CSE & Cloud Client Random Uninstall - PPLM Appx Deployment Occurring

Hi,

We are having an issue where random Windows 11 machines are suddenly removing PolicyPak Client 25.10.

We deploy the client and CSE through our image build and then use SCCM to update older clients and deploy newer versions.

I have started to notice a trend of an AppX deployment occurring 9 seconds before the uninstall occurs.

This is the event that occurs before PolicyPak gets removed:


The description for Event ID 2562 from source Microsoft-Windows-AppXDeploymentServer/Operational cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

MSIXDeployment
windows.applicationData
DeleteMachineFolder
Package PPLPMSparsePackage_1.0.0.0_neutral__05s3eg55kmnew removed machine folder C:\ProgramData\Microsoft\Windows\AppRepository\Families\ApplicationData\PPLPMSparsePackage_05s3eg55kmnew: The system cannot find the path specified.

Has anyone experienced this before?

So.. A few things: Are you cloning the machine and then joining them (clones) to PPcloud? If yes, it could be detected as a dupe and then uninstalling.

You can check the PolicyPak Cloud Immutable / Customer log and look for uninstallation details. https://youtu.be/YMJSE16Bu6I (the link on docs.netwrix.com is broken; sorry.)

Then also: Make sure you’re using LATEST Cloud and LATEST PP CSE.. if you do find a bug we can’t go backward and fix it so getting logs ( What must I send to Endpoint Policy Manager support in order to get the FASTEST support? | Netwrix Product Documentation ) with support will only be useful with the LATEST versions of both.

Start there with these three tips before we continue; but since this seems specific to you and not some general well-known or “How do I use PP” question, this is likely best served in support.

We are using Strict Mode in our environment. Machines get added as part of our image build; we have a job at the end that will install the CSE then Client and put it into a container.
How would we know it gets detected as a dupe?

The immutable log should show something. But flip it to LOOSE and see what happens for a while.. $1 bet says this likely fixes your issue.

Thanks. So Strict Mode - Register the computer as new device when it re-joins PolicyPak. Loose Mode - Will keep the machine in its original container so when re-installed it will go back into that original container. I get that and not sure that helps us at all with the random nuke\uninstall.

When we install PolicyPak we have a PowerShell script that essentially says if you’re in US\Europe\Asia - go to this container - which works absolutely fine. The machine sits in the Parent Container and then Child Container (US\Europe\Asia).

The issue we are having, and I can see from the logs on two machines - random uninstalls of the 25.10 client. The machine gets nuked but fails to re-install from the event logs. I have no idea as to why it’s wanting to reinstall the same client that already exists - as mentioned, a bunch of AppX deployment logs mention PPLPM Sparse Package then uninstall commences, tries to re-configure the product I think but then fails.

So changing from strict > loose - not sure why that would even help? Once the machine is uninstalled…. it’s no longer part of PP? Unless I’m missing something here?

Essentially we should never randomly see a random uninstall\install - we are trying to control the deployment and updates ourselves.

Going back to the containers in our environment, we have a parent container, then three child containers. We want to manage the update of PP ourselves as we are not fully confident on the auto-update right now. It’s set to below for the moment… whilst we try to get everyone to 25.10..

Can that cause any issue? Or should we turn this to not configured?

Netwrix EPM CSE Version > 24.12.4121
Netwrix EPM Cloud Client Version > 25.2.4188.482

It would be nice if we can turn not-configured across every group including ‘ALL’ as that seems to inherit down I believe.

In the immutable log I do not see much as to why the machine left apart from action details:

Computer Name: PGHLJEHAZLEW036.reedsmith.com
{
"Computer System Product Uuid":" 4C4C4544-004C-3010-804D-C3C04F314234","Computer MAC Addresses":
["00:A0:C6:00:00:71",
"E8:CF:83:B4:C5:95"]

Okay. If Loose doesn’t change it and you’re not seeing anything in the immutable log about uninstallation.. then you must please use the latest cloud and latest CSE and then when it happens grab logs and contact support for analysis.

Also I didn’t answer your inheritance question; in summary if your CHILD group is GREATER than the ALL group, your CHILD group wins.

Therefore, for testing with support, ensure the latest versions are being applied to a group so we’re not chasing some older version’s bits… Hope that works.. Thanks !

Actually.. I might have given you wrong advice. Better would be Advanced/ Always register….

If the machine(s) have VMware Workstation on them, we’ve found that their extra MAC addresses can rip out the installations because the second installation is being detected as a duplicate. This would maybe work around it…

Thanks Jeremy. Discussed this with some of your colleagues and so far this seems to be a lot better.

Out of curiosity… would you be able to tell me if these computers which magically “fell off” also had VMware Workstation or something similar on them where they would appear to have multiple physical NICs when in reality some of those NICs (with MAC addresses) are really virtual?

These are Windows 11 endpoints with Global Protect. I think the issue is the same ‘MAC address’ that Global Protect provides. That is used throughout the firm and apparently when one joins another machine unregisters… however I never really added that up because we would then only have half the machines showing in our portal. Either way it seems to have stopped that ‘random’ uninstall.

This is assuredly the same issue.

Please run:

Get-CimInstance -Query "SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter = True AND NetConnectionStatus = 2" | Select-Object Description, MACAddress

On a few affected machines… I think you’ll see that these logical adapters are presenting as “Physical adapters”… and throwing us off.

Then on a non-affected machine.. if there is one… see if you get different results.

I don’t need to see the results.. but guessing it looks something like this:

We are all using the same GP MAC address > 02:50:41:00:00:01

There is a global one for everyone
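
The adapter check discussed in this thread, extended to a small inventory, as an added example that is not part of the original posts and is not Netwrix code. It flags MAC addresses that are locally administered (bit 0x02 of the first octet, as in 02:50:41:00:00:01) or that are reported by more than one computer. The function names, host names and adapter descriptions are hypothetical, and the sample inventory is constructed.

```powershell
# Added example. Flags MACs that are poor machine identifiers:
# locally administered addresses and addresses seen on several computers.

function Test-LocallyAdministeredMac {
    param([Parameter(Mandatory)][string]$MacAddress)
    # The 0x02 bit of the first octet marks a locally administered address,
    # which software (VPN clients, hypervisors) is free to assign.
    $firstOctet = [Convert]::ToByte(($MacAddress -split '[:-]')[0], 16)
    return ($firstOctet -band 0x02) -ne 0
}

function Find-SuspectMac {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory | Group-Object MACAddress | ForEach-Object {
        $computers = @($_.Group.ComputerName | Sort-Object -Unique)
        $isLocal   = Test-LocallyAdministeredMac -MacAddress $_.Name
        if ($isLocal -or $computers.Count -gt 1) {
            [pscustomobject]@{
                MACAddress          = $_.Name
                Description         = $_.Group.Description | Select-Object -First 1
                LocallyAdministered = $isLocal
                ComputerCount       = $computers.Count
                Computers           = $computers -join ', '
            }
        }
    }
}

# Constructed sample inventory. Only 02:50:41:00:00:01 comes from the thread;
# the 00:00:5E:00:53:xx values are from the documentation MAC range.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-A'; Description = 'Wired NIC (constructed)';   MACAddress = '00:00:5E:00:53:0A' }
    [pscustomobject]@{ ComputerName = 'PC-A'; Description = 'VPN adapter (constructed)'; MACAddress = '02:50:41:00:00:01' }
    [pscustomobject]@{ ComputerName = 'PC-B'; Description = 'Wired NIC (constructed)';   MACAddress = '00:00:5E:00:53:0B' }
    [pscustomobject]@{ ComputerName = 'PC-B'; Description = 'VPN adapter (constructed)'; MACAddress = '02:50:41:00:00:01' }
)
Find-SuspectMac -Inventory $sample | Format-Table -AutoSize

# On a live machine, feed in the query from the thread instead:
# $live = Get-CimInstance -Query "SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter = True AND NetConnectionStatus = 2" |
#     Select-Object @{ n = 'ComputerName'; e = { $env:COMPUTERNAME } }, Description, MACAddress
# Find-SuspectMac -Inventory $live
```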