CI-CB not applied for remediation

Duchemin, Dominique 2,006 Reputation points
2022-09-22T23:09:41.12+00:00

Hello,

I have a CI as:

Discovery Script


Set-ExecutionPolicy bypass
$FeatureName = "Windows-Defender"
# Compliant only if the named feature exists and its state is Enabled
If (Get-WindowsOptionalFeature -Online | Where {$_.State -eq "Enabled" -and $_.FeatureName -eq $FeatureName}) {
    $Compliance = "Compliant"
}
Else {
    $Compliance = "NonCompliant"
}
Return $Compliance


Remediation Script:


<#
.DESCRIPTION
Installation/Enabling Windows Defender Feature (Windows Server 2016) / Windows Defender Antivirus (Windows Server 2019)
#>

# Feature to correct "Windows-Defender"

# Set variables to indicate value and key to set
$FeatureName = "Windows-Defender"
Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName


The corresponding CB was deployed to a collection...
If I check a client I see the CB listed... If I do an "Evaluate":

Computer Name: VIPBMXX03
Evaluation Time: 9/21/2022 8:03:04 PM

Baseline Name: ISS - Servers - CB - Windows Defender Feature
Revision: 1
Compliance State: Compliant
Non-Compliance Severity: None
Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
Summary:
Name | Revision | Type | Baseline Policy | Compliance State | Non-Compliance Severity | Discovery Failures | Non-Compliant Rules | Remediated Rules | Conflicting Rules
ISS - Servers - CB - Windows Defender Feature | 1 | Baseline | | Compliant | None | 0 | 0 | 0 | 0
ISS - Servers - CI - Windows Defender Feature | 7 | Operating System Configuration Item | Required | Compliant | None | 0 | 0 | 0 | 0
Details:
Name: ISS - Servers - CB - Windows Defender Feature
Type: Baseline
Revision: 1
Compliance State: Compliant
Non-Compliance Severity: None
Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
Name: ISS - Servers - CI - Windows Defender Feature
Type: Operating System Configuration Item
Revision: 7
Compliance State: Compliant
Non-Compliance Severity: None
Description: Enable Windows Defender Feature for Windows Server 2016 & Windows Server 2019

The Remediation which is to enable the "Windows Defender" feature does not happen...
[screenshot attachment: windows-defender-fea.png]

Thanks,
Dom

Microsoft Configuration Manager

10 answers

  1. AllenLiu-MSFT 43,061 Reputation points Microsoft Vendor
    2022-09-23T06:55:02.227+00:00

    Hi, @Duchemin, Dominique

    Thank you for posting in Microsoft Q&A forum.

    How do you configure the compliance rule?
    [screenshot attachment]



    1 person found this answer helpful.

  2. AllenLiu-MSFT 43,061 Reputation points Microsoft Vendor
    2022-09-26T09:12:28.103+00:00

    Hi, @Duchemin, Dominique

    I think you have not configured the compliance rule correctly; you need to change the value to Compliant.

    If you set it as NonCompliant and the discovery returns "NonCompliant", the report thinks the result is what you expected, so it will not run the remediation and it will report "Compliance".

    Only when we set it as "Compliance" and the discovery returns "NonCompliant" does it fail to meet our expectation, and then it will run the remediation.

    1 person found this answer helpful.
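    As an added example (not code from the thread or from Microsoft), the following PowerShell puts the two scripts from the question into one self-contained block next to a small model of how a "Value / Equals" compliance rule decides whether remediation runs, which is the mechanism Allen describes above. Function names are hypothetical, and the rule model assumes ConfigMgr compares the discovery script's single string output with the rule's expected value. The discovery script does not need Set-ExecutionPolicy: CI scripts run under the client setting "PowerShell execution policy", and calling it changes the machine-wide policy and prompts when run by hand, as the manual run later in the thread shows.

```powershell
# Added example (not from the thread): hardened discovery/remediation scripts for the
# Windows-Defender feature plus a model of the "Value / Equals" compliance rule.
# Function names are hypothetical; the rule model assumes the discovery output string is
# compared with the rule's expected value.

function Get-DefenderFeatureCompliance {
    # Discovery script body: emit exactly one string for the compliance rule to compare.
    param([string]$FeatureName = 'Windows-Defender')
    try {
        # Query the single feature by name instead of filtering the whole feature list.
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction Stop
        if ($feature.State -eq 'Enabled') { return 'Compliant' }
        return 'NonCompliant'
    }
    catch {
        # A failed query must not silently count as compliant; a thrown error is recorded
        # by the client as a discovery failure (see the "Discovery Failures" column).
        throw "Discovery of feature '$FeatureName' failed: $_"
    }
}

function Repair-DefenderFeature {
    # Remediation script body: -NoRestart suppresses the interactive restart prompt that
    # appears when the cmdlet is run by hand; the pending-reboot state is returned instead.
    param([string]$FeatureName = 'Windows-Defender')
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    return [bool]$result.RestartNeeded
}

function Test-ComplianceRule {
    # Model of the CI rule: compliant when the discovered value equals the expected value;
    # remediation runs only for a non-compliant result.
    param(
        [Parameter(Mandatory)][string]$DiscoveredValue,
        [Parameter(Mandatory)][string]$ExpectedValue
    )
    $isCompliant = ($DiscoveredValue -eq $ExpectedValue)
    $state = if ($isCompliant) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{
        Discovered      = $DiscoveredValue
        Expected        = $ExpectedValue
        ComplianceState = $state
        RunsRemediation = -not $isCompliant
    }
}

# A host where Defender is disabled returns 'NonCompliant' from discovery. The first call
# is the rule as originally configured in the question, the second is the corrected rule.
Test-ComplianceRule -DiscoveredValue 'NonCompliant' -ExpectedValue 'NonCompliant'
Test-ComplianceRule -DiscoveredValue 'NonCompliant' -ExpectedValue 'Compliant'
```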

  3. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T15:50:25.953+00:00

    Hello,

    This is the Compliance Tab:
    [screenshot attachment: windows-defender-compliance-rule]

    Thanks,
    Dom


  4. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T16:35:16.68+00:00

    Hello,

    If I run it manually on the Client:
    PS C:\Windows\system32> Set-ExecutionPolicy bypass

    Execution Policy Change
    The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
    you to the security risks described in the about_Execution_Policies help topic at
    https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): y
    PS C:\Windows\system32> $FeatureName = "Windows-Defender"
    PS C:\Windows\system32> If (Get-WindowsOptionalFeature -Online | Where {$_.State -eq "Enabled" -and $_.FeatureName -eq $FeatureName}) {$Compliance = "Compliant"} Else {$Compliance = "NonCompliant"} Return $Compliance
    NonCompliant

    but if I run Evaluate on the same script:
    Name: ISS - Servers - CB - Windows Defender Feature
    Type: Baseline
    Revision: 1
    Compliance State: Compliant
    Non-Compliance Severity: None
    Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
    Name: ISS - Servers - CI - Windows Defender Feature
    Type: Operating System Configuration Item
    Revision: 8
    Compliance State: Compliant
    Non-Compliance Severity: None
    Description: Enable Windows Defender Feature for Windows Server 2016 & Windows Server 2019

    It is compliant!!!

    I tried removing the CI and re-adding it ...

    Name: ISS - Servers - CB - Windows Defender Feature
    Type: Baseline
    Revision: 3
    Compliance State: Compliant

    Non-Compliance Severity: None
    Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
    Name: ISS - Servers - CI - Windows Defender Feature
    Type: Operating System Configuration Item
    Revision: 8
    Compliance State: Compliant

    Non-Compliance Severity: None
    Description: Enable Windows Defender Feature for Windows Server 2016 & Windows Server 2019

    it still shows as compliant!!!

    Any idea?

    Thanks,
    Dom


  5. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T19:27:22.713+00:00

    Hello,

    I reversed the Compliance Rule:

    [screenshot attachment: windows-defender-compliance-rule]

    Waiting for the remediation to complete!
    It works manually:

    PS C:\Windows\system32> <#

    > .DESCRIPTION
    > Installation/Enabling Windows Defender Feature (Windows Server 2016) / Windows Defender Antivirus (Windows Server 2019)
    > #>

    PS C:\Windows\system32>
    PS C:\Windows\system32> #Feature to correct "Windows-Defender"
    PS C:\Windows\system32>
    PS C:\Windows\system32> # Set variables to indicate value and key to set
    PS C:\Windows\system32> $FeatureName = "Windows-Defender"
    PS C:\Windows\system32> Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName
    Do you want to restart the computer to complete this operation now?
    [Y] Yes [N] No [?] Help (default is "Y"): N

    Path :
    Online : True
    RestartNeeded : True

    [screenshot attachment: windows-defender-remediation]

    Thanks,
    Dom
