Endpoint Protection

Hello

I have an issue about Windows 10,  when windows is looking for updates, it shows a message:

• Symantec Endpoint Protection " Uninstall this app now beacuase it isn't copatible with Windows 10"  due to that issue windows doesn't allow to upgrade

You need a version of SEP that is supported on Windows 10...see here for correct version info:

http://www.symantec.com/docs/TECH235458

Hello Brian

thanks, for you help I have seen the version "it is 14 RU1 (14.0.1)"  however, the message continues appearing.

Do you have idea why this is happening ?

Do you have older install folder on the machien somewhere? If so, they should be deleted.

This post may help you out: https://www.symantec.com/connect/forums/solved-windows-10-1709-cant-update-and-clean-wipe-cant-full-remove-endpoint-protection

Hi Kenia,

Has this been resolved?  Please mark a solution if so.

 

Thanks!

I have seen this when I have done a manual upgrade to Windows 10 rather than using a ghost image. When we use the ghost image or image over network, we don't get the message to uninstall.

I have this problem too. The PC is running Symantec 14.0 MP2 build 2415 ( 14.0.2415.0200 )  and is running Windows 10 version 1703 build 15063.850

Windows is trying to install Feature update to Windows 10 version 1709

2018-1 Cumulative update V1703 KB4057144

Sounds like there will be some SEP 12.x folders still on the machines impacted

There are no SEP12 components on the computer as far as I can see. None in Program Files (x86) , none in System32 or SysWOW64.

I checked the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat and it contains ”cadca5fe-87d3-4b96-b7fb-a231484277cc”

I downloaded KB4057144 as an msu from the update catalog.

This stalled for a long time then appeared to install. The PC was re-booted, however Windows 10 About is still reporting version 1703 build 15063.877

Ver reports 10.0.15063

The new Windows 10  Update History is useless - it only shows a failed install of the Feature Update , but not the time - so I think this was the original non-msu install.

It still says KB4057144 is available to install.

BUT if you look in the Event Viewer the event for WindowsUpdateClient says "Installation successful: Windows succesfully installed update KB4057144".

Also Symanec System Tray is  is no longer reporting multiple errors ( as per https://support.symantec.com/en_US/article.TECH248552.html )

 

I have checked this link :

https://www.experts-exchange.com/questions/29063538/Windows-10-1709-Upgrade-error-0xC1900209.html. 

and I have some quiestions 

1.In this path:

C:\$WINDOWS.~BT\Sources\Panther

Say us that I will find a or many files such as:

_APPRAISER_HumanReadable.xml

when he erased this files, he solved the problem but when I erased this files, the files continues appearing 

This is going to be a long post.  it is to fix issues with Windows 10 1803 getting notification that Symantec must be manually uninstalled.

First you have to be at SEP Client 14.0.3 for Windows 10 1803 update of this to work. My version is 14.0.3929.1200.105 on server and most of my clients.

Script is saved as .txt and attached (I think) on this post,

Bottom of post has the text of the powershell script.

 

Some suggested fixes that did not work:

Cleanwipe will not resolve this issue, I tried that.

Re-installing windows also will not work unless you delete everything on the drive or format the drive during install.

 

Causes:

Essentially, what happened is that Symantec install is sent by a zipped package that has the executables in it.

Once you unzip the package, the executables that Windows update looks for is found in the install folder.

Windows 1803 update does not look everywhere, but will look anywhere that the system can access.

So if you are deploying with SCCM, there is an install package in ccmcache from the last install.

If you contacted support on a previous version and they sent you a 7zip exe to extract, then the exe's are somewhere else.

If you deployed using SCCM then the exe's will be in a subdirectory under the c:\windows\ccmcache directory.

If you deployed using a single exe, then it extracted somewhere and you may have the exe's there.

I called support for a script to fix this.  Got nowhere.  That is anothe story, best left out.

 

My Solution

I made a powershell script to find and rename the 2 executables if they are outside of Program Files or Program Files (x86)

For SCCM to be able to use this, the .ps1 probably needs to be signed.

Attached is a sample of the script.

<#
This Script is to look for any Symantec Endpoint Protection files that prevent Windows 10 Update to 1803
If a computer has any install folder for an older version these files will exist in the install folder.  Windows update checks the version.
ccsvchst.exe Version 13.3.1.14
smc.exe Version 14.0.3929.1200
Windows Update to 1803 gives error that 2 Symantecs must be uninstalled, 1 for each file.
To find the offending file names look in this folder (after the update has failed or they will not be listed.)
C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Search for 'Manual uninstall required' (no tick marks.)
References:
https://www.symantec.com/connect/forums/solved-windows-10-1709-cant-update-and-clean-wipe-cant-full-remove-endpoint-protection

Point of contact, Brian VanTassel
Agency for Persons with Disabilities, Florida.

Notes:  This has to be signed to run through SCCM
Built for deployment through SCCM Task Sequence.

