Security

 View Only
last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass OnGuard - Automatic remediation of Windows Defender

This thread has been viewed 13 times
  • 1.  ClearPass OnGuard - Automatic remediation of Windows Defender

    Posted Sep 09, 2022 10:05 AM
    Hi Everyone,

    I'm looking for a bit of assistance. We are in the process of testing OnGuard before putting it into our live environment of W10 PCs. Initially we are posture checking for the status of the dat file for Windows Defender and that it is within the last 3 updates. My problem is that clients don't want to remediate automatically. The message the OnGuard Agent presents is "Could not update Windows Defender. Please try manually." We block access to the WU settings to end users so don't want to have them updating manually. For more info, we use our own internal WU server so that we can control the release of Windows updates. The test device sat for over an hour as quarantined before I manually requested windows updates. As soon as it picked up the updates it became healthy and jumped onto our corporate vlan. I need to remove the need for this manual step.

    For more info, we are using Comware7 HPE switches so have to switch vlans when the posture status changes between healthy and unhealthy (can't use roles). This is working fine for us so far it seems.

    Auto remediation is selected in the posture policy.



  • 2.  RE: ClearPass OnGuard - Automatic remediation of Windows Defender

    Posted Sep 11, 2022 09:50 PM
    Hi Ed,

    Is auto-remediation enabled on the Onguard WebAuth service?


    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------



  • 3.  RE: ClearPass OnGuard - Automatic remediation of Windows Defender

    Posted Sep 12, 2022 03:20 AM
    Hi. Thanks for the reply. Yes it is.




  • 4.  RE: ClearPass OnGuard - Automatic remediation of Windows Defender

    EMPLOYEE
    Posted Sep 12, 2022 08:49 AM
    Just thinking, but may it be that if you configured a GPO to prevent users to run a manual update, that the function is just blocked and the OnGuard agent would not have access to it either?

    I'm not a GPO/AD expert, but could imagine that the manual update function is blocked, not just 'the button'; and another application won't be able to trigger an update either.

    You may try to revert that setting for just one machine and see if that resolves the remediation from OnGuard as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: ClearPass OnGuard - Automatic remediation of Windows Defender

    Posted Sep 12, 2022 09:31 AM
    Thanks for reply Herman! Wow, I love your videos.

    I'm testing this in a small environment at the moment and the 2x test devices are in an AD group that excludes them from the GPO that restricts access to the WU page so I should be ok testing on these devices at least. Hmm, this is one of those things that sits right between being a ClearPass and Windows issue.

    I have raised a ticket with TAC to see if they can provide any help. Just waiting for a response. In the meantime, I'm going to check with our GPO guys to ask exactly what the GPO does. Whether it blocks just the page or the function as well, in case that's what it is.

    Thanks again.