Block uninstallation of SCCM Endpoint Protection (SCEP)

When a client is installed with System Center Endpoint Protection, a user can uninstall SCEP if the user has admin rights on the local machine. How to block uninstallation of SCEP? This is a Microsoft product so, as I guess, if the user has admin rights, he can do whatever he wants. Is there a way to block even the admin from uninstalling SCEP?

And once SCEP is uninstalled, the client doesn't receive a reinstallation of SCEP. It just remains unprotected. Why does SCCM not reevaluate the applied Client Settings and reinstall SCEP? And the status for SCEP is still 'managed' for 2 hours in the CAS server.
Sungpill Han Asked:

Robert (System Admin) Commented:
It should reevaluate the policy. Check your client settings policy and under Endpoint Protection check that "Allow endpoint protection client installation and restarts outside maintenance window." is set to Yes. Also check that the policy is applying to the machine if it is already set.
Sungpill Han (Author) Commented:
Yes and yes. But it takes 30 mins-2 hours to get it back.

I think there is no way to block uninstallation if a user has local admin rights.
Robert (System Admin) Commented:
If the user is an admin there is no way to block the uninstall that I am aware of.

You could hide it from the programs and features list so the user would need to know how to uninstall it via command line.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Locate the System Center install and set the SystemComponent DWORD value to 1 and it should hide from the list.

If the value does not exist create it.

i.e. for my machine (Windows 10):
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client" /v SystemComponent /t REG_DWORD /d 1 /f
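
The registry change from the answer above as a PowerShell function, added here as an example that is not part of the original thread: it searches both the native and WOW6432Node uninstall hives so the key does not have to be located by hand. The function name `Hide-UninstallEntry` and the default DisplayName pattern are assumptions; the key name `Microsoft Security Client` is the one quoted in the answer.

```powershell
# Added example, not from the original thread.
# Assumption: the client registers a DisplayName starting with
# "System Center Endpoint Protection"; adjust the pattern to your clients.
function Hide-UninstallEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayNamePattern = 'System Center Endpoint Protection*'
    )

    # Native view plus the view used by 32-bit installers on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            # Match the key name quoted in the thread, or the DisplayName value.
            $isMatch = ($key.PSChildName -eq 'Microsoft Security Client') -or
                       ($props.DisplayName -like $DisplayNamePattern)
            if (-not $isMatch) { continue }

            if ($PSCmdlet.ShouldProcess($key.Name, 'Set SystemComponent = 1')) {
                # -Force creates the value if it is missing, or overwrites it.
                New-ItemProperty -LiteralPath $key.PSPath -Name SystemComponent `
                    -PropertyType DWord -Value 1 -Force | Out-Null
            }

            # Re-read so the report shows what is actually in the registry.
            $current = (Get-ItemProperty -LiteralPath $key.PSPath).SystemComponent
            [pscustomobject]@{
                Key             = $key.Name
                DisplayName     = $props.DisplayName
                SystemComponent = $current
            }
        }
    }
}

# Preview the matching keys first; rerun without -WhatIf from an elevated session.
Hide-UninstallEntry -WhatIf
```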

Sungpill Han (Author) Commented:
Robert, thank you.