I've run through a series of test systems over and over again now with different configurations.
- No HIPS - SP1 Success
- HIPS7 - SP1 Success
- HIPS8 3709 32bit/64bit - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 3753 32bit (since it fails to install on 64bit) - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 Adaptive Mode - Fatal Error C0000022 & No HIPS alerts reported
- HIPS8 Adaptive Mode and Low/Warning Mode - SP1 Success & No Detection
- HIPS8 Services Disabled - SP1 Success
Every time a system fails it is always on the same registry key. In W7 Gold this hive does not exist and is being created by the SP1 installer.
However I did just get one of the machines that failed after getting it to fix itself in Safe mode to drop an alert finally when I let it load in safe mode with networking.
Signature ID 3829
I've just added a rule for it and I'm going to test another deployment.
The install finally fixed itself and made it to Windows and in doing so has now fed 4 more items into the ePO system.
Signature ID 111 - NETCFG.EXE
Signature ID 1148 - SVCHOST.EXE
Signature ID 111 - DRVINST.EXE
Signature ID 850 - SERVICES.EXE
However I'm not sure which of these are just post SP items or things related to installation. Going to permit them and try again...
I was looking over settings again and came across the "Startup IPS protection enabled" which is enabled. I had completely forgotten about this setting which is new to HIPS8 I believe and it's enabled. I'm betting this is the issue since it puts a set of hard blocks on files and registry settings prior to system booting which is when this issue occurs. I've changed this setting now and am retesting.
Yup that did it. Disabling the "Startup IPS protection enabled" setting allows the W7 SP1 to install to completion.
Since this seems to be more of an admin selection item it should be added to a McAfee tech doc alerting users to disable this setting during SP installation. Oddly this setting has been set since we started testing this product since it came out and this is the first item that has caused this issue.