I had provisioned a Windows Server 2012 R2 machine (yes, it is 2012 R2), and while installing the SCEP client (the System Center Endpoint Protection client installation files are picked from current branch 2010), it failed with the following error code.
Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91]
I have tried various command line switches for SCEP client installation but all returned the same error code.
The server was installed with Configuration Manager client 2010 and the server is fully patched.
I have also tried removing the Configuration Manager client and then installing SCEP. No matter what you do, the SCEP client installation always fails.
As per the error message, I rebooted the server and re-ran the installation, but it failed with the same error code again.
To troubleshoot further, I looked at the logs located in C:\ProgramData\Microsoft\Microsoft Security Client\Support and found several files in this folder.
EppSetup.log and MSSecurityClient_Setup_188.8.131.52_epp_Install.log reveal the same information that is shown in the UI.
The following is an excerpt from the MSSecurityClient_Setup log.
setup CA ERROR : CryptCATAdminAddCatalog failed with 1062
NIS setup CA ERROR : InstallNisDriver: InternalInstallCatalog failed with 1603
NIS setup CA INFO : InstallNisDriver completed with error result 1603
CustomAction InstallDriver returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
CryptCATAdminAddCatalog failed with 1062 -> this points to the cryptographic service (cryptsvc), which is missing on the server.
Open cmd on the problematic server and run sc query cryptsvc
The specified service does not exist as an installed service.
How do we get the service running? I have tried registering cryptsvc.dll, which is found in C:\windows\system32\cryptsvc.dll, but it did not help much.
Run sfc /scannow to see whether there are any corrupted files that it can fix, but nothing helped there.
The next attempt was to log in to a Server 2012 R2 machine that had the SCEP client and see whether the cryptographic service exists or not.
The service was found on the working server. So export the registry key for this specific service, import it into the problematic server, and reboot it.
The following is the registry of the service.
Export the registry key, import it into the problematic server, and reboot the server.
After logging in, check whether the cryptographic service exists or not. If it is available, run the SCEP client installation.
The SCEP client installed successfully, and I verified that the agent is communicating with Configuration Manager for policies etc.
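The check, export and import steps above as one PowerShell script (an added example, not part of the original post). The registry path is the standard service configuration key for CryptSvc rather than a value quoted from the post, and the file path, mode names and OS-version guard are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run with -Mode Export on the
# working server, copy both output files, then -Mode Import on the broken one.
param(
    [ValidateSet('Check', 'Export', 'Import')]
    [string]$Mode = 'Check',
    [string]$RegFile = 'C:\Temp\CryptSvc.reg'   # hypothetical path
)

$svcName = 'CryptSvc'
# Standard service configuration key; assumed, not quoted from the post.
$svcKey  = "HKLM\SYSTEM\CurrentControlSet\Services\$svcName"
$osVer   = (Get-CimInstance Win32_OperatingSystem).Version
$svc     = Get-Service -Name $svcName -ErrorAction SilentlyContinue

switch ($Mode) {
    'Check' {
        # Same question "sc query cryptsvc" answers: is the service registered?
        if ($svc) { $svc | Format-List Name, DisplayName, Status }
        else      { Write-Warning "$svcName is not registered on $env:COMPUTERNAME." }
    }
    'Export' {
        if (-not $svc) { throw "$svcName is missing here; use a working server." }
        & reg.exe export $svcKey $RegFile /y
        if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)." }
        # Record the OS version so the import side can refuse a mismatch.
        Set-Content -Path "$RegFile.osver" -Value $osVer
    }
    'Import' {
        if ($svc) { throw "$svcName already exists; nothing to import." }
        $srcVer = (Get-Content -Path "$RegFile.osver" -ErrorAction Stop |
                   Select-Object -First 1).Trim()
        # Only accept a key exported from the same OS version.
        if ($srcVer -ne $osVer) { throw "Export is from OS $srcVer, this server is $osVer." }
        & reg.exe import $RegFile
        if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)." }
        Write-Host "Key imported. Reboot, then re-run with -Mode Check."
    }
}
```

The script does not reboot the server; restart it after the import and run the Check mode before retrying the SCEP installation.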
Hope this helps!