Just a quick workaround post here. I was working with a customer recently who had a newly provisioned Configuration Manager with all GPOs and their standard server products installed. As part of the install, the Endpoint Protection Point was required so that they could use and manage System Center Endpoint Protection/Windows Defender. After picking up from a colleague, I realised that this role had not actually installed despite the role being added.
There were failures in the status messages, and in EPSetup.log I could also see exit codes for the installer:
SCEPInstall.exe returns 0x80070643
SMSEP could not be installed. The return code was -2147023293
This translates simply to “Fatal error during installation” which I could figure out using the CMTrace error lookup feature.
That’s a fairly generic error, but it does point at SCEPInstall.exe, which is the SCEP antivirus installer (on Server 2016, Windows Defender).
Considering the facts of this one I soon realised that the problem was Defender was disabled and could not be switched on. An installation of SCEP or Windows Defender is required on the server that will host the Endpoint Protection role. My understanding of this is that it is used to download and verify the definition files. (Happy to be corrected though). Regardless, it’s needed.
Checking the server I could indeed confirm that Defender was disabled, however it was disabled by group policy. The easiest way to get around this would be to speak to your friendly AD and/or security person and have them make an exception for this server. If that’s not an option, there is another way; you’re probably not well advised to do this, but be aware that it exists and make your own choice.
As a local Administrator, hit start, run “Edit group policy”
Browse through to Computer Configuration > Administrative Templates > Windows Components > Windows Defender
Look for the policy “Turn off Windows Defender” which is likely to be enabled.
Now you need to disable this setting which should then enable you to switch Defender on.
Don’t enable Defender manually though, the Endpoint Protection point installer will do its magic. You can either wait up to an hour or manually make it do the magic by restarting the SMS_SITE_COMPONENT_MANAGER role.
To do this we need to fire up the Configuration Manager Service Manager through the ConfigMgr console. There are a few ways to do this, but:
Browse to Monitoring > System Status > Component Status. Right click any component and go to Start > Configuration Manager Service Manager.
Now find the SMS_SITE_COMPONENT_MANAGER component (it will be on a primary site server) and restart it. (Query, Stop, Start)
Within a few minutes the Endpoint Protection point should attempt a re-install. Monitor the EPSetup.log file and you should see the role installation complete.
Also, if you now re-visit settings in Windows you should see the change reflected.
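As an added example (not from the original post), the following PowerShell script does the diagnosis side of the above in one place: it decodes the installer exit code seen in EPSetup.log, and checks whether the "Turn off Windows Defender" policy is what is holding Defender off. Assumptions: it runs in an elevated PowerShell on the site system hosting the Endpoint Protection point; the policy is read from the DisableAntiSpyware value under the Windows Defender policies key, which is where both local and domain GPO write that setting; Get-MpComputerStatus is only used if the Defender module is present; and the Restart-SiteComponentManager function restarts the SMS_SITE_COMPONENT_MANAGER Windows service as an alternative to the console's Service Manager (the sample log lines are constructed from the two lines quoted above).

```powershell
# Added example, not from the original post. Assumes an elevated session on
# the site system that hosts the Endpoint Protection point.

# The "Turn off Windows Defender" policy (local or domain GPO) writes this value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Constructed sample of the two EPSetup.log lines quoted in the post.
$SampleLog = @(
    'SCEPInstall.exe returns 0x80070643',
    'SMSEP could not be installed. The return code was -2147023293'
)

function ConvertFrom-InstallerExitCode {
    # Both forms of the code (signed decimal and HRESULT) carry the Win32 error
    # in the low 16 bits: 0x643 = 1603 = ERROR_INSTALL_FAILURE.
    param([Parameter(Mandatory)][int64]$Code)
    $hresult = [uint32]($Code -band 4294967295)
    $win32   = [int]($hresult -band 0xFFFF)
    $message = ([System.ComponentModel.Win32Exception]::new($win32)).Message
    [pscustomobject]@{
        HResult   = ('0x{0:X8}' -f $hresult)
        Win32Code = $win32
        Message   = $message   # "Fatal error during installation."
    }
}

function Get-EpSetupFailures {
    # Pull the exit codes out of EPSetup.log lines, whichever form they take.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'returns (0x[0-9A-Fa-f]+)') {
            ConvertFrom-InstallerExitCode -Code ([Convert]::ToInt64($matches[1].Substring(2), 16))
        }
        elseif ($line -match 'return code was (-?\d+)') {
            ConvertFrom-InstallerExitCode -Code ([int64]$matches[1])
        }
    }
}

function Get-DefenderPolicyState {
    # Reports whether Defender is being switched off by policy rather than locally.
    $value = (Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($null -eq $value) { return 'Not configured by policy' }
    if ($value -eq 1)     { return 'Disabled by policy (Turn off Windows Defender = Enabled)' }
    return 'Policy value present but not disabling Defender'
}

function Restart-SiteComponentManager {
    # Assumption: restarting the Windows service has the same effect as
    # Query/Stop/Start in Configuration Manager Service Manager.
    Restart-Service -Name 'SMS_SITE_COMPONENT_MANAGER' -Force
}

# Decode what the log is telling us.
Get-EpSetupFailures -Lines $SampleLog | Format-Table -AutoSize

# Is policy the reason Defender cannot be turned on?
"Defender policy state: $(Get-DefenderPolicyState)"

# Effective engine state, if the Defender module is available on this server.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    "AntivirusEnabled: $($status.AntivirusEnabled); AMServiceEnabled: $($status.AMServiceEnabled)"
}

# After the policy has been changed, kick the role reinstall instead of waiting:
# Restart-SiteComponentManager
```

If Get-DefenderPolicyState still reports "Disabled by policy" a while after you have changed the local setting, a domain GPO is re-applying it on policy refresh, which is the case where the exception from your AD or security person is the only lasting fix.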
So that’s the workaround, but you should absolutely check with your security person for any implications. You’ve been warned, don’t blame me
/Peter