Solving Endpoint Protection Policy issues

Policy issues are one of the most common issues I see in different business environments, especially on Windows 7 machines that have been running for several years.

Getting ready

In order to resolve a policy issue on client machines, you need an account with local administrator privileges on the targeted machines. You also need full access to the System Center Configuration Manager console.

You will find that deploying System Center Endpoint Protection to your business machines is very easy; however, some of your clients will have issues that need to be resolved, and some of those Endpoint Protection together with Configuration Manager will actually resolve automatically.

But why do we have these kinds of errors now, and not when I was running SCEP?

The answer is that we probably did, but it was hard to discover them in SCCM 2007 or earlier, or without any kind of management product at all.

Microsoft is good at integrating products and reusing functions and services that are already there, such as Group Policy, Windows Update, WMI, and so on. For Endpoint Protection, you also have Configuration Manager as the management product to handle it and make sure it is healthy and working well.

Anyway, here we look further into the few clients marked Critical and how we can resolve some of their issues.

How to do it…

To identify clients with Endpoint Protection issues, navigate to Monitoring | Overview | Endpoint Protection Status | System Center Endpoint Protection Status, and then click on Active Clients at risk.

In the Endpoint Protection Status view, we can scroll further down to view additional information about the Operational Status of clients, as well as the Definition Status on Computers.

When looking at the Operational Status of clients, shown in the following screenshot, we can see that we have one client machine listed with the state Antimalware policy application failed. This is the most common error I see in different environments. You need to resolve it, because until the policy applies the client keeps running with whatever antimalware settings it had before (scan schedules, exclusions, definition update sources), not the ones you configured in the console, so it is effectively unmanaged even though the agent is installed.

If we want to know more about clients with this particular state, we can click on the text or count bar:

Operational status of clients; click the text or the bar to get more information about these clients.

After clicking the text or bar, we get presented with a list of computers based on the Antimalware policy application failed state, as shown in the following screenshot:

Antimalware policy application status of the machines

This machine seems to have a problem applying the Endpoint Protection policy.

To get detailed information on the error code and description, click on the pane named All Systems: Antimalware policy application. The information is presented as shown in the following screenshot:

Error message about the Policy Application

We can also check the log file on the client, which shows the same kind of error message.

The log file is named EndpointProtectionAgent.log and is located in the %windir%\CCM\Logs folder (normally C:\Windows\CCM\Logs):

The previous screenshot shows an example of the log file from a client computer with an Endpoint Protection policy issue.

Be aware that there may be several causes for this issue, and you might need to resolve all of them before the state clears. In particular, if there are leftover components from a previous antimalware product as well as this policy issue, you will have to solve both.

But what can we do about this policy issue?

I have often seen, particularly on Windows 7 machines, that the local machine policy is corrupt. It is stored in C:\Windows\System32\GroupPolicy\Machine, which, incidentally, is a hidden folder.

You should first try this manually on one or several machines so that you are sure it works in your environment, but so far I have had only good experiences with it.

The Registry.pol file can be deleted or renamed. Windows will create a new one based on whatever local policies it has. Often there are none, except the ones the Configuration Manager client sets for Windows Update settings and Endpoint Protection. Note that only settings configured in the local Group Policy object live in this file; domain policy is re-applied from the domain controllers and is not affected, but any setting someone configured only locally on the machine will be gone after the reset, so check for such settings first.

After the file has been deleted or renamed, restart the Configuration Manager client service, SMS Agent Host (service name CcmExec), and monitor the log to see whether the issue is resolved.

If resolved, you should not get all the red error messages; instead you should get something similar to that shown in the following screenshot:

EndpointProtectionAgent.log with Successfully applied Policy

In the Configuration Manager console, when the client has reported back and the status view has updated, it should eventually change the status to EP Policy Application State is Succeeded:

The preceding screenshot shows the EP Policy Application State status view in the Configuration Manager console. In some cases, you will additionally need to uninstall and reinstall the Configuration Manager client.

If the preceding solution works for your environment as well, you can automate it simply by deploying a script, or just by deploying a command such as the following as a package program:

cmd /c rename %windir%\Sysnative\GroupPolicy\Machine\Registry.pol Registry.old & cmd /c gpupdate

Sysnative rather than System32 is used because the Configuration Manager client is a 32-bit process; on 64-bit Windows a program it launches would otherwise be redirected to SysWOW64 and never find the file. Also note that rename fails if a Registry.old already exists from an earlier run, so the program is not safe to run twice on the same machine without cleaning up.

The preceding screenshot shows an example of a command-line fix program in a package for Registry.pol.
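The same fix as a PowerShell script, with the checks the one-line rename lacks. This is an added example and not the book's code; it assumes the default local-policy path under %windir%\System32\GroupPolicy\Machine, the default client log path %windir%\CCM\Logs, and that it runs elevated on the client (manually or deployed as a Configuration Manager program):

```powershell
# Added example (not from the original page): reset a corrupt local machine
# Registry.pol and re-apply policy. Run as a local administrator on the client.
# Assumed defaults: the standard local-policy and CCM log paths.
param(
    [string]$PolFile = (Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'),
    [string]$EpLog   = (Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log')
)
$ErrorActionPreference = 'Stop'

# A 32-bit process on 64-bit Windows (for example a program launched by the
# 32-bit Configuration Manager client) is silently redirected from System32 to
# SysWOW64. The Sysnative alias reaches the real System32, which is why the cmd
# one-liner uses it; do the same here when running under WOW64.
if ([IntPtr]::Size -eq 4 -and $env:PROCESSOR_ARCHITEW6432) {
    $PolFile = $PolFile -replace 'System32', 'Sysnative'
}

if (Test-Path -LiteralPath $PolFile) {
    # 'rename ... Registry.old' fails on a second run because the target already
    # exists, so keep a timestamped copy instead of failing or overwriting.
    $backup = '{0}.{1}.old' -f $PolFile, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Move-Item -LiteralPath $PolFile -Destination $backup -Force
    Write-Output "Moved $PolFile to $backup"
} else {
    Write-Output "$PolFile not found; nothing to reset"
}

# Restart the client agent (display name 'SMS Agent Host', service name CcmExec)
# so it rewrites its local policy, then let Group Policy rebuild Registry.pol.
Restart-Service -Name CcmExec -Force
gpupdate.exe /target:computer /force | Out-Null

# Show the end of the Endpoint Protection agent log; after a successful fix the
# repeated policy application errors should stop appearing here.
if (Test-Path -LiteralPath $EpLog) {
    Get-Content -LiteralPath $EpLog | Select-Object -Last 20
}
```

The timestamped backup also leaves you something to inspect afterwards, which the plain rename does not once it has been run twice.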

The question is how we can target these machines with a collection.

Use the following query when creating a collection to get the machines in this state. It is shown in the following screenshot:

The previous screenshot shows you the collection query for Endpoint Protection with Policy issues.

Membership rules of the Collection

I have named the collection Fix Endpoint because I might want to target other fixes at it as well, so that it repairs several issues at the same time.

The following screenshot shows what it looks like on the collection Criteria page. You don't have to use the Query text field; you can also browse your way to Endpoint Protection PolicyApplication.PolicyApplicationState and give it the value 2, which is the failed state:

Registry.pol files

The Administrative Templates extension of Group Policy saves its settings in the Group Policy template in files named Registry.pol. These files contain the registry settings that are applied to the machine or user portion of the registry, which you specify using the Group Policy snap-in. The Windows 2000 Registry.pol file is analogous to the Windows 95 and Windows 98 Config.pol file and the Windows NT 4.0 NTConfig.pol file.

Two Registry.pol files are created and stored in the Group Policy template, one for computer configuration, which is stored in the Machine subdirectory, and one for User Configuration, which is stored in the User subdirectory.
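To check whether a client's Registry.pol is actually well-formed before deleting it, and to see which settings it carries, the file can be parsed. The following reader and the sample it builds are an added example, not the book's code or Microsoft's. The layout it assumes is the documented one: a 'PReg' signature and version 1 header, followed by records of the form [key;value;type;size;data], with the strings and the delimiters in UTF-16LE and type and size as little-endian DWORDs. The sample settings are constructed for the demonstration, not captured from a client:

```powershell
# Added example (not from the original page): parse a Registry.pol image.
# Assumed layout: 'PReg' + DWORD version 1, then [key;value;type;size;data]
# records, strings null-terminated UTF-16LE, type/size little-endian DWORDs.
function ConvertFrom-RegistryPol {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    $utf16 = [Text.Encoding]::Unicode   # strings and delimiters are UTF-16LE
    if ($Bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: 'PReg' signature missing"
    }
    $version = [BitConverter]::ToUInt32($Bytes, 4)
    if ($version -ne 1) { throw "Unsupported Registry.pol version $version" }

    # Require the UTF-16LE delimiter $c ('[', ';' or ']') at offset $p.
    $expect = { param($p, [string]$c)
        if ($p + 1 -ge $Bytes.Length -or $utf16.GetString($Bytes, $p, 2) -ne $c) {
            throw "Malformed record: expected '$c' at offset $p"
        }
    }
    # Read a null-terminated UTF-16LE string at $p; emit the text and the next offset.
    $readStr = { param($p)
        $start = $p
        while ($p + 1 -lt $Bytes.Length -and ($Bytes[$p] -ne 0 -or $Bytes[$p + 1] -ne 0)) { $p += 2 }
        if ($p + 1 -ge $Bytes.Length) { throw "Malformed record: unterminated string at offset $start" }
        @($utf16.GetString($Bytes, $start, $p - $start), ($p + 2))
    }
    # Read a little-endian DWORD at $p; emit the value and the next offset.
    $readDword = { param($p)
        if ($p + 4 -gt $Bytes.Length) { throw "Malformed record: truncated at offset $p" }
        @([int][BitConverter]::ToUInt32($Bytes, $p), ($p + 4))
    }

    $pos = 8
    while ($pos -lt $Bytes.Length) {
        & $expect $pos '['; $pos += 2
        $key,  $pos = & $readStr   $pos; & $expect $pos ';'; $pos += 2
        $name, $pos = & $readStr   $pos; & $expect $pos ';'; $pos += 2
        $type, $pos = & $readDword $pos; & $expect $pos ';'; $pos += 2
        $size, $pos = & $readDword $pos; & $expect $pos ';'; $pos += 2
        if ($pos + $size -gt $Bytes.Length) { throw "Malformed record: data for '$name' runs past end of file" }
        $data = New-Object byte[] $size
        [Array]::Copy($Bytes, $pos, $data, 0, $size); $pos += $size
        & $expect $pos ']'; $pos += 2

        # Decode the common value types (REG_SZ=1, REG_EXPAND_SZ=2, REG_DWORD=4); others as hex.
        $value = switch ($type) {
            { $_ -eq 1 -or $_ -eq 2 } { $utf16.GetString($data).TrimEnd([char]0) }
            4       { if ($data.Length -eq 4) { [BitConverter]::ToUInt32($data, 0) } else { 'bad DWORD' } }
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        New-Object PSObject -Property @{ Key = $key; Name = $name; Type = $type; Value = $value }
    }
}

# Build a Registry.pol image from records (used only to construct the sample).
function ConvertTo-RegistryPol {
    param([hashtable[]]$Records)
    $utf16 = [Text.Encoding]::Unicode
    $out = @()
    $out += [Text.Encoding]::ASCII.GetBytes('PReg')
    $out += [BitConverter]::GetBytes([uint32]1)
    foreach ($r in $Records) {
        $out += $utf16.GetBytes('[')
        $out += $utf16.GetBytes($r.Key + [char]0);  $out += $utf16.GetBytes(';')
        $out += $utf16.GetBytes($r.Name + [char]0); $out += $utf16.GetBytes(';')
        $out += [BitConverter]::GetBytes([uint32]$r.Type);        $out += $utf16.GetBytes(';')
        $out += [BitConverter]::GetBytes([uint32]$r.Data.Length); $out += $utf16.GetBytes(';')
        $out += [byte[]]$r.Data
        $out += $utf16.GetBytes(']')
    }
    return [byte[]]$out
}

# Constructed sample: values of the kind the Configuration Manager client sets
# in local policy (illustrative values, not captured from a real client).
$utf16  = [Text.Encoding]::Unicode
$sample = ConvertTo-RegistryPol @(
    @{ Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'WUServer';
       Type = 1; Data = $utf16.GetBytes('http://wsus.example.local:8530' + [char]0) },
    @{ Key = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'UseWUServer';
       Type = 4; Data = [BitConverter]::GetBytes([uint32]1) }
)
ConvertFrom-RegistryPol $sample | Format-Table Key, Name, Type, Value -AutoSize

# A copy cut off mid-record, as a damaged Registry.pol often is, is rejected
# rather than silently misread.
try   { ConvertFrom-RegistryPol $sample[0..($sample.Length - 20)] | Out-Null }
catch { "Rejected: $($_.Exception.Message)" }
```

On a client, feed it the real file with [IO.File]::ReadAllBytes("$env:windir\System32\GroupPolicy\Machine\Registry.pol"). A file that throws here is a good candidate for the rename described earlier, while one that parses cleanly and already lists the expected Windows Update and Endpoint Protection values points to a cause other than a corrupt local policy, such as leftover components from a previous antimalware product.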
