Antimalware policy not applied to Windows 2019 servers

WZJ 101 Reputation points
2021-04-26T21:37:44.183+00:00

Hello ,
Our MECM is on version 2010, hotfix KB4594177.
I have found an issue: the antimalware policy works perfectly for all of our other Windows 2012 R2 and Windows 2016 servers, but not for Windows Server 2019. It is not applied to any of our 7 Windows 2019 servers, even though the Windows 2019 servers are included in the deployment collection.

EndpointProtectionAgent.log

<![LOG[Service startup notification received]LOG]!><time="13:15:23.360+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="fepsettingendpoint.cpp:297">
<![LOG[Endpoint is triggered by CCMTask Execute.]LOG]!><time="13:15:23.376+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="fepsettingendpoint.cpp:266">
<![LOG[Deployment WMI is NOT ready.]LOG]!><time="13:15:23.376+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="epagentimpl.cpp:920">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="13:15:43.957+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="fepsettingendpoint.cpp:155">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:226">
<![LOG[Handle EP AM policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="fepsettingendpoint.cpp:184">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentutil.cpp:1348">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="13:15:44.019+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="fepsettingendpoint.cpp:155">
<![LOG[Generate AM Policy XML while EP is disabled.]LOG]!><time="13:15:44.113+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:1272">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:226">
<![LOG[Handle EP Deployment policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="fepsettingendpoint.cpp:179">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[start to send State Message with topic type = 2001, state id = 1, and error code = 0x00000000]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:1628">
<![LOG[Start to send state message.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1321">
<![LOG[Send state message successfully]LOG]!><time="13:15:44.144+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1323">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="fepsettingendpoint.cpp:155">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:226">
<![LOG[Handle EP AM policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="fepsettingendpoint.cpp:184">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentutil.cpp:1348">
<![LOG[Generate AM Policy XML while EP is disabled.]LOG]!><time="15:08:51.828+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:1272">

Registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent]
"State"=dword:00000001
"PolicyApplicationState"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy]
"Default Client Antimalware Policy (Scan Schedule)"=dword:00000001
"RRC Standard EP Policy (Scan Schedule)"=dword:00000002
"Default Client Antimalware Policy (Threat Default Action)"=dword:00000001
"RRC Standard EP Policy (Threat Default Action)"=dword:00000002
"Default Client Antimalware Policy (Excluded)"=dword:00000002
"RRC Standard EP Policy (Excluded)"=dword:00000002
"Default Client Antimalware Policy (Realtime Config)"=dword:00000001
"RRC Standard EP Policy (Realtime Config)"=dword:00000002
"Default Client Antimalware Policy (Advance Setting)"=dword:00000001
"RRC Standard EP Policy (Advance Setting)"=dword:00000002
"RRC Standard EP Policy (Spynet)"=dword:00000002
"Default Client Antimalware Policy (Spynet)"=dword:00000001
"Default Client Antimalware Policy (Signature Update)"=dword:00000001
"RRC Standard EP Policy (Signature Update)"=dword:00000002
"RRC Standard EP Policy (Scan)"=dword:00000002
"Default Client Antimalware Policy (Scan)"=dword:00000001

Please help...

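Added example, not code from the original post or from Microsoft: a PowerShell triage script for one of the affected Server 2019 hosts. It parses the CMTrace-format EndpointProtectionAgent.log shown above (type 1 = Info, 2 = Warning, 3 = Error), reads the HKLM\SOFTWARE\Microsoft\CCM\EPAgent values from the posted registry export, checks whether Defender is actually installed and not switched off by Group Policy (the point raised in the first answer), and then re-requests machine policy so the client re-evaluates its client settings and antimalware policy. It assumes the default client install path under %windir%\CCM and must be run elevated on the server.

```powershell
# Added example, not from the original post. Run elevated on an affected Server 2019 client.
# Assumptions: default CM client install path; CMTrace log format as shown in the post.

$LogPath = Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'
$EpKey   = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent'

# One CMTrace record: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" ... type="N" ...>
# type 1 = Info, 2 = Warning, 3 = Error
$CmTracePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)".*?type="(?<type>\d)"'

function Parse-CMTraceLog {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        if ($line -notmatch $CmTracePattern) { continue }
        $level = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
        [pscustomobject]@{
            Date    = $Matches.date
            Time    = ($Matches.time -split '[+-]')[0]   # drop the UTC-offset suffix such as "+300"
            Level   = $level
            Message = $Matches.msg
        }
    }
}

$entries = Parse-CMTraceLog -Path $LogPath

# The lines that explain a non-applied policy: EP disabled, deployment WMI not ready, warnings/errors.
$entries |
    Where-Object { $_.Level -ne 'Info' -or $_.Message -match 'EP is disabled|Deployment WMI is NOT ready' } |
    Select-Object -Last 20 |
    Format-Table -AutoSize

# Registry view of the same agent state (State and PolicyApplicationState, plus the
# GeneratedPolicy entries), i.e. the values from the posted .reg export.
if (Test-Path $EpKey) {
    Get-ItemProperty -Path $EpKey | Select-Object State, PolicyApplicationState
    $gen = Get-Item -Path (Join-Path $EpKey 'GeneratedPolicy') -ErrorAction SilentlyContinue
    if ($gen) { $gen.GetValueNames() | ForEach-Object { '{0} = {1}' -f $_, $gen.GetValue($_) } }
}

# Is Defender present and running? Server 2019 ships with it, but the feature can be removed
# or the engine switched off by Group Policy, in which case the EP agent has nothing to manage.
Get-WindowsFeature -Name Windows-Defender | Select-Object Name, InstallState
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $PolKey) {
    # DisableAntiSpyware = 1 is the "Turn off Microsoft Defender Antivirus" policy.
    Get-ItemProperty -Path $PolKey | Select-Object DisableAntiSpyware
}

# Ask the client to re-download machine policy so client settings and the antimalware policy
# are re-evaluated. {00000000-0000-0000-0000-000000000021} is the Machine Policy Retrieval
# and Evaluation Cycle schedule ID.
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' }
```

After the trigger, tail the same log again: a healthy client logs "Handle EP AM policy." followed by a policy apply rather than "Generate AM Policy XML while EP is disabled." A "Deployment WMI is NOT ready." line right after service start is normal; the line to act on is the persistent "EP is disabled" one.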

4 additional answers

  1. SunnyNiu-MSFT 1,696 Reputation points
    2021-04-27T10:30:07.387+00:00

    @WZJ
    Here is an answer to your question that hopefully you find helpful!
    Have we verified that the Endpoint Protection client is actually installed yet?
    We may need to check and remove any group policies that may have been configured to disable Windows Defender on domain machines.

    We could try to follow the below troubleshooting steps:

    1. Create a new customized client setting > Disable “manage Endpoint Protection on the client computers” in this client setting.
    2. Create a collection to list those affected clients.
    3. Deploy the client settings to this customized collection.
    4. After 2 hours, ensure all the clients get this machine policy (we may manually trigger the "machine policy retrieval and evaluation cycle" on the CM client). They should report the state message to the CM server.
    5. Change the customized client setting to Enable “manage endpoint protection on the client computers”.
    6. After another 2 hours, the client can get the policy and upload the correct state to the CM server.

    In addition, We may also check the client settings applied on that device and see if there are custom settings that conflict with each other.
    (attached screenshot: 91687-1.png)


    If the response is helpful, please click "Accept Answer"and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
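Added example, not part of the answer above: the same disable-then-re-enable cycle performed from a Configuration Manager console host with the ConfigurationManager PowerShell module instead of the console. The site code, setting name, collection name and device names are placeholders; the setting toggled by Set-CMClientSettingEndpointProtection -Enable is "Manage Endpoint Protection client on client computers", and the parameter names should be checked against Get-Help on your own site server, since they are given here from memory of the module rather than from the page.

```powershell
# Added example, not from the answer. Run on a machine with the ConfigMgr console installed.
# Placeholders: site code ABC, setting/collection names, device names.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'ABC'
Set-Location "$($SiteCode):"

$SettingName    = 'EP Reset - Server 2019'
$CollectionName = 'EP Reset - Affected Server 2019'
$Servers        = @('SRV2019-01', 'SRV2019-02')   # placeholder device names

# Step 1: custom device client setting with "Manage Endpoint Protection client on client computers" = No.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}
Set-CMClientSettingEndpointProtection -Name $SettingName -Enable $false

# Step 2: collection of the affected clients (direct membership rules).
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' | Out-Null
}
foreach ($name in $Servers) {
    $dev = Get-CMDevice -Name $name
    if ($dev) {
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $dev.ResourceID
    }
}

# Step 3: deploy the custom setting to that collection.
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $CollectionName

# Step 4: wait for the clients to receive machine policy (the answer allows 2 hours; the default
# machine policy interval is 60 minutes) and report state. Then, step 5, flip the same setting back:
#   Set-CMClientSettingEndpointProtection -Name $SettingName -Enable $true
# and wait another cycle for the clients to pick up the re-enabled setting.
```

Custom device settings have a priority; if another custom setting with a higher priority also targets these servers and sets the Endpoint Protection group, it wins, which is the conflict the answer's last paragraph refers to. Check the resultant client settings on a device before concluding that this one took effect.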

  2. WZJ 101 Reputation points
    2021-04-28T13:30:33.203+00:00

    I still don't know why Windows 2019 needs these steps. Windows Security is installed on the server by default; we just need to deploy the policy to these Windows 2019 servers and make them managed servers. None of the Windows 2012 or 2016 servers needed these steps.


  3. SunnyNiu-MSFT 1,696 Reputation points
    2021-04-30T07:56:37.143+00:00

    @JanetWang-5269
    Here is an answer to your question that hopefully you find helpful!
    On these Windows 2019 servers, there is a setting in the client policy for Endpoint Protection that we must have missed at some point; by default it is set to NOT allow installing EP outside of maintenance windows.

    Set the “Allow Endpoint Protection client installation and restarts outside of maintenance windows…” to “Yes”.

    And then use the Manage Endpoint Protection client on client computers client setting to let Configuration Manager manage the installed Endpoint Protection client.

    Anti-malware policies can then be applied to Windows Server 2019 as normal.


    If the response is helpful, please click "Accept Answer"and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Sebastian Cerazy 306 Reputation points
    2022-02-05T20:46:37.913+00:00

    Oops! I forgot to add the deployment to a group of which the Server 2022 machine was a member!
    Once that was done and "synced" with SCCM, everything worked as expected!
