ECM client dissappear after reboot and first user login

Kiessling, Rolf 1 Reputation point
2022-11-16T10:54:54.067+00:00

Hi

Facing a very strange behavior with ECM 2207 and Client 5.00.9088.107

When installing a fresh new machine, the Software Center is installed and working. We can install new packages and so on. Also all required packages are installed.
In Management Console you can see the green checkmark and clinet is installed. Checking c:\windows\ccm shows about a dozend subfolder including the "ClientUX".

Then then the computer is rebooted
Checking the folder again (via remote access to c$) shows the ccm folder is still filled.

Now a user log in to the machine and want to open the Software Center which failed.
When checking the ccm folder it is quiet empty. Just some files are left. Also the subfolder "ClientUX" is gone.

It looks as something is deinstalling the clinet.

It is no problem to push the client again to the machine or manually install it from ccmsetup folder but that can't be the solution for it.
Once you reinstall the client it stays active also after reboots.

To make it even more strange this behavior only show up with special computer models. Fujitsu Lifbook5511 and Lifebook7411.
A Lifebook5510 does NOT have this problem with vanishing client. The Problem with the 5511/7411 show up after ECM update from 2203 to 2207.

I have no more idear where to look for this problem. Checked logs and eventlog but nothing found until now.

Microsoft Configuration Manager
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sherry Kissinger 3,806 Reputation points
    2022-11-16T14:59:39.23+00:00

    If someone/something is running ccmsetup.exe /uninstall, that will be logged in the logs under %windir%\ccmsetup\logs.

    But... if something/someone is running something like "find ProductName like '%client%' in installed applications, and run the msiexec /x {Discovered GUID}", that wouldn't be logged there; that's something directly uninstalling the MSI, and not using the ccmsetup /uninstall routine.

    Basically I'm saying this might be difficult to track down what is doing that, at user login.

    Since it is "at user login", I'd potentially look at GPOs assigned to Users (not devices necessarily); but maybe someone made a GPO with a WMI Filter for just the Lifebook5511 / 7411.

    That would be very interesting, but apparently you have an interesting issue.

    1 person found this answer helpful.
    0 comments
  2. Kiessling, Rolf 1 Reputation point
    2022-11-17T06:54:47.527+00:00

    There is no GPO (User or Computer) dealing with any uninstalltions especialy no GPO with 5511/7411 WMI filter.

    Once I get access to a 5511 (probably Monday) will check the logfiles and eventview again searching deeper for GUID or ccmsetup.exe.

    Yesterday we got a brandnew 7412 (for the first time) and here also the Client vanish.
    The guy installalling this machine report that the client come back automatically after 10min.
    There was no client push from server nor could there be an old cued push since the machine was brand new in the system.
    Unfortunally I can't confirm this "coming back" with another machine as this was the only one and already shipped to the end user.
    But we had some 5511 runing over night with user logged in and here the client does not com back.
    So this 7412 has another different behavior.

    Hope you now have a guess how confused I'm about this very strange behavior.

    0 comments
  3. CherryZhang-MSFT 6,481 Reputation points
    2022-11-17T08:24:33.867+00:00

    Hi @Kiessling, Rolf ,

    We can try to track who deleted the ccm folders on Windows file servers by check Audit log. It can easily track these events in Windows security logs.

    You will have to follow these three steps:

    1. Enable “Audit Object Access” through GPO.
    2. Enable Auditing of Files and Folders.
    3. Track File and Folder Deletion Events in Event Viewer.

    For details about how to configure it, please check this link:
    Audit File and Folder Deletion on Windows File Servers (lepide.com)
    Note: Microsoft provides third-party contact information to help you understand the problem. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    Looking forward to your feedback.

    Best regards
    Cherry

  4. Kiessling, Rolf 1 Reputation point
    2022-11-21T08:35:14.673+00:00

    Update: With help of CherryZhang-MSFT Method I find 2 different events and it really look as someone or something trigger a msiexex.exe deinstalltion.
    But this information doesn't really help me.

    I will now reinstall the computer again (as error just occure once) and activate msi logging as mentioned here
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/application-management/enable-windows-installer-logging

    Ein Objekt wurde gelöscht.

    Antragsteller:
    Sicherheits-ID: SYSTEM
    Kontoname: BCHF9GGC$
    Kontodomäne: GIGA
    Anmelde-ID: 0x3E7

    Objekt:
    Objektserver: Security
    Handle-ID: 0x36c

    Prozessinformationen:
    Prozess-ID: 0x2d44
    Prozessname: C:\Windows\System32\msiexec.exe
    Transaktion-ID: {00000000-0000-0000-0000-000000000000}

    Ein Objekt wurde gelöscht.

    Antragsteller:
    Sicherheits-ID: SYSTEM
    Kontoname: BCHF9GGC$
    Kontodomäne: GIGA
    Anmelde-ID: 0x3E7

    Objekt:
    Objektserver: Security
    Handle-ID: 0x5e4

    Prozessinformationen:
    Prozess-ID: 0x138c
    Prozessname: C:\Windows\System32\msiexec.exe
    Transaktion-ID: {00000000-0000-0000-0000-000000000000}