Have you ever experienced a warning message in the Windows 7 Action Center that it is “important” to find and install an antivirus program – even though the computer already has a functional AV installed? I myself have experienced this many times (at random) over the last year since we began deploying computers with Windows 7. While the cause is unknown to us at this time (is it the AV or Windows?), we do know how the affected computers can be identified.
WMI contains a namespace called “securitycenter2”. There are three classes to pay attention to, particularly AntiVirusProduct. If this class contains no instances (i.e. it is empty), the Action Center will report the warning.
So now you may be asking, “how does one identify this across an organization?” By using Desired Configuration Management (DCM) within SCCM, of course! So here is how you go about creating a DCM to identify these computers.
- Create a new Configuration Item (CI) in DCM.
- In the CI, on the Settings tab, create a new WQL query
- Call the display name anything you like (I used “AV_Query”)
- Enter the namespace as “Root\securitycenter2”
- Enter the class as “AntiVirusProduct”
- Enter the property as “displayName”
- Click on the Validation tab and change the instance count operator from “Greater than” to “Not equals”
- Optional – change the severity to “Information – no Windows event message”
- On the Applicability tab, limit the specified platforms to only Win7 computers
- Click OK throughout to save the CI
- Create a new Configuration Baseline
- In the baseline, on the Rules tab, add the CI to the “applications and general configuration items”
- Assign the baseline to a collection of computers
- Use the default web reports to monitor the status of the deployment and results (I used report “Summary compliance for a configuration item by computer”).
- Computers saying that they are “Non-compliant” in column Actual Compliance State are actively impacted by this issue.
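The same check the CI performs (count the AntiVirusProduct instances in Root\securitycenter2 and flag a count of zero) can be reproduced ad hoc in PowerShell, which is handy for confirming a single “Non-compliant” computer from the report before building collections around it. This is an added example, not code from the original post; it assumes PowerShell 2.0 or later, WMI access to any remote computer named, and the computer names passed in are placeholders you supply.

```powershell
# Added example (not from the original post): mirror the DCM instance-count
# check against Root\securitycenter2 in PowerShell.
# Assumes PowerShell 2.0+ and that the caller has WMI rights on any remote
# computer passed in; computer names are placeholders supplied by the caller.

function Test-AvRegistration {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Same namespace, class and property the CI's WQL setting uses
            $products = @(Get-WmiObject -ComputerName $computer `
                -Namespace 'root\SecurityCenter2' `
                -Query 'SELECT displayName FROM AntiVirusProduct' `
                -ErrorAction Stop)

            # The CI rule is "instance count not equals 0": zero instances means the
            # Action Center will raise the warning, so report it as Non-compliant.
            $state = if ($products.Count -eq 0) { 'Non-compliant' } else { 'Compliant' }

            New-Object PSObject -Property @{
                ComputerName    = $computer
                InstanceCount   = $products.Count
                Products        = ($products | ForEach-Object { $_.displayName }) -join '; '
                ComplianceState = $state
            } | Select-Object ComputerName, InstanceCount, Products, ComplianceState
        }
        catch {
            # The namespace is absent on server SKUs and WMI may simply be unreachable;
            # surface that as an error so it is not mistaken for a missing AV registration.
            New-Object PSObject -Property @{
                ComputerName    = $computer
                InstanceCount   = $null
                Products        = ''
                ComplianceState = "Error: $($_.Exception.Message)"
            } | Select-Object ComputerName, InstanceCount, Products, ComplianceState
        }
    }
}

# Check the local computer; pass -ComputerName to check others from the report.
Test-AvRegistration | Format-Table -AutoSize
```

Keep the error case separate from the zero-instance case: a computer where the query fails (no SecurityCenter2 namespace, WMI blocked, offline) has not been shown to lack an AV registration, which is also why the CI's Applicability tab is limited to Windows 7 in the steps above.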
When doing this in our environment, I discovered that about 5% of our Windows 7 computers are affected. The other great thing about using a DCM to do this is that collections can be created based upon the compliance state, and a SWD package can then be used to take action on the computers in the collection.