Troubleshooting

To send information to Tanium for troubleshooting, collect logs and other relevant information as described in this section.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Enforce home page, click Help , then the Troubleshooting tab.
  2. Click Collect.
    An Enforce-support.[timestamp].zip file downloads to the local download directory.
  3. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium support.

Tanium Enforce maintains logging information in the Enforce.log file in the \Program Files\Tanium\Tanium Module Server\services\Enforce directory.

Enforce sensors

The following is a sample of Enforce sensors that are available. To view all sensors, go to the main menu and click Content > Sensors.

Not all Enforce sensors report back the most recent data. Most provide information gathered during the latest validation check on the endpoint. Validation checks are performed at intervals of approximately 15 minutes.

Enforce - Anti-Malware Definition Outdated

Reports the current Windows Anti-malware definition version installed on the computer is out of date.

Enforce - Anti-Malware Definition Version

Reports the current Windows Anti-malware definition version installed on the computer.

Enforce - Anti-Malware Engine Version

Reports the current Windows Anti-malware engine version installed on the computer.

Enforce - Anti-Malware Threat Details

Reports all anti-malware threats along with detection date, process name, and file paths.

Enforce - Anti-Malware Threats Last X Days

Given a number of days in the past, this sensor reports all anti-malware threats since that date.

Enforce - Anti-Malware Threats Counts Last X Days

Given a number of days in the past, this sensor reports the counts of anti-malware threats detected since that date.

Enforce - Total Anti-Malware Threats

Given a number of days in the past, this sensor reports the total number of anti-malware threats detected since that date.

Enforce - Coverage Status

Returns "Optimal" if Enforce is installed and running, "Needs Attention" if Enforce is not installed or is not healthy, and "Unsupported" if the operating system is not supported.

Enforce - Device Setup Classes

Lists all device setup classes.

Enforce - Diagnostic - Applied Machine Policies

Specifically for small scale diagnostics. Returns the status of machine policy settings that are applied or partially applied on endpoints.

Enforce - Diagnostic - Applied Policy Settings

Specifically for small scale diagnostics. Returns a list of all policy items to be applied on endpoints, including those that will not apply because they are superseded by a duplicate setting.

Enforce - Firewall Rules [Linux]

Reports all configured firewall rules on Linux endpoints.

Enforce - Firewall Rules [Windows]

Reports all configured firewall rules.

Enforce - Host Firewall Enabled

Returns Yes if the host firewall is enabled. Otherwise, it returns No.

Enforce - Machine Policy Status

Given a list of Policy Id numbers, reports the enforcement status of each.

Enforce - Machine Policy Status [VBS]

Given a list of Policy Id numbers, reports the enforcement status of each. Unlike other sensors, VBS sensors provide up-to-the-minute results.

Enforce - Manage Definitions Targeting

Used for targeting Tanium Enforce Managed Definitions packages. This sensor determines whether a host requires the download and execution of the definitions package.

Enforce - Prerequisites

Reports the installed prerequisites needed by some Enforce policies.

Enforce - USB Storage Devices

Lists hardware IDs for all USB storage devices.

Enforce - Tools Version

Reports support and installation details. Checks if the endpoint supports the tools and has enough disk space. If a package has been deployed, reports the install location, version of tools, and if all the required tools are present.

Monitor and troubleshoot Enforce coverage status (% of total)

The following table lists factors that can cause Enforce coverage to be lower than expected, and corrective actions you can take.

Contributing Factor | Corrective Action(s)
Incorrect targeting criteria used in computer groups | Ensure computers that should be managed by Enforce are included in computer group creation.
Enforce action group is too narrow | Ensure computer groups that should be managed by Enforce are included in the Enforce action group.

Monitor and troubleshoot policy enforcement status (% of total)

The following table lists factors that can cause Enforce policy enforcement coverage to be lower than expected, and corrective actions you can take.

Contributing Factor | Corrective Action(s)
Enforce tools are not deployed | Ensure computer groups that should be managed by Enforce are included in the Enforce action group.
Domain Group Policy is currently applied | Reference the output from enforcement policy status and work with the Active Directory team to set conflicting policy items to "Not Defined" in the domain policy.

Monitor and troubleshoot host firewall status on endpoints

The following table lists factors that can cause the Enforce host firewall metric to be lower than expected, and corrective actions you can take.

Contributing Factor | Corrective Action(s)
Host based firewall is not installed | Deploy Windows firewall policy.
Host based firewall is not enabled | Deploy the Windows firewall policy that enables the Windows firewall for all profiles (Domain, Public, and Private).

Monitor and troubleshoot disk encryption status on endpoints

The following table lists factors that can cause the Enforce disk encryption metric to be lower than expected, and corrective actions you can take.

Contributing Factor | Corrective Action(s)
No corporate policy mandating full disk encryption is enabled | Reference the Trends board displayed in Enforce that highlights the lack of FDE. Work with security stakeholders to deploy disk encryption policies.
Segments of the enterprise don't have full disk encryption enabled | Use drill-down questions to explore commonalities between machines that lack FDE but should have it in place.
Operating systems don't support native disk encryption (BitLocker, FileVault) | Use the Enforce policy status report to determine endpoints whose operating systems don't support BitLocker (Windows 10 Home, Windows 7 Pro). Work on an endpoint "recap" plan with the asset team.
Weak or unapproved encryption is being used | Use the Enforce policy status report to determine endpoints that have weak encryption enabled. Deploy the decryption package and enforce an FDE policy with the correct encryption type.

Monitor and troubleshoot antivirus status on endpoints

The following table lists factors that can cause the Enforce antivirus metric to be lower than expected, and corrective actions you can take.

Contributing Factor | Corrective Action(s)
Third party antivirus product is not installed | Deploy anti-malware policy.
Real-time scanning is not enabled | Deploy anti-malware policy that enables real-time scanning.
Definition files are not up-to-date | Ensure Tanium is downloading Defender definition files from Microsoft.
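Because most Enforce sensors report data from the last validation check (up to about 15 minutes old), it is useful to confirm the host firewall and antivirus state directly on a suspect Windows endpoint. The following PowerShell function is an added example, not Tanium code: it reads the same facts the Host Firewall Enabled and Anti-Malware sensors expose, using the built-in NetSecurity and Defender modules, and the 7-day definition-age threshold is an assumed value rather than a Tanium setting.

```powershell
# Added example (not from the Tanium Enforce documentation): local check of the
# conditions listed in the host firewall and antivirus tables above.
# Assumes Windows 10 / Server 2016 or later with the NetSecurity and Defender
# PowerShell modules. The default definition-age threshold is an assumption.
function Get-LocalEnforceHealth {
    [CmdletBinding()]
    param(
        # Definitions older than this many days are reported as outdated.
        [int]$MaxDefinitionAgeDays = 7
    )

    $findings = @()

    # Host firewall: the corrective action requires Domain, Private and Public
    # profiles all enabled. Enabled is a GpoBoolean (True/False/NotConfigured),
    # so compare as a string rather than relying on boolean coercion.
    $profiles = Get-NetFirewallProfile
    $disabledProfiles = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' } |
        Select-Object -ExpandProperty Name)
    if ($disabledProfiles.Count -gt 0) {
        $findings += "Host firewall not enabled for profile(s): $($disabledProfiles -join ', ')"
    }

    # Microsoft Defender: same fields the Anti-Malware sensors report. If the
    # Defender service is not available (third-party AV or service stopped),
    # record that instead of failing.
    $mp = $null
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $findings += "Defender status unavailable: $($_.Exception.Message)"
    }

    $definitionAgeDays = $null
    if ($mp) {
        $definitionAgeDays = [math]::Round(((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays, 1)
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time scanning is not enabled' }
        if ($definitionAgeDays -gt $MaxDefinitionAgeDays) {
            $findings += "Definitions are $definitionAgeDays days old (version $($mp.AntivirusSignatureVersion))"
        }
    }

    [pscustomobject]@{
        FirewallAllProfilesEnabled = ($disabledProfiles.Count -eq 0)
        RealTimeProtectionEnabled  = if ($mp) { [bool]$mp.RealTimeProtectionEnabled } else { $null }
        DefinitionVersion          = if ($mp) { $mp.AntivirusSignatureVersion } else { $null }
        EngineVersion              = if ($mp) { $mp.AMEngineVersion } else { $null }
        DefinitionAgeDays          = $definitionAgeDays
        Findings                   = $findings
        Healthy                    = ($findings.Count -eq 0)
    }
}

Get-LocalEnforceHealth | Format-List
```

A non-empty Findings list on an endpoint that the sensors still show as healthy usually means the sensor data predates the change; a Healthy result that disagrees with the Enforce metric points instead at targeting or action-group issues covered in the earlier tables.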

Remove Enforce tools from endpoints

You can deploy an action to remove Enforce tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True
    For example: Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
  2. In the results, select the row for Enforce, drill down as necessary, and select the targets from which you want to remove Enforce tools. For more information, see Tanium Interact User Guide: Managing question results.
  3. Click Deploy Action.
  4. On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Enforce.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked on an endpoint, you must deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints) before the tools can be reinstalled.

  7. (Optional) To remove all Enforce databases and logs from the endpoints, clear the selection for Soft uninstall.

  8. (Optional) To also remove any tools that were dependencies of the Enforce tools that are not dependencies for tools from other modules, select Remove unreferenced dependencies.

  9. Click Show preview to continue.
  10. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Enforce

In some instances, if you decide to uninstall Enforce, you might need to disable associated firewall policies and SRP rules to ensure they are cleanly removed from endpoints. If so, you need to deploy actions that use the following two packages, which were created when Enforce was installed:

  • Disable Tanium Enforce Software Restriction Policies
  • Remove Enforce Firewall Rules

To complete a clean uninstallation and removal of Enforce policies, you must uninstall Enforce before you disable the associated firewall policies and SRP rules.

  1. From the Main menu, click Tanium Solutions.
  2. Under Enforce, click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Tanium Solutions page and verify that the Import button is available for Enforce.

Disable and remove Enforce policies

You might be required to disable Enforce policies after you uninstall Enforce. This can occur if some endpoints are offline when you uninstall Enforce. For more detailed information on packages and deploying actions, see Tanium Platform User Guide: Managing Scheduled Actions and Tanium Platform User Guide: Managing and creating Packages.

To disable and remove Enforce policies, you must first find all of the endpoints that are online and then deploy the removal packages.

  1. From the Main menu, click Interact.
  2. Ask a question to target the endpoints from which you want to remove policies. For example, Get Enforce - Tools Version from all machines.
  3. Select the row for the endpoints from which you want to remove the Enforce policies.
  4. Click Deploy Action.
  5. On the Deploy Action page, enter Enforce in the Enter package name here field.
  6. Select the Disable Tanium Enforce Software Restriction Policies Package.
  7. Click Show preview to continue at the bottom of the Deploy Action page.
  8. Click Deploy Action and enter your credentials. The Action Summary page appears.
  9. Repeat these steps, but select and deploy the Remove Enforce Firewall Rules package.

The Disable Tanium Enforce Software Restriction Policies package removes all SRP rules created by Enforce. It does not disable SRP on the endpoint. Likewise, the Remove Enforce Firewall Rules package removes all firewall rules created by Enforce. It does not disable the firewall on the endpoint.

Resolve Active Directory policy conflicts

Enforce applies policy settings using Local Group Policy (LGPO). If an endpoint is joined to a domain and is receiving a domain policy that contains the same policy setting Enforce is trying to apply, the Domain Group Policy (DGPO) will take precedence. To resolve this, the DGPO policy setting must be set to Not configured in order for Enforce to manage it.

Domain-joined machines attempt to reach a domain controller to resolve conflicts between DGPO and LGPO settings when Enforce applies policies on the endpoint (at the initial enforcement time, then every 60 minutes). If a domain-joined machine cannot reach a domain controller, the endpoint cannot determine whether LGPO settings are in conflict with DGPO settings. In this case, LGPO settings are not applied and consequently Enforce cannot apply policies of this type.

Conflicting DGPO and LGPO settings are reported as either Not Applied (only one policy setting exists in the policy and it conflicts with DGPO) or Partially Applied (more than one policy setting exists in the policy and at least one is in conflict with DGPO). Enforce does not apply policy items that are in conflict with DGPO; the group policy engine on the endpoint resolves that internally. The enforcement status drill-down reports in the Reason column that the setting was verified with no items applied.

Contact Tanium support

To contact Tanium Support for help, sign in to https://support.tanium.com.