#>

Script renames either ccsvchst.exe Version 13.3.1.14 or smc.exe Version 14.0.3929.1200 if version is less than what is shown

In this script, change 'SomeServerName' in the line to your share path.  Create the folders for the path.  The script writes results to the file.  The results are attempted.  Depending on system rights, it may not be the case.  This indicates the steps ran, but you should test it.

$outfile="\\SomeServerName\DeployLogs\Symantec\Win10-1803RenameFix\Win10-FilesRenam_Status-Apps.txt"

This is where the accumulated log is written to.  Domain users and Domain Computers will need read and write to this share.

You will also need a share for deploy files.  This will need to be read for domain users and domain computers.

Sign the script using a code signing certificate (another story there.)

Example of results shows Computer name, path to file, version information and what was attempted:

ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\14.0.3929.1200.105\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\ccSvcHst.exe;13.3.1.14;Not Modified
ComputerName-10;;C:\Users\All Users\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Cached Installs\Program Files\Symantec\Name\Version\Bin\Smc.exe;14.0.3929.1200;Not Modified

To deploy the script in SCCM I used a Task Sequence, with 2 run command steps.

it will probably work with one step, but I copy the script to a folder I use on the computers for local install logs.

Most of my Task Sequences create this folder if it does not exist:  "C:\ProgramData\CM_Install_logs"

Copy Command line: 

cmd.exe /c copy /y "\\ServerName\Deploy File Share\Scripts\Win101803SymFileRenamFix.ps1" "C:\ProgramData\CM_Install_logs"

Run powershell cmd:

cmd.exe /c PowerShell.exe -executionpolicy unrestricted -file "C:\ProgramData\CM_Install_logs\Win101803SymFileRenamFix.ps1"

 

Powershell Script (was named Win101803SymFileRenamFix.ps1) Start below this line

<#
This Script is to look for any Symantec Endpoint Protection files that prevent Windows 10 Update to 1803
If a computer has any install folder for an older version these files will exist in the install folder.  Windows update checks the version.
ccsvchst.exe Version 13.3.1.14
smc.exe Version 14.0.3929.1200
Windows Update to 1803 gives error that 2 Symantecs must be uninstalled, 1 for each file.
To find the offending file names look in this folder (after the update has failed or they will not be listed.)
C:\$WINDOWS.~BT\Sources\Panther\setupact.log
Search for 'Manual uninstall required' (no tick marks.)
References:
https://www.symantec.com/connect/forums/solved-windows-10-1709-cant-update-and-clean-wipe-cant-full-remove-endpoint-protection

Point of contact, Brian VanTassel
Agency for Persons with Disabilities, Florida.

Notes:  This has to be signed to run through SCCM
Built for deployment through SCCM Task Sequence.

#>
$outfile="\\SomeServerName\DeployLogs\Symantec\Win10-1803RenameFix\Win10-FilesRenam_Status-Apps.txt"

#$env:COMPUTERNAME
#Get-Childitem –Path C:\ -Include ccsvchst.exe,smc.exe -File -Recurse –force -ErrorAction SilentlyContinue | Select *
#$Paths2Files = Get-Childitem –Path "C:\" -Include ccsvchst.exe,smc.exe -File -Recurse –force -ErrorAction SilentlyContinue | Select name,Fullname
$Paths2Files = Get-Childitem –Path "C:\" -Include ccsvchst.exe,smc.exe -File -Recurse -ErrorAction SilentlyContinue | Select name,Fullname
foreach ($file in $Paths2Files){

$VersionInfo = (Get-Item $file.fullname).VersionInfo
    $FileVersion = ("{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart,
    $VersionInfo.FileMinorPart,
    $VersionInfo.FileBuildPart,
    $VersionInfo.FilePrivatePart)

#Write-Host $file.fullname $fileversion

If ($file.fullname -like "*Program Files*\Symantec\Symantec Endpoint Protection*") {$action="ProgramFiles Not Modified"}
ElseIf ($file.name -eq "ccsvchst.exe") {
If ($FileVersion -lt "13.3.1.14") {$action="renamed"
Rename-Item -Path $file.fullname -NewName "ccsvchst.ex_"}
ElseIf ($FileVersion -eq "13.3.1.14") {$action="Not Modified"}
}

ElseIf ($file.name -eq "smc.exe") {
If ($FileVersion -lt "14.0.3929.1200") {$action="renamed"
Rename-Item -Path $file.fullname -NewName "smc.ex_"}
ElseIf ($FileVersion -eq "14.0.3929.1200") {$action="Not Modified"}
}

Write-Host $file.fullname $fileversion $action
$out2file=$env:COMPUTERNAME+";"+$date+";"+$file.fullname+";"+$fileversion+";"+$action
$out2file | out-file -filepath $outfile -append
}

 

# SIGNATURE BLOCK WAS HERE
# End signature block WAS HERE

End of script above this line