175 systems are currently reporting incorrectly to ePO what modules are actually installed on the affected systems. For instance, many machines are missing Threat Prevention, as if it is not even installed. This is happening on systems that I know had it installed at one time and I have verified the install folder is present. Every day I see different ones with the issue, some even after fixing them one or more times.
Unfortunately though, I'm seeing the same issue with other modules - ATP, Platform and DXL Client. I currently have about 175 systems that are not reporting different modules, and some are not reporting multiple modules. I noticed on one device that TP was not enabled/running from the local console. A reboot did not fix it - I had to run an uninstall task, push a new agent and then reinstall TP. But with 175 affected devices, I'm not sure how to proceed, especially when I know it won't be a permanent solution. I have found that even this process is only temporary in many cases. Something causes the module from starting/enabling.
This appears to have gotten worse with the update from ENS 10.5.3 to 10.5.4. I contacted Support and as they always do, told me to "just use the removal tool." If I had to do that with the number of issues I've had with McAfee, I would never eat or sleep. It's a constant fight. Furthermore, Support just pointed me here so you all are my last hope!
I'm at a loss and extremely dissatisfied with this product but I hope someone here can help me.
I would first start to have a look whether the affected installation(s) is at all working, lets say, the TP module picking up an eicar (eicar.org - copy the string into a file, save, detection should occur, this is atest string to validate functionality). At this stage and keeping in mind the symptoms you have described in your initial post, I would suspect the product overall is "healthy" (on those affected nodes) and its merely the reporting on the ePO end that is affected. This is a working assumption and my change as we progress.
So, once you have reasonable confidence that the issue is indeed only a matter of reporting, by probing a couple of machines in your env. with the eicar test virus we can decide what to do next.
Should it turn out the eicar test is not picked up, then its likley the installation has become defunct, for whatever reason. Catching the exact moment in time with any "debug logging" which would allow to determine causality is probably very difficult in this case. You mention that randomly different sets of nodes appear to be affected, does that imply: you have not touched the affexted nodes and they remedited all by themselves? (i.e. yesterday, nodes 1-5 were affected, today, nodes 6-9 are affected and nodes 1-5 are good without any apparent outside action)
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center