Found this in another thread @Nielsb :

Thank you for the idea! I really need this.

Some extra productstate numbers

401408 = onaccess scan disabled

@meanoldmanning, yes, removed ALL McAfee products with the tool...

So three things I've noticed now:

Clean install and debug logging enabled - success

Running that script and then doing a clean install (though not enabling debugging) - success

Update install, debug logging enabled or not - no success

@SWISS, is yours working now?  Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).

Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS.  After reboot, a new ENS provider is added.)

@meanoldmanning:

First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).

Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.

I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...

I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...

Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...

@billmollerOn one laptop I ran the removal tool and the script which cleared the providers, then rebooted and clean installed and everything is hunky dory; ENS shows as the running provider and up to date. Debug logging is NOT enabled

On another test laptop I simply ran the removal tool and did a clean install, then enabled debug logging and ENS is reporting it is the running provider. 

On two other laptops I simply did an update install over what was already installed, one has debugging enabled and the other does not and while the one that does NOT have debugging enabled still does NOT report properly the one that does, now after about 10 minutes has started reporting ENS is running and up to date. I am not sure how stable that result is, and still it seems pretty erratic. Debug enabled shouldn't have to be the weird fix for this issue, but if it works it works and keeps from having to run the removal tool and script.

@chealey, I think there's still an issue... based on what @meanoldmanning posted, and my own experience, the "update" seems to add an additional AV provider.  Regardless of productState, ENS shouldn't be registered more than once in WMI.

Then, if you were lucky enough to have your productState set to 397312 in the previous AV provider entry, it seems it would stay that way forever.  In cases like mine and @SWISS , since both entries indicate 397312, it appears to be "working." 

But this presents another problem... if ENS is ever out of date or on-access scanning is OFF, WSC may continue to get bad results from WMI and improperly report that ENS is ON and up to date and therefore leave WDA off, leaving a computer completely unprotected, which IMHO, is worse than both running and double protection.

Please advise development that ENS should not add duplicate providers AND should have logic to remove duplicate providers.

In my specific cases, the ENS "update" to October release appears to "update" (as in crUd) the one existing ENS provider in WMI (since the timestamp is updated).  Then, after a reboot, ENS creates another provider.  On one of my computers, timestamps are ~10 minutes apart... the time between the update completion, me noticing, and me rebooting...

To test my theory, I manually turned On-Access scan off (between policy enforcements).  Windows immediately indicated that both AV were off, and WMI indicates:

---

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-F2FAB48962E3}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{1006DC03-1FB1-9E52-7C81-
F2FAB48962E3}"
displayName : McAfee Endpoint Security
instanceGuid : {1006DC03-1FB1-9E52-7C81-F2FAB48962E3}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 397312
timestamp : Wed, 09 Oct 2019 12:29:36 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-
DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 393472
timestamp : Tue, 01 Oct 2019 11:56:37 GMT
PSComputerName : DEL7810-0219

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DEL7810-0219
__NAMESPACE : ROOT\securitycenter2
__PATH : \\DEL7810-0219\ROOT\securitycenter2:AntiVirusProduct.instanceGuid="{A37DD4B2-BDFF-70DA-DE19-
9F9927D6940F}"
displayName : McAfee Endpoint Security
instanceGuid : {A37DD4B2-BDFF-70DA-DE19-9F9927D6940F}
pathToSignedProductExe : C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\AMCFG.EXE
pathToSignedReportingExe : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe
productState : 401408
timestamp : Wed, 09 Oct 2019 15:38:06 GMT
PSComputerName : DEL7810-0219

---

One of the ENS entries has an updated productState, and the timestamp seems to be set to when the productState changed.

When I turn on-access scanning back on, WSC again reports ENS is running properly and productState has switched back to 397312.

This leaves my theory inconclusive... Windows could be sorting WMI results by timestamp desc, OR, may be looking at a specific entry, the entry with instance ID A37DD4B2-BDFF-70DA-DE19-9F9927D6940F in my case.

well that was short lived success. On the system where I ran the removal tool and the script and DO NOT have debug logging enabled I rebooted again and now it isn't reporting correctly. So at least in my case debug logging has to be enabled or reporting doesn't work properly.