Missing Key HKLM>SOFTWARE> Microsoft>CCM>ExternalEventAgent

Duchemin, Dominique 2,006 Reputation points
2023-10-26T21:40:22.57+00:00

Hello,

I have installed, uninstalled and reinstalled System Center Endpoint Protection on several Windows Server 2016 but the registry: HKLM>SOFTWARE> Microsoft>CCM>ExternalEventAgent was never created.

Windows Defender Features is installed as well...

System Center Endpoint Protection is listed in Control Panel > Programs > Programs and features.

SCEP is not reporting to the console ...

  1. Uninstall SCEP 
  2. Uncheck Windows Defender features
  3. Reboot
  4. Check Windows Defender Features
  5. Install SCEP
  6. Machine Policy Retrieval 

Still no registry ...Any idea? Any log on this issue?

Thanks,

Dom

Microsoft Configuration Manager

2 answers

  1. AllenLiu-MSFT 46,371 Reputation points Microsoft Vendor
    2023-10-27T07:32:31.1066667+00:00

    Hi, @Duchemin, Dominique

    Thank you for posting in Microsoft Q&A forum.

    This issue occurs because the instance of the MSFT_MpComputerStatus class doesn't exist in the root\Microsoft\ProtectionManagement namespace. The client queries this instance to populate the related registry keys.

    Try the resolution in this article to see if it helps:

    https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/endpoint-protection/configmgr-console-shows-out-of-date-values#symptoms


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".


  2. Duchemin, Dominique 2,006 Reputation points
    2023-10-27T14:47:17.75+00:00

    Hello @AllenLiu-MSFT

    This has been tried several times, even with several platforms, and it does not resolve the issue; the registry is still missing:

    1. C:\ProgramData\Microsoft\Windows Defender\Platform<<Latest Version>>\ProtectionManagement.dll
       Verify the version
       Verify the file ProtectionManagement.dll exists
    2. Run Windows PowerShell ISE as Administrator
    3. Copy/paste the command

           Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path 'C:\ProgramData\Microsoft\Windows Defender\Platform<<latest version>>\ProtectionManagement.dll' -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate

           PS C:\Windows\system32> Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\protectionmanagement -Path 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\ProtectionManagement.dll' -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
           Successfully registered the provider.
           Warning: The provider DLL 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ProtectionManagement.dll' was built to be used with a MUI file, but no MUI file was specified in the registration. Localizable qualifiers' value will be displayed as resource IDs.

    4. Restart SMS Agent Host Service
    5. C:\Windows\ccm\cmtrace.exe
       5.a. Open the folder: logs
       5.b. ExternalEventAgent.log

           Service startup notification received ExternalEventAgent 10/26/2023 2:19:30 PM 6500 (0x1964)
           CExternalEventEndpoint::Execute, will collect fired events. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Collect fired events from last notification. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ATPHealthStatusStateMessage\SyncStatus with error 0x80070002. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Could not open the registry key SOFTWARE\Microsoft\CCM\ExternalEventAgent\Criterias\Differentiation\ATPHealthStatusStateMessage with error 0x80070002. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Failed to load previous values of Differentiation criteria ATPHealthStatusStateMessage with error 0x80070002. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Failed to load criteria before processing input. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Sent 0 state messages successfully and skipped 0 input entries. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)
           Send State Message finished. ExternalEventAgent 10/26/2023 2:19:30 PM 5688 (0x1638)

       5.c. StateMessage.log

           Processing PreStartup event StateMessage 10/26/2023 2:19:30 PM 6500 (0x1964)
           [IsClientOnVolatileDesktop] bVirtual=0 bMachineChangesPersisted=1 bAssignedToUser=1 bClientOnVolatileDesktop=0 StateMessage 10/26/2023 2:19:30 PM 6500 (0x1964)
           State message(State ID : 2:HEALTH_ATTESTATION_NOTSUPPORTED) with TopicType 8001:HAS_REPORT and TopicId 0 has been recorded for SYSTEM, priority 5 StateMessage 10/26/2023 2:19:34 PM 5224 (0x1468)
           Successfully forwarded State Messages to the MP StateMessage 10/26/2023 2:20:34 PM 6440 (0x1928)
           Received positive messaging acknowledgement message StateMessage 10/26/2023 2:20:34 PM 6440 (0x1928)
           State message with TopicType 2100:WP_CLIENT_DEPLOYMENT, and TopicId WPDeploymentState and State 1:WPCLIENT_NOT_INSTALLED has been updated StateMessage 10/26/2023 2:20:34 PM 6440 (0x1928)
           State message with TopicType 1600:USER_AFFINITY, and TopicId ad/anthonyg1_Auto1 and State 2:USER_AFFINITY_REMOVE has been updated StateMessage 10/26/2023 2:21:34 PM 5732 (0x1664)
           State message with TopicType 1600:USER_AFFINITY, and TopicId ad/rmppqx_Auto1 and State 2:USER_AFFINITY_REMOVE has been updated StateMessage 10/26/2023 2:21:34 PM 5732 (0x1664)

    6. Open Control Panel > System and Security > Configuration Manager
       Action Tab
       Machine Policy Retrieval & Evaluation Cycle: Click Run Now, Click OK
       Software Updates Scan Cycle: Click Run Now, Click OK
       Software Updates Deployment Evaluation Cycle: Click Run Now, Click OK

    Also the Class \VRPWINS1\root\Microsoft\ exists

    thanks,

    Dom

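The checks discussed in the two answers above, gathered into one read-only script. This is an added example, not code from the thread or from Microsoft; it assumes the client log folder is C:\Windows\CCM\Logs and reads the AMProductVersion property of MSFT_MpComputerStatus, while every other path and name is taken from the posts.

```powershell
# Added example, not from the thread. Read-only: it queries state and changes nothing.
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$namespace    = 'root\Microsoft\ProtectionManagement'
$regKey       = 'HKLM:\SOFTWARE\Microsoft\CCM\ExternalEventAgent'
# Assumption: client logs are in the "Logs" folder under C:\Windows\CCM.
$logFile      = 'C:\Windows\CCM\Logs\ExternalEventAgent.log'

# 1. Newest platform folder (names look like 4.18.23090.2008-0) and its provider DLL.
$latest = Get-ChildItem -Path $platformRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+){1,3}(-\d+)?$' } |
    Sort-Object { [version]($_.Name -replace '-\d+$') } |
    Select-Object -Last 1
$dllPath = if ($latest) { Join-Path $latest.FullName 'ProtectionManagement.dll' }

# 2. The instance the client queries to populate the registry keys.
$instance = $null
$cimError = 'query returned no instance'
try {
    $instance = Get-CimInstance -Namespace $namespace -ClassName MSFT_MpComputerStatus -ErrorAction Stop
} catch {
    $cimError = $_.Exception.Message
}

# 3. Registry keys the agent log says it could not open.
#    0x80070002 is the HRESULT form of ERROR_FILE_NOT_FOUND (the key does not exist).
$missing = @()
if (Test-Path -LiteralPath $logFile) {
    $pattern = 'Could not open the registry key (\S+) with error (0x[0-9A-Fa-f]{8})'
    $missing = Select-String -LiteralPath $logFile -Pattern $pattern |
        ForEach-Object { '{0} ({1})' -f $_.Matches[0].Groups[1].Value, $_.Matches[0].Groups[2].Value } |
        Sort-Object -Unique
}

# 4. One summary object, so results from several servers can be compared.
[pscustomobject]@{
    LatestPlatform        = if ($latest) { $latest.Name } else { 'not found' }
    ProviderDllPresent    = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
    MpComputerStatus      = if ($instance) { "present (AMProductVersion $($instance.AMProductVersion))" } else { "missing: $cimError" }
    ExternalEventAgentKey = Test-Path -LiteralPath $regKey
    KeysLogReportsMissing = $missing -join '; '
} | Format-List
```

Run it from an elevated PowerShell session on the affected server; a missing MpComputerStatus instance together with a missing ExternalEventAgent key matches the cause described in the first answer.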
