Windows Defender Installation with SCCM Environment in SOPHOS

Dominique DUCHEMIN 831 Reputation points
2020-12-18T19:16:39.76+00:00

Hello,

I have several groups using the same SCCM environment 2006.
I installed the Endpoint Protection Point role as some groups (Desktops) are moving from SOPHOS AV to Windows Defender AV. The other groups (Servers) are staying with SOPHOS.
I noticed an error on the two servers (Primary Prod & Test) linked to this new role:

HRESULT: 0x8004FF73
Description: System Center Endpoint Protection requires Windows Defender to be installed. Your version of Windows requires that Windows Defender is installed in order to be managed by System Center Endpoint Protection. For more information, see online Help.
Error code: 0x8004FF73.

  1. Do I need Windows Defender on servers, at least the Primary servers hosting the role "Endpoint Protection Point"?
  2. Is there any impact keeping SOPHOS on the servers and having Windows Defender on the Desktops?

Thanks,
Dom

Microsoft Configuration Manager

11 answers

  1. Duchemin, Dominique 2,006 Reputation points
    2022-05-17T02:04:38.457+00:00

    Hello,

    I am trying to deploy the Script:

    Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table
    Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart
    Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart
    Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

    202554-2022-05-16-19-00-21-microsoft-defender-endpoint-wi.png

    Through a Task Sequence:
    202454-2022-05-16-19-02-07-microsoft-defender-endpoint-ta.png
    But nothing reaches the Client...

    PolicyAgent.log

    Requesting Machine policy assignments from authority 'SMS:UCP' 5/16/2022 3:52:50 PM 10816 (0x2A40)

    AppDiscovery.log

    Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda" AND Revision = 7)" 5/16/2022 3:53:04 PM 7784 (0x1E68)
    Performing detection of app deployment type ISS - Servers - Deployment Windows Defender Features(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, revision 7) for system. 5/16/2022 3:53:05 PM 7784 (0x1E68)
    +++ Application not discovered. [AppDT Id: ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, Revision: 7] 5/16/2022 3:53:05 PM 7784 (0x1E68)
    +++ Did not detect app deployment type ISS - Servers - Deployment Windows Defender Features(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda, revision 7) for system. 5/16/2022 3:53:05 PM 7784 (0x1E68)

    AppIntentEval.log

    No dependencies for DeploymentType ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda/7. 5/16/2022 3:53:05 PM 10816 (0x2A40)
    * Evaluating Application policies for Machine 5/16/2022 3:53:05 PM 10816 (0x2A40)
    DT id = ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/RequiredApplication_3a515382-88c6-4987-b3df-2b5c12241f69/10, technology = Script 5/16/2022 3:53:05 PM 10816 (0x2A40)
    ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_b233b12d-6191-4372-bf7f-28a4970afeda/7 :- Current State = NotInstalled, Applicability = Applicable, ResolvedState = Available, ConfigureState = NotNeeded, Title = ISS - Servers - Deployment Windows Defender Features 5/16/2022 3:53:05 PM 10816 (0x2A40)
    ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/Application_3a515382-88c6-4987-b3df-2b5c12241f69/10 :- Current State = NotInstalled, Applicability = Applicable, ResolvedState = Available, ConfigureState = NotNeeded, Title = ISS - Servers - Installation Windows features 5/16/2022 3:53:05 PM 10816 (0x2A40)

    AppDiscovery.log

    Nothing

    CAS.log

    Nothing

    Any idea where to look?
    Thanks,
    Dom

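    An added example, not part of the original post: one PowerShell script that serves both as the install command and as the detection script for the two features named above. The function names and the `-Mode` parameter are hypothetical; the script assumes the `State` and `RestartNeeded` properties returned by the DISM cmdlets and ConfigMgr's script-detection convention.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example, not from the thread. Function names are hypothetical.
    param([ValidateSet('Install', 'Detect')][string]$Mode = 'Detect')

    $FeatureNames = 'Windows-Defender-Features', 'Windows-Defender'   # names used in the post

    function Get-DefenderFeatureState {
        # Map each feature name to its DISM state (Enabled, Disabled, EnablePending, ...).
        $states = @{}
        foreach ($name in $FeatureNames) {
            $feature = try { Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop } catch { $null }
            $states[$name] = if ($feature -and $feature.State) { [string]$feature.State } else { 'NotFound' }
        }
        return $states
    }

    function Install-DefenderFeature {
        # Enable what is not enabled yet. Returns 0 (done), 3010 (reboot pending) or 1 (failed).
        $restart = $false
        $states = Get-DefenderFeatureState
        foreach ($name in $FeatureNames) {
            $state = $states[$name]
            if ($state -eq 'Enabled') { continue }
            if ($state -eq 'EnablePending') { $restart = $true; continue }
            if ($state -eq 'NotFound') { Write-Warning "$name is not offered by this OS"; return 1 }
            try {
                $result = Enable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart -ErrorAction Stop
                if ($result.RestartNeeded) { $restart = $true }
            } catch {
                Write-Warning "Enabling $name failed: $($_.Exception.Message)"
                return 1
            }
        }
        if ($restart) { return 3010 }
        return 0
    }

    function Test-DefenderFeatureInstalled {
        # True only when every feature reports Enabled (a pending enable is not yet installed).
        $notEnabled = (Get-DefenderFeatureState).Values | Where-Object { $_ -ne 'Enabled' }
        return -not $notEnabled
    }

    if ($Mode -eq 'Install') { exit (Install-DefenderFeature) }

    # Detect mode: ConfigMgr script detection reads "exit code 0 plus text on STDOUT" as installed.
    if (Test-DefenderFeatureInstalled) { Write-Output 'Installed' }
    exit 0
    ```

    Returning 3010 from the install path lets the deployment record a pending restart instead of a failure while the features sit in `EnablePending`.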

  2. Duchemin, Dominique 2,006 Reputation points
    2022-05-17T13:43:37.29+00:00

    Hello,

    After rebooting the server the features were installed successfully.... Now placing them in a Task Sequence to have all steps:

    • Uninstall Sophos
    • Add "Windows Defender"
    • Install Microsoft Defender Endpoint

    202862-2022-05-17-7-01-55-vrpsccmrs01-task-sequence.png

    The task sequence is set but failed ...
    202798-2022-05-17-6-59-43-vrpsccmrs01-smsts-log.png

    I found one error:
    '\\VRPSCCMPR01\Source\Application\Sophos' 5/17/2022 6:58:50 AM 4156 (0x103C)
    CMD.EXE was started with the above path as the current directory. 5/17/2022 6:58:50 AM 4156 (0x103C)
    UNC paths are not supported. Defaulting to Windows directory. 5/17/2022 6:58:50 AM 4156 (0x103C)
    '"SOPHOS Uninstallation.bat"' is not recognized as an internal or external command, 5/17/2022 6:58:50 AM 4156 (0x103C)
    operable program or batch file. 5/17/2022 6:58:50 AM 4156 (0x103C)
    Command line is being logged ('OSDDoNotLogCommand' is not set to 'True') 5/17/2022 6:58:50 AM 4156 (0x103C)

    Reviewing the location of the command line...

    • Should I copy it from F:\Source\Application\Sophos on the Primary Server to a local folder on the client?
    • Is it already copied somewhere? ccmcache (like for a regular deployment)?
    • What are the next steps to have the .bat file available for this Task Sequence on all clients...?
      . Add a package ?
      202846-2022-05-17-11-02-04-sophos-deployment-package.png
      . Deploy an application?
      202916-2022-05-17-10-56-09-sophos-deployment-application.png
      . Something else

    **Which logs will be the ones to review for the progress of the Task Sequence?
    On the client: F:\SMS_CCM\Logs\SMSTS.log
    On the Site Server???**

    I see the task sequence in the Monitoring pane but I do not see anything on the client?
    202888-2022-05-17-13-16-58-task-sequence-set-but-not-goin.png

    On the site server I have...
    202839-2022-05-17-13-21-56-site-server-logs.png

    Thanks,
    Dom


  3. Duchemin, Dominique 2,006 Reputation points
    2022-05-18T00:40:09.257+00:00

    Hello,

    The reason the deployment did not start was that it had reached its expiration date/time:

    ---------------------------------------------------------------------------------------------------------------------------------

    | Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
    |---|---|---|---|---|---|---|---|
    | Warning | Milestone | UCP | 5/17/2022 1:29:21 PM | VRPSCCMRS01 | Software Distribution | 10019 | Deployment "UCP20828" from site "UCP" was rejected because the deployment has expired. Possible cause: The client received the deployment but rejected it because the deployment expiration date is past. Solution: If the client should accept the deployment, you can extend the life of the deployment by changing the expiration date and time or disabling expiration on the Schedule tab of the deployment's properties. Changes to the Deployment's Properties dialog box will not be detected until the client receives updated policy. |

    ---------------------------------------------------------------------------------------------------------------------------------

    So now I see it in the software Center on the Client...

    ---------------------------------------------------------------------------------------------------------------------------------

    | Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
    |---|---|---|---|---|---|---|---|
    | Information | Milestone | UCP | 5/17/2022 4:09:32 PM | VRPSCCMRS01 | Software Distribution | 10002 | Deployment "UCP20828" was received from site "UCP". The client passes any supported platform requirements and Configuration Manager will add the Deployment's program to the list that will be displayed to users and/or run via assignment. If a deployment is received but not displayed on a client, verify that the current time on the client is between the deployment start and expiration times, and that the program specified in the deployment is enabled. |
    | Information | Audit | UCP | 5/17/2022 4:08:36 PM | VRPSCCMPR01.ad | Microsoft.ConfigurationManagement.exe | 30007 | User "" modified the deployment properties of a deployment named "ISS-Servers-DeployMicrosoftDefenderEndpoint_UCP00C89_ISS-Servers-DeploymentMicrosoftDefenderEndpoint-TEST-Limitedto1server" (UCP20828) deploying program "*". |

    ---------------------------------------------------------------------------------------------------------------------------------

    But still failing.
    202859-2022-05-17-17-40-43-microsoft-defender-endpoint-de.png

    I do not see any data in the F:\SMS_CCM\Logs\smsts.log for the period of time after 4:08 pm...

    -------------------------------------------------------------------------------------------------------------------------------
    The Certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] issued to 'VRPSCCMRS01.ad' doesn't have 'Client Authentication' capability. 5/17/2022 7:07:59 AM 8916 (0x22D4)
    Completed validation of Certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] issued to 'VRPSCCMRS01.ad' 5/17/2022 7:07:59 AM 8916 (0x22D4)
    The certificate [Thumbprint 6C9FC6EFB7632286E235645683F7319DC80795FE] found using 'VRPSCCMRS01.ad' as cert name is not valid for ConfigMgr usage. 5/17/2022 7:07:59 AM 8916 (0x22D4)
    Client selected the PKI Certificate [Thumbprint 327D911DDFE65BD7E344E0861B7C3F3CA3334C87] issued to 'VRPSCCMRS01.ad' 5/17/2022 7:07:59 AM 8916 (0x22D4)
    SSL, using authenticator in request. 5/17/2022 7:07:59 AM 8916 (0x22D4)
    Successfully finalized logs to SMS client log directory from F:\SMS_CCM\Logs 5/17/2022 7:07:59 AM 8916 (0x22D4)

    --------------------------------------------------------------------------------------------------------------------------------

    Any other logs to check?

    Thanks,
    Dom


  4. Duchemin, Dominique 2,006 Reputation points
    2022-05-18T03:26:41.723+00:00

    Hello,

    Uninstallation of SOPHOS:

    REM Uninstallation of Sophos

    REM Stop the AutoUpdate Service
    net stop "Sophos AutoUpdate Service"

    REM Sophos Remote Management System
    REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FED1005D-CBC8-45D5-A288-FFC7BB304121}
    MsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn /L*v %windir%\Temp\Uninstall_SRMS_Log.txt

    REM Sophos Anti-Virus
    REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{723D5504-CE98-4785-AF5F-E91E250086B3}
    MsiExec.exe /X{723D5504-CE98-4785-AF5F-E91E250086B3} /qn /L*v %windir%\Temp\Uninstall_SAV_Log.txt

    REM Sophos AutoUpdate
    REM HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{644ADF05-0B2E-452C-B720-3CF1580A9368}
    MsiExec.exe /X{644ADF05-0B2E-452C-B720-3CF1580A9368} /qn /L*v %windir%\Temp\Uninstall_SAU_Log.txt

    REM Sophos Endpoint Defense
    REM HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sophos Endpoint Defense
    "C:\Program Files\Sophos\Endpoint Defense\SEDuninstall.exe" /qn /L*v %windir%\Temp\Uninstall_SDE_Log.txt

    RESTART

    It never got uninstalled

    Then Add Windows Defender Feature

    Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

    Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart
    Enable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart
    Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender*" | Format-Table

    When the Task Sequence is seen on the Software Center on the client...
    202988-2022-05-17-20-24-16-microsoft-endpoint-defender-01.png

    Then I click install...
    203036-2022-05-17-20-27-13-microsoft-defender-endpoint-02.png

    Any logs to check? The smsts.log is empty.
    Not sure which step(s) failed!!!???

    F:\_SMSTaskSequence folder is empty

    Thanks,
    Dom

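    An added example, not part of the original post: a PowerShell sketch that runs the three MSI removals from the batch file above one at a time and records each msiexec exit code, so the failing step can be identified. The function name is hypothetical, the product codes are the ones quoted in the post, and the `SEDuninstall.exe` step is left out because its command-line switches are not documented on this page.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example, not from the thread. Function name is hypothetical.
    # Product codes are the ones quoted in the batch file above.
    $Products = [ordered]@{
        'Sophos Remote Management System' = '{FED1005D-CBC8-45D5-A288-FFC7BB304121}'
        'Sophos Anti-Virus'               = '{723D5504-CE98-4785-AF5F-E91E250086B3}'
        'Sophos AutoUpdate'               = '{644ADF05-0B2E-452C-B720-3CF1580A9368}'
    }
    # msiexec exit codes that do not mean failure.
    $Benign = @{ 0 = 'removed'; 1605 = 'not installed'; 3010 = 'removed, reboot required' }

    function Remove-MsiProduct {
        param([string]$Name, [string]$ProductCode)
        # One verbose log per product, named after the product.
        $log = Join-Path $env:windir ("Temp\Uninstall_{0}.log" -f ($Name -replace '\W', '_'))
        $msiArgs = "/x $ProductCode /qn /norestart /L*v `"$log`""
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        [pscustomobject]@{
            Product  = $Name
            ExitCode = $proc.ExitCode
            Outcome  = if ($Benign.ContainsKey($proc.ExitCode)) { $Benign[$proc.ExitCode] } else { 'FAILED' }
            Log      = $log
        }
    }

    $results = foreach ($entry in $Products.GetEnumerator()) {
        Remove-MsiProduct -Name $entry.Key -ProductCode $entry.Value
    }
    # Print the per-product summary so it lands in the deployment's captured output.
    $results | Format-Table -AutoSize | Out-String | Write-Host

    if ($results.Outcome -contains 'FAILED') { exit 1 }
    if ($results.ExitCode -contains 3010) { exit 3010 }
    exit 0
    ```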

  5. Duchemin, Dominique 2,006 Reputation points
    2022-05-18T15:47:39.943+00:00

    Hello,

    Found out that even though the Task Sequence contains the bat file as a Run Command Line step, I need to distribute the content of the same file through a package attached to the Task Sequence.
    203266-2022-05-18-8-37-05-sophos-uninstallation.png
    203304-2022-05-18-8-35-14-sophos-uninstallation.png

    Then the "Windows Defender" got added ...
    203254-2022-05-18-8-56-25-features-added.png

    One more step...
    Now failing on another step !!!

    SMSTS.log

    | Severity | Type | Site code | Date / Time | System | Component | Message ID | Description |
    |---|---|---|---|---|---|---|---|
    | Error | Milestone | UCP | 5/18/2022 7:36:20 AM | VRPSCCMRS01 | Task Sequence Manager | 11170 | The task sequence manager could not successfully complete execution of the task sequence. A failure exit code of 16389 was returned. |
    | Error | Milestone | UCP | 5/18/2022 7:35:50 AM | VRPSCCMRS01 | Task Sequence Engine | 11141 | The task sequence execution engine failed execution of a task sequence. The operating system reported error 2147500037: Unspecified error |

    Thanks,
    Dom
