So, here's something fun and should not have to be the acceptable 'solution'. I had NOT enabled debug logging on the test laptops because, you know, that shouldn't be how this gets fixes. I decided to assign a policy to the clean install computer that enabled logging and after a reboot it reports correctly - for now. We'll see how long that last because the laptop I use daily also has debug logging enabled and does NOT report correctly (update install)

@meanoldmanning, agreed.

When I had debugging on before the October update release, it changed the productState to 397312, so appeared to work (see my posts re: workaround), however, after a random daily update (perhaps AMCore) the productState returned to 343232 which reintroduced the issue.

I also noticed, during "clean install" testing, the Endpoint Product Removal Tool does not delete errant/old McAfee AV providers, which is when I ran that VBScript.

@chealey, is there a chart or link you could post that indicates how to decode productState?  i.e. what's 397312 vs. 343232?

Did you remove the agent as well when you ran the removal tool? 

I don't have a chart as such, but here are the states I know about:

ProductState=262144 = Up to Date Defs, On Access Scanning OFF

ProductState=266240 = Up to Date Defs, ON Access Scanning ON

ProductState=397328 = not Up to Date Defs, ON Access Scanning

ProductState=393216 = Up to Date Defs, On Access Scanning OFF

ProductState=397312 = Up to Date Defs, ON Access Scanning ON

Found this in another thread @Nielsb :

Thank you for the idea! I really need this.

Some extra productstate numbers

401408 = onaccess scan disabled

@meanoldmanning, yes, removed ALL McAfee products with the tool...

So three things I've noticed now:

Clean install and debug logging enabled - success

Running that script and then doing a clean install (though not enabling debugging) - success

Update install, debug logging enabled or not - no success

@SWISS, is yours working now?  Your output looks like mine with duplicate ENS entries, but both have productState 397312 (like mine).

Also, I noticed that after the initial reboot, ENS creates the duplicate WMI entry (checked on another machine after installing the October update, but before reboot and I had only two providers, WDA and ENS.  After reboot, a new ENS provider is added.)

@meanoldmanning:

First, I've updated my previous posts re: 343232... it was 393232... (disregard 343232).

Based on the list of productStates, 393232 indicates AV out of date, and on-access scan off.

I keep having a sneaking suspicion that this is still related to the ENS providers listed in WMI, and WSC potentially receiving a duplicate/errant ENS result (with incorrect productState) from WMI, and basing its decision (to keep WDA on and indicate ENS is OFF) on that...

I really think you should try to clear your providers, but then again, I'm hoping that doesn't fix the issue because there's no way I'm going to run around to all my client computers and manually clear providers...

Back to what I said almost forever ago, ENS really shouldn't be making any duplicate entries in the AV providers DB...