Friday, September 23, 2016

SCCM Client Health check fails with third party antivirus on Windows 10 computers

Previously I explained how the SCCM Client Health check process works; that post describes general troubleshooting steps for SCCM Client Health check issues.

Now for a specific issue: you are using a third-party (non-Microsoft) antivirus and the health check fails on Windows 10 computers. In ccmeval.log you will probably also see that these checks are failing:
- Verify/Remediate Antimalware service status for Windows 10 or up.
- Verify/Remediate Antimalware service startup type for Windows 10 or up.

The root cause is that the third-party antivirus (or a group policy you have applied) has disabled Windows Defender from starting, while at the same time the computer is still set to have Endpoint Protection managed in Client Agent settings.

To resolve the issue, you must remove the Endpoint Protection policy from the computer. If the SCCM client does not manage Endpoint Protection, the Client Health check will not perform tests against the Microsoft Antimalware and Windows Defender services.
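
To confirm that a client is hitting this case, the script below (an added example, not part of the original post) pulls the failed health check rules out of CcmEval log lines and converts the signed ResultCode into the HRESULT it represents. The function name `Get-CcmEvalFailure`, the default log path in the comment, and the `*Failed*` filter are assumptions; the sample lines are the ones quoted in the comments on this page.

```powershell
# Added example. Sample lines are copied from the log excerpt quoted in the
# comments on this page. To analyse a real client instead, pass the output of
# Get-Content "$env:windir\CCM\Logs\CcmEval.log" (assumed default log location).
$sample = @'
Evaluating health check rule {B9274BD3-4B32-4B41-8E4D-7B0306D412CE} : Verify/Remediate Antimalware service startup type for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Result: Remediation Failed, ResultCode: -2147024891, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
Failed to start the service 'WinDefend', hr=80004005 CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
Result: Remediation Failed, ResultCode: -2147467259, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
'@ -split '\r?\n'

# Well-known HRESULT values that appear in the excerpt.
$known = @{ '0x80070005' = 'E_ACCESSDENIED'; '0x80004005' = 'E_FAIL' }

function Get-CcmEvalFailure {
    param([Parameter(Mandatory)][string[]]$Line)
    $rule = $null
    foreach ($l in $Line) {
        # Rule header: GUID plus description, in CMTrace view or raw <![LOG[...]LOG]!> form.
        if ($l -match 'Evaluating health check rule (\{[0-9A-Fa-f-]+\}) : (.+?)(?=\]LOG\]|\s+CcmEval\s|$)') {
            $rule = [pscustomobject]@{ Id = $Matches[1]; Name = $Matches[2].Trim() }
        }
        # A Result line belongs to the most recent rule header; keep only failures.
        elseif ($rule -and $l -match 'Result: ([^,]+), ResultCode: (-?\d+)') {
            $result, $code = $Matches[1], [int]$Matches[2]
            if ($result -like '*Failed*') {
                $hr = '0x{0:X8}' -f $code   # signed decimal -> HRESULT hex
                [pscustomobject]@{
                    RuleId  = $rule.Id
                    Rule    = $rule.Name
                    Result  = $result
                    HResult = $hr
                    Meaning = $known[$hr]
                }
            }
            $rule = $null
        }
    }
}

Get-CcmEvalFailure -Line $sample | Format-List

# Compare with the actual service state on the client (Windows only).
Get-Service -Name WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If both antimalware rules are reported as failed while `WinDefend` shows a `Disabled` start type, the client matches the situation described above.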



7 comments:

  1. Hello, maybe you can help me on this. I started testing SCEP in my environment. I've uninstalled Symantec Endpoint Protection from my testing PCs and about half are getting issues in ccmeval.log about antimalware and failing client check for ccmeval. On machines that are failing ccmeval that I see I set up for SCEP, I see these errors in the ones that are failing:
    Evaluating health check rule {B9274BD3-4B32-4B41-8E4D-7B0306D412CE} : Verify/Remediate Antimalware service startup type for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Result: Remediation Failed, ResultCode: -2147024891, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up. CcmEval 11/13/2018 9:51:45 AM 7308 (0x1C8C)
    Attempting to change service status for service 'WinDefend' to 'Running'. CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Failed to start the service 'WinDefend', hr=80004005 CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Result: Remediation Failed, ResultCode: -2147467259, ResultType: 200, ResultDetail: CcmEval 11/13/2018 9:51:46 AM 7308 (0x1C8C)
    Can you render any assistance on this?

  2. Hi, are you sure that all Symantec components are completely uninstalled? Something seems to be preventing Windows Defender service from starting.

    1. Thanks for responding. I somehow managed to get SEP completely uninstalled on these PCs and now SCEP is working well. Components from SEP that should have been uninstalled weren't. Also, SCEP won't remove things completely if there is any password set on the permissions to uninstall SEP.

    2. Great, glad to hear that :)

    3. Jonathan, I'm in the same situation. Is there something particular you had to look for that was left over from SEP?

  3. I first had to make sure the team removed the password from the uninstall of SEP. Running the uninstall locally then did most of the work for me. In a couple of cases, if I recall correctly, I had to use the Symantec clean wipe program. https://support.symantec.com/en_US/article.HOWTO74877.html

  4. Thanks for the blog loaded with so much information. Stopping by your blog helped me to get what I was looking for. koktale
