Of note this can be fixed by pressing F8 and loading into Safe Mode. The SP1 installation will complete and reboot the computer and "seems" to function as normal afterwards.
I will review that information and test it against the W7 SP1 installs to see if it resolves it. The install process works perfectly fine with HIPS7 running though, only HIPS8 so it's something that should still be reviewed by McAfee in my opinion.
Actually I just verified that HIPS8 on all of these machines are already in adaptive mode. There are no new policies being made or any blocks/warnings being thrown during this entire process.
I've run through a series of test systems over and over again now with different configurations.
- No HIPS - SP1 Success
- HIPS7 - SP1 Success
- HIPS8 3709 32bit/64bit - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 3753 32bit (since it fails to install on 64bit) - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 Adaptive Mode - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 Adaptive Mode and Low/Warning Mode - SP1 Success & No Detection
- HIPS8 Services Disabled - SP1 Success
Every time a system fails it is always on the same registry key. In W7 Gold this hive does not exist and is being created by the SP1 installer.
However I did just get one of the machines that failed after getting it to fix itself in Safe mode to drop an alert finally when I let it load in safe mode with networking.
Signature ID 3829
I've just added a rule for it and I'm going to test another deployment.
Nope, that didn't do it. It still Fatal Error C0000022's with that setting in place. Booting that machine in safe mode now to see if it throws another alert.
So far the only solution is HIPS Off or HIPS in Log mode only.
The install finally fixed itself and made it to Windows and in doing so has now fed 4 more items into the ePO system.
Signature ID 111 - NETCFG.EXE
Signature ID 1148 - SVCHOST.EXE
Signature ID 111 - DRVINST.EXE
Signature ID 850 - SERVICES.EXE
However I'm not sure which of these are just post SP items or things related to installation. Going to permit them and try again...
I was looking over settings again and came across the "Startup IPS protection enabled" which is enabled. I had completely forgotten about this setting which is new to HIPS8 I believe and it's enabled. I'm betting this is the issue since it puts a set of hard blocks on files and registry settings prior to system booting which is when this issue occurs. I've changed this setting now and retesting.
Yup that did it. Disabling the "Startup IPS protection enabled" setting allows the W7 SP1 to install to completion.
Since this seems to be more of an admin selection item it should be added to a McAfee tech doc alerting users to disable this setting during SP installation. Oddly this setting has been set since we started testing this product since it came out and this is the first item that has caused this issue.