SCCM 2012 Client Deployment – SCEP Installation Craziness

I just finished an SCCM 2012 deployment and began upgrading all of the systems from the 2007 client to the new SCCM 2012 client.

First batch of 30 or so went fine. Then, all of a sudden, a good-sized handful (about 40 servers) failed to install SCEP.

Basically, no errors. The only thing I saw was an entry in \\<machinename>\admin$\ccm\logs\EndpointProtectionAgent.log with the following message:

“Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.”

The closest I came to seeing an example of my issue was explained here:

So, why not try that? It didn’t exactly fit my problem. In my case, the systems were both 2003 R2 and 2008 R2. So, I gave it a try. Won’t hurt.

Unfortunately, it didn’t work.

I’ve had stranger things happen, so I got to thinking, why not create the key and see what happens. Here’s what I did:

  • Uninstalled SCCM with “ccmsetup.exe /uninstall”
  • Created the key “HKLM\Software\Microsoft\Microsoft Security Client”
  • Reinstalled the SCCM client from the console

VOILA! The SCEP client installs just fine.

I’ve tried just creating the key and re-installing the agent, but that doesn’t seem to work.

Just as an FYI, I originally wrote this post on 01/07/2013. The next day, I added a package, no files, with the command line:
reg add "HKLM\SOFTWARE\Microsoft\Microsoft Security Client"

I deployed that to a direct membership collection.

Within just a few minutes, the SCEP client installed on its own. So, I found it wasn’t necessary to uninstall the SCCM client.

Try either method. See what works. We noticed this does not always work on Windows 7 workstations.
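
For a larger batch, the same check and fix can be scripted instead of packaged. The script below is an added example, not part of the original post: it looks for the log message quoted above on each machine and creates the empty key only where that message was logged and the key is missing. The file name servers.txt is hypothetical, and the script assumes admin rights on each target and a running Remote Registry service.

```powershell
# Added example, not from the original post.
# Assumptions: servers.txt (hypothetical) holds one hostname per line, the account
# running this is an administrator on each target, and Remote Registry is running there.
$computers = Get-Content -Path '.\servers.txt'
$keyPath   = 'SOFTWARE\Microsoft\Microsoft Security Client'
# Message text as quoted from EndpointProtectionAgent.log in the post
$pattern   = 'Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002)'

$results = foreach ($computer in $computers) {
    $log    = "\\$computer\admin$\ccm\logs\EndpointProtectionAgent.log"
    $status = 'LogNotFound'
    try {
        if (Test-Path -Path $log) {
            # -SimpleMatch treats the message as literal text, not as a regex
            $hit = Select-String -Path $log -Pattern $pattern -SimpleMatch -Quiet
            if (-not $hit) {
                $status = 'MessageNotLogged'
            } else {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                try {
                    $existing = $hklm.OpenSubKey($keyPath)
                    if ($existing) {
                        # An old log entry can remain after the key has been created
                        $existing.Close()
                        $status = 'KeyAlreadyPresent'
                    } else {
                        # Same effect as the reg add command above: an empty key, no values
                        $hklm.CreateSubKey($keyPath).Close()
                        $status = 'KeyCreated'
                    }
                } finally {
                    $hklm.Close()
                }
            }
        }
    } catch {
        # Unreachable host, access denied, Remote Registry stopped, and so on
        $status = "Error: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Computer = $computer; Status = $status }
}

$results | Sort-Object Status, Computer | Format-Table Computer, Status -AutoSize
```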