SCEP deployment state Failed
After upgrading SCCM 2012 SP1 to R2 I am noticing that SCEP fails to install the new SCEP 4.3.220.0 client with error code 0x80004005 on existing computers. If I manually install the new 4.3.220.0 client then the SCEP policy fails with the same error code 0x80004005. On new computers no SCEP gets installed unless it is manually installed from the ccmsetup folder, and those never get the SCEP policy.
December 12th, 2013 4:44pm

I guess nobody knows too much about SCEP failures? There is very little that I can find online to point me in the right direction.

Here is a capture from the EndPointProtectionAgent.log on a SCCM client computer that cannot install the latest SCEP client.

Endpoint is triggered by message. EndpointProtectionAgent 12/13/2013 6:54:00 AM 3956 (0x0F74)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:00 AM 3956 (0x0F74)
EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/13/2013 6:54:00 AM 3956 (0x0F74)
EP 4.3.215.0 is installed, version is lower than expected installer version 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:00 AM 3956 (0x0F74)
Check and enforce EP Deployment state. EndpointProtectionAgent 12/13/2013 6:54:00 AM 3956 (0x0F74)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Firewall provider is installed. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3956 (0x0F74)
Installed firewall provider meet the requirements. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3956 (0x0F74)
start to send State Message with topic type = 2001, state id = 4, and error code = 0x80004005 EndpointProtectionAgent 12/13/2013 6:54:01 AM 3956 (0x0F74)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3956 (0x0F74)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
EP 4.3.215.0 is installed, version is lower than expected installer version 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending ack to MTC for task {9BCF7827-E04F-4C3A-8D8C-B943316A2D7F} EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
SCEP client is not present, SCEP client will be installed with the latest AM policy. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to external event agent to disable notification EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
<![LOG[Failed to load xml from string <?xml version="1.0"?><SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData"  Name="&#10;Default Client Antimalware Policy&#10;RS&H Workstation SCEP Policy"  Version="1" Description="XML contains all the AM Policy settings" IsBuiltIn="0"  CreatedBy="Microsoft" LastModifiedBy="FEP-S">  <PolicySection Name="FEP.AmPolicy" >    <LocalGroupPolicySettings >      <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan"><AddValue Name="ScanParameters" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="ScheduleDay" Type="REG_DWORD" Disabled="false">4</AddValue><AddValue Name="ScheduleTime" Type="REG_DWORD" Disabled="false">720</AddValue><AddValue Name="ScheduleQuickScanTime" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="CheckForSignaturesBeforeRunningScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="ScanOnlyIfIdle" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableCatchupFullScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableCatchupQuickScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="AvgCPULoadFactor" Type="REG_DWORD" Disabled="false">20</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction"><AddValue Name="5" Type="REG_DWORD" Disabled="false">3</AddValue><AddValue Name="4" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="2" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="1" Type="REG_DWORD" Disabled="false">2</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" 
Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\Machine\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\User\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2008" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2004" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2002" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\BentleyV8i" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\BentleyXM" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\BentleyV8i" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\BentleyXM" 
Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2010" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\Machine\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\User\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection"><AddValue Name="DisableRealtimeMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableIOAVProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue 
Name="DisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableRealTimeMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableOnAccessProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableIOAVProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableScriptScanning" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideRealTimeScanDirection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableOnAccessProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="RealTimeScanDirection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableScriptScanning" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan"><AddValue Name="DisableRestorePoint" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableReparsePointScanning" Type="REG_DWORD" Disabled="false">1</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration"><AddValue Name="Notification_Suppress" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisablePrivacyMode" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="UILockdown" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Quarantine"><AddValue Name="PurgeItemsAfterDelay" Type="REG_DWORD" Disabled="false">30</AddValue><AddValue Name="LocalSettingOverridePurgeItemsAfterDelay" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey 
Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"><AddValue Name="DisableLocalAdminMerge" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="RandomizeScheduleTaskTimes" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microso   1/1/1601 12:00:00 AM 1998281579 (0x771B5B6B)
Failed to generate AM policy settings for SCEP installation with error code 0x80004005 EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to external event agent to enable notification EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to external event agent to execute all on demand actions. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
EP State and Error Code didn't get changed, skip resend state message. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
State 4, error code -2147467259 and detail message are not changed, skip updating registry value EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Failed to trigger EP Installer to install with error code = 0x80004005. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Register a timer here to check whether definition get updated in 30 minutes. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Firewall provider is installed. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Installed firewall provider meet the requirements. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
start to send State Message with topic type = 2001, state id = 4, and error code = 0x80004005 EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2300 (0x08FC)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3416 (0x0D58)
Endpoint is triggered by WMI notification. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2256 (0x08D0)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3416 (0x0D58)
EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3416 (0x0D58)
EP 4.3.215.0 is installed, version is lower than expected installer version 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 3416 (0x0D58)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2256 (0x08D0)
EP version 4.3.215.0 is already installed. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2256 (0x08D0)
EP 4.3.215.0 is installed, version is lower than expected installer version 4.3.220.0. EndpointProtectionAgent 12/13/2013 6:54:01 AM 2256 (0x08D0)

December 13th, 2013 9:03am

Here is another capture from the EndPointProtectionAgent.log on another SCCM client computer that I manually installed the SCEP client 4.3.220.0 on. After updating SCEP the policy shows as failed in the SCCM console?

Endpoint is triggered by message. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.3.220.0. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
EP version 4.3.220.0 is already installed. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Expected Version 4.3.220.0 is exactly same with installed version 4.3.220.0. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Check and enforce EP Deployment state. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
EP Client is already installed, will NOT trigger reinstallation. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Sending message to external event agent to test and enable notification EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Sending message to endpoint ExternalEventAgent EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Failed to get successfully applied EP Policy Name under registry key SOFTWARE\Microsoft\Microsoft Security Client\LastSuccessfullyAppliedPolicy. EP client might be installed manually. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Apply AM policy when the applied AM policy is the expected one. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Apply AM Policy. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
<![LOG[Failed to load xml from string <?xml version="1.0"?><SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData"  Name="&#10;Default Client Antimalware Policy&#10;RS&H Workstation SCEP Policy"  Version="1" Description="XML contains all the AM Policy settings" IsBuiltIn="0"  CreatedBy="Microsoft" LastModifiedBy="FEP-S">  <PolicySection Name="FEP.AmPolicy" >    <LocalGroupPolicySettings >      <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan"><AddValue Name="ScanParameters" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="ScheduleDay" Type="REG_DWORD" Disabled="false">4</AddValue><AddValue Name="ScheduleTime" Type="REG_DWORD" Disabled="false">720</AddValue><AddValue Name="ScheduleQuickScanTime" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="CheckForSignaturesBeforeRunningScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="ScanOnlyIfIdle" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableCatchupFullScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableCatchupQuickScan" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="AvgCPULoadFactor" Type="REG_DWORD" Disabled="false">20</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction"><AddValue Name="5" Type="REG_DWORD" Disabled="false">3</AddValue><AddValue Name="4" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="2" Type="REG_DWORD" Disabled="false">2</AddValue><AddValue Name="1" Type="REG_DWORD" Disabled="false">2</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" 
Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\Machine\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\User\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2008" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2004" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2002" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\BentleyV8i" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files\BentleyXM" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\Bentley" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\BentleyV8i" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\Program Files (x86)\BentleyXM" 
Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="C:\FDOT2010" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths"><AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%windir%\Security\Database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%ALLUSERSPROFILE%\NTuser.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\Machine\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="%SystemRoot%\System32\GroupPolicy\User\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection"><AddValue Name="DisableRealtimeMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableIOAVProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue 
Name="DisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableRealTimeMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableIntrusionPreventionSystem" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableOnAccessProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableIOAVProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableBehaviorMonitoring" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideDisableScriptScanning" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="LocalSettingOverrideRealTimeScanDirection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableOnAccessProtection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="RealTimeScanDirection" Type="REG_DWORD" Disabled="false">0</AddValue><AddValue Name="DisableScriptScanning" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan"><AddValue Name="DisableRestorePoint" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisableReparsePointScanning" Type="REG_DWORD" Disabled="false">1</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration"><AddValue Name="Notification_Suppress" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="DisablePrivacyMode" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="UILockdown" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Quarantine"><AddValue Name="PurgeItemsAfterDelay" Type="REG_DWORD" Disabled="false">30</AddValue><AddValue Name="LocalSettingOverridePurgeItemsAfterDelay" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey 
Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"><AddValue Name="DisableLocalAdminMerge" Type="REG_DWORD" Disabled="false">1</AddValue><AddValue Name="RandomizeScheduleTaskTimes" Type="REG_DWORD" Disabled="false">0</AddValue></AddKey><AddKey Name="SOFTWARE\Policies\Microso   1/1/1601 12:00:00 AM 1998281579 (0x771B5B6B)
Failed to generate AM policy XML with error code 0x80004005 EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
State 2 and ErrorCode -2147467259 and ErrorMsg Failed to generate Antimalware policy file. and PolicyName Default Client Antimalware Policy
RS&H Workstation SCEP Policy and GroupResolveResultHash 09E7590480C470E452036EAB9CFE48437CA09340 is NOT changed. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Firewall provider is installed. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Installed firewall provider meet the requirements. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
start to send State Message with topic type = 2001, state id = 3, and error code = 0x00000000 EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)
Skip sending state message due to same state message already exists. EndpointProtectionAgent 12/13/2013 4:20:00 AM 2512 (0x09D0)

December 13th, 2013 9:28am

Do you have special characters in your policy name?

You might have the same issue I did here. Remove any & () - and see if that helps you out. Support identified it as a product bug in R2 and are supposedly working on a fix.

Immediately after changing policy names my ~4000 clients started fixing themselves.

  • Marked as answer by thomasmcf 17 hours 43 minutes ago
December 13th, 2013 1:18pm

Thank you!!!!!!!!

You my friend are a genius! Both of my 2 main custom endpoint policies (servers and workstations) had the "&" character in them. I have renamed both and performed a policy update on the endpoint collections and everything magically started working!!!! No more errors in the EndpointProtectionAgent.log. I am waiting to see if the SCCM console updates and the errors disappear.

December 13th, 2013 1:41pm

Glad it helped! It consumed the better part of my weekend/week and I was thankful it was a very easy workaround.
December 13th, 2013 1:59pm

I know exactly what you mean. It was driving me crazy for the better part of a week now. Thank you again for the answer!
December 13th, 2013 2:11pm

Dashes seem to work fine, but I was kicking myself as to why only one of my policies wasn't applying properly.  Found this thread, removed the &, now as far as the logs go, the clients appear to be correcting themselves.

June 2nd, 2014 9:46am

I too had issues with & in policy names.

My recommendation to my client is to always avoid using special characters.

SCCM should block that when creating the policy but it's not.

June 2nd, 2014 10:06am
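
Added example (not from the thread's posters and not Configuration Manager code): the "Failed to load xml from string" entries in the logs above show the policy name "RS&H Workstation SCEP Policy" sitting raw inside the Name attribute, and a bare & makes an XML document not well-formed. The PowerShell below reproduces that parse failure with a standard XML parser and shows that the same name loads once it is escaped or renamed. It assumes the name is inserted into the attribute as plain text; the function names and the two constructed policy names are hypothetical, and the script checks XML well-formedness only, not how the SCEP agent itself behaves.

```powershell
# Added illustration; not Configuration Manager code. Function names are hypothetical.

function Test-PolicyNameInXml {
    param(
        [Parameter(Mandatory = $true)][string]$PolicyName,
        [switch]$Escape
    )

    # Assumption: the policy name is placed into the Name attribute as text.
    $value = $PolicyName
    if ($Escape) {
        # Escapes & < > " ' so the value is safe inside an attribute.
        $value = [System.Security.SecurityElement]::Escape($PolicyName)
    }

    # Same root element and namespace as the policy XML quoted in the log.
    $xmlText = '<?xml version="1.0"?>' +
        '<SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" ' +
        'Name="' + $value + '" Version="1">' +
        '<PolicySection Name="FEP.AmPolicy" /></SecurityPolicy>'

    $doc = New-Object System.Xml.XmlDocument
    $loads = $true
    $err = ''
    try {
        $doc.LoadXml($xmlText)
    }
    catch {
        # The parser rejects the document; keep the message for the report.
        $loads = $false
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        PolicyName = $PolicyName
        Escaped    = [bool]$Escape
        Loads      = $loads
        Error      = $err
    }
}

function Find-RiskyPolicyName {
    param([string[]]$PolicyName)
    # Characters that are markup in XML and must be escaped in attribute values.
    $PolicyName | Where-Object { $_ -match '[&<>"'']' }
}

$names = @(
    'RS&H Workstation SCEP Policy',   # name seen in the log above
    'RSH Workstation SCEP Policy',    # constructed: same name with & removed
    'Servers (Prod) - SCEP Policy'    # constructed: parentheses and a dash
)

# Try each name raw and escaped, then report which documents load.
$results = foreach ($n in $names) {
    Test-PolicyNameInXml -PolicyName $n
    Test-PolicyNameInXml -PolicyName $n -Escape
}
$results | Format-Table -AutoSize -Wrap

# Names worth reviewing before they are deployed to clients.
Find-RiskyPolicyName -PolicyName $names
```

Running the second function over an export of existing antimalware policy names gives a quick list of policies to rename, which is the workaround the thread settled on.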

This topic is archived. No further replies will be accepted.