Troubleshooting Enforce

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Enforce home page, click Help, then the Troubleshooting tab.
  2. Click Collect.
    An Enforce-support.[timestamp].zip file downloads to the local download directory.
  3. Attach the ZIP file to your Tanium Support case form or send it to your TAM.

Tanium Enforce maintains logging information in the Enforce.log file in the \Program Files\Tanium\Tanium Module Server\services\Enforce directory.

Change endpoint status report settings

Click Settings and go to General to change the following settings that govern how you can use Enforce to interact with endpoints:

Question Completion Percentage

This setting specifies what percentage of endpoints must respond to the question before the question is considered complete. If questions take a long time to complete in your Tanium environment, you might want to lower the percentage in this setting. By default, Question Completion Percentage is set to 85%.

Reissue Action Interval

This setting specifies how often Enforce enforcement actions are reissued. By default, enforcement actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Distribute Over Time

This setting controls whether endpoints apply enforcements the moment they receive the action (Immediate) or at unique moments spread across the saved action interval (Diffused). Diffusing enforcements over time can help prevent a surge in network traffic, at the cost of a slower time to compliance. The default setting for Distribute Over Time is 0, meaning all enforcements are deployed at once.

Enforce sensors

Not all Enforce sensors report back the most recent data. Most provide information gathered during the latest validation check on the endpoint, and validation checks are performed at intervals of approximately 15 minutes.

The following Enforce sensors are available:

Enforce - Anti-Malware Definition Outdated

Reports whether the current Windows Anti-malware definition version installed on the computer is out of date.

Enforce - Anti-Malware Definition Version

Reports the current Windows Anti-malware definition version installed on the computer.

Enforce - Anti-Malware Engine Version

Reports the current Windows Anti-malware engine version installed on the computer.

Enforce - Anti-Malware Threat Details

Reports all anti-malware threats along with detection date, process name, and file paths.

Enforce - Anti-Malware Threats Last X Days

Given a number of days in the past, this sensor reports all anti-malware threats since that date.

Enforce - Total Anti-Malware Threats

Given a number of days in the past, this sensor reports the total number of anti-malware threats detected since that date.

Enforce - Coverage Status

Returns "Optimal" if Enforce is installed and running, "Needs Attention" if Enforce is not installed or is not healthy, and "Unsupported" if the operating system is not supported.

Enforce - Device Setup Classes

Lists all device setup classes.

Enforce - Diagnostic - Applied Machine Policies

Intended for small-scale diagnostics only. Returns the status of machine policy settings that are applied or partially applied on endpoints.

Enforce - Diagnostic - Applied Policy Settings

Intended for small-scale diagnostics only. Returns a list of all policy items to be applied on endpoints, including those that will not apply because they are superseded by a duplicate setting.

Enforce - Firewall Rules [Linux]

Reports all configured firewall rules on Linux endpoints.

Enforce - Firewall Rules [Windows]

Reports all configured firewall rules.

Enforce - Host Firewall Enabled

Returns Yes if the host firewall is enabled. Otherwise, it returns No.

Enforce - Machine Policy Status

Given a list of Policy Id numbers, reports the enforcement status of each.

Enforce - Machine Policy Status [VBS]

Given a list of Policy Id numbers, reports the enforcement status of each. Unlike other sensors, VBS sensors provide up-to-the-minute results.

Enforce - Manage Definitions Targeting

Used for targeting Tanium Enforce Managed Definitions packages. This sensor determines whether a host requires download and execution of the definitions package.

Enforce - Prerequisites

Reports the installed prerequisites needed by some Enforce policies.

Enforce - USB Storage Devices

Lists hardware IDs for all USB storage devices.

Enforce - Tools Version

Reports support and installation details. Checks if the endpoint supports the tools and has enough disk space. If a package has been deployed, reports the install location, version of tools, and if all the required tools are present.

Monitor and troubleshoot Enforce coverage status (% of total)

The following list describes contributing factors that can cause the Enforce coverage to be lower than expected, and the corrective actions you can take.

  • Contributing factor: Incorrect targeting criteria used in computer groups. Corrective action: Ensure that computers that should be managed by Enforce are included when the computer groups are created.
  • Contributing factor: Enforce action group is too narrow. Corrective action: Ensure that computer groups that should be managed by Enforce are included in the Enforce action group.

Monitor and troubleshoot policy enforcement status (% of total)

The following list describes contributing factors that can cause the Enforce policy enforcement coverage to be lower than expected, and the corrective actions you can take.

  • Contributing factor: Enforce tools are not deployed. Corrective action: Ensure that computer groups that should be managed by Enforce are included in the Enforce action group.
  • Contributing factor: Domain Group Policy is currently applied. Corrective action: Reference the output from the enforcement policy status and work with the Active Directory team to set conflicting policy items to "Not Defined" in the domain policy.

Monitor and troubleshoot host firewall status on endpoints

The following list describes contributing factors that can cause the Enforce host firewall metric to be lower than expected, and the corrective actions you can take.

  • Contributing factor: Host-based firewall is not installed. Corrective action: Deploy the Windows firewall policy.
  • Contributing factor: Host-based firewall is not enabled. Corrective action: Deploy the Windows firewall policy that enables the Windows firewall for all profiles (Domain, Public, and Private).

Monitor and troubleshoot anti-virus status on endpoints

The following list describes contributing factors that can cause the Enforce anti-virus metric to be lower than expected, and the corrective actions you can take.

  • Contributing factor: Third-party anti-virus product is not installed. Corrective action: Deploy the anti-malware policy.
  • Contributing factor: Real-time scanning is not enabled. Corrective action: Deploy the anti-malware policy that enables real-time scanning.
  • Contributing factor: Definition files are not up to date. Corrective action: Ensure that Tanium is downloading Defender definition files from Microsoft.

Uninstall Enforce

In some instances, if you decide to uninstall Enforce, you might need to disable the associated firewall policies and SRP rules to ensure that they are cleanly removed from endpoints. If so, you need to deploy actions that use the following two packages, which were created when Enforce was installed:

  • Disable Tanium Enforce Software Restriction Policies
  • Remove Enforce Firewall Rules

To complete a clean uninstall and removal of Enforce policies, you must uninstall Enforce before you disable the associated firewall policies and SRP rules.

  1. From the Main menu, click Tanium Solutions.
  2. Under Enforce, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Tanium Solutions page and verify that the Import button is available for Enforce.

Disable and remove Enforce policies

You might be required to disable Enforce policies after you uninstall Enforce. This can occur if some endpoints are offline when you uninstall Enforce. For more detailed information on packages and deploying actions, see Tanium Platform User Guide: Managing Scheduled Actions and Tanium Platform User Guide: Managing and creating Packages.

To disable and remove Enforce policies, you must first find all of the endpoints that are online and then deploy the removal packages.

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove Enforce policies. For example, Get Enforce - Tools Version from all machines.
  3. Select the row for the endpoints from which you want to remove the Enforce policies.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Enforce in the Enter package name here field.
  6. Select the Disable Tanium Enforce Software Restriction Policies Package.
  7. Click Show preview to continue at the bottom of the Deploy Action page.
  8. Click Deploy Action and enter your credentials. The Action Summary page appears.
  9. Repeat these steps, but select and deploy the Remove Enforce Firewall Rules package.

The Disable Tanium Enforce Software Restriction Policies package removes all SRP rules created by Enforce. It does not disable SRP on the endpoint. Likewise, the Remove Enforce Firewall Rules package removes all firewall rules created by Enforce. It does not disable the firewall on the endpoint.

Contact Tanium Support

To contact Tanium Support for help, send an email to [email protected].