry key indicates no policy is applied, even though “Generated Policy shows the correct values


Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)
Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent EndpointProtectionAgent 10/12/2013 3:02:14 PM 5764 (0x1684)

And the EPAgent registry only showed:

policyapplicationstate = 0
state = 1


There’s probably a really obvious and easy way to identify the cause, but nothing jumped out at me and the details as shown above don’t really give any indication.

Quite simply, there is a setting in the Client Policy for Endpoint Protection that I must have missed at some point that is set by default to NOT allow installing EP outside of maintenance windows.


Set the “Allow Endpoint Protection client installation and restarts outside of maintenance windows…” to “Yes” and it will just sort out the rest on its own.

  1. Mark says:

    After my client installs successfully my SCEP agent is not installed. I do not have an EndpointProtectionAgent.log file in the Logs folder. There are no errors in ccmsetup.log and no errors in client.msi.log. Any ideas?

    • Scott says:

      Does ccmsetup have an entry showing it doing the scep install? Also check the client settings deployed to this machine to make sure it is set to manage AV enabled.
      One other thing to try is what happens when you run scepinstall from the ccmsetup folder on the client machine?

      • Mark Giemza says:

        The machine ended up being in the wrong OU. Boundaries are based on OUs and thus it didn’t have a boundary and couldn’t get any policies until I moved the computer to the correct OU.

  2. Pierre says:

    Thanks, this helpled me and saved me lots of time.

  3. Anthony says:

    Thanks – helped me a lot.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s