cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hi,

since we upgraded our SCCM to 1910 we have the problem that Win10 In-Place Upgrade Task sequence failing if ENS is installed on the client.

Are there any solutions other than removing the ENS?

1 Solution

Accepted Solutions
Highlighted

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

The latest Update rollup for 1910, KB4537079 seems to fixed it. 
We use ENS 10.7 latest Febr. Build.

View solution in original post

30 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hi @EDV-0815 

It would be important to understand which component of ENS is causing the issue. From those results, we would be able to suggest further steps. Do you know which component is causing the issue? (For example ENSTP - OAS)

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

I do not know yet. I will check the log files.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

The logs probably won't help you. You will need to disable each component and test to narrow it down, I'm afraid.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hello @EDV-0815 

May I ask you, did you notice any malfunction with ENS where ENS doesn't work as expected of failing in any of its functions?

If not, may I ask you, did you try to contact Microsoft about this issue and did they have a chance to evaluate the failure on their end, considering the fact that it is their application that is failing to perform as expected:

*** McAfee support statement for compatibility issues between McAfee products and third-party applications
https://kb.mcafee.com/corporate/index?page=content&id=KB73182

Now, this failure can mean that ENS is not causing it, but exposing some bad coding in 3rd party application, or even if it is causing it, we still need Microsoft to tell us what are we doing to cause their failure.

Did you have any issue with earlier version of SCCM?

You may also try troubleshooting steps from:

*** How to troubleshoot high CPU usage by the McAfee real-time anti-malware scanner for Endpoint Security, MOVE Antivirus Agentless/Multi-platform, or VirusScan Enterprise
https://kc.mcafee.com/corporate/index?page=content&id=KB89354

sections related to "ZZZ test" and progressive disablement.

Also you may evaluate your policies against Microsoft recommended exclusions for your software:

*** Microsoft Anti-Virus Exclusion List
https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list....

However, at the end of the day, if nothing suggested works or we found that the issue can't be alleviated without removal of ENS, Microsoft is the one who will need to tell us why is their software failing especially because, if understood your post properly, it doesn't seem that you changed anything ENS related and only change done is upgrade of Microsoft's software, correct?

Please let me know if you have any additional question.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Highlighted

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

We are also experiencing this issue with in-place upgrades on clients with McAfee ENS products installed. We haven't narrowed it down to which part of ENS is causing the issue yet. Apparently Microsoft is blaming McAfee and reading this thread it looks McAfee is blaming MS. 

https://social.technet.microsoft.com/Forums/en-US/4c66e602-bc6c-4ce9-89da-d74e2ec277f7/1909-feature-...

 

https://social.technet.microsoft.com/Forums/en-US/d5f8f899-9c8d-47f5-a267-1f8062c986df/osd-failing-a...

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hello @jasonlawrence 

I am so sorry if my post gave you impression that I am trying to blame any 3rd party vendor, because what I provided is standard methodology when troubleshooting this type of compatibility issue.

For example, Kenchee_etf develops application called MyApplication.exe and the application has low tolerance for timeouts or delays or is running very high I/O:

*** Why some processes should be added to low-risk exclusions
https://kc.mcafee.com/corporate/index?page=content&id=KB66036

Kenchee_etf's application may require to be excluded from scanning otherwise if scanned, MyApplication.exe may fail to do its job. So the symptoms are if you disable or uninstall ENS, application works, however, if you have ENS/VSE doing its job, MyApplication.exe fails.

ENS/VSE in this scenario doesn't do anything extra other than its job aka scanning everything that is not excluded, so failure of application is due to the fact that Kenchee_etf didn't take into consideration that, other than his application on the box, some AV program can be present and that may introduce some delay in its execution which may cause the problem for MyApplication.exe regardles how small delay that may be.

Let us say that ZZZ test is successful and also that disabling ENS/VSE the issue is resolved.

Now, we have 2 options here, Kenchee_etf may decide to make his application more resilient to presence of AV on machine or provide the instructions for users with statement that his application MyApplication.exe needs to be excluded from scanning, where Kenchee_etf is also taking responsibility that if excluded, his application can't be used for any malicious purposes.

Now, the second scenario is if the issue persist event with everything disabled on ENS/VSE side, that means that MyApplication.exe expirience some issue even with ENS/VSE only being installed on machine and again Kenchee_etf is the only one who can tell any AV Engineer what the AV product is doing for his application to fail, because AV Engineer doesn't know how to troubleshoot MyApplication.exe.

Please note, this is note that here I am not blaming Kenchee_etf and I am not deniying ENS/VSE involvement in the issue, however, I need Kenchee_etf's help to resolve this issue like, ENS/VSE is scanning my process when trying to perform this action so please exclude those files and folders from your scan or do not scan my process at all.

