Troubleshooting Enforce

If Enforce is not performing as expected, you might need to troubleshoot issues or change settings. For more information about troubleshooting Enforce, registered Tanium customers can sign in to view Tanium Community: Tanium Enforce Troubleshooting Guide.

Upgrade to Enforce 1.11 or later

In Enforce 1.11 (and later), the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. Additionally, the Enforce database is migrated to RDB in this release. As a result, after upgrading, it might take time for the database migration to complete and for RBAC privileges and other updates to synchronize properly. This could lead to issues and error messages when you first query the Tanium Console. These issues should resolve on their own after a few minutes, but could take longer depending on system resources and the amount of data to migrate.

Collect logs

Enforce Logs

Log information is saved as a ZIP file that you can download with your browser.

  1. From the Enforce Overview page, click Help and then click Troubleshooting.
  2. In the Collect Information for Support Requests section, click Build.
  3. When the support bundle is finished building, click Download.
    An enforce-support-[timestamp].zip file downloads to the local download directory.
  4. Contact Tanium Support to determine the best option to send the ZIP file.

Tanium Enforce maintains logging information in the Enforce.log file in the \Program Files\Tanium\Tanium Module Server\services\Enforce directory.

Endpoint Logs

Use the following information to collect logs from your endpoints.

Log source and description:

Policy database

The Enforce configuration database.

Go to <tanium client directory>\extensions\enforce\policy.db.

Group policy export

A record of domain and local policies that are applied to the endpoint.

To generate this export, from the command line on the endpoint, enter: gpresult /h gpo-report.html.

Extensions log

A log of Active Directory administrative template (ADMX) group policies.

Go to <tanium client directory>\Logs\extensions0.txt.

During the troubleshooting process, for best results, increase the log verbosity level.

  1. From the command line on the endpoint, enter TaniumClient.exe config set Logs.extensions.enforce.LogVerbosityLevel 99.

  2. Restart the Tanium Client.

When you finish troubleshooting, reset the log level to 11.

  1. From the command line on the endpoint, enter TaniumClient.exe config set Logs.extensions.enforce.LogVerbosityLevel 11.

  2. Restart the Tanium Client.

Enforce log

A log of Enforce actions.

Go to <tanium client directory>\Logs\enforce.txt.

You can also use Client Management to directly connect to an endpoint and collect the artifacts above. For information, see Collect troubleshooting information from endpoints.

Update default log level

  1. From the Enforce Overview page, click Help and then click Troubleshooting.
  2. In the Log Level section, select the log level.

Review AppLocker event logs

To see more details about AppLocker blocks on Windows endpoints, review the AppLocker event logs in Event Viewer.

  1. Open the Control Panel on the Windows endpoint and then click System and Security > Administrative Tools.
  2. To open the Event Viewer, double-click Event Viewer.
  3. Expand Applications and Services Logs and click either Tanium Enforce - AppLocker or Tanium Enforce - AppLocker - MSI and Script.
  4. Double-click any of the events to review more details about AppLocker blocks.

All AppLocker logs are gathered into the Tanium Enforce - AppLocker event log when Aggregate Results is run. Each of the two event log files is 10 MB in size.
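Reading the two Enforce AppLocker event logs interactively in Event Viewer does not scale across many blocks, so the following added example (not part of the Tanium documentation) summarizes block events from those logs with PowerShell. It assumes the standard Windows AppLocker block event IDs 8004 (EXE/DLL) and 8007 (MSI/script) and an elevated session on the endpoint.

```powershell
# Added example, not from the Tanium documentation: summarize AppLocker block
# events from the two Enforce event logs named above.
# Assumptions: event IDs 8004 (EXE/DLL blocked) and 8007 (MSI/script blocked)
# are the standard Windows AppLocker block IDs; run in an elevated PowerShell
# session on the Windows endpoint.
function Get-EnforceAppLockerBlocks {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,       # how far back to look
        [int]$MaxEvents = 500   # per-log cap so a noisy endpoint stays readable
    )

    $logs = @{
        'Tanium Enforce - AppLocker'                  = 8004  # EXE and DLL blocks
        'Tanium Enforce - AppLocker - MSI and Script' = 8007  # MSI and script blocks
    }
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($logName in $logs.Keys) {
        $filter = @{ LogName = $logName; Id = $logs[$logName]; StartTime = $since }
        # SilentlyContinue: the log may be empty, or absent if Enforce has not
        # created it yet on this endpoint.
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # AppLocker block events carry the path, hash, user SID and policy
            # name in the RuleAndFileData section of their XML payload.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.UserData.RuleAndFileData.ChildNodes) {
                $data[$node.Name] = $node.InnerText
            }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Log         = $logName
                FilePath    = $data['FilePath']
                FileHash    = $data['FileHash']
                UserSid     = $data['TargetUser']
                PolicyName  = $data['PolicyName']
            }
        }
    }
}

# Which executables were blocked most often in the last 24 hours?
Get-EnforceAppLockerBlocks -Hours 24 |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Repeated blocks of the same path usually point at either a legitimate application that needs an allow rule or a policy applied more widely than intended.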

Use Enforce sensors

The following list is a sample of available Enforce sensors. To view all sensors, go to Administration > Content > Sensors.

Not all Enforce sensors report back the most recent data. Most sensors provide information that is gathered during the latest validation check on the endpoint. Validation checks are performed at intervals of approximately 15 minutes.

Enforce - Anti-Malware Definition Outdated

Reports whether the current Windows Anti-malware definition version installed on the computer is out of date.

Enforce - Anti-Malware Definition Version

Reports the current Windows Anti-malware definition version installed on the computer.

Enforce - Anti-Malware Engine Version

Reports the current Windows Anti-malware engine version installed on the computer.

Enforce - Anti-Malware Threat Details

Reports all anti-malware threats along with detection date, process name, and file paths.

Enforce - Anti-Malware Threats Last X Days

Given a number of days in the past, this sensor reports all anti-malware threats since that date.

Enforce - Anti-Malware Threats Counts Last X Days

Given a number of days in the past, this sensor reports the count of anti-malware threats detected since that date.

Enforce - Total Anti-Malware Threats

Given a number of days in the past, this sensor reports the total number of anti-malware threats detected since that date.

Enforce - Coverage Status

Returns "Optimal" if Enforce is installed and running, "Needs Attention" if Enforce is not installed or is not healthy, "Unsupported" if the operating system is not supported.

Enforce - Device Setup Classes

Lists all device setup classes.

Enforce - Diagnostic - Applied Machine Policies

Specifically for small scale diagnostics. Returns the status of machine policy settings that are applied or partially applied on endpoints.

Enforce - Diagnostic - Applied Policy Settings

Specifically for small scale diagnostics. Returns a list of all policy items to be applied on endpoints, including those that do not apply because they are superseded by a duplicate setting.

Enforce - Firewall Rules [Linux]

Reports all configured firewall rules on Linux endpoints.

Enforce - Firewall Rules [Windows]

Reports all configured firewall rules.

Enforce - Host Firewall Enabled

Returns Yes if the host firewall is enabled. Otherwise, it returns No.

Enforce - Machine Policy Status

Given a list of Policy Id numbers, reports the enforcement status of each.

Enforce - Machine Policy Status [VBS]

Given a list of Policy Id numbers, reports the enforcement status of each. Unlike other sensors, VBS sensors provide up-to-the-minute results.

Enforce - Manage Definitions Targeting

Used for targeting Tanium Enforce Managed Definitions packages. This sensor determines whether a host requires download and execution of the definitions package.

Enforce - Prerequisites

Reports the installed prerequisites needed by some Enforce policies.

Enforce - USB Storage Devices

Lists hardware IDs for all USB storage devices.

Enforce - Tools Version

Reports support and installation details. Checks if the endpoint supports the tools and has enough disk space. If a package has been deployed, reports the install location, version of tools, and if all the required tools are present.

Monitor and troubleshoot Enforce coverage status (% of total)

The following table lists contributing factors into why the Enforce coverage might be lower than expected, and corrective actions you can take.

  • Contributing factor: Incorrect targeting criteria used in computer groups. Corrective action: Ensure computers that should be managed by Enforce are included in computer group creation.
  • Contributing factor: Enforce action group is too narrow. Corrective action: Ensure computer groups that should be managed by Enforce are included in the Enforce action group.

Monitor and troubleshoot policy enforcement status (% of total)

The following table lists contributing factors into why the Enforce policy enforcement coverage might be lower than expected, and corrective actions you can take.

  • Contributing factor: Enforce tools are not deployed. Corrective action: Ensure computer groups that should be managed by Enforce are included in the Enforce action group.
  • Contributing factor: Domain Group Policy is currently applied. Corrective action: Reference the output from enforcement policy status and work with the Active Directory team to set conflicting policy items to “Not Defined” in the domain policy.

Monitor and troubleshoot host firewall status on endpoints

The following table lists contributing factors into why the Enforce host firewall metric might be lower than expected, and corrective actions you can take.

  • Contributing factor: Host based firewall is not installed. Corrective action: Deploy the Windows firewall policy.
  • Contributing factor: Host based firewall is not enabled. Corrective action: Deploy the Windows firewall policy that enables the Windows firewall for all profiles (Domain, Public, and Private).

Monitor and troubleshoot disk encryption status on endpoints

The following table lists contributing factors into why the Enforce disk encryption metric might be lower than expected, and corrective actions you can take.

  • Contributing factor: No corporate policy mandating full disk encryption is enabled. Corrective action: Reference the Trends board displayed in Enforce that highlights the lack of FDE. Work with security stakeholders to deploy disk encryption policies.
  • Contributing factor: Segments of the enterprise don’t have full disk encryption enabled. Corrective action: Use drill down questions to explore commonalities between machines that lack FDE but should have it in place.
  • Contributing factor: Operating systems don’t support native disk encryption (BitLocker, FileVault). Corrective action: Use the Enforce policy status report to determine endpoints whose operating systems don’t support BitLocker (Windows 10 Home, Windows 7 Pro). Work on an endpoint “recap” plan with the asset team.
  • Contributing factor: Weak or unapproved encryption is being used. Corrective action: Use the Enforce policy status report to determine endpoints that have weak encryption enabled. Deploy the decryption package and enforce an FDE policy with the correct encryption type.

Monitor and troubleshoot antivirus status on endpoints

The following table lists contributing factors into why the Enforce antivirus metric might be lower than expected, and corrective actions you can take.

  • Contributing factor: Third party antivirus product is not installed. Corrective action: Deploy the anti-malware policy.
  • Contributing factor: Real-time scanning is not enabled. Corrective action: Deploy an anti-malware policy that enables real-time scanning.
  • Contributing factor: Definition files are not up-to-date. Corrective action: Ensure Tanium is downloading Defender definition files from Microsoft.

Resolve Active Directory policy conflicts

Enforce applies policy settings using Local Group Policy (LGPO). If an endpoint is joined to a domain and is receiving a domain policy that contains the same policy setting Enforce is trying to apply, the Domain Group Policy (DGPO) takes precedence. To resolve this, the DGPO policy setting must be set to Not configured for Enforce to manage it.

Domain joined machines attempt to reach out to a domain controller to resolve conflicts between DGPO and LGPO settings when Enforce applies policies on the endpoint (at the initial enforcement time and then every 60 minutes). If a domain joined machine cannot reach a domain controller, the endpoint cannot determine whether LGPO settings are in conflict with DGPO settings. In this case, LGPO settings are not applied and consequently Enforce cannot apply policies of this type.

Conflicting DGPO and LGPO settings are reported as either Not Applied (only one policy setting exists in the policy and it conflicts with DGPO) or Partially Applied (more than one policy setting exists in the policy and at least one is in conflict with DGPO). Enforce does not apply policy items that are in conflict with DGPO. The group policy engine on the endpoint resolves that internally. The enforcement status drill down reports in the Reason column that the setting was verified with no items applied.

Review policy settings when Windows Defender tamper protection is enabled

When you enable tamper protection in Windows Defender, the following policy settings are locked with their default values and cannot be edited through group policy. These settings may cause log errors if configured as part of an anti-virus policy or machine administrative template policy. For the latest information about settings that are disabled by Windows Defender tamper protection, see Microsoft Documentation: Protect security settings with tamper protection.

Setting name and registry value:

  • Join Microsoft MAPS: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting
  • Configure the 'Block at First Sight' feature: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen
  • Scan all downloaded files and attachments: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
  • Turn off Microsoft Defender Antivirus: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • Turn off real-time protection: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
  • Monitor file and program activity on your computer: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
  • Turn on behavior monitoring: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
  • Turn on process scanning whenever real-time protection is enabled: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
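To find out quickly whether an anti-virus or administrative template policy is colliding with tamper protection on a given endpoint, the following added example (not part of the Tanium documentation) checks each registry value listed above and reports it as a likely conflict when it is configured while tamper protection is on. It assumes the Defender PowerShell module is present (Get-MpComputerStatus and its IsTamperProtected property) and uses the HKLM: drive form of the paths in the table.

```powershell
# Added example, not from the Tanium documentation: check whether the
# tamper-protected Defender settings listed above are configured in the
# registry on this endpoint, and flag them when tamper protection is on.
# Assumption: Get-MpComputerStatus (the Defender PowerShell module) is present.
function Test-TamperProtectedSettings {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $settings = @(
        @{ Name = 'Join Microsoft MAPS';                          Key = "$policyRoot\Spynet";               Value = 'SpynetReporting' }
        @{ Name = "Configure the 'Block at First Sight' feature"; Key = "$policyRoot\Spynet";               Value = 'DisableBlockAtFirstSeen' }
        @{ Name = 'Scan all downloaded files and attachments';    Key = "$policyRoot\Real-Time Protection"; Value = 'DisableIOAVProtection' }
        @{ Name = 'Turn off Microsoft Defender Antivirus';        Key = $policyRoot;                        Value = 'DisableAntiSpyware' }
        # This row lives outside the Policies hive, exactly as listed in the table above.
        @{ Name = 'Turn off real-time protection';                Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'; Value = 'DisableRealtimeMonitoring' }
        @{ Name = 'Monitor file and program activity on your computer'; Key = "$policyRoot\Real-Time Protection"; Value = 'DisableOnAccessProtection' }
        @{ Name = 'Turn on behavior monitoring';                  Key = "$policyRoot\Real-Time Protection"; Value = 'DisableBehaviorMonitoring' }
        @{ Name = 'Turn on process scanning whenever real-time protection is enabled'; Key = "$policyRoot\Real-Time Protection"; Value = 'DisableScanOnRealtimeEnable' }
    )

    # $null when the Defender module is unavailable, so the report still runs.
    $status   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $tamperOn = if ($status) { [bool]$status.IsTamperProtected } else { $null }

    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Key -Name $s.Value -ErrorAction SilentlyContinue
        $configured = $null -ne $item
        $data = $null
        if ($configured) { $data = $item.($s.Value) }
        [pscustomobject]@{
            Setting         = $s.Name
            RegistryValue   = "$($s.Key)\$($s.Value)"
            Configured      = $configured
            Data            = $data
            TamperProtected = $tamperOn
            # Defender ignores these policy values while tamper protection is
            # enabled, so a configured value here is a likely source of the
            # Enforce policy log errors described above.
            LikelyConflict  = ($configured -and ($tamperOn -eq $true))
        }
    }
}

Test-TamperProtectedSettings | Format-Table Setting, Configured, TamperProtected, LikelyConflict -AutoSize
```

Rows flagged LikelyConflict are the settings to remove from the Enforce policy (or to manage through Defender's own tamper protection controls) rather than to keep retrying through group policy.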

Identify and resolve issues with client extensions

Use the following steps to troubleshoot issues with the client extensions that Enforce installs and uses. During troubleshooting, consider environmental factors such as security exclusions, file locks, CPU usage, RAM usage, and disk failures.

To review the client extensions that Enforce installs and uses, see Client extensions.

  1. To review the health of client extensions or to start an investigation into an existing error, ask a question using the Client Extensions - Status or Enforce - Tools Version sensor.

    The results of these questions help to identify endpoints with errors and provide a starting point to deploy actions that might help correct the issue. Filter the results and drill down as necessary to investigate results that indicate errors.

    Consider whether endpoints with errors share common characteristics, such as operating system, domain or organization unit, or the antivirus software that is installed.

  2. Target one or more endpoints with errors, and uninstall tools that report errors without blocking reinstallation: see Remove Enforce tools from endpoints and Endpoint Configuration User Guide: Uninstall a tool installed by Endpoint Configuration.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

    Wait for automatic reinstallation of the tool. If the reinstallation does not resolve the issue, continue to the next step.

  3. Ask a question using the Endpoint Configuration - Tools Status Details sensor, and include filters to limit the results to the tool that you are investigating. For example:

    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Enforce from all machines with Endpoint Configuration - Tools Status:Tool Name contains Enforce

    Review the columns in the results for specific information about errors. The following table provides guidance for some common error conditions:

    Error condition: No error appears, but an available new version has not been installed
    Possible resolution: Review the Targeted Version column to make sure that the endpoint has received the latest manifest. If the targeted version does not yet show the updated version, the Endpoint Configuration manifest has not updated on the endpoint, usually for one of the following reasons:

    Error condition: Installation Blocker: Unmet Dependencies: [Tool name]
    Possible resolution: If no Failure Message or Failure Step appears, the endpoint might be waiting for the dependencies to install. Wait to see if the condition resolves on its own. If this condition remains for an extended period, ask the question again and review any error information in other columns, especially the Failing Dependency column.

    Error condition: Failing Dependency: [Tool name]
    Possible resolution: Ask the question: Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains [Tool name] from all machines with Endpoint Configuration - Tools Status:Tool Name contains [Tool name]

    Investigate further errors with the tool.

    If the dependency has not been installed on an endpoint, ask the question: Get Endpoint Configuration - Tools Retry Status from all machines with Computer Name equals Computer_Name to review the retry status for the tool installation. For more information, see Endpoint Configuration User Guide: Review tool installations that are scheduled for a retry.

    Error condition: Manually Blocked: blocked
    Possible resolution: The tool was previously blocked, either manually or during a previous uninstallation. Unblock the tool: see Endpoint Configuration User Guide: Block or unblock tools from installing on an endpoint.
  4. Review the Extensions logs on the endpoint. Take note of entries that include fail or error: see Review the Extensions log for an endpoint.

For additional help, collect all logs for Tanium Enforce, and contact Tanium Support.

Review the Extensions log for an endpoint

Use Client Management to directly connect to an endpoint and view and download extension logs.

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, click Client Health.

  3. In the Direct Connect search box, enter all or part of an IP address or a computer name.

    Matching results are displayed after the search completes.

  4. From the search results, click the computer name to connect to the endpoint.
  5. Click the Logs tab, and select an extensions[#].log file.

  6. (Optional) To download the log, click Download.

For additional help, collect all logs for Tanium Enforce, and contact Tanium Support.

Remove Enforce tools from endpoints

You can deploy an action to remove Enforce tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

Before you remove Enforce tools, be sure to remove enforcements for any policies that you no longer want to enforce on the endpoint. For information, see Remove an enforcement.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Enforce, drill down as necessary, and select the targets from which you want to remove Enforce tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Enforce.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Enforce to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Enforce databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Enforce tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Enforce

In some instances, if you decide to uninstall Enforce, you might need to disable associated firewall policies and SRP rules to ensure they are cleanly removed from endpoints. If so, you need to deploy actions including the following two packages that were created when Enforce was installed:

  • Disable Tanium Enforce Software Restriction Policies
  • Remove Enforce Firewall Rules

To complete a clean uninstallation and removal of Enforce policies, you must uninstall Enforce before you disable the associated firewall policies and SRP rules.

  1. From the Main menu, click Solutions.
  2. In the Modules section, select Enforce and then click Uninstall.
  3. Depending on your configuration, enter your password or click Yes to start the uninstallation process.
  4. Return to the Solutions page and verify that Enforce is no longer installed.

Disable and remove Enforce policies

You might be required to disable Enforce policies after you uninstall Enforce. This can occur if some endpoints are offline when you uninstall Enforce. For more detailed information on packages and deploying actions, see Tanium Console User Guide: Managing scheduled actions and action history and Tanium Console User Guide: Managing packages.

To disable and remove Enforce policies, you must first find all of the endpoints that are online and then deploy the removal packages.

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Enforce policies. For example, Get Enforce - Tools Version from all machines.
  3. Select the row for the endpoints from which you want to remove the Enforce policies.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Enforce in the Enter package name here field.
  6. Select the Disable Tanium Enforce Software Restriction Policies Package.
  7. Click Show preview to continue at the bottom of the Deploy Action page.
  8. Click Deploy Action and enter your credentials. The Action Summary page appears.
  9. Repeat these steps, but select and deploy the Remove Enforce Firewall Rules package.

The Disable Tanium Enforce Software Restriction Policies package removes all SRP rules created by Enforce. It does not disable SRP on the endpoint. Likewise, the Remove Enforce Firewall Rules package removes all firewall rules created by Enforce. It does not disable the firewall on the endpoint.

License expiration impact

If your Enforce license expires, Enforce continues to enforce policies; however, the Tanium Console does not inform you whether an enforcement is successful. Update the license to restore full functionality.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.