Troubleshooting OMS Security Real Time Protection Status – Part 1
In some circumstances, IT administrators may face issues when monitoring real-time protection status using the OMS Security and Audit dashboard. In this troubleshooting scenario, a Windows Server 2012 computer with Microsoft System Center Endpoint Protection installed and Real Time Protection enabled is reported in the OMS console as not having real-time protection enabled. Although the steps that follow use a Windows Server 2012 computer as an example, this issue may also occur on Windows Server 2008 or Windows 7 SP1.
Cause
Microsoft System Center Endpoint Protection is detected, but ProtectionStatusRank is equal to 270 (No Real Time Protection), as shown below:
Troubleshooting steps
- Verify that all monitors are enabled; see the example below:
- Notice that "Behavior Monitor" is disabled; this is the reason for the 270 rank.
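A scripted version of this check, as an added example that is not from the original post: it lists the real-time protection monitors that are reported as off. It assumes the status object comes from the SCEP provider's `Get-MProtComputerStatus` or from Windows Defender's `Get-MpComputerStatus`, and that both expose the property names used here; the function name and the sample object are constructed for illustration.

```powershell
# Added example (not from the original post): report which protection monitors are off.
# Assumption: the status cmdlet is already loadable; on SCEP machines the provider
# module may need to be imported first.
function Get-DisabledMonitor {
    param(
        # Status object to inspect; when omitted, the live status is queried.
        $Status
    )

    if ($null -eq $Status) {
        $cmd = Get-Command Get-MProtComputerStatus, Get-MpComputerStatus -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($null -eq $cmd) {
            throw 'No antimalware status cmdlet found; import the SCEP or Defender module first.'
        }
        $Status = & $cmd
    }

    # Monitor flags checked here (property names are an assumption, see lead-in).
    $monitors = 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                'IoavProtectionEnabled', 'OnAccessProtectionEnabled'

    foreach ($name in $monitors) {
        $prop = $Status.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # The provider did not report this flag at all.
            [pscustomobject]@{ Monitor = $name; State = 'NotReported' }
        }
        elseif (-not $prop.Value) {
            [pscustomobject]@{ Monitor = $name; State = 'Disabled' }
        }
    }
}

# Constructed sample mirroring the case in this article: real-time protection
# is on, but Behavior Monitor is off.
$sample = [pscustomobject]@{
    RealTimeProtectionEnabled = $true
    BehaviorMonitorEnabled    = $false
    IoavProtectionEnabled     = $true
    OnAccessProtectionEnabled = $true
}
Get-DisabledMonitor -Status $sample
```

Run `Get-DisabledMonitor` without arguments on the affected server to query the live status instead of the sample.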
Solution
Enable all Monitors via SCEP management console as shown below:
Authors
Mark Waitser, Senior Software Engineer (OMS Security Team)
Yuri Diogenes
Comments
- Anonymous
July 07, 2016
I am seeing this issue with Azure VMs that have the Anti-Malware extension enabled but you cannot make any changes to the SCEP settings so will this issue be fixed by the Azure Team?
- Anonymous
July 07, 2016
@Des I think you are referring to a different problem that we documented here: https://blogs.msdn.microsoft.com/azuresecurity/2016/02/24/update-on-microsoft-antimalware-and-azure-resource-manager-arm-vms/
- Anonymous
July 07, 2016
The comment has been removed
- Anonymous
July 07, 2016
@James You can enable the UI by using the procedure described in the article below: https://blogs.msdn.microsoft.com/azuresecurity/2016/03/09/enabling-microsoft-antimalware-user-interface-post-deployment/ After enabling the UI, you can enable the controls.
- Anonymous
July 09, 2016
Thanks
- Anonymous
November 04, 2016
Two things, first I like this article, but would like to see what module you are using as it doesn't show up in the image. Second, the posted solution doesn't work in Azure, and the suggestions in the comments section are silly. Why, if realtime is enabled when I deploy the extension, am I getting this error message? Additionally, the server I got the error on had been running for weeks without error and now it's throwing this error. And my stated resolution is to push a special xml to allow me to open the GUI on the machine in Azure? That's silly, why can't I push something in PowerShell to fix this, to my knowledge if I enable Realtime, I would think all monitors would then be ticked, I assume that is what is happening on the other machines in this subscription that are not throwing this error and have the same extension pushed in the same method.
- Anonymous
January 16, 2017
The comment has been removed