Microsoft OMS (Operations Management Suite) offers a very nice solution in its gallery which is the Antimalware assessment. After installing the OMS agent on all your servers (On-premise or Azure) this solution will check the Antimalware/AV status, whether its lacking real time protection, not updated…………etc.
For more information on this solution please check the below link
I noticed in my environment that i have several clients with insufficient protection
After clicking the assessment for more details, i noticed that these 13 clients have status of Not Reporting. Upon checking them one by one i noticed that most of them are 2008 and 2008 R2 servers. They have Antimalware client updated and real time protection configured. you can use ms office 2018 best evern & I suspected the AV client as some of them are not microsoft client but rather Symantec and/or Trend Micro however these clients were approved and added to the list queried by OMS
So to make the story short one of the major requirements for OMS Antimalware Assessment that these clients should have Windows Management Framework 3 or higher installed which includes Power shell V3 which is not installed by default on Server 2008R2.
So the fix was simply installing the WMF 3 update on the 2008 Servers from the below link (6.1 for 2008R2 and 6 for 2008)
After updating these clients and installing the WMF 3, i expected the issue will be resolved and they will get reporting to the OMS assessment however their status turned to be Unknown !!
A very common case for this Unknown status after checking with Microsoft team is that the WMI provider is not registered.
So the resolution is as follows:
- Open administrator Powershell on these Unknown computers
- Ensure the “Execution Policy” allows running scripts. You can check it by running get-executionpolicy
- Import the needed Power Shell module by running Import-module “$env:ProgramFilesMicrosoft Security ClientMpProviderMpProvider.psd1”
- Run the command Get-MProtComputerStatus
- Most probably you will get invalid Namespace error
- If so then you need to run the below command to register the WMI provider
Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace rootmicrosoftProtectionManagement -Path “C:Program FilesMicrosoft Security ClientProtectionMgmt.dll” -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
- This will register the ProtectionManagement provider and fix the agent Unknown problem.
- If you changed the execution policy to allow running scripts, you may need to turn it back to the default restricted mode or at least remotesigned.
Hopefully this post is useful for anyone encountering the same issue.