The alert showed that the Microsoft-Windows-AppLocker/EXE and DLL event log couldn't be accessed on my Hyper-V hosts.
When I checked manually, it was no surprise that the event log couldn't be accessed: it didn't exist.
I use Server Core in my environment, and some initial digging suggests that AppLocker isn't supported on Server Core because it depends on the Application Identity service (AppIDSvc).
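Before overriding anything, it is worth confirming on each host that the log really is absent and that the Application Identity service isn't there either, so the rule is only silenced where it genuinely cannot work. The following is an added example written for this post, not code from the original or from Microsoft; the host names in the commented usage are placeholders.

```powershell
# Added example (not from the original post): report whether a host can
# serve the AppLocker event log that the OMS collection rule reads from.
# Run locally on the Hyper-V host, or remotely with Invoke-Command.
function Test-AppLockerCollection {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    )

    # Get-WinEvent -ListLog raises a non-terminating error when the log is
    # not registered; -ErrorAction Stop turns that into a catchable exception.
    $log = $null
    try {
        $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    } catch {
        $log = $null
    }

    # AppLocker depends on the Application Identity service (AppIDSvc).
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    # Server Core reports InstallationType = 'Server Core'; full GUI reports 'Server'.
    $installType = (Get-ItemProperty `
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstallationType = $installType
        LogExists        = ($null -ne $log)
        LogEnabled       = if ($log) { $log.IsEnabled } else { $false }
        AppIDSvcPresent  = ($null -ne $appId)
        AppIDSvcStatus   = if ($appId) { $appId.Status.ToString() } else { 'Missing' }
    }
}

# Usage: run across the hosts you intend to put in the override group and
# keep only those where the log is missing. $CoreHosts is a placeholder
# list of hostnames (assumption), not a group from the original post.
# $CoreHosts = 'HV01', 'HV02'
# Invoke-Command -ComputerName $CoreHosts -ScriptBlock ${function:Test-AppLockerCollection} |
#     Where-Object { -not $_.LogExists } |
#     Format-Table ComputerName, InstallationType, AppIDSvcStatus -AutoSize
```

Any host that reports LogExists = True should be left out of the override group, otherwise you lose AppLocker telemetry from a machine that can actually produce it.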
This alert is generated in SCOM when it is integrated with Microsoft Operations Management Suite (the Operational Insights part) and the Security and Audit solution is enabled.
http://www.microsoft.com/en-us/server-cloud/operations-management-suite/overview.aspx
For now, this is a quick thing to override.
- In SCOM navigate to Authoring | Management Pack Objects | Rules
- Click the Scope button and search for Microsoft System Center Advisor
- Select the Microsoft System Center Advisor Windows Server target
- Use the Look for: filter to narrow the list down to just AppLocker
- Right-click the Collect AppLocker Events rule and choose Overrides | Override the Rule | For a group...
- Filter or scroll through the object list and find a group containing your Windows Server Core devices; I'm using the Windows Server 2012 R2 Core Computer Group
By default the override dialog shows the rule as already disabled (its default value), so why are we overriding it at all?
That's because the rule already carries an override that enables it for all members of the Microsoft System Center Advisor Monitoring Server Group. That is the group that devices you add in SCOM for upload to Operational Insights are placed in, and the group that the rules and monitors in the Operational Insights management packs are usually targeted at.
Rather than mess with that override, since we still want AppLocker events gathered from supported devices, we override Enabled to False for our group and make sure the Enforce option is ticked, so that our override takes precedence over the non-enforced Operational Insights one. As with any SCOM override, save it into an unsealed management pack of your own rather than the Default Management Pack.
And that's it. SCOM will no longer run that rule on the members of the group you selected (Server 2012 R2 Core hosts in my case), so it stops trying to read a non-existent event log.
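The same override can be created and verified from the Operations Manager Shell, which is handy if you have several management groups or want the change in a script. This is an added example for this post, not the author's own procedure; it assumes the OperationsManager module from the console install, a management server called scom-ms01, and an unsealed management pack named Overrides.OMS to hold the override (both names are placeholders). The rule and group display names are the ones used in the console steps above.

```powershell
# Added example (not from the original post): create the enforced
# Enabled=False override for the Core group from the OpsMgr shell.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01'   # placeholder server name (assumption)

$rule  = Get-SCOMRule -DisplayName 'Collect AppLocker Events'
$group = Get-SCOMGroup -DisplayName 'Windows Server 2012 R2 Core Computer Group'
$mp    = Get-SCOMManagementPack -Name 'Overrides.OMS'          # placeholder unsealed MP (assumption)

# Guard rails: overrides can only live in an unsealed MP, and a display
# name can match more than one rule, so insist on exactly one of each.
if (-not $mp)   { throw 'Override management pack not found' }
if ($mp.Sealed) { throw 'Overrides must be stored in an unsealed management pack' }
if (@($rule).Count  -ne 1) { throw "Expected one rule, found $(@($rule).Count)" }
if (@($group).Count -ne 1) { throw "Expected one group, found $(@($group).Count)" }

# Show what is already in force. Expect the Advisor MP's own, non-enforced
# override that enables the rule for the Advisor Monitoring Server Group.
Get-SCOMOverride -Rule $rule |
    Select-Object Property, Value, Enforced, Context,
                  @{ n = 'ManagementPack'; e = { $_.GetManagementPack().DisplayName } } |
    Format-Table -AutoSize

# Disable the rule for the Core group. -Enforce is what makes this override
# win over the existing non-enforced one, matching the Enforce tick box.
Disable-SCOMRule -Rule $rule -Group $group -ManagementPack $mp -Enforce -PassThru

# Verify: our MP should now hold an Enabled override with Value=false, Enforced=true.
Get-SCOMOverride -Rule $rule |
    Where-Object { $_.GetManagementPack().Name -eq $mp.Name } |
    Select-Object Property, Value, Enforced, Context |
    Format-Table -AutoSize
```

If the verification step shows nothing, check that the connection went to the right management group and that the management pack import of Overrides.OMS actually completed; the override is only effective once the unsealed MP has been saved back to the management group.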
4 comments:
I have witnessed a similar problem with AppLocker. The customer service could not understand the problem and I had to suffer for days. This is the perfect solution but is quite complicated.