ConfigMgr Endpoint Protection Point Failure–0x80070643 or -2147023293

Just a quick workaround post here. I was working with a customer recently who had a newly provisioned Configuration Manager with all GPOs and their standard server products installed. As part of the install, the Endpoint Protection Point was required so that they could use and manage System Center Endpoint Protection/Windows Defender. After picking up from a colleague, I realised that this role had not actually installed despite the role being added.

There were failure in the status messages and also in EPSetup.log I could see exit codes for the installer:

SCEPInstall.exe returns 0x80070643

SMSEP could not be installed. The return code was -2147023293

image

This translates simply to “Fatal error during installation” which I could figure out using the CMTrace error lookup feature.

image

That’s a fairly generic error but it does focus around the SCEPInstall.exe which as we know is the AV installation or in Server 2016 is Windows Defender.

Considering the facts of this one I soon realised that the problem was Defender was disabled and could not be switched on. An installation of SCEP or Windows Defender is required on the server that will host the Endpoint Protection role. My understanding of this is that it is used to download and verify the definition files. (Happy to be corrected though). Regardless, it’s needed. 

clip_image001

Checking the server I could indeed confirm that Defender was disabled, however it was disabled by group policy. The easiest way to get around this would be to speak to your friendly AD and/or security person and have them make an exception for this server. If that’s not an option, there is another way, you’re probably not well advised to do this but be aware there is another way and you make your choice.

As a local Administrator, hit start, run “Edit group policy”

clip_image002

Browse through to Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Look for the policy “Turn off Windows Defender” which is likely to be enabled.

clip_image003

Now you need to disable this setting which should then enable you to switch Defender on.

clip_image004

Don’t enable Defender manually though, the Endpoint Protection point installer will do it’s magic. You can either wait upto an hour or manually make it do the magic by restarting the SMS_SITE_COMPONENT_MANAGER role.

To do this we need to fire up the Configuration Manager Service Manager through the ConfigMgr console. There’s a few ways to do this but:

Browse to Monitoring > System Status > Component Status. Right click any component and go to Start > Configuration Manager Service Manager.

image

Now find the SMS_SITE_COMPONENT_MANAGER component (it will be on a primary site server) and restart it. (Query, Stop, Start)

#image

Within a few minutes the Endpoint Protection point should attempt a re-install. Monitor the EPSetup.log file and you should see the role installation complete.

image

Also, if you now re-visit settings in Windows you should see the change reflected.

clip_image007

So that’s the workaround, but you should absolutely check with your security person for any implications. You’ve been warned, don’t blame me Smile

/Peter

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.