Endpoint Protection

We have been rolling out Windows 10 within our organization. When we deploy a computer we install SEP 12.x manually per computer and verify it's installed and managed correctly. Recently however our Windows 10 users are noticing that SEP is no longer instaled. Our end users do not have administrative permissions on the computers. How can SEP uninstall itself without any user intervention. This has happed on all of our 200 Windows 10 computers and seems like a HUGE security flaw that SEP can uninstall itself and leave the computer unprotected.

I've seen the recent Windows 10 SEP install issue with Windows Defender and KB3140743. Is this related? I think you should warn customers that the computers could now be unprotected.

Thanks for any information you can provide.

SEP won't uninstall itself. Are you sure it was even installed or did it hit the known issue?

This is the only known Windows 10 issue related to not installing:

http://www.symantec.com/docs/TECH234344

We verify every install and also get notification from the management server that the client was installed and is communicating. We've also had to put exclusions in for certain applications so we know it was installed and working on all 200+ Windows 10 clients. Seems strange that 200+ computers that were working fine now have no SEP installed. It's just gone. There are remnants of the install under the program folder but the client is not installed nor displays under programs and features. I am wondering if some recent Windows 10 update forced the symantec client to rollback the install. Could anyone else check their Windows 10 deployments that have the most recent windows updates applied still have SEP client is still installed and working? I can't see how 200+ clients can all of suddend do this. Our Windows 7 and Windows 8 clients are still working and communicating. It's only Windows 10 computers that this has happened to.

Then you need to get a case open immediately with Symantec. I've never seen the client simply uninstall itself. Something else is at work here. What shows in your event logs? There should be some clue there as to what's going on.

I would strongly check the Event Viewer and find the date & time of the install and also the uninstall - see which service/user is doing the uninstall. Then work from that point. If you think it's SEP doing the uninstall itself, then raise a case with Symantec support with your findings.

However I think it's somethinhg else is going on within your network which you need to investigate and resolve it.

I'm keen to know what you have found, so please report back with your findings.

Good luck.

Unfortunately our event logs were cleared so we can't go back to see what happened. We have verified KB3140743 was installed on the computers. After disabling defender we were able to get symantec reinstalled. The workstation team is not working on reinstalling it on the Windows 10 clients. We are going to monitor symantec client status very closely over the next few weeks and during Windows update deployments. Very strange stuff. I wonder if we put a password on the client install if it would prevent the ability for any system to remove the product without typing in the install password?

Thanks for the help.

Put a pw on it to increase the security. Strange how there is no audit trail.

Due to the fact that the Event Logs are cleared out, I suspect there is somethng else is happening as it shouldn't be cleared out unless done manually...

Good idea on enabling the password to uninstall it - see if it helps you.

12.1.6 MP4 was just released which corrects the patch issue linked above:

http://www.symantec.com/docs/INFO3517