Endpoint Protection Control Manager reporting error after in place upgrade of Windows Server from 2012 R2 to 2016

Nicholas Palmer 81 Reputation points
2022-11-01T18:44:40.547+00:00

Hi,

I did an in-place upgrade of the OS of my Config Manager 2111 server from Windows Server 2012 R2 to Windows Server 2016.

After the in-place upgrade everything seems to be working ok, except for one issue with the Endpoint Protection role which is installed on this server.

When I check the status messages for Endpoint Protection role I see this error:

Endpoint Protection Control Manager failed to update malware definition. Verify that the Endpoint Protection client is installed and running on the Endpoint Protection role server. Verify that the Endpoint Protection client on the role server can receive updated definitions. Error code returned is:"0x80070002".

If I look at the Endpoint Protection role logs I see these errors:

ThreadMain (SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER) ... SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:42:53 AM 1164 (0x048C)
Checking threat definitions in 900 seconds... SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:42:53 AM 1164 (0x048C)
Key "SOFTWARE\Microsoft\Microsoft Antimalware" not found, trying key "SOFTWARE\Microsoft\Windows Defender" SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
RegQueryValueEx failed with 0X80070002 SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
GetAMInstallLocation failed with 0X80070002 SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Failed to load common client library (0x80070002) SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Failed to initialize AMMetadataUpdater (0x80070002) SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
STATMSG: ID=9200 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER" SYS=TOPANGA.KCICORP.COM SITE=P01 PID=2280 TID=1164 GMTDATE=Mon Oct 31 16:57:53.224 2022 ISTR0="0x80070002" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 LE=0X0 SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Checking threat definitions in 900 seconds... SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Key "SOFTWARE\Microsoft\Microsoft Antimalware" not found, trying key "SOFTWARE\Microsoft\Windows Defender" SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 10:12:53 AM 1164 (0x048C)

Per the instructions, I removed the SCEP client from this server before doing the in-place upgrade but it looks like the Endpoint Protection Control role is still looking for the old SCEP client. The Windows Defender definition updates from Microsoft are being correctly pulled down and deployed and if I check Windows Defender on this server, I can see that it has the latest definition updates.

What do I need to do to resolve this issue?

Thanks in advance
Nick

Microsoft Security | Intune | Configuration Manager | Other
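
The log excerpt in the question can be triaged mechanically. The following is an added example, not part of the original post and not Configuration Manager code: it parses a few lines copied from that excerpt, groups the failing lines of each polling cycle, lists the registry keys the component tried, and decodes the HRESULT. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Trailer every line in the excerpt ends with: component, date/time, thread id.
LINE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<comp>SMS_[A-Z_]+)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$"
)
HRESULT = re.compile(r"0[xX]([0-9A-Fa-f]{8})")
FACILITY_WIN32 = 7
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code, symbolic name)."""
    failed = bool(value >> 31)            # severity bit
    facility = (value >> 16) & 0x7FF      # 7 means a wrapped Win32 error
    code = value & 0xFFFF
    known = facility == FACILITY_WIN32 and code in WIN32_NAMES
    return failed, facility, code, WIN32_NAMES[code] if known else "unknown"

def failure_chains(text):
    """Group failing lines by timestamp: one chain per polling cycle."""
    chains = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        h = HRESULT.search(m["msg"]) if m else None
        if h and decode_hresult(int(h.group(1), 16))[0]:
            chains[m["when"]].append((m["msg"], int(h.group(1), 16)))
    return dict(chains)

def registry_keys(text):
    """Registry keys the component reports trying, in order."""
    return re.findall(r'[Kk]ey "([^"]+)"', text)

# Lines copied from the log excerpt in the question.
SAMPLE = r'''
Checking threat definitions in 900 seconds... SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:42:53 AM 1164 (0x048C)
Key "SOFTWARE\Microsoft\Microsoft Antimalware" not found, trying key "SOFTWARE\Microsoft\Windows Defender" SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
RegQueryValueEx failed with 0X80070002 SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
GetAMInstallLocation failed with 0X80070002 SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Failed to load common client library (0x80070002) SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
Failed to initialize AMMetadataUpdater (0x80070002) SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER 10/31/2022 9:57:53 AM 1164 (0x048C)
'''

if __name__ == "__main__":
    print("keys tried:", registry_keys(SAMPLE))
    for when, chain in failure_chains(SAMPLE).items():
        for msg, hr in chain:
            print(when, msg, decode_hresult(hr))
```

The first entry of each chain is the root failure; here it is the registry read, and 0x80070002 decodes to the Win32 error ERROR_FILE_NOT_FOUND.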

Accepted answer
  1. CherryZhang-MSFT 6,496 Reputation points
    2022-11-07T01:52:35.637+00:00

    Hi @Nicholas Palmer ,

    Thanks for your feedback and sharing. We're glad that the question is fixed now. Here's a short summary of the problem; we believe this will help other users to search for useful information more quickly. It's appreciated that you could click "Accept Answer" on the helpful reply.

    Problem/Symptom:
    Endpoint Protection Control Manager reporting error after in place upgrade of Windows Server from 2012 R2 to 2016.

    Reason:
    The old version SCEP was not uninstalled successfully prior to the in-place upgrade.

    Solution/Workaround:
    Ran the scepinstall.exe program and, while the setup dialog was visible, copied the contents of the temporary folder that scepinstall.exe created. From this copied folder, ran the following command to remove the old version of SCEP: <Copied folder path>\amd64\setup -x. After that, reinstall the new version of SCEP.

    Thanks again for your time! Have a nice day!

    Best regards,
    Cherry


2 additional answers

  1. CherryZhang-MSFT 6,496 Reputation points
    2022-11-02T05:54:54.097+00:00

    Hi @Nicholas Palmer ,

    1. Please make sure the following Configuration Manager services are running:
    Windows Defender
    SMS_EXECUTIVE
    SMS_SITE_COMPONENT_MANAGER


    2. For Antivirus action after the upgrade, most probably an update or re-installation will be needed.
    If you use System Center Endpoint Protection, it should be reinstalled to manage Windows Defender.

    This link for your reference:
    In-place OS upgrade for SCCM site server (systemcenterdudes.com)
    Note: Microsoft provides third-party contact information to help you understand the problem. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    3. Besides, the following thread is very similar to your situation for your reference:
    OpsMgr Alert For Endpoint Protection Point Availability Status (microsoft.com)
    Note: Microsoft provides third-party contact information to help you understand the problem. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    Looking forward to your feedback.

    Best regards,
    Cherry


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Nicholas Palmer 81 Reputation points
    2022-11-02T15:42:12.297+00:00

    Hi Cherry,

    Thanks for the response. I've checked the services you listed and they are all running.

    I actually used the link "In-place OS upgrade for SCCM site server (systemcenterdudes.com)" that you provided as the basis for my upgrade process so I am familiar with it. I re-read the page again carefully looking for references to end point and in the pre upgrade steps it says to remove the System Center Endpoint Protection client, and then for the post upgrade steps it says this:

    Do not forget about Antivirus action after the upgrade. Most probably an update or re-installation will be needed.

    If you use System Center Endpoint Protection, it should be reinstalled to manage Windows Defender, just like Windows 10

    I read the second link you provided and at the end of the post, another SCCM user appears to have the same issue that I'm having and they appear to have resolved the issue by installing the System Endpoint Protection client again on their 2016 server.

    So it seems to resolve my issue I would need to install the System Center Endpoint Protection client. But I'm not sure how I would manually install System Endpoint Protection on this server. And wouldn't installing System Endpoint Protection cause issues with Windows Defender?

    Thanks
    Nick

