AlexanderDavid-1013 asked AndyKinseley-4385 edited

CcmEval.log "Failed to get SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionDetection"

Attached is an excerpt from the CcmEval.log that is not correctly reporting status back to the SCCM Server. We are using a 3rd party antimalware software suite.
I have approximately 500 clients with this error and not correctly updating status. The referenced key does not exist on any of our systems. Any suggestions / resolutions would be greatly appreciated.

-DA


<![LOG[==========[ ccmeval started in process 18392 ]====================================]LOG]!><time="18:04:54.176+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:105">
<![LOG[ccmeval version: 5.0.8968.1010]LOG]!><time="18:04:54.185+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:123">
<![LOG[Loading manifest file: C:\WINDOWS\CCM\CcmEval.xml]LOG]!><time="18:04:54.187+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmevalmanifest.cpp:30">
<![LOG[Successfully loaded ccmeval manifest file.]LOG]!><time="18:04:54.230+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmevalmanifest.cpp:41">
<![LOG[Begin evaluating client health rules.]LOG]!><time="18:04:54.230+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:248">
<![LOG[Successfully retrieved all client health checks.]LOG]!><time="18:04:54.232+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmevalmanifest.cpp:130">
<![LOG[Evaluating health check rule {4AB7D77D-3BB0-4EAB-BEFD-7C0F7DA10296} : Verify WMI service exists.]LOG]!><time="18:04:54.232+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {518C0699-03F8-4F38-85C4-4D319EAEFC05} : Verify/Remediate WMI service startup type.]LOG]!><time="18:04:54.232+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {7F4B6E15-2221-455B-9615-93C379E470D5} : Verify/Remediate WMI service status.]LOG]!><time="18:04:54.233+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {14E6774A-1795-4E09-B17D-B6F36A124205} : WMI Repository Read/Write Test.]LOG]!><time="18:04:54.233+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {690A959D-6210-4930-865F-E3BB82F02133} : Verify/Remediate client WMI provider.]LOG]!><time="18:04:55.137+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {A81778B5-9A1E-4A52-9C6E-6939CEFAA118} : WMI Repository Integrity Test.]LOG]!><time="18:04:55.824+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {5CC6C949-5001-4765-84B4-DD4FDC1E6940} : Verify BITS exists.]LOG]!><time="18:04:56.058+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {C6E29CF5-F9B2-450B-AE61-C4B256A75023} : Verify/Remediate BITS startup type.]LOG]!><time="18:04:56.058+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {2F373187-6295-4CBB-BE9E-8E43C459883A} : Verify/Remediate client prerequisites.]LOG]!><time="18:04:56.058+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {AD9CAF50-6602-4857-A9F4-64864EA30BDF} : Verify/Remediate client installation.]LOG]!><time="18:04:57.522+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {8883C683-04C8-4228-BB76-2EDD666BA781} : Verify SMS Agent Host service exists.]LOG]!><time="18:04:57.771+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {13F46523-5B82-417d-A363-A644E80CAD76} : Verify/Remediate SMS Agent Host service startup type.]LOG]!><time="18:04:57.772+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {70BECB51-44A1-4b46-8A23-6EA3D345B677} : Verify/Remediate SMS Agent Host service status.]LOG]!><time="18:04:57.772+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {C35E790D-4C05-40A8-BB46-A68578966D19} : WMI Event Sink Test.]LOG]!><time="18:04:57.773+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {0614757F-7AA6-4933-965B-06D6A8243D0B} : Microsoft Policy Platform WMI Integrity Test.]LOG]!><time="18:04:57.773+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {7EF00FDD-3DF0-496A-A999-AADD1B3016C1} : Verify/Remediate Microsoft Policy Platform Service Existence.]LOG]!><time="18:04:57.782+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {D9D0245D-0617-4C2F-8837-84A397AC5B22} : Verify/Remediate Microsoft Policy Platform service startup type.]LOG]!><time="18:04:57.782+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {09886543-BE8B-431F-BC00-7D917632E22C} : Verify/Remediate Antimalware service startup type.]LOG]!><time="18:04:57.782+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.816+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {5B50566C-363E-4F1C-8A7D-6F2D2A51B142} : Verify/Remediate Antimalware service status.]LOG]!><time="18:04:57.816+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.850+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {B9274BD3-4B32-4B41-8E4D-7B0306D412CE} : Verify/Remediate Antimalware service startup type for Windows 10 or up.]LOG]!><time="18:04:57.850+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.888+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {B89B8B51-369F-42E6-80BC-FF46B8963B0F} : Verify/Remediate Antimalware service status for Windows 10 or up.]LOG]!><time="18:04:57.889+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.924+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {6BC824B4-BD8C-4779-BB10-ABDBCD5AFAEB} : Verify/Remediate Network Inspection service startup type.]LOG]!><time="18:04:57.925+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.957+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {BA322036-F3BE-426F-8779-C1C0BF82EC6E} : Verify/Remediate Network Inspection service startup type for Windows 10 or up.]LOG]!><time="18:04:57.957+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Failed to get SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="cmclientevaluator.cpp:1341">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {D6CB32EA-423D-44CB-9C58-97CE55D2148E} : Verify/Remediate Windows Update service startup type.]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:58.027+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {E8030BE0-B773-4742-B6A1-0870CF139117} : Verify/Remediate Windows Update service startup type on Windows 8.]LOG]!><time="18:04:58.027+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {9040BA8C-580D-4FCA-8846-BBD5F5BB1597} : Verify/Remediate Configuration Manager Remote Control service startup type.]LOG]!><time="18:04:58.064+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {9DCD49EF-E021-46FF-A777-49210B558527} : Verify/Remediate Configuration Manager Remote Control service status.]LOG]!><time="18:04:58.064+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">



mem-cm-general

FionaYan-MSFT answered

@AlexanderDavid-1013

Thank you for posting in the Microsoft Q&A forum.

Failed to get SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem.

Based on my research, many situations may cause this issue. Could we know at which step it failed with this error? Does this mean that an error occurred while checking client activity on the SCCM console?

I have approximately 500 clients with this error and not correctly updating status. The referenced key does not exist on any of our systems.

Could we know what the incorrect updating status of the client is? To narrow down this issue, could you please help share the error screenshot on one problematic client?

Have a good day!

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



AndyKinseley-4385 answered AndyKinseley-4385 edited

I had the same issue following a switch in security product. All clients reporting client check failed.

Created Client Settings to have Endpoint Protection set to disabled, applied it to a group with higher priority. Updated policy and rebooted clients.

The error (Taken from "C:\Windows\CCM\Logs\CcmEval.log") still existed but the client switched to healthy in the console.
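
Added example, not part of the original thread and not Configuration Manager code: a Python parser for the CMTrace-style records in the question's CcmEval.log excerpt that attaches each "Failed to get ..." warning to the health check rule being evaluated and to that rule's Result line. The sample records are copied from the excerpt above; the function names are illustrative assumptions.

```python
import re

# CMTrace-style record: <![LOG[message]LOG]!><time="..." date="..." type="N" ... file="...">
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
RULE = re.compile(r'Evaluating health check rule (\{[0-9A-Fa-f-]+\}) : (.*?)\.?$')
RESULT = re.compile(r'Result: (.*?), ResultCode: (\d+), ResultType: (\d+)')

# Sample input: six records copied from the CcmEval.log excerpt in the question.
SAMPLE = r'''<![LOG[Evaluating health check rule {8883C683-04C8-4228-BB76-2EDD666BA781} : Verify SMS Agent Host service exists.]LOG]!><time="18:04:57.771+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Evaluating health check rule {BA322036-F3BE-426F-8779-C1C0BF82EC6E} : Verify/Remediate Network Inspection service startup type for Windows 10 or up.]LOG]!><time="18:04:57.957+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Failed to get SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="cmclientevaluator.cpp:1341">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">
<![LOG[Evaluating health check rule {D6CB32EA-423D-44CB-9C58-97CE55D2148E} : Verify/Remediate Windows Update service startup type.]LOG]!><time="18:04:57.994+360" date="02-10-2021" component="CcmEval" context="" type="1" thread="11236" file="ccmeval.cpp:283">
<![LOG[Result: Not Applicable, ResultCode: 0, ResultType: 0, ResultDetail: ]LOG]!><time="18:04:58.027+360" date="02-10-2021" component="CcmEval" context="" type="2" thread="11236" file="ccmeval.cpp:328">'''

def parse_records(text):
    """Yield (message, attributes) for every CMTrace-format record in text."""
    for m in RECORD.finditer(text):
        yield m.group('msg'), dict(ATTR.findall(m.group('attrs')))

def evaluate_rules(text):
    """Group records by rule: the Result line and any other type>=2 message
    are attached to the most recent 'Evaluating health check rule' record."""
    rules, current = [], None
    for msg, attrs in parse_records(text):
        rule, result = RULE.match(msg), RESULT.match(msg)
        if rule:
            current = {'guid': rule.group(1), 'name': rule.group(2),
                       'result': None, 'warnings': []}
            rules.append(current)
        elif current is not None and result:
            current['result'] = result.group(1)
        elif current is not None and int(attrs.get('type', '1')) >= 2:
            current['warnings'].append((msg, attrs.get('file', '')))
    return rules

def warned_rules(text):
    """Return (guid, name, result, [messages]) for rules that logged a warning or error."""
    return [(r['guid'], r['name'], r['result'], [m for m, _ in r['warnings']])
            for r in evaluate_rules(text) if r['warnings']]

if __name__ == '__main__':
    for entry in warned_rules(SAMPLE):
        print(entry)
```

Run against a full CcmEval.log, `warned_rules` lists only the rules that logged something beyond their Result line, which makes it easy to compare the same rule across many clients.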
