Microsoft OMS: Antimalware Assessment Not Reporting/Unknown Clients

Posted by Ahmed Nabil | 0 comments»
Microsoft OMS (Operations Management Suite) offers a very useful solution in its gallery: the Antimalware Assessment. After installing the OMS agent on all your servers (on-premises or Azure), this solution checks the antimalware/AV status of each one, for example whether real-time protection is missing or signatures are out of date.

For more information on this solution, see the link below:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware

I noticed in my environment that I have several clients with insufficient protection:

After clicking the assessment for more details, I noticed that these 13 clients had a status of Not Reporting. Upon checking them one by one, I noticed that most of them were 2008 and 2008 R2 servers. They had the antimalware client updated and real-time protection configured. I suspected the AV client, as some of them were not the Microsoft client but rather Symantec and/or Trend Micro; however, these clients were approved and added to the list queried by OMS:

https://blogs.technet.microsoft.com/msoms/2017/01/19/oms-security-malware-assessment-adds-support-for-more-antimalware-vendors/

To make a long story short: one of the major requirements of the OMS Antimalware Assessment is that these clients have Windows Management Framework (WMF) 3 or higher installed, which includes PowerShell 3.0. WMF 3 is not installed by default on Server 2008 R2.

So the fix was simply installing the WMF 3 update on the 2008 servers from the link below (the 6.1 package for 2008 R2 and the 6.0 package for 2008):

https://www.microsoft.com/en-us/download/details.aspx?id=34595

After updating these clients and installing WMF 3, I expected the issue to be resolved and the clients to start reporting to the OMS assessment; however, their status turned to Unknown!

After checking with the Microsoft team, it turns out that a very common cause of this Unknown status is that the WMI provider is not registered.

So the resolution is as follows:

  1. Open an administrator PowerShell on the Unknown computers.
  2. Ensure the execution policy allows running scripts. You can check it by running Get-ExecutionPolicy.
  3. Import the needed PowerShell module by running:
     Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
  4. Run the command Get-MProtComputerStatus.
  5. Most probably you will get an "Invalid namespace" error.
  6. If so, run the command below to register the WMI provider:
     Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
  7. This registers the ProtectionManagement provider and fixes the agent's Unknown status.
  8. If you changed the execution policy to allow running scripts, you may want to set it back to the default Restricted mode, or at least RemoteSigned.
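To run steps 2 to 7 unattended on each Unknown computer, here is an added PowerShell script (not part of the original post). It assumes WMF 3 is installed and that the module and DLL live at the Microsoft Security Client paths quoted above; it relaxes the execution policy only for the current process, so step 8 is not needed afterwards.

```powershell
#Requires -Version 3.0
# Added example, not from the original post. Automates the Unknown-status fix:
# load MpProvider, detect the "Invalid namespace" error, register the CIM
# provider, then re-check. Run from an elevated PowerShell prompt.

$modulePath  = "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"  # assumed path (from the post)
$providerDll = "$env:ProgramFiles\Microsoft Security Client\ProtectionMgmt.dll"           # assumed path (from the post)
$namespace   = 'root\microsoft\ProtectionManagement'

# Step 2: a Restricted policy blocks loading the .psd1 manifest. Process scope
# means nothing persists once this window closes (no step 8 clean-up needed).
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Write-Host 'Execution policy is Restricted; using RemoteSigned for this process only.'
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
}

# Step 3
Import-Module $modulePath -ErrorAction Stop

# Steps 4-5: the cmdlet reads the ProtectionManagement WMI namespace; an
# "Invalid namespace" error means the CIM provider is not registered.
function Test-ProtectionProvider {
    try {
        Get-MProtComputerStatus -ErrorAction Stop | Out-Null
        return $true
    } catch {
        if ($_.Exception.Message -match 'Invalid namespace') { return $false }
        throw   # any other failure is a different problem; surface it unchanged
    }
}

if (-not (Test-ProtectionProvider)) {
    # Step 6: register the provider with exactly the parameters from the post.
    Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace $namespace `
        -Path $providerDll -Impersonation True -HostingModel LocalServiceHost `
        -SupportWQL -ForceUpdate
    if ($LASTEXITCODE -ne 0) { throw "Register-CimProvider.exe failed with exit code $LASTEXITCODE" }

    # Step 7: the namespace should now exist and the status query should succeed.
    if (-not (Test-ProtectionProvider)) { throw 'Provider still not answering after registration' }
}

# Confirm the namespace is visible to WMI, then show what the OMS agent will read.
Get-CimInstance -Namespace 'root\microsoft' -ClassName __NAMESPACE |
    Where-Object { $_.Name -eq 'ProtectionManagement' } | Select-Object Name
Get-MProtComputerStatus
```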

Hopefully this post is useful for anyone encountering the same issue.

Server Manager Refresh Failed: Call was Cancelled by the Message Filter

Posted by Ahmed Nabil | 1 comments»
Lately I noticed that Server Manager on one of the Windows 2012 R2 file servers was continuously failing to refresh; a normal reboot and the usual checks/scans didn't fix the problem, and I ended up with the screenshot below.

The details of the failure were "Call was cancelled by the message filter".

I noticed that the error below was repeated all through the server's Event Viewer (Event ID 1000 - Faulting application Cscript.exe):

Server Manager wasn't the only one with an error: the File Server Resource Manager (FSRM) MMC also returned an error when I opened it and was unable to connect to the WMI repository.

After extensive searching, the most recommended solution was to recompile and refresh the MOF files on the Windows 2012 R2 server. Several people reported that it didn't work for them, so I am sharing below the exact steps I followed to make it work.

  1. Ensure all MMCs, including Server Manager, are closed.
  2. Open an elevated CMD prompt.
  3. Navigate to C:\Windows\System32\wbem\AutoRecover (it is very important to run it from the AutoRecover folder and not from the wbem root).
  4. Type: for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
  5. It will start parsing the MOF files one by one until the end, as shown in the screenshot below.
  6. You should get a "done" confirmation after each MOF file is parsed. If it hangs on "Storing data in the repository" for a long time with no progress, kill the "WMI Provider Host" process from Task Manager, as shown below. As soon as the WMI Provider Host task is ended, the hung command will continue running without any problem.
  7. Reboot the server.
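As an added PowerShell equivalent of steps 3 to 6 (not from the original post), the script below compiles each MOF/MFL file from the AutoRecover folder, checks each run for the done confirmation, and ends the WMI Provider Host (WmiPrvSE.exe) if a compile hangs so the loop continues, which is what the post does by hand in Task Manager. The 120-second hang threshold and the log location are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt with all MMCs (including Server Manager) closed, then reboot afterwards.

$autoRecover = Join-Path $env:windir 'System32\wbem\AutoRecover'
$mofcomp     = Join-Path $env:windir 'System32\wbem\mofcomp.exe'
$timeoutSec  = 120   # assumed: how long "Storing data in the repository" may take before we intervene

function Invoke-MofCompile {
    param([string]$File)
    $log = Join-Path $env:TEMP "mofcomp-$File.log"   # assumed log location
    # Working directory must be AutoRecover itself, not the wbem root (step 3).
    $p = Start-Process -FilePath $mofcomp -ArgumentList "`"$File`"" -WorkingDirectory $autoRecover `
            -NoNewWindow -PassThru -RedirectStandardOutput $log
    if (-not $p.WaitForExit($timeoutSec * 1000)) {
        # Step 6: the compile is stuck; ending WMI Provider Host lets mofcomp finish.
        Write-Warning "$File is hanging; stopping WMI Provider Host (WmiPrvSE) so mofcomp can continue"
        Get-Process WmiPrvSE -ErrorAction SilentlyContinue | Stop-Process -Force
        $p.WaitForExit()
    }
    $output = Get-Content $log -Raw
    [pscustomobject]@{
        File     = $File
        ExitCode = $p.ExitCode
        Done     = [bool]($output -match '(?i)\bdone')   # the "done" confirmation from step 6
    }
}

# Step 4: every .mof and .mfl in AutoRecover, one mofcomp run each.
$results = Get-ChildItem -Path "$autoRecover\*" -Include *.mof, *.mfl -File |
    ForEach-Object { Invoke-MofCompile $_.Name }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Done -or $_.ExitCode -ne 0 })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) file(s) did not compile cleanly; check the logs in $env:TEMP before rebooting."
} else {
    Write-Host 'All MOF/MFL files parsed; reboot the server to finish (step 7).'
}
```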

After rebooting the server, Server Manager opened and refreshed its status without any problem, as did the other MMCs such as the File Server Resource Manager.

Hopefully this is beneficial for users facing the same issue.