Friday, September 23, 2016

SCCM Client Health check fails with third party antivirus on Windows 10 computers

Previously I explained how the SCCM Client Health check process works; that post describes general troubleshooting steps for SCCM Client Health check issues.

Now to a specific issue: you are using a third-party (non-Microsoft) antivirus and the health check fails on Windows 10 computers. In ccmeval.log you will probably also see that these checks are failing:
- Verify/Remediate Antimalware service status for Windows 10 or up.
- Verify/Remediate Antimalware service startup type for Windows 10 or up.

The root cause is that the third-party antivirus (or a group policy you have applied) has disabled Windows Defender from starting, while the computer's Client Agent settings still state that Endpoint Protection has to be managed by the SCCM client.

To resolve the issue, you must remove the Endpoint Protection policy from the computer. If the SCCM client does not manage Endpoint Protection, the Client Health check will not perform tests against the Microsoft Antimalware and Windows Defender services.
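
To confirm which rules are failing and what the numeric result codes mean, the following added example (not part of the original post) parses ccmeval.log lines and lists the failing Antimalware rules with each ResultCode shown as an HRESULT. The function name `Get-CcmEvalAntimalwareFailure` and the lookup table are this example's own; the sample lines are the ones quoted in the first comment below.

```powershell
# Added example. Sample lines are the ones quoted in the first comment on this page
# (layout as copied from a log viewer: message, component, date, time, thread).
$sample = @'
Evaluating health check rule {B9274BD3-4B32-4B41-8E4D-7B0306D412CE} : Verify/Remediate Antimalware service startup type for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Result: Remediation Failed, ResultCode: -2147024891, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
Failed to start the service 'WinDefend', hr=80004005 CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
Result: Remediation Failed, ResultCode: -2147467259, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
'@ -split '\r?\n'

# Standard Windows HRESULT values for the two codes that appear in those lines.
$KnownHresults = @{
    '0x80070005' = 'E_ACCESSDENIED (access is denied)'
    '0x80004005' = 'E_FAIL (unspecified failure)'
}

function Get-CcmEvalAntimalwareFailure {
    param([string[]]$Line)
    $rule = $null
    foreach ($l in $Line) {
        # Drop the raw-file <![LOG[ ... ]LOG]!> wrapper, if present.
        $text = $l -replace '^<!\[LOG\[', '' -replace '\]LOG\]!>.*$', ''
        # Drop the trailing "CcmEval <date> <time> <thread>" columns, if present.
        $text = $text -replace '\s+CcmEval\s+\d{1,2}/\d{1,2}/\d{4}.*$', ''
        if ($text -match '^\s*Evaluating health check rule (\{[0-9A-Fa-f-]+\}) : (.+)$') {
            # The next Result line belongs to this rule.
            $rule = [pscustomobject]@{ Id = $Matches[1]; Name = $Matches[2] }
        }
        elseif ($rule -and $text -match '^\s*Result: ([^,]+), ResultCode: (-?\d+)') {
            $result = $Matches[1]
            # The log writes the HRESULT as a signed 32-bit integer; show it as hex.
            $hex = '0x{0:X8}' -f [int]$Matches[2]
            if ($rule.Name -like '*Antimalware*' -and $result -like '*Failed*') {
                $meaning = $KnownHresults[$hex]
                if (-not $meaning) { $meaning = 'not in the table above' }
                [pscustomobject]@{
                    RuleId = $rule.Id; Rule = $rule.Name; Result = $result
                    HResult = $hex; Meaning = $meaning
                }
            }
            $rule = $null
        }
    }
}

Get-CcmEvalAntimalwareFailure -Line $sample | Format-List
```

To check a client, pass the output of `Get-Content` on its ccmeval.log instead of `$sample`.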



4 comments:

  1. Hello, maybe you can help me on this. I started testing SCEP in my environment. I've uninstalled Symantec Endpoint Protection from my testing PCs and about half are getting issues in ccmeval.log about antimalware and failing client check for ccmeval. On machines that are failing ccmeval that I see I set up for SCEP, I see these errors in the ones that are failing:
    Evaluating health check rule {B9274BD3-4B32-4B41-8E4D-7B0306D412CE} : Verify/Remediate Antimalware service startup type for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Result: Remediation Failed, ResultCode: -2147024891, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Failed to start the service 'WinDefend', hr=80004005 CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Result: Remediation Failed, ResultCode: -2147467259, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Can you render any assistance on this?

  2. Hi, are you sure that all Symantec components are completely uninstalled? Something seems to be preventing Windows Defender service from starting.

    Replies
    1. Thanks for responding. I somehow managed to get SEP completely uninstalled on these PCs and now SCEP is working well. Components from SEP that should have been uninstalled weren't. Also, SCEP won't remove things completely if there is any password set on the permissions to uninstall SEP.

    2. Great, glad to hear that :)
