Endpoint Protection Control Manager critical post SCCM 1511 upgrade


Not an issue with the actual upgrade process itself, but one caused by upgrading the site, and hence the roles, to release 1511. After upgrading I noticed that the Endpoint Protection Control Manager was reporting as critical.

In Component Status the following errors were reported:

‘Site Component Manager failed to install component SMS_ENDPOINT_PROTECTION_CONTROL_MANAGER on server <siteserver> SCEPInstall.exe returns error 0x80070006.’

and

‘Site Component Manager failed to reinstall this component on this site system. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in 60 minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.’

Checking the EPSetup.log file I noticed that SCEP was failing to be detected:

‘File D:\Microsoft Configuration Manager\Client\SCEPInstall.exe version is 4.7.214.0.
Failed to detect whether SCEP client is installed with error = 0x80070006
 SMSEP could not be installed. The return code was -2147024890′

ConfigMgr needs to be able to access the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client’ to be able to perform this check.

I checked the permissions on that registry key and no access was granted to the ConfigMgr site server. So to fix the problem I added local administrators with full access to the key. Why didn’t the ConfigMgr site server have access? Quite simply, a GPO had been set to allow access to a particular AD group.
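The permission check described above can be scripted so it is repeatable before and after a GPO change. This is an added example, not part of the original post: the function name `Test-KeyReadAccess` is hypothetical, and checking SYSTEM alongside local Administrators is an assumption (the post only mentions local administrators).

```powershell
# Added example: audit the ACL on the key that the SCEP detection step reads.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client'

# Assumption: principals worth checking, identified by well-known SID so the
# result does not depend on localized account names.
$Expected = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
}

function Test-KeyReadAccess {
    param([string]$Path, [System.Collections.IDictionary]$Principals)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Missing key, or the caller cannot even read the security descriptor.
        Write-Warning "Cannot read ACL on '$Path': $($_.Exception.Message)"
        return
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $read  = [System.Security.AccessControl.RegistryRights]::ReadKey

    foreach ($sid in $Principals.Keys) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $read) -eq $read })
        $deny  = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and ($_.RegistryRights -band $read) -ne 0 })

        # Only ACEs naming this SID directly are examined; access gained through
        # membership of another group is not evaluated here.
        [pscustomobject]@{
            Principal   = $Principals[$sid]
            Sid         = $sid
            ReadAllowed = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            DenyEntries = $deny.Count
            Inherited   = [bool]($allow | Where-Object IsInherited)
        }
    }
}

Test-KeyReadAccess -Path $KeyPath -Principals $Expected | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session on the site server. A `ReadAllowed` value of `False` for both rows matches the locked-down state described here.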

After adding this, I removed the Endpoint role from the site server, allowed it to uninstall and then added it back in.

‘ ======== Completed Installation of Pre Reqs for Role SMSEP ========
Installing the SMSEP
Passed OS version check.
File D:\Microsoft Configuration Manager\Client\SCEPInstall.exe version is 4.7.214.0.
EP version 4.5.216.0 is already installed.
EP 4.5.216.0 is installed, version is lower than expected installer version 4.7.214.0.
Invoking process “D:\Microsoft Configuration Manager\Client\SCEPInstall.exe” /s /q /noreplace /policy “D:\Microsoft Configuration Manager\Client\EP_DefaultPolicy.xml”
CreateProcess: D:\Microsoft Configuration Manager, “D:\Microsoft Configuration Manager\Client\SCEPInstall.exe” /s /q /noreplace /policy “D:\Microsoft Configuration Manager\Client\EP_DefaultPolicy.xml”
CreateProcess: 0
Installation was successful.
~RoleSetup().’

Happy Holidays!

 

2 comments

  1. I’m not sure if I understand this… The lack of permissions on the reg key made the Endpoint role to be updated. Is the role installed on the ConfigMgr server or a different server (I assume the same…)… Should we also give local administrator to the “ConfigMgr” in the ConfigMgr server? That’s the part I didn’t get…

  2. This is a role in the site server. GPO has locked down access to that reg key, so SCEP would not uninstall the older release, and therefore the reinstall of the SCEP role as part of the upgrade to 1511 failed.
