Endpoint Remediation Baseline

Hi,
I would like some assistance,
I have an ADR for endpoint protection configured that works about 90% on all the devices I am managing.
I would like assistance with a Configuration Baseline that tackles the rest of the Devices,
Here is my Discovery Script for the age,
Get-WmiObject -namespace Root\Microsoft\SecurityClient -class AntimalwareHealthStatus | Select AntivirusSignatureAge
which should get the Age of how old the Definitions are like and are compliant
AntivirusSignatureAge : 0
but somehow it doesn't pick up the Integer value,
Can you assist me as it seems not to pick up the integer value.

Ok I Got it now
Created it into a Variable and then got the integer
Final Result of the Script was this that worked for my discovery
$GWIM = Get-WmiObject -namespace Root\Microsoft\SecurityClient -class AntimalwareHealthStatus | Select AntivirusSignatureAge
$GWIM.AntivirusSignatureAge
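
The first attempt returned no integer because `Select AntivirusSignatureAge` emits an object wrapping the property, while a script-type setting with data type Integer expects the bare number on the output stream. The discovery script below is an added example, not code from the original posts; the function name and the sentinel value 9999 are assumptions, and it also covers the case where the SecurityClient namespace cannot be queried.

```powershell
# Added example: discovery script for a script-type setting with data type Integer.
# Windows PowerShell only (Get-WmiObject is not available in PowerShell 7).

$UnknownAge = 9999   # assumed sentinel: any value above the rule's threshold

function Get-SignatureAge {
    try {
        # -ErrorAction Stop turns a missing namespace or class into a catchable error
        $status = Get-WmiObject -Namespace 'Root\Microsoft\SecurityClient' `
                                -Class AntimalwareHealthStatus -ErrorAction Stop
    }
    catch {
        # Endpoint Protection client absent or WMI broken: report as out of date
        return $UnknownAge
    }

    # Property access yields the bare value; Select-Object without
    # -ExpandProperty would yield an object wrapping it instead.
    $ages = @($status |
        Where-Object { $null -ne $_.AntivirusSignatureAge } |
        ForEach-Object { [int]$_.AntivirusSignatureAge })

    if ($ages.Count -eq 0) { return $UnknownAge }

    # Normally there is one instance; if there are several, take the oldest
    return [int]($ages | Measure-Object -Maximum).Maximum
}

# The only thing written to the output stream is a single integer,
# which the compliance rule can then compare against its threshold.
Get-SignatureAge
```

Returning the sentinel instead of nothing means a device whose Endpoint Protection client is missing or unreadable is evaluated as non-compliant rather than dropping out of the baseline results.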

Similar Messages

  • SCEP2012 Remediation status unknown

    Hi
    In my scenario, we have more than 2000 servers installed with SCEP 2012, and for most of the servers the report shows "Active client is at risk status"; further, if I go inside that report, under the Endpoint Remediation protection tab it shows Endpoint protection status: unknown. I don't know what the exact issue was; can anyone help me with this?
    Thyag

    Hi
    Also this one missed in previous thread
    Failed to get the wmi query result for error = 80010105 ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Sent 0 state messages successfully and skipped 0 input entries. ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Send State Message finished. ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Failed to get the wmi query result for error = 800106F7 ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Sent 0 state messages successfully and skipped 0 input entries. ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Send State Message finished. ExternalEventAgent 26-03-2015 01:39:28 280 (0x0118)
    Sent 0 state messages successfully and skipped 0 input entries. ExternalEventAgent 26-03-2015 01:39:29 280 (0x0118)
    Send State Message finished. ExternalEventAgent 26-03-2015 01:39:29 280 (0x0118)
    CExternalEventEndpoint::HandleMessage. ExternalEventAgent 26-03-2015 04:45:00 300 (0x012C)
    Start to execute action for hint TestAndEnableEndpointNotification ExternalEventAgent 26-03-2015 04:45:00 300 (0x012C)
    Start to test and renew notification for group: EndpointProtection ExternalEventAgent 26-03-2015 04:45:00 300 (0x012C)
    Thyag

  • Remediation Script does not work for Compliance Settings Configuration Item / Baseline

    Hello Everyone,
    I've created a script to check the NetBIOS over TCP/IP state on the NICs, and if it is Enabled (Non-compliant) it should run the remediation script to Disable it (Compliant). The script identifies correctly whether it is compliant or not, but when it's not compliant the remediation script doesn't kick in.
    Discovery script:
    $adapter=(gwmi win32_networkadapterconfiguration | where {$_.ipenabled -eq "1"})
    Foreach ($nic in $adapter) {
        # Quoted so that "->" is printed as text instead of being parsed as a redirection
        write-host "NetBIOS Options is now -> $($nic.TcpIPNetBiosOptions)"
    }
    Remediation Script:
    $adapter=(gwmi win32_networkadapterconfiguration | where {$_.ipenabled -eq "1"})
    Foreach ($nic in $adapter) {
        $adapter.settcpipnetbios(1)
    }
    Any clue why this is happening and how can it be fixed?
    Thank you all in advance.

    Hi,
    Please add a line to create an event in the Application log of the computer to check if remediation has been performed.
    SCCM 2012 Compliance – Auto Remediation
    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
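
A discovery and remediation pair for the NetBIOS check discussed in this thread, as an added example that is not code from either poster. In `Win32_NetworkAdapterConfiguration`, `SetTcpipNetbios(2)` disables NetBIOS over TCP/IP while `1` enables it, and the method has to be called on each adapter rather than on the collection; the event source name and event ID are hypothetical.

```powershell
# Added example. TcpipNetbiosOptions / SetTcpipNetbios values:
#   0 = use the DHCP setting, 1 = enable NetBIOS, 2 = disable NetBIOS
$NetbiosDisabled = 2
$EventSource = 'CI-NetBIOS-Remediation'   # hypothetical event source name

function Get-IpEnabledAdapter {
    # @() keeps the result an array even when only one NIC matches
    @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
}

# --- Discovery script body: emit one string for the compliance rule to compare ---
function Test-NetbiosCompliance {
    param([object[]]$Adapters)
    $enabled = @($Adapters | Where-Object { $_.TcpipNetbiosOptions -ne $NetbiosDisabled })
    if ($enabled.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
}

# --- Remediation script body ---
function Disable-Netbios {
    param([object[]]$Adapters)
    # Register the event source once so the remediation run leaves a trace
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    foreach ($nic in $Adapters) {
        if ($nic.TcpipNetbiosOptions -eq $NetbiosDisabled) { continue }
        # Call the method on the single adapter ($nic), not on the collection
        $rc = $nic.SetTcpipNetbios($NetbiosDisabled).ReturnValue
        # 0 = success, 1 = success but a reboot is required
        $ok = ($rc -eq 0) -or ($rc -eq 1)
        $entryType = if ($ok) { 'Information' } else { 'Warning' }
        Write-EventLog -LogName Application -Source $EventSource -EventId 1000 `
            -EntryType $entryType `
            -Message "SetTcpipNetbios(2) on '$($nic.Description)' returned $rc"
    }
}

# The discovery script ends with this call; the remediation script instead ends with
#   Disable-Netbios -Adapters (Get-IpEnabledAdapter)
Test-NetbiosCompliance -Adapters (Get-IpEnabledAdapter)
```

The remediation script only runs when remediation is enabled both on the compliance rule and on the baseline deployment, so check both settings before debugging the script itself.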

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We are having ISE ver 1.1.1 and are currently on PoC. I have the following points to be clarified for Posture and Remediation.
    1) How to configure a condition to check the Windows Service Pack (maybe more than one Windows flavor, such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find the place to configure how to remediate in case the client does not have the proper version and AV definition on his PC.
    3) We have an Authorization profile configured with dACL "Posture Remediation" where we are allowing the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect"; we want to know the exact purpose of these two ACLs.
    4) Where can we see the logs for non-compliant clients and find out the reason for non-compliance?
    Appreciate if someone can please give us a proper document to achieve the above task or send me any working scenario configuration steps.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS remediation configuration, check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

  • Automatic Antivirus Remediation in Posture

    Hi All,
    I have configured ISE (1.2) to check Antivirus Installation on endpoints and it is working flawlessly.
    Now, the client wants,
    1) If Antivirus is not updated on endpoint for more than 5 days; it should be considered as "non-compliant" and as a remediation action; updates should be downloaded automatically.
    --> I configured AV Remediation action.
    Now, the problem is when endpoint gets categorized as non-compliant, ideally AV updates should get downloaded on endpoint as a remediation action. But AV updates are not getting downloaded.
    Please help me in solving this problem..
    Thanks in advance,
    Aditya

    Adding an Antivirus Remediation
    You can create an antivirus remediation, which updates clients with up-to-date file definitions for compliance after remediation.
    The AV Remediations page displays all the antivirus remediations along with their name and description and their modes of remediation.
    Step 1 Choose Policy > Policy Elements > Results > Posture.
    Step 2 Click Remediation Actions.
    Step 3 Click AV Remediation.
    Step 4 Click Add.
    Step 5 Modify the values in the New AV Remediation page.
    Step 6 Click Submit.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html#pgfId-1924006
    Antivirus Remediation
    The following table describes the fields in the AV Remediation page. The navigation path is Policy > Policy Elements > Results > Posture > Remediation Actions > AV Remediation.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ui_reference_policy.html#23739
    Table C-23 Antivirus Remediation (Field: Usage Guidelines)
    Name: Enter a name for the antivirus remediation.
    Description: Enter a description for the antivirus remediation.
    Remediation Type: Choose one of the following:
        • Automatic: when selected, you should enter values for the Interval and Retry Count.
        • Manual: when selected, Retry Count and Interval fields are not editable.
    Interval (in seconds): Enter the time interval in seconds that clients can try to remediate after previous attempts.
    Retry Count: Enter the number of attempts that clients can try to update an antivirus definition.
    Operating System: Choose one of the following:
        • Windows
        • Macintosh: when selected, Remediation Type, Interval, and Retry Count fields are not editable.
    AV Vendor Name: Choose the antivirus vendor.

  • Require password settings on mobile devices remediation failed

    Hello,
    I'm having an issue with 2012R2 Cfg Mgr and Intune.
    I have a managed Android 4.1 device.
    I'm trying to enforce "Require password setting on mobile devices" with a baseline config.
    Config Manager is reporting on my device "Remediation failed" 0x87D1FDE8.
    Is there anything I've done incorrectly? Perhaps not supported?
    Cheers.

    I've got password policy to apply just fine on Android. Verify that you actually waited long enough for the device to process policy; see this guide explaining the steps I took. Initially you might see the Remediation Failed message, but wait at least a day to see how that pans out. Alternatively, change your CB deployment to just monitor instead of remediate and troubleshoot it that way.
    Step by Step Configuration Manager Guides >
    2012 Guides |
    2007 Guides | I'm on Twitter > ncbrady

  • ADR Rules Hits 60% updates for Endpoint Protection

    Hi,
    I have an ADR rule that is working correctly; the only thing is that it's not hitting all the servers for the updates of the AV. I have about a 60% success rate.
    I have checked my policies and everything is the same. I have some servers in the same collection not updating the AV, and they have the exact same policies and are in the same site, controlled by the same Management Point and Distribution Point, in the same domain.
    Can you assist me in telling me where to check what is blocking the updates? My ADR rules are running fine, with no errors in the ruleengine.log. I seem to constantly fix this issue and can't find the cause.
    any assistance will do.

    I am still having issues with this,
    I did not see anything in the logs; all say the new updates were downloaded and installed, but it doesn't reflect on the Endpoint Console on the host even after reboots. I am now using a Remediation script to keep them updated.
    As it looks like the normal ADR is failing me, but gives me time to still investigate now with the Remediation.

  • NAC Agent 4.9 issue while remediation with in ISE

    We have installed NAC Agent 4.9, and we have configured a posture policy for Symantec Endpoint Protection version 11.x in ISE 1.1.1. When an end user falls into remediation and tries to remediate to collect the latest antivirus definitions from the local antivirus, clicking on the update button gives a message stating
    "The Remediation you are attempting is reporting an access denied error.  This is usually due to a privileg issue.  Please contact your system administrator"
    It continuously shows that prompt and gives that privilege message.
    Do we need to have administrator rights for remediation? This prompt appears again and again until the remediation timer expires, and then the client falls into the Non-compliant (Restricted) profile.
    Please find attached screen shots for the same

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • Automatic AV Remediation

    We're working with Cisco ISE 1.3.0.876 and NAC Agent with posture policies and we need a remediation that automatically send to the Symantec Endpoint Protection server that's locally. How can we do that?

    We're running the version 12.1.4. Can I do a file remediation to the antivirus files? Why Cisco ISE only permits 50MB to upload files?

  • Remediation status is not updated

    Hi,
    I have a SCCM 2012 R2 CU3 installation where I use Endpoint Protection on the clients.
    My problem is that when I run the report "Infected Computers" I see a list of the computers that are/were infected, but the report shows the value "None" in the "Remediation status" field for a lot of the computers even though the computers have been cleaned successfully.
    If I look at the computer object in the SCCM console there is also listed None as the Remediation status.
    How come that the status is not correct? How is the remediation status reported/calculated?
    I can see that the report gets it information from the "ComputerStatus" field of the "v_GS_AntimalwareInfectionStatus" view.
    Any help would be appreciated.
    Thomas Forsmark Soerensen

    Hi,
    Could you please upload a screenshot of your issue?
    What's the Infection Status in the "Infected Computers" report?
    You could also try to run the other endpoint protection reports to see if you can get more information.
    Please make sure that you have chosen the correct collection in the console when checking Malware Remediation Status.
    Best Regards,
    Joyce

  • Non-Persistent VDI's stuck in Remediation Status pending in SCEP

    Currently have 2 VDI's stuck in a remediation state - pending. The action required states Endpoint Protection Pending Reboot.
    Since these are non-persistent devices the virus has been removed after a restart as they are back to a clean image however SCCM/SCEP does not seem to recognise the restart state. 
    How can I clear this so that the clients report back as remediated? Note I have run a full scan and restarted the devices.
    Cheers
    Paul | sccmentor.wordpress.com

    Hi,
    Please examine ExternalEventAgent.log on the client to see whether the state messages have been forwarded successfully.
    And check EPCtrlMgr.log on the site system server that records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
    Best Regards,
    Joyce Li

  • Error for baseline read of CAS record store

    From time to time I get the following SOAPFaultException when trying to do a baseline read of a CAS recordstore. The component manager shows the recordstore is running. Partial updates are able to do delta reads. However baseline processes can not do a baseline read. So far the only way around this is to delete the recordstore, re-create it, and then perform a full crawl to populate it. Any ideas on what may be causing this, or a more graceful way to handle?
    FATAL javax.xml.ws.soap.SOAPFaultException: Fault occurred while processing. (BaseCmd)
    com.endeca.itl.cmd.TaskExecutionException: javax.xml.ws.soap.SOAPFaultException: Fault occurred while processing.
            at com.endeca.itl.recordstore.cmd.task.TransactionalTask.processAutoCommit(TransactionalTask.java:49)
            at com.endeca.itl.recordstore.cmd.task.TransactionalTask.process(TransactionalTask.java:21)
            at com.endeca.itl.cmd.BaseCmd.run(BaseCmd.java:417)
            at com.endeca.itl.recordstore.cmd.RecordStoreCmd.main(RecordStoreCmd.java:111)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Fault occurred while processing.
            at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
            at $Proxy59.startBaselineRead(Unknown Source)
            at com.endeca.itl.recordstore.RecordStoreReader.createBaselineReader(RecordStoreReader.java:55)
            at com.endeca.itl.recordstore.cmd.task.ReadBaselineTask.processTask(ReadBaselineTask.java:31)
            at com.endeca.itl.recordstore.cmd.task.TransactionalTask.processAutoCommit(TransactionalTask.java:36)
            ... 3 more
    Caused by: org.apache.cxf.binding.soap.SoapFault: Fault occurred while processing.
            at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
            at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
            at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
            at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
            at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
            at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
            at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1667)
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1520)
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1428)
            at org.apache.cxf.io.AbstractWrappedOutputStream.close(AbstractWrappedOutputStream.java:72)
            at org.apache.cxf.io.AbstractThresholdOutputStream.close(AbstractThresholdOutputStream.java:102)
            at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
            at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
            at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
            at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
            at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
            at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
            ... 7 more

    Bug 13458343 is fixed in version 11.2.1.
    Please try it ... change the version 11.1 for 11.2 and post your results

  • Nac Agent do not execute remediation

    Hi to all,
    In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
    My problem is with auto-remediation and manual remediation: the client gets temporary access but does not start the LiveUpdate program (I use Symantec Endpoint Protection 11).
    I have admin rights on both PCs.
    How can I solve the problem?
    Thanks for help

    There is not automatic remediation for all products. You must launch the endpoint protection, click live-update, then re-scan on the NAC agent and you will pass.
    Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
    "Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
    If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
    Hope that helps, rate if it does.
    Cheers,
    Tim

  • Nac remediation failed

    Hi All,
    Anyone encountered this issue. Recently upgraded to 4.9. Using L2 OOB wireless. Symantec endpoint protection ver 11, virus definition is out of date, when user clicked repair, takes a long time to remediate and then gave a failed error. "The remediation you are attempting had a failure. If the problem persist contact the system admin"
    Traffic control is allowing update in temporary role, and there's no blocking from quarantine vlan to symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too, and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as the antivirus server, and when the NAC Agent calls Symantec LiveUpdate to perform the repair, users get updates from the Internet and not from the antivirus server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani

  • ISE posture requirement to check if endpoint's USB port is disabled

    Hi,
    I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
    Appreciate your input.
    Mike

    If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
    Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
    You would have to create a New Posture Condition and Remediations.
    The condition that I will use in this example is a Registry Key.
    If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
    So set a Posture Condition:
    Click Policy > Policy Elements > Conditions
    Choose Posture from the left menu:
    Then choose Registry Condition from the left menu.
    Click +Add to add a new Posture Condition:
    Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
    Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
    +Add to add a new Link Remediation:
    Then choose Requirements from the left menu and create a new Remediation Result:
    Of course, you can choose different remediations as necessary for your environment.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
