Hi everybody,
I have a very unusual request: I NEED HELP ;) I have been working on this problem unsuccessfully for two weeks already.
My goal is a functioning SCCM 2012 SP1 (CU1 installed yesterday).
OS Platform: Windows Server 2008 R2 Enterprise SP1
Client OS: Windows 7 Enterprise
SCCM client version: 5.00.7804.1000, yesterday upgraded to 5.00.7804.1202 with CU1
SCEP (Antimalware Client) Version: 4.2.223.0
History. What I did:
- Installed SCCM 2012 (single site, three servers);
- Configured it;
- Upgraded to SP1 (the SCCM clients also changed their version to 5.00.7804.1000);
Two important / problematic things for me are:
- SCEP: antimalware policy doesn't work
- SCCM client: the WMI subsystem periodically breaks.
I don't think that these two problems are related to each other, so I have separated them into two different threads. Here I'll describe the SCEP problem.
---------------------
SCEP.
It was successfully installed (through SCCM policy) and it is working - scanning the client, reporting to the server. The problem is that the SCEP "Default Client Antimalware Policy" doesn't affect the SCEP client.
What I found:
- I changed "Default Client Antimalware Policy" (e.g. changed scanning time to: full scan on Friday 1PM and "Microsoft Active Protection Service" - to "Basic membership")
- I see that C:\Windows\CCM\EPAMPolicy.xml is regenerated. I compared it to the previous version and I see that the settings from the antimalware policy arrived there. IT WORKS.
- Registry: HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy: all values are set to "2". In this case I have only the default antimalware policy, but if I set up an additional custom antimalware policy, I see it here also. So, IT WORKS.
- Client log file "EndpointProtectionAgent.log". I see the command "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml" and later there is the status "applied … successfully". I even tried to launch this command manually (both with the double slash and without it). IT WORKS. I have inserted an excerpt from this log file at the bottom.
- I look at the SCEP client interface. The settings are not changed. Before reboot, after reboot. After one minute, one hour, one day... IT DOESN'T WORK.
What am I missing??
What I did additionally:
- I found that after upgrade to SP1 Antimalware policies should be recreated. I recreated them.
- I changed "custom device settings" in SCCM: "Manage Endpoint protection client on client computers" to "No", uninstalled the SCEP clients manually, changed this setting to "Yes" again and waited for the SCEP reinstallation;
- I installed all Windows critical and security updates, and all Office critical and security updates;
- I installed:
  - SCCM server: KB2828233
  - SCCM server: SCCM SP1 cumulative update (KB2817245) (including the database upgrade and the SCCM client upgrade). That was yesterday, but it doesn't seem to me that it helped.
What is a little bit strange for me is that EndpointProtectionAgent.log writes:
State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash 5A5FA4F7C17A202B0805794FA754FA7F37B8AA84 is NOT changed
I would think that if the antimalware policy is changed, the hash should also change... But I'm not sure...
----------------
Additional info:
Excerpt from EndpointProtectionAgent.log immediately after changing the antimalware policy (the setting "Microsoft Active Protection Service" = "Basic membership" was changed):
<![LOG[Endpoint is triggered by WMI notification.]LOG]!><time="12:42:39.804-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="fepsettingendpoint.cpp:154">
<![LOG[File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.2.223.0.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:519">
<![LOG[EP version 4.2.223.1 is already installed.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:232">
<![LOG[EP 4.2.223.1 is installed, version is higher than expected installer version 4.2.223.0.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:265">
<![LOG[Handle EP AM policy.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="fepsettingendpoint.cpp:183">
<![LOG[Apply AM Policy.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:1192">
<![LOG[Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml".]LOG]!><time="12:42:40.036-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:607">
<![LOG[Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully.]LOG]!><time="12:42:43.672-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:659">
<![LOG[Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState]LOG]!><time="12:42:43.690-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:267">
<![LOG[State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash 5A5FA4F7C17A202B0805794FA754FA7F37B8AA84 is NOT changed.]LOG]!><time="12:42:43.690-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:339">
<![LOG[Skip sending state message due to same state message already exists.]LOG]!><time="12:42:43.788-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:1239">
<![LOG[Firewall provider is installed.]LOG]!><time="12:42:43.818-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:779">
<![LOG[Installed firewall provider meet the requirements.]LOG]!><time="12:42:43.818-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:800">
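As an added example for this thread (not code from ConfigMgr, the Endpoint Protection client, or the poster), the parser below reads the CMTrace record format that EndpointProtectionAgent.log uses (`<![LOG[message]LOG]!><time=... date=... component=... type=... file=...>`) and condenses one policy-application pass into a small report: which XML was handed to ConfigSecurityPolicy.exe, whether the agent logged success, the policy state it wrote to the registry, the GroupResolveResultHash line with its "NOT changed" flag, and any warning/error records. The message patterns are lifted from the excerpt above; the field and function names are my own. The sample input is the post's own excerpt, including one record wrapped across two lines as it appears there.

```python
"""Parse CMTrace-format log records (the format of EndpointProtectionAgent.log) and
summarise what the EP agent recorded about an antimalware policy application.
Added example for this thread, not part of ConfigMgr or the Endpoint Protection client."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# One CMTrace record: <![LOG[message]LOG]!><time="HH:MM:SS.mmm<tz bias>" date="MM-DD-YYYY"
# component="..." context="" type="1|2|3" thread="..." file="...">.  A record that was
# wrapped onto two lines is still one match because [^>]* spans newlines.
RECORD_RE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Message patterns taken from the excerpt in the post; the report field names are my own.
CMDLINE_RE = re.compile(r'ConfigSecurityPolicy\.exe"\s+"(?P<xml>[^"]+)"')
APPLIED_RE = re.compile(r"Applied the (?P<xml>\S+) with ConfigSecurityPolicy\.exe successfully")
STATE_RE = re.compile(r"Save new policy state (?P<state>\d+) to registry")
HASH_RE = re.compile(r"GroupResolveResultHash (?P<hash>[0-9A-Fa-f]+) is (?P<not>NOT )?changed")


@dataclass
class LogEntry:
    timestamp: datetime
    component: str
    severity: int        # CMTrace "type": 1 = info, 2 = warning, 3 = error
    thread: str
    source: str          # the file="..." attribute (agent source file:line)
    message: str


@dataclass
class AmPolicyApplyReport:
    policy_xml: Optional[str] = None      # XML path handed to ConfigSecurityPolicy.exe
    applied_ok: bool = False              # "Applied ... successfully" was logged
    policy_state: Optional[int] = None    # value saved to EPAgent\PolicyApplicationState
    group_hash: Optional[str] = None      # GroupResolveResultHash from the state-message line
    hash_changed: Optional[bool] = None   # None if no hash line was seen
    state_message_skipped: bool = False   # "Skip sending state message" was logged
    problems: List[str] = field(default_factory=list)  # warning/error records, if any


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Return every CMTrace record in text, in file order."""
    entries = []
    for m in RECORD_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        # The time attribute ends with a time-zone bias in minutes ("12:42:39.974-180");
        # strip it so only the wall-clock part is parsed.
        clock = re.sub(r"[+-]\d+$", "", attrs["time"])
        ts = datetime.strptime(f'{attrs["date"]} {clock}', "%m-%d-%Y %H:%M:%S.%f")
        entries.append(LogEntry(ts, attrs.get("component", ""), int(attrs.get("type", "1")),
                                attrs.get("thread", ""), attrs.get("file", ""),
                                m.group("msg").strip()))
    return entries


def assess_am_policy_apply(entries: List[LogEntry]) -> AmPolicyApplyReport:
    """Collect what the agent said about the last policy application into one report."""
    report = AmPolicyApplyReport()
    for e in entries:
        if e.severity >= 2:
            report.problems.append(f"{e.timestamp:%H:%M:%S} [{e.source}] {e.message}")
        if m := CMDLINE_RE.search(e.message):
            report.policy_xml = m.group("xml")
        elif APPLIED_RE.search(e.message):
            report.applied_ok = True
        elif m := STATE_RE.search(e.message):
            report.policy_state = int(m.group("state"))
        elif m := HASH_RE.search(e.message):
            report.group_hash = m.group("hash").upper()
            report.hash_changed = m.group("not") is None
        elif "Skip sending state message" in e.message:
            report.state_message_skipped = True
    return report


# Records copied from the excerpt in the post (one of them wrapped across two lines, as there).
SAMPLE_LOG = r'''
<![LOG[Apply AM Policy.]LOG]!><time="12:42:39.974-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:1192">
<![LOG[Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml".]LOG]!><time="12:42:40.036-180" date="05-27-2013" component="EndpointProtectionAgent"
context="" type="1" thread="2592" file="epagentutil.cpp:607">
<![LOG[Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully.]LOG]!><time="12:42:43.672-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:659">
<![LOG[Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState]LOG]!><time="12:42:43.690-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:267">
<![LOG[State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash 5A5FA4F7C17A202B0805794FA754FA7F37B8AA84 is NOT changed.]LOG]!><time="12:42:43.690-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentimpl.cpp:339">
<![LOG[Skip sending state message due to same state message already exists.]LOG]!><time="12:42:43.788-180" date="05-27-2013" component="EndpointProtectionAgent" context="" type="1" thread="2592" file="epagentutil.cpp:1239">
'''

if __name__ == "__main__":
    print(assess_am_policy_apply(parse_cmtrace(SAMPLE_LOG)))
```

The report keeps the agent's own apply result (the ConfigSecurityPolicy.exe command and its "successfully" line) separate from the state-message bookkeeping (the hash line and the "Skip sending state message" record), so the two are not read as one fact: on the excerpt it returns applied_ok = True, policy_state = 1, hash_changed = False and no warning or error records. Whether that hash is expected to change when only the policy contents change is the question the post raises; the parser only surfaces it next to the apply result so the two can be compared across several log passes.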