Microsoft System Center Configuration Manager Feedback

SCEP Antimalware detection history view does not show accurate remediation detail

The v_AM_NormalizedDetectionHistory view in the SCCM database does not accurately reflect the RemediationType for detected threats. It almost always shows NoAction, even though the threat was quarantined or removed.

We are using this view to report status to our SIEM system, and our security team would prefer that it actually show how the threat was remediated.

45 votes

Matt Schultz [BCBSNE] shared this idea
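An added example, not code from the original post or from Microsoft: a T-SQL query against the view that first shows the RemediationType distribution the posters describe, then builds the rows a SIEM export would take, keeping RemediationType exactly as the view reports it but adding a flag so every NoAction row is raised for client-side verification rather than treated as an unhandled threat. Only the view name and the RemediationType column appear on the page; ResourceID, ThreatName, DetectionTime, the join to v_R_System.Name0 and the literal string 'NoAction' are assumptions from the standard Configuration Manager reporting schema (substitute the code value if your site stores RemediationType numerically).

```sql
-- Added example; assumptions (not on the original page): ResourceID, ThreatName,
-- DetectionTime, the v_R_System join and the literal 'NoAction' string.
DECLARE @Since DATETIME = DATEADD(DAY, -30, GETDATE());

-- 1. What the view itself reports over the window. If NoAction dominates
--    while clients are actually quarantining, this is the symptom described
--    in the post.
SELECT
    d.RemediationType,
    COUNT(*)                    AS Detections,
    COUNT(DISTINCT d.ResourceID) AS Machines
FROM v_AM_NormalizedDetectionHistory AS d
WHERE d.DetectionTime >= @Since
GROUP BY d.RemediationType
ORDER BY Detections DESC;

-- 2. SIEM feed. RemediationType is passed through unchanged; RemediationVerified
--    is 0 for NoAction rows so the SIEM rule can open a "verify on endpoint"
--    task instead of alerting on an unremediated threat.
SELECT
    s.Name0           AS ComputerName,
    d.ThreatName,
    d.DetectionTime,
    d.RemediationType,
    CASE WHEN d.RemediationType = 'NoAction' THEN 0 ELSE 1 END AS RemediationVerified
FROM v_AM_NormalizedDetectionHistory AS d
JOIN v_R_System AS s
    ON s.ResourceID = d.ResourceID
WHERE d.DetectionTime >= @Since
ORDER BY d.DetectionTime DESC;
```

Run the first query in SQL Server Management Studio against the site database; its row for NoAction is the same figure the commenters obtained with Select * and counting by hand. The second query is the one to schedule for the SIEM collector.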

    7 comments

      • Santosh Seth commented

        We are using SCCM 1806 and have a handful of SCEP clients. Select * from v_AM_NormalizedDetectionHistory returns 74 records, of which the Remediation type of 50 is Quarantined. I have checked the remaining NoAction ones and did not find anything suspicious. Please suggest if this has been removed?

      • Anonymous commented

        @Ben Ridley, we have a ticket with MS as well, and they say they can't find a reference to this bug. Do you have an ID of some kind that MS provided to track this bug?

      • Bradley Fox commented

        We are seeing the same issue, bump on fixing this as an alert is much less useful when I have to go to each machine to verify the malware was actually remediated.

      • Ben Ridley commented

        Hi all, for anyone who is experiencing this issue, we raised a premier support ticket months ago. Eventually, the product development team confirmed the issue as a bug and have said it will be fixed in the next release.

      • Curtis commented

        We are experiencing this behavior as well. Exactly as stated, the alerts show NoAction 95 percent of the time. We need a clearer status on these. Defender is doing its job, so we should see the remediation status reflect this.

      • Anonymous commented

        I've also experienced this issue, and the alerts being sent out by Endpoint Protection almost always say "NoAction"; when we check them more closely, they have been quarantined. Why is this?
