Hello ,
Our MECM is on version 2010, hotfix KB4594177.
I currently found the issue, that is the Antimalware Police works perfect for all the other windows 2012R2, windows 2016 servers, but no for Windows 2019 server. It is not be applied to all of our 7 windows 2019 servers. And windows 2019 servers are included in the deployment collection.
EndpointProtectionAgent.log
<![LOG[Service startup notification received]LOG]!><time="13:15:23.360+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="fepsettingendpoint.cpp:297">
<![LOG[Endpoint is triggered by CCMTask Execute.]LOG]!><time="13:15:23.376+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="fepsettingendpoint.cpp:266">
<![LOG[Deployment WMI is NOT ready.]LOG]!><time="13:15:23.376+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4264" file="epagentimpl.cpp:920">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="13:15:43.957+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="fepsettingendpoint.cpp:155">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4848" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:226">
<![LOG[Handle EP AM policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="fepsettingendpoint.cpp:184">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:43.972+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentutil.cpp:1348">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="13:15:44.019+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="fepsettingendpoint.cpp:155">
<![LOG[Generate AM Policy XML while EP is disabled.]LOG]!><time="13:15:44.113+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4848" file="epagentimpl.cpp:1272">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:226">
<![LOG[Handle EP Deployment policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="fepsettingendpoint.cpp:179">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4288" file="epagentimpl.cpp:1658">
<![LOG[start to send State Message with topic type = 2001, state id = 1, and error code = 0x00000000]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentimpl.cpp:1628">
<![LOG[Start to send state message.]LOG]!><time="13:15:44.129+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1321">
<![LOG[Send state message successfully]LOG]!><time="13:15:44.144+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4288" file="epagentutil.cpp:1323">
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="fepsettingendpoint.cpp:155">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentutil.cpp:1348">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1658">
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:173">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1653">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="2" thread="4700" file="epagentimpl.cpp:1658">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:226">
<![LOG[Handle EP AM policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="fepsettingendpoint.cpp:184">
<![LOG[This machine is not a workstation, returning false for MDMIsExternallyManaged.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:835">
<![LOG[Not a workstation, this device is SCCM managed.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="ccmcomgmt.cpp:767">
<![LOG[Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy.]LOG]!><time="15:08:51.781+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentutil.cpp:1348">
<![LOG[Generate AM Policy XML while EP is disabled.]LOG]!><time="15:08:51.828+300" date="04-26-2021" component="EndpointProtectionAgent" context="" type="1" thread="4700" file="epagentimpl.cpp:1272">
Registration:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent]
"State"=dword:00000001
"PolicyApplicationState"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy]
"Default Client Antimalware Policy (Scan Schedule)"=dword:00000001
"RRC Standard EP Policy (Scan Schedule)"=dword:00000002
"Default Client Antimalware Policy (Threat Default Action)"=dword:00000001
"RRC Standard EP Policy (Threat Default Action)"=dword:00000002
"Default Client Antimalware Policy (Excluded)"=dword:00000002
"RRC Standard EP Policy (Excluded)"=dword:00000002
"Default Client Antimalware Policy (Realtime Config)"=dword:00000001
"RRC Standard EP Policy (Realtime Config)"=dword:00000002
"Default Client Antimalware Policy (Advance Setting)"=dword:00000001
"RRC Standard EP Policy (Advance Setting)"=dword:00000002
"RRC Standard EP Policy (Spynet)"=dword:00000002
"Default Client Antimalware Policy (Spynet)"=dword:00000001
"Default Client Antimalware Policy (Signature Update)"=dword:00000001
"RRC Standard EP Policy (Signature Update)"=dword:00000002
"RRC Standard EP Policy (Scan)"=dword:00000002
"Default Client Antimalware Policy (Scan)"=dword:00000001
Please help...
