SOLVED SMS Agent won't Stop on Windows 10 clients after OS upgrade

[cnewell]

I am having an issue on some clients in my environment, the sccm client will only work temporarily on start-up. During this short period of about 30 mins to 1 hour , the client will work perfect. Software updates , Application installs , i can restart SMS service without issue, everything works. After that , nothing works. If i reboot , everything works again temporarily. This only appears to be an issue when installing the Windows 10 version 1903 feature update on any of our Windows 10 1803 and 1809 devices. Even tried the newest ccmexec client (5.00.8553.1020) with no success. If we image a device directly to Windows 10 1903 the client works fine. This is happening on about 500 devices

I am on SCCM 1906 client version 5.00.8853.1006 (however, i have same issue on other client versions, as well as working machines on 8853.1006)

To troubleshoot this i have attempted to
1. Restart the SMS service and i realized that i can't. The service will remain in a "Stopping" state until i reboot or Force kill it with "taskkill /f /pid".
2. Stopping the CCMEXEC service manually. Service will not stop , and will return "error code 1053: the service did not respond to the start or control request in a timely fashion."
3. Restarting the WMI service(which also stops SMS Agent). Same results as above.
4. I have monitored the ccmexec log while I initiated the service shutdown or restart and I only see one error "Failed to asynchronously register WMI notification query, with error code 0x80041032."
5. Removed or reinstalled the SCCM client. The client will usually install fine but after the 30min time frame it goes unresponsive again.

 

[JonnyFenomic]

Hello cnewell,

I've have the same problem at the company for months.
About 400 clients are affected. I have tried everything by now.
I have already installed the latest SCCM 1910 update. Unfortunately without success.

Do you already have a solution to the problem? please say YES ........

 

[kheldorn]

I've found the solution to this. You need the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
"DisableAntiVirus"=dword:00000000
"PassiveMode"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Group"="Early-Launch"
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002

The whole story of how I arrived at this solution was documented on https://beingwinsysadmin.blogspot.com/2020/02/sccm-sms-agent-host-ccmexec-hangs-on.html

 

[JonnyFenomic]

First, great respect for your tireless work.

I have tested the procedure on some clients.
It seems that this is the solution.
I will be monitoring the clients this week.

I'll be monitoring the clients this week.
Forwarded your entry to Microsoft. There we have a premium ticket for this. I hope this buggy problem is fixed.

Is it absolutely necessary to activate Defender in passive mode or are these entries sufficient?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot]
"Group"="Early-Launch"
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002

What are your experiences?

Thanks for everything. You're saving my ass. RESPECT!

 

[kheldorn]

I know that the "WinDefend" service needs to be running. For that to be the case both the "WdBoot" and the "WdFilter" need to be enabled. Whether the rest is strictly necessary I am not sure. But I don't think it will hurt to have the Defender Antivirus to be running in passive mode either.

 

[JonnyFenomic]

Thank you very much.
I'll do it the way you described it.
I hope that Microsoft will fix the problem.

 

[kheldorn]

By now I've gotten some additional information.

You might be able to achieve the same working SCCM client when you disable the Endpoint Protection feature within SCCM completely.

Since I don't have access to our SCCM I can't test this myself though.

 

[JonnyFenomic]

I already did that last week.
At the same time, I upgraded to a new SCCM server with Defender management disabled. On the new server the clients didn't have this problem anymore. I wanted to move the clients one by one.
Nevertheless I wanted to make sure that I didn't take the bug with me into the new environment.
I will apply your workaround to all problem clients. Leave it out later when i upgrading the clients. Then I will see if that is enough. i hope

 

[JonnyFenomic]

how much time did it take you to see the problem?

 

[kheldorn]

how much time did it take you to see the problem?

For the SCCM client to become broken? Couple hours or so after freshly installing the SCCM client. I usually tried it the next day. Before the fix I'd get 100% broken clients after that period of time.

With the fix applied I have yet to see any broken clients at all. You just have to make sure that the Windows Defender Antivirus service is actually running.