ESET Agent Reporting on Windows 10 21H2


avielc

Go to solution Solved by MartinK,

As you guys are aware, 21H2 is becoming a thing.
I found I had a machine with 21H2 version 19044.1503. It's one of a kind (probably no other machine received 21H2), but I'm already starting to receive a notification of another one.

My issue is - these machines don't report the OS information back

attached screenshot:

the bottom machine is also Windows Based.

Here are a few more info examples when expanding that object:

Any ideas what to look for? 
It's reporting correctly, but again, no dynamic policies are deployed to the machine; it has to be specified manually. (dynamic policies = policies set on dynamic groups, e.g. windows, mac, etc.)


  • ESET Staff
  • Solution

Could you please provide trace logs from AGENT for analysis? From the provided screenshots it seems that the problem might be with WMI on this device, as the WMI interface is used to fetch OS and HW related data, which seems to be exactly the part that is missing in our case. If this is the case, there would be an error indicated during startup of AGENT's service and regularly when an attempt to refresh data is performed.


Thanks @MartinK
Your hint really led to the resolution.
Issue was with WMI not registering correctly. 

 

I checked the WMI management console (click on properties) and found it fails to output a successful query.

Reset the repo (changed it to old) as well as reset repository. 
Reinstalled the agent, and it fixed it.

 

Thanks again


4 hours ago, avielc said:

Reset the repo (changed it to old) as well as reset repository.

Can you explain what exactly you have done?


Basically follow this guide (including the bottom part of how to rebuild the repo) 
https://kb.acronis.com/content/62731

Here is a quote of the info from there:
 

Quote

1. Disable and stop the WMI service.

     sc config winmgmt start= disabled

(note the blank space before disabled)

     net stop winmgmt

(this will also ask to stop Acronis services)

2. Run the following commands

     Winmgmt /salvagerepository %windir%\System32\wbem

     Winmgmt /resetrepository %windir%\System32\wbem

3. Re-enable the WMI service and reboot the machine

     sc config winmgmt start= auto

If the problem remains after consistency check, rebuild the WMI repository:

1. Disable and stop the WMI service.

     sc config winmgmt start= disabled

     net stop winmgmt

2. Rename the repository folder located at %windir%\System32\wbem\repository to repository.old.

3. Re-enable the WMI service.

     sc config winmgmt start= auto

4. To recreate the repository, you need to run a WMI-using application. The simplest way to do this is to launch the WMI MMC snapin again (Start -> Run -> wmimgmt.msc), right click WMI Control (Local) and click Properties. There will be a delay of some seconds while a new repository is created.
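
A read-only check that can be run from an elevated PowerShell prompt before and after the repair steps above, to confirm whether WMI can actually serve the OS and hardware data the agent depends on. This is an added example, not part of the thread, the ESET product or the quoted Acronis guide; the function name Test-WmiHealth and the choice of the classes Win32_OperatingSystem and Win32_ComputerSystem as representative OS/HW queries are assumptions.

```powershell
# Added example (hypothetical helper): read-only WMI health check.
# It changes nothing on the machine; it only queries service state,
# repository consistency and two representative OS/HW classes.
function Test-WmiHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ServiceStatus  = $null   # state of the Winmgmt service
        VerifyExitCode = $null   # raw exit code of winmgmt /verifyrepository
        VerifyOutput   = $null   # raw text of the consistency check
        OsCaption      = $null
        OsVersion      = $null
        HardwareModel  = $null
        Errors         = @()
    }

    # 1. Is the WMI service present and running?
    try {
        $svc = Get-Service -Name Winmgmt -ErrorAction Stop
        $result.ServiceStatus = $svc.Status.ToString()
    } catch {
        $result.Errors += "Service query failed: $($_.Exception.Message)"
    }

    # 2. Repository consistency check (does not modify the repository).
    $out = & winmgmt.exe /verifyrepository 2>&1 | Out-String
    $result.VerifyExitCode = $LASTEXITCODE
    $result.VerifyOutput   = $out.Trim()

    # 3. Can WMI return OS and hardware data at all?
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.OsCaption = $os.Caption
        $result.OsVersion = "$($os.Version) (build $($os.BuildNumber))"
    } catch {
        $result.Errors += "Win32_OperatingSystem query failed: $($_.Exception.Message)"
    }
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
        $result.HardwareModel = "$($cs.Manufacturer) $($cs.Model)"
    } catch {
        $result.Errors += "Win32_ComputerSystem query failed: $($_.Exception.Message)"
    }

    # Healthy here means: service running and both queries answered.
    $result.Healthy = ($result.ServiceStatus -eq 'Running') -and ($result.Errors.Count -eq 0)
    [pscustomobject]$result
}

Test-WmiHealth | Format-List
```

Since /resetrepository returns the repository to its initial state, recording this output beforehand shows whether the reset was needed and, afterwards, whether it restored the OS and hardware queries.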

 
