CI-CB not applied for remediation

Duchemin, Dominique 2,006 Reputation points
2022-09-22T23:09:41.12+00:00

Hello,

I have a CI as:

Discovery Script


Set-ExecutionPolicy bypass
$FeatureName = "Windows-Defender"
If (Get-WindowsOptionalFeature -Online | Where {$.State `
-eq "Enabled" -and $
.FeatureName -eq $FeatureName}) {
$Compliance = "Compliant"
}
Else {
$Compliance = "NonCompliant"
}
Return $Compliance


Remediation Script:


<#
.DESCRIPTION
Installation/Enabling Windows Defender Feature (Windows Server 2016) / Windows Defender Antivirus (Windows Server 2019)

>

Feature to correct "Windows-Defender"

Set variables to indicate value and key to set

$FeatureName = "Windows-Defender"
Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName


The corresponding CB which was deployed to a collection...
If I check a client I see the CB listed... If I do an "evaluate:

Computer Name: VIPBMXX03
Evaluation Time: 9/21/2022 8:03:04 PM

Baseline Name: ISS - Servers - CB - Windows Defender Feature
Revision: 1
Compliance State: Compliant
Non-Compliance Severity: None
Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
Summary:
Name Revision Type Baseline
Policy Compliance
State Non-Compliance
Severity Discovery
Failures Non-Compliant
Rules Remediated
Rules Conflicting
Rules
ISS - Servers - CB - Windows Defender Feature
1 Baseline Compliant None 0 0 0 0
ISS - Servers - CI - Windows Defender Feature
7 Operating System
Configuration Item Required Compliant None 0 0 0 0
Details:
Name: ISS - Servers - CB - Windows Defender Feature
Type: Baseline
Revision: 1
Compliance State: Compliant
Non-Compliance Severity: None
Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
Name: ISS - Servers - CI - Windows Defender Feature
Type: Operating System Configuration Item
Revision: 7
Compliance State: Compliant
Non-Compliance Severity: None
Description: Enable Windows Defender Feature for Windows Server 2016 & WIndows Server 2019

The Remediation which is to enable the "Windows Defender" feature does not happen...
243976-2022-09-22-16-15-06-vitbmxx03-windows-defender-fea.png

Thanks,
Dom

Microsoft Configuration Manager
0 comments No comments
{count} votes

10 answers

Sort by: Most helpful
  1. AllenLiu-MSFT 41,131 Reputation points Microsoft Vendor
    2022-09-23T06:55:02.227+00:00

    Hi, @Duchemin, Dominique

    Thank you for posting in Microsoft Q&A forum.

    How do you configure the compliance rule?
    244095-1.png


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments

  2. AllenLiu-MSFT 41,131 Reputation points Microsoft Vendor
    2022-09-26T09:12:28.103+00:00

    Hi, @Duchemin, Dominique

    I think you do not configure the compliance rule correctly, you need to change the value to Compliant.

    If you set it as NonCompliant, if the discovery return "NonCompliant", the report think the result is your expectation, it will not run the remediation and it will report "Compliance".

    Only when we set it as "Compliance", if the discovery return "NonCompliant", it doesn't meet our expectation, then it will run the remediation.

    1 person found this answer helpful.
    0 comments No comments

  3. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T15:50:25.953+00:00

    Hello,

    This is the Compliance Tab:
    244391-2022-09-23-8-48-04-windows-defender-compliance-rul.png

    Thanks,
    Dom

    0 comments No comments

  4. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T16:35:16.68+00:00

    Hello,

    If I run it manually on the Client:
    PS C:\Windows\system32> Set-ExecutionPolicy bypass

    Execution Policy Change
    The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
    you to the security risks described in the about_Execution_Policies help topic at
    https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): y
    PS C:\Windows\system32> $FeatureName = "Windows-Defender"
    PS C:\Windows\system32> If (Get-WindowsOptionalFeature -Online | Where {$.State -eq "Enabled" -and $.FeatureName -eq $FeatureName}) {$Compliance = "Compliant"} Else {$Compliance = "NonCompliant"} Return $Compliance
    NonCompliant

    but if I do the Evaluate of the same script:
    Name: ISS - Servers - CB - Windows Defender Feature
    Type: Baseline
    Revision: 1
    Compliance State: Compliant
    Non-Compliance Severity: None
    Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
    Name: ISS - Servers - CI - Windows Defender Feature
    Type: Operating System Configuration Item
    Revision: 8
    Compliance State: Compliant
    Non-Compliance Severity: None
    Description: Enable Windows Defender Feature for Windows Server 2016 & WIndows Server 2019

    It is compliant!!!

    I tried removing the CI and re-adding it ...

    Name: ISS - Servers - CB - Windows Defender Feature
    Type: Baseline
    Revision: 3
    Compliance State: Compliant

    Non-Compliance Severity: None
    Description: ISS - Servers - CB - Windows Defender Feature for Windows Server 2016 & Windows Server 2019
    Name: ISS - Servers - CI - Windows Defender Feature
    Type: Operating System Configuration Item
    Revision: 8
    Compliance State: Compliant

    Non-Compliance Severity: None
    Description: Enable Windows Defender Feature for Windows Server 2016 & Windows Server 2019

    it still shows as compliant!!!

    Any idea?

    Thanks,
    Dom

    0 comments No comments

  5. Duchemin, Dominique 2,006 Reputation points
    2022-09-23T19:27:22.713+00:00

    Hello,

    I reverse the Compliance Rule:

    244319-2022-09-23-12-25-34-windows-defender-compliance-ru.png

    Waiting for the remediation to be completed !
    It works manually

    PS C:\Windows\system32> <#

    > .DESCRIPTION
    > Installation/Enabling Windows Defender Feature (Windows Server 2016) / Windows Defender Antivirus (Windows Server 2019)
    > #>

    PS C:\Windows\system32>
    PS C:\Windows\system32> #Feature to correct "Windows-Defender"
    PS C:\Windows\system32>
    PS C:\Windows\system32> # Set variables to indicate value and key to set
    PS C:\Windows\system32> $FeatureName = "Windows-Defender"
    PS C:\Windows\system32> Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName
    Do you want to restart the computer to complete this operation now?
    [Y] Yes [N] No [?] Help (default is "Y"): N

    Path :
    Online : True
    RestartNeeded : True

    244394-2022-09-23-12-47-21-windows-defender-remediation.png

    Thanks,
    Dom

    0 comments No comments