So for this specific issue:
01. Does ENS being disable resolve the issue or does ENS have to be removed completely?
02. If ENS being just disable resolves the issue can you test ZZZ test or do you have vendors recommended exclusions in place, like the one mentioned in my original post or additional one I found:
*** Recommended antivirus exclusions for Configuration Manager 2012 and current branch site servers, site systems, and clients
https://support.microsoft.com/en-us/help/327453/recommended-antivirus-exclusions-for-configuration-m...

I hope, this explains proper troubleshooting sequence to get to the bottom of this problem.

Please let me know if you have any additional question.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hi @EDV-0815,

I have noticed a few cases coming in related to this type of issue, usually specific to the Windows 10 1909 update deploying through SCCM.

Your best bet is going to be to first implement the Microsoft Recommended SCCM exclusions, as shown below, as this has successfully resolved the issue in a couple different scenarios. You can also refer to the article I will link following that for the source of where I've pulled this information:

Low Risk Processes:

  1. Smsexec.exe
  2. Ccmexec.exe
  3. CmRcService.exe
  4. Ccmrepair.exe
  5. Sitecomp.exe
  6. Smswriter.exe
  7. Smssqlbkup.exe
  8. Cmupdate.exe

File/Folder exclusions:

  1. Client Installation Folder\*.sdf
  2. Client Installation Folder\ServiceData
  3. C:\Windows\CCMCache
  4. C:\Windows\CCMSetup
  5. Client Installation Folder\Logs

https://support.microsoft.com/en-us/help/327453/recommended-antivirus-exclusions-for-configuration-m...

One other thing that is important to note, is that you should ensure that you are running AT LEAST ENS 10.6.1 July Repost update, and preferrably October or December 2019 on the systems before upgrading to Windows 10 1909. Any releases prior to this are not compatible with Windows 10 1909 and would lead to a block of the upgrade before allowing the deployment to occur.

Thank you,

Mitchell Buehler

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Thanks for the suggestions above, I took the time to try to implement them but unfortunately we still have the same issue. I have narrowed it down to ENS Threat Prevention module being installed, or at least when we removed TP the upgrade task seems to work like normal. 

  • SCCM 1906 Agent + McAfee installed = Upgrade OK
  • SCCM 1910 Agent + McAfee installed = Upgrade BROKEN
  • SCCM 1910 Agent + McAfee installed with no ENS TP module = OK

I started testing by adding the exclusions mentioned above with no luck, I have tried disabling the Access Protection, Exploit Protection and On-Access scans hoping that in those would make it work but the only thing I have found is to remove Threat Prevention. 

Here is the information of the versions that were are using at first

OS = Windows 10 1809

SCCM Client = 1910

McAfee ENS with DE

Mcafee Epo Agent = 5.0.6.220

McAfee Disc Encryption Agent=7.2.9.5

McAfee Disc Encryption = 7.2.9.5

McAfee Drive Encryption GO = 7.2.9.5

McAfee Endpoint Security = 10.6

  • Endpoint Security Platform Version=10.6.1.1607
  • Endpoint Threat Prevention Version=10.6.1.1666
  • Endpoint Firewall Version=10.6.1.1340
  • Endpoint WebControl Version=10.6.1.1435
 
We then upgraded our McAfee versions to the following:
 

OS = Windows 10 1809

SCCM Client = 1910

McAfee ENS with DE

Mcafee Epo Agent = 5.6.3.157

McAfee Disc Encryption Agent=7.2.9.14

McAfee Disc Encryption = 7.2.9.14

McAfee Drive Encryption GO = 7.2.9.14

McAfee Endpoint Security = 10.7

  • Endpoint Security Platform Version=10.7.0.1285
  • Endpoint Threat Prevention Version=10.7.0.1415
  • Endpoint Firewall Version=10.7.945
  • Endpoint WebControl Version=10.7.0.1086

I have been following this MS post while I try to figure out who can open a support ticket with MS. https://social.technet.microsoft.com/Forums/en-US/d5f8f899-9c8d-47f5-a267-1f8062c986df/osd-failing-a...

 

 

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 31

Re: SCCM 1910 - Win10 In-Place Upgrade Tasksequence failing if ENS is installed

Jump to solution

Hello @jasonlawrence 

Thank you for your update.

I would like to ask:

01. When you said that ENS is completely disabled, you did it via policy in ePO, correct?
02. When you disabled OAS in ENSTP policy, did you also un-checked "Enable On-Access Scan on system startup (Windows only)"?

I am asking 01. just to make sure policy enforcement doesn't enable modules back and as for 02. if you tested OAS disabled with "Enable On-Access Scan on system startup (Windows only)" checked in policy, will it be possible to perform one additional test making sure that this setting is not selected and let me know results.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community