SCEP definitions not updating when uninstalling MSE

[kerber0s]

First off, let me mention how fantastic this site is. Without it I would have spent months trying to setup and configure my Config Manager 2012 environment.

 

I am in the process of deploying the SCEP client to a pilot group of users. In our environment we have a hodgepodge of Symantec 11.x, 12.x, and Microsoft Security Essentials AV clients. SCEP 2012 is supposed to be able to uninstall Symantec 11.x and Microsoft Security Essentials, which is does flawlessly. However, on the three machines I tested that had Microsoft Security Essentials installed the SCEP client would not update after installation. In order to make this work I had to right-click the resource and tell it to "download definitions" and then force it to run the Machine Policy Retrieval & Evaluation Cycle.

 

On the machines that had Symantec 11.x it uninstalled SEP, installed SCEP and updated the definitions within a matter of a few minutes. Has any one seen this or have any suggestions? I have checked the EndpointProtectionAgent.log and found the following during the time when the client was installed:

 

 

Installed EP client successfully. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Start to send state message. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Save new state 3 to registry SOFTWARE\Microsoft\CCM\EPAgent\State EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

EP Policy Default Client Antimalware Policy is already applied. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

State 1 and ErrorCode 0 and ErrorMsg and PolicyName Default Client Antimalware Policy is NOT changed, SKip sending State Message. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Sending EvaluateAssignments Trigger to Updates Deployment Agent EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Register a timer here to check whether definition get updated in 30 minutes. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Firewall provider is installed. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Installed firewall provider meet the requirements. EndpointProtectionAgent 11/6/2012 10:11:13 AM 5528 (0x1598)

Endpoint is triggered by Timer. EndpointProtectionAgent 11/6/2012 10:41:13 AM 4936 (0x1348)

Definition is not installed or it's too old. Need to explicitly trigger SCEP client to download latest definition. EndpointProtectionAgent 11/6/2012 10:41:13 AM 4936 (0x1348)

Skip the case for operation DownloadDefinition. EndpointProtectionAgent 11/6/2012 10:41:13 AM 4936 (0x1348)

Endpoint is triggered by message. EndpointProtectionAgent 11/6/2012 1:10:00 PM 5888 (0x1700)

File C:\Windows\ccmsetup\SCEPInstall.exe version is 2.2.903.0. EndpointProtectionAgent 11/6/2012 1:10:00 PM 5888 (0x1700)

EP version 2.2.903.0 is already installed. EndpointProtectionAgent 11/6/2012 1:10:00 PM 5888 (0x1700)

 

I looked at the logs in ProgramData\Microsoft\Microsoft Antimalware\Support but didn't see anything that was out of the ordinary.

 

Any help would be greatly appreciated. Thanks!

 

-Kerb

[anyweb]

hi Kerb,

 

 

First off, let me mention how fantastic this site is. Without it I would have spent months trying to setup and configure my Config Manager 2012 environment.

 

thanks

 

after SCEP is installed, if you reboot those systems that had MSE installed does it make any difference to your issue ?

[kerber0s]

Sorry for not getting back sooner. I'm having mixed results. On my test machine, the first time I installed SCEP it took a reboot before it would uninstall MSE and then wouldn't update the definitions even after a few reboots. I uninstalled SCEP and reinstalled MSE. After I installed MSE I did not do a reboot and when I installed SCEP it required a reboot. The 3rd time I made sure I restarted after installing MSE and the SCEP client uninstalled MSE, installed and updated successfully without a reboot. So it appears that after it runs through the process once it will complete successfully.... not sure how that's possible. I'm going to test my theory on another unsuspecting victim that has MSE installed and will report my findings.

 

-Kerb

[kerber0s]

Ok I did another test today on a freshly built machine with MSE installed. The client installed itself right away and uninstalled MSE but still wouldn't update the definitions. Even after a reboot it still shows not updated.

 

I have used the auto-uninstall feature for Symantec 11 and it works flawlessly. I have also created a task sequence to uninstall Symantec 12.x and manually install SCEP and that works perfectly as well from a definition update standpoint. I'm at a loss as to why MSE is causing problems. If you click the button to update SCEP it will update without a problem.

 

-Kerb