Reference: Enforcement errors

Policy update not yet received

The endpoint has an outdated version of the specified policy XML file.

This is often a temporary state that resolves after a few minutes when the endpoint finishes downloading the most recent policy version.

Policy has not been applied

The specified policy XML file is not present on the endpoint.

This might be caused by an external process removing the files. Contact your Tanium Account Manager (TAM) for assistance.

Microsoft Anti-malware is not installed

These Windows 7 machines have an Anti-malware policy deployed, but do not have SCEP installed.

Enable automatic SCEP installation in Settings -> Anti-Malware Settings by selecting Enable SCEP Installation and uploading the SCEP installer.

Microsoft Anti-malware has no definitions applied

Microsoft Anti-malware is enabled and running on these machines, but has not yet installed any anti-malware definitions.

This is often a temporary state that occurs immediately after Windows Anti-malware is enabled for the first time. If the problem persists, the machines might have an issue contacting Microsoft to get the definitions.

You can have Tanium gather and deploy Microsoft definitions by enabling the Managed Definitions option in the Protect policy.

Microsoft Anti-malware definition has not been updated within the grace period

Microsoft Anti-malware is enabled and running, but its anti-malware definitions are older than the policy's grace period (default = 1 day).

This is often a temporary state that can occur if a machine has been offline for an extended period. If the problem persists, it might be that the machines have an issue contacting Microsoft, or, if the Managed Definitions option is enabled, the Protect service might be having an issue downloading the definitions. Check Anti-Malware Definitions Status Health on the Protect Home page for more information.

Microsoft Anti-malware configuration does not match policy

Microsoft Anti-malware has different configuration settings than what is set in the policy. This can occur either from a user manually making a change or from an external program like Group Policy Object (GPO).

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Microsoft Anti-malware is not set to automatic start mode

Microsoft Anti-malware service is not set to automatic start mode. This can occur either from a user manually making a change or from an external program like GPO.

Protect resets the start mode to the correct state the next time the policy is enforced (default = 1 hour).

Microsoft Anti-malware services are not all running

Microsoft Anti-malware related services are not running. This can occur either from a user manually making a change or from an external program like GPO.

Protect resets the service to the correct state the next time the policy is enforced (default = 1 hour).

Unsupported EMET Settings - (x)

The setting (x) is not supported by the version of EMET running on these endpoints. Either the version of EMET is too old to support this setting, or the supplied EMET XML has an error in the setting name.

Verify the settings you are trying to configure are valid for the version of EMET you are using.

EMET 5.5 is not installed

EMET is not installed or the installed version is older than version 5.5.

Protect installs the correct version of EMET the next time the policy is enforced (default = 1 hour).

Unexpectedly missing EMET config

Protect is missing the supplied EMET configuration. This might be due to insufficient file permissions for the Tanium Client service, or the file might have been removed by an external program.

Contact your TAM for assistance.

Unable to read settings from EMET config

Protect could not open the specified EMET configuration. This might be due to insufficient file permissions for the Tanium Client service, or the file might have been corrupted in transit.

Contact your TAM for assistance.

AppLocker is enabled. SRP might be ignored

Both AppLocker and SRP Management policies are set on these endpoints. AppLocker is the newer implementation of SRP, and Windows ignores SRP if AppLocker is enabled.

Remove either AppLocker or SRP Management policies from these endpoints.
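
Added example, not part of the Tanium documentation: a PowerShell check that an administrator can run on an endpoint to see whether AppLocker rules and SRP settings are both present before deciding which policy to remove. It assumes SRP is stored under the standard machine policy registry key and that the AppLocker PowerShell module is available; the function names are illustrative.

```powershell
# Added example: detect AppLocker and SRP configured together on one endpoint.
# Assumption: SRP settings are stored under the standard machine policy key.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpState {
    # SRP counts as configured when the policy key exists with a DefaultLevel value.
    if (-not (Test-Path -Path $SrpKey)) { return $null }
    $props = Get-ItemProperty -Path $SrpKey
    if ($null -eq $props.DefaultLevel) { return $null }
    # Individual rules are GUID-named subkeys, e.g. 0\Paths\{guid}.
    $rules = @(Get-ChildItem -Path $SrpKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9a-fA-F-]{36}\}$' })
    New-Object PSObject -Property @{
        DefaultLevel = $props.DefaultLevel
        RuleCount    = $rules.Count
    }
}

function Get-AppLockerState {
    # Returns $null when the AppLocker module is missing or no rules are in effect.
    try {
        Import-Module AppLocker -ErrorAction Stop
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    } catch { return $null }
    # A collection that holds rules is in effect even if its mode is NotConfigured.
    $active = @($policy.RuleCollections | Where-Object { $_.Count -gt 0 })
    if ($active.Count -eq 0) { return $null }
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Collections   = ($active | ForEach-Object {
            '{0}={1}' -f $_.RuleCollectionType, $_.EnforcementMode }) -join ', '
        ServiceStatus = $(if ($svc) { [string]$svc.Status } else { 'NotFound' })
    }
}

$appLocker = Get-AppLockerState
$srp = Get-SrpState
if ($appLocker -and $srp) {
    "CONFLICT: AppLocker ($($appLocker.Collections); AppIDSvc $($appLocker.ServiceStatus)) " +
    "and SRP (DefaultLevel $($srp.DefaultLevel), $($srp.RuleCount) rules) are both configured."
} elseif ($appLocker) {
    "AppLocker only: $($appLocker.Collections)"
} elseif ($srp) {
    "SRP only: DefaultLevel $($srp.DefaultLevel), $($srp.RuleCount) rules"
} else {
    'Neither AppLocker rules nor SRP settings found.'
}
```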

Protect has not yet initialized Windows SRP

Protect must initialize SRP.

This is often a temporary state that occurs right after SRP is enabled for the first time. Protect correctly initializes SRP when the policy is enforced (default = 1 hour).

Endpoint requires reboot to initialize Windows SRP

After SRP is first initialized by Protect, the settings do not actually take effect until the system is rebooted.

You must reboot these machines to finish enabling SRP.

One or more expected Windows SRP rules was not correctly applied

SRP has different rules than what is set in the policy. This can occur either from a user manually making a change or from an external program like GPO.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Windows Firewall is not running

The Windows firewall service is not currently running. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Windows Firewall GPO conflict

GPO is changing the Windows firewall settings on these endpoints. This causes settings to constantly change between the GPO values and the Protect policy values.

Using GPO for firewall with Protect firewall policies is not supported. Remove GPO management from these endpoints.

An expected rule is missing from Windows Firewall

Windows Firewall has different rules than what is set in the policy. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

An expected rule is not correct in Windows Firewall

Windows Firewall has different rules than what is set in the policy. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Invalid rules are still applied

Windows Firewall has different rules than what is set in the policy. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Firewall profile does not match policy

Windows Firewall has different rules than what is set in the policy. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

One or more invalid firewall rules found in Policy

Windows Firewall could not read some of the rules specified in the policy. This can occur if the policy is corrupted on creation or during transit to the endpoint.

If this problem persists, recreate the Protect policy.

Windows AppLocker is not enabled

Windows AppLocker service is not running. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Windows AppLocker configuration does not match policy

Windows AppLocker has a different configuration than what is set in the policy. This can occur either from a user manually making a change or from an external program.

Protect resets to the correct state the next time the policy is enforced (default = 1 hour).

Windows AppLocker configuration enforced by Protect has not yet been applied

Windows AppLocker is enabled and configured, but is not yet using the new configuration.

There is a small window after Protect sets the configuration but before AppLocker actually starts to block applications based on the new rules. This usually resolves itself after a few minutes.

Last updated: 11/8/2018 4:46 PM