MCAFEE Removal Tools Enduser Line and Corporate Endpoint (GUI or EPO)

Sometimes we have client machines where we can't rollout ENS or VSE even when all is fine. Because some people left over OEM supplied version of Mcafee Enduser products (User tried to Deinstall or update without Local Admin) or because a migration has gone bad because a user closed the laptop LID or lost power during migration. Or user forced off Desktop client. We very rare have such cases since 10 years and the EPO is great solution how it handles MSI Packages and Migration on Clients, Server and Terminal Server. If regular Deployment Solution would work like this?

So here are the two solutions for removing:

  1. Mcafee ENDUSER Products
  2. Mcafee ENS Corporate Version



MCPR (Removes all Enduser products or OEM Supplied version like on HP or DELL)



Sample leftover Enduser products:



MCAFEE Endpoint Product Removal Tool (ENS Corporate)

You can only download that tool if you have a VALID NAI Mcafee Support running

Here is HOW to find in under downloads. Yes you need a manual to download a file ;-(

Choose Enterprise

There is standalone version for Remote Support or a Version which you PUSH out to Problems clients with the EPO with Task Sequence. You can set OPTION in the Deployment JOB if you let it run with EPO.

Some sample Commandline we use with the EPO Push Version to remove stalled single endpoint ENS 10.X > 10.X Migrations

--accepteula --ENS --=600

--accepteula --ENS --noreboot

Server 2016, MDT 2013, W10 1809 6.3.8456.1000 SQL Compact Database

If you don't connect MDT on Server 2016 to an SQL Database it will use SQL Server Compact to store information

You see in MONITOR. You ONLY access the Info from the Compact Edition with SQL Management Studio 2008R2

And NOT the newer Version I have read somewhere. With the SQL Management Studio 2008R2 we

Can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf


You can also access through API Web:





It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.


C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf


To see or view data itself you could use:



GPO, Group Policy, Extra Registry Settings, Display names for some settings cannot be found


GPO error you see in Group Policy Console after you migrated/imported GPO from another domain or location:

Extra Registry Settings:

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.


  1. This is a leftover of some old GPO you migrated over years and want to get rid OFF (Our solution with Powershell)


  1. (Not so good) you are missing certain ADM* files in your Central Policy Store but have the GPO already there (Copied from somewhere). Check this link to understand what we talk about: So this is what the original error says (Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.)



How to solve this for problem 1 above:

Let's assume all is fine and the GPO with the Central Policy Store and you migrated or imported GPO has some old things you would like to get of rid of and maybe someone merged them into newer GPO over the years XP > W7 > W8 > W10 15** > W10 17** > W19 18** etc. (Just some things that dropped out in a new version of W10 as example)

Simple an option that maybe dropped out (Does not exist) in W10 1809 but did before. And you want to use the same GPO as you did in 1709 for another customer.


Error in GPO-console:

Backup the GPO to DISK and shortly verify gpreport.xml and search for the string just to make sure it's in that POLICY you think it is and that all is fine before you correct it.

Here you see the error again in the GPO console:

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.




Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed




























Here is how to exact remove that settings from the existing GPO settings running on your Admin W10 with GPO-Console (RSAT) with Powershell.

Let's start with a sample we want to get rid of:

Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

Step 1

Check if the error is under USER or COMPUTER (SYSTEM) part of GPO.



Add to the Registry String depending where it is:

Sample: Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

After: HKCU\ Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed (If it's a USER Policy)

After: HKLM\ Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed (If it's a COMPUTER Policy)

Step 2

Cut of the last value name and separate

HKLM\ Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

"HKLM\ Software\Policies\Microsoft\Windows Mail"        ManualLaunchAllowed


Sample Powershell would be:

Remove-GPRegistryValue -Name "W10_C_Computer"

-key "HKLM\Software\Policies\Microsoft\Windows Mail"

-ValueName ManualLaunchAllowed


After we have all the info and correct string let's do this sharp:


Powershell Import-Module -Name grouppolicy to load API for GPO

Import-Module -Name grouppolicy

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows Mail" -ValueName ManualLaunchAllowed

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupLauncher

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToDisk

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToNetwork

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToOptical

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableRestoreUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableSystemBackupUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableConfigFlighting

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableExperimentation

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\SideShow" -ValueName Disabled

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\WindowsMediaCenter" -ValueName MediaCenter




KB 4489881 Breaks WDS MDT on Server 2016 PXE boot

To date there are two Social MSDN Threads where people and very und-happy and Microsoft DOES not think it's important

to mention the Problem on their KB Article under Problems. This has just come into our timeline range where

we rollout and MDT/WDS Server for medium sized customer who has no Enterprise Agreement and thus no SCCM.

Manage over 15 WSUS servers for SBS to Enterprise but has no info in that direction. (Not mentioned on MS/TechNet or Ask Woody which we mostly consult for good info)


Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"


Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.

Vcenter, VMware ESX 6.5 unable to upload file to Datastore with IE, EDGE or Firefox

Solution for Internet Explorer/Edge and Firefox.

You are unable to upload (Submit) an ISO File to an VMware ESX VSphere (VCENTER) 6.5 Server and you are

new to the web based version of the VMware. OR you can upload and it starts and you get the error

The operation failed for an undetermined reason.


  1. The Option on the right side DOES NOT appear because you use a SELF Signed Certificate or the Server can't reach the Internet (WAN)
  2. You can upload and it fails with The operation failed for an undetermined reason


Here is how to fix that quick and official with details and remove the RED Browser bar.

Solution will look like this:


Install the Root Certificate from the VMWARE Server:

Go to the begging / Start / Root of the Vcenter Server like

You will see this default screen, Download the Cert "CA-Root-Certificate" to Disk from the webserver.

Unpack the Cert ZIP (If not ZIP rename to ZIP)

Right click on the first TEO (Not the Certificate Revocation List IF the Server has Internet Access!)

Do this for the first two Security Certificate Files

Close the Browser and reopen the access page to Vcenter

If you use Firefox import the two certs