SCEP 2012 R2 - High number of clients at risk

I recently deployed SCEP 2012 R2 client as part of our SCCM installation. It's worked for 61 of our workstations without any issues at all. I am seeing 62 of them show SCEP installed but clients are at risk; the same 62 are not showing any definitions found on them. I have physically walked over to several workstations and the clients are showing they are running and up-to-date. It appears they just aren't checking in for some reason. I have forced a policy update on these clients and it hasn't helped. Anyone have any ideas what to try next?

Thanks,

Matt

June 29th, 2015 7:59am

Can you look at %windir%\CCM\Logs\EndpointProtectionagent.log on one of the computers showing at risk? You will probably get the info you need in that file.
June 29th, 2015 10:32am

Endpoint is triggered by message. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
EP version 4.8.204.0 is already installed. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
EP 4.8.204.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
Starting download definition action... EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
Create Process Command line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" -SignatureUpdate. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
Trigger the application c:\Program Files\Microsoft Security Client\MpCmdRun.exe starting successfully. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
Endpoint is triggered by message. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Send State Message with topic type = 2003, state id = 3, and message = <INSTANCE><PROPERTY NAME="ProcessTime" TYPE="datetime"><VALUE>2015-06-29T12:35:47.337Z</VALUE></PROPERTY><PROPERTY NAME="ErrorCode" TYPE="int32"><VALUE>0</VALUE></PROPERTY><PROPERTY NAME="Error" TYPE="string"><VALUE></VALUE></PROPERTY></INSTANCE> EndpointProtectionAgent 6/29/2015 5:35:47 AM 7984 (0x1F30)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
EP version 4.8.204.0 is already installed. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
EP 4.8.204.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Starting SUM sync action... EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Sending EvaluateAssignments Trigger to Updates Deployment Agent EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Sending message to endpoint UpdatesDeploymentAgent EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Send State Message with topic type = 2003, state id = 3, and message = <INSTANCE><PROPERTY NAME="ProcessTime" TYPE="datetime"><VALUE>2015-06-29T12:35:47.457Z</VALUE></PROPERTY><PROPERTY NAME="ErrorCode" TYPE="int32"><VALUE>0</VALUE></PROPERTY><PROPERTY NAME="Error" TYPE="string"><VALUE></VALUE></PROPERTY></INSTANCE> EndpointProtectionAgent 6/29/2015 5:35:47 AM 7156 (0x1BF4)
Endpoint is triggered by message. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
EP version 4.8.204.0 is already installed. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
EP 4.8.204.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Check and enforce EP Deployment state. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
EP Client is already installed, will NOT trigger reinstallation. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Sending message to external event agent to test and enable notification EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
EP Policy Default Client Antimalware Policy
<company name> EPAP
<company name> Workstation is already applied. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Firewall provider is installed. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/29/2015 7:09:00 AM 10036 (0x2734)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
EP version 4.8.204.0 is already installed. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
EP 4.8.204.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
Handle EP AM policy. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
Apply AM Policy. EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 6/29/2015 7:09:41 AM 2896 (0x0B50)
Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)
State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
<company name> EPAP
<company name> Workstation and GroupResolveResultHash 2BA66767D68DDFD1DBD855F3A3A90C90A3C597E8 is NOT changed. EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)
Firewall provider is installed. EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/29/2015 7:09:43 AM 2896 (0x0B50)

I don't see any errors in there besides the day I pushed it out. It was stating the EP didn't have an XML policy but those were resolved.

June 29th, 2015 10:40am

Check the Windows SCCM log to see if it has a problem with installing the updates, and check the DP. Are the 62 all under the same Secondary or DP?
June 29th, 2015 1:20pm

My numbers are going up and down now. Before I went to lunch my active protected were 70 and now they are 66. The 4 went from protected to at risk. I'll look in the DPs but I don't think it's a download issue.

Matt

June 29th, 2015 1:25pm

Antimalware Client Version: 4.8.204.0
Engine Version: 1.1.11804.0
Antivirus definition: 1.201.391.0
Antispyware definition: 1.201.391.0
Network Inspection System Engine Version: 2.1.11502.0
Network Inspection System Definition Version: 114.3.0.0
Policy Name: Default Client Antimalware Policy
EPAP
Workstation
Policy Applied: 6/29/2015 at 3:09 PM

That is from one of the workstations. The funny thing is the policy applied time says 3:09 PM, however it's only 12:27 PM here.

June 29th, 2015 1:29pm

I went to 5 other workstations and see a future time for each of them as well.
June 29th, 2015 1:51pm

Hi,

Please do a test of applying an antimalware policy now. Update the machine policy. Then check the Policy Applied time and Time zone on the client. The Policy Applied time is a UTC time. If the time zone is (UTC-08:00) Pacific Time (US & Canada), use the Policy Applied time minus 8, and we would get the time of the client.

Best Regards,

Joyce

June 29th, 2015 11:37pm

I think I fixed that issue; I had the ADR set to use UTC instead of local time. My issue still remains: half my SCEP agents are failing. I see this in the logs but it's not giving much help as to what is wrong.

start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000

I found that there was another policy being applied with a different collection with a different malware policy that someone else made. I limited theirs to not include my workstations and did the policy update, and now get the below.

start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{eed5e7b7-9abe-4371-b5ab-4c6859770298}"/><Policy ID="{A792A0A7-33D2-4A7E-9988-193E62DC93C0}/200"/></AppliedAmPolicies></Instance>

I'll keep an eye on it this morning and see if that helps.

June 30th, 2015 7:19am

If state id = 1 is where I want to be, which I think it is, the next line is not sending the command to the SCCM server. It's skipping it even though it hasn't sent it to the server yet.

State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
OLH Workstation and GroupResolveResultHash F6A678ACF1B429B88E4FF1F73D4F72BE029CFED1 is NOT changed. EndpointProtectionAgent 6/30/2015 4:53:39 AM 4400 (0x1130)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 4:53:39 AM 4400 (0x1130)

June 30th, 2015 8:09am

I found this article

https://social.technet.microsoft.com/Forums/en-US/004690a5-3671-4a28-bbf8-68b3ed54966d/scep-client-will-not-install-on-client?forum=configmanagersecurity

It helped, along with changing the ADR to local time instead of UTC.

Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:29:14 AM 5260 (0x148C)
Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{eed5e7b7-9abe-4371-b5ab-4c6859770298}"/><Policy ID="{A792A0A7-33D2-4A7E-9988-193E62DC93C0}/200"/></AppliedAmPolicies></Instance>
EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Firewall provider is installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Handle EP Deployment policy. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP Client is already installed, will NOT trigger reinstallation. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Sending message to external event agent to test and enable notification EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP Policy Default Client Antimalware Policy
Workstation is already applied. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Firewall provider is installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)

I forced a client wide policy update and will monitor it.

June 30th, 2015 8:58am

My time issue was not an issue; thank you, Joyce L, for helping me understand that.

I still have my first issue where clients aren't reporting in correctly. I reinstalled SCCM client and SCEP on a few of the machines that were having the issue. They report back in after the reinstall until they check in again, then report "service not running" in the console, and here is the log. I am totally at a loss at this point.

Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Failed to generate AM policy settings with error code 0x8000ffff EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Deployment WMI is NOT ready. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Failed to generate AM policy settings with error code 0x8000ffff EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
Deployment WMI is NOT ready. EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 201, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 202, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 203, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 204, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 205, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 207, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 208, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
No group resolve strategry is found for group id: 209, use default strategy EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 6/30/2015 7:18:31 AM 4376 (0x1118)
Service startup notification received EndpointProtectionAgent 6/30/2015 7:19:18 AM 5728 (0x1660)
Endpoint is triggered by CCMTask Execute. EndpointProtectionAgent 6/30/2015 7:19:18 AM 5728 (0x1660)
Deployment WMI is NOT ready. EndpointProtectionAgent 6/30/2015 7:19:18 AM 5728 (0x1660)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 7:19:18 AM 5728 (0x1660)
State 3, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 7:19:18 AM 5728 (0x1660)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
start to send State Message with topic type = 2001, state id = 1, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Save new state 1, error code 0, detail message '' to registry SOFTWARE\Microsoft\CCM\EPAgent\State EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 6/30/2015 7:20:09 AM 3516 (0x0DBC)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
Handle EP Deployment policy. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
start to send State Message with topic type = 2001, state id = 1, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 7:20:09 AM 4800 (0x12C0)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
Generate AM Policy XML while EP is disabled. EndpointProtectionAgent 6/30/2015 7:20:10 AM 5652 (0x1614)
Service startup notification received EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
Endpoint is triggered by CCMTask Execute. EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
State 1, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:21:15 AM 5624 (0x15F8)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
start to send State Message with topic type = 2001, state id = 2, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Save new state 2, error code 0, detail message '' to registry SOFTWARE\Microsoft\CCM\EPAgent\State EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to external event agent to enable notification EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to external event agent to execute all on demand actions. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Save new state 3, error code 0, detail message '' to registry SOFTWARE\Microsoft\CCM\EPAgent\State EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Handle EP Deployment policy. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
EP Client is already installed, will NOT trigger reinstallation. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to external event agent to test and enable notification EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
EP Policy Default Client Antimalware Policy
Workstation is already applied. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Apply AM policy when the applied AM policy is the expected one. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Apply AM Policy. EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 6/30/2015 7:22:53 AM 5724 (0x165C)
Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 6/30/2015 7:22:54 AM 5724 (0x165C)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 6/30/2015 7:22:54 AM 5724 (0x165C)
start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{eed5e7b7-9abe-4371-b5ab-4c6859770298}"/></AppliedAmPolicies></Instance>
EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Firewall provider is installed. EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 7:22:55 AM 5724 (0x165C)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:28:53 AM 1872 (0x0750)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:12 AM 1872 (0x0750)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:29:12 AM 1872 (0x0750)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:12 AM 1872 (0x0750)
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:29:12 AM 1872 (0x0750)
Apply AM Policy. EndpointProtectionAgent 6/30/2015 7:29:12 AM 1872 (0x0750)
Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 6/30/2015 7:29:13 AM 1872 (0x0750)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 6/30/2015 7:29:14 AM 5260 (0x148C)
Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{eed5e7b7-9abe-4371-b5ab-4c6859770298}"/><Policy ID="{A792A0A7-33D2-4A7E-9988-193E62DC93C0}/200"/></AppliedAmPolicies></Instance>
EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Firewall provider is installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Handle EP Deployment policy. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP Client is already installed, will NOT trigger reinstallation. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Sending message to external event agent to test and enable notification EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
EP Policy Default Client Antimalware Policy
Workstation is already applied. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Firewall provider is installed. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Installed firewall provider meet the requirements. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Service startup notification received EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
Endpoint is triggered by CCMTask Execute. EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
State 3, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 8:13:40 AM 5748 (0x1674)
Service startup notification received EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
Endpoint is triggered by CCMTask Execute. EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
EP 4.7.209.0 is installed, version is higher than expected installer version 4.6.305.0. EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
State 3, error code 0 and detail message are not changed, skip updating registry value EndpointProtectionAgent 6/30/2015 8:23:32 AM 5168 (0x1430)
Endpoint is triggered by message. EndpointProtectionAgent 6/30/2015 10:03:09 AM 4956 (0x135C)
Endpoint is triggered by message. EndpointProtectionAgent 6/30/2015 10:03:09 AM 5076 (0x13D4)
File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.6.305.0. EndpointProtectionAgent 6/30/2015 10:03:09 AM 4956 (0x135C)
EP version 4.7.209.0 is already installed. EndpointProtectionAgent 6/30/2015 10:

July 1st, 2015 7:11am
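
Added example, not part of the original thread and not Microsoft tooling: a small Python triage of EndpointProtectionAgent.log text as pasted above. It rejoins records that wrap across lines (the state messages carrying XML), tracks each "start to send State Message" per thread ID because threads interleave, and counts which topic/state pairs were sent versus skipped alongside the two failure lines seen in the log. The sample lines are constructed in the thread's format with a placeholder policy GUID; the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Trailer the pasted view appends to every record:
#   <message> EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
TRAILER = re.compile(
    r"\s*EndpointProtectionAgent "
    r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\d+) \(0x[0-9A-Fa-f]+\)\s*$"
)
ANNOUNCE = re.compile(
    r"start to send State Message with topic type = (\d+), state id = (\d+)"
)
FAILED = re.compile(
    r"Failed to generate AM policy settings with error code (0x[0-9A-Fa-f]+)"
)

# Constructed sample in the format shown in the thread (placeholder GUID).
SAMPLE = """\
Handle EP AM policy. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Failed to generate AM policy settings with error code 0x8000ffff EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
Deployment WMI is NOT ready. EndpointProtectionAgent 6/30/2015 7:18:09 AM 3956 (0x0F74)
start to send State Message with topic type = 2002, state id = 1, error code = 0x00000000, and message = <Instance><AppliedAmPolicies><Policy ID="{00000000-0000-0000-0000-000000000000}"/></AppliedAmPolicies></Instance>
EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
Start to send state message. EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Send state message successfully EndpointProtectionAgent 6/30/2015 7:29:15 AM 1872 (0x0750)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 6/30/2015 7:29:15 AM 5260 (0x148C)
"""


def parse_records(text):
    """Yield (timestamp, thread_id, message); a record may span several lines."""
    pending = []
    for line in text.splitlines():
        m = TRAILER.search(line)
        if not m:
            pending.append(line)          # continuation of a wrapped record
            continue
        pending.append(line[:m.start()])  # text before the trailer, may be empty
        message = " ".join(p.strip() for p in pending if p.strip())
        pending = []
        stamp = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        yield stamp, int(m.group(2)), message
    # Lines left in `pending` belong to a truncated final record and are dropped.


def triage(text):
    """Summarise failures and the outcome of each announced state message."""
    announced = {}  # thread id -> (topic type, state id) awaiting its outcome
    report = {
        "records": 0,
        "policy_failures": [],   # (timestamp, error code)
        "wmi_not_ready": 0,
        "sent": Counter(),       # (topic type, state id) -> count
        "skipped": Counter(),
    }
    for stamp, thread, msg in parse_records(text):
        report["records"] += 1
        if m := FAILED.search(msg):
            report["policy_failures"].append((stamp, m.group(1)))
        elif "Deployment WMI is NOT ready" in msg:
            report["wmi_not_ready"] += 1
        elif m := ANNOUNCE.search(msg):
            announced[thread] = (int(m.group(1)), int(m.group(2)))
        elif msg.startswith("Send state message successfully") and thread in announced:
            report["sent"][announced.pop(thread)] += 1
        elif msg.startswith("Skip sending state message") and thread in announced:
            report["skipped"][announced.pop(thread)] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
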

I'm still having 35 workstations that are showing bad SCEP installs but 103 that are. Almost seems like I need to manually delete the SCCM and SCEP settings and push them back out. Tested that on one of them; going to see if that fixes it tomorrow.
July 7th, 2015 1:49pm

The SCEP 4.8.204.0 update seems to be fixing the remaining that are having the issue. I have repaired a few of the 35 and am down to 22. Even after the weekend I am still holding at 22. I guess I'll be sending the repair command to the remaining and slowly work them.
July 13th, 2015 8:23am

This topic is archived. No further replies will be accepted.
