Archive for March, 2022

Datto (Autotask) RMM Agents showing previous AV endpoint after removing from Agent endpoint.

Recently I switched from using two separate endpoint AV solutions (ESET and Webroot) to using Windows 10 Defender and the Huntress Labs scanning agent. The cost difference was significant enough, and I have found that Huntress has found infections that previous AV software missed or didn’t report on.

In order to make this all happen successfully, one needs to uninstall the AV endpoints (ESET, Webroot, Sentinel1, others) first. My Datto RMM had several uninstallers built in, and I even added some that went through and purged the endpoint from the registry after doing a manual uninstall of the endpoint using the MSI file on the systems. The problem arose when looking at the devices in my RMM console: the display still showed either endpoint as the primary AV product. Subsequent calls to ESET, Webroot and others proved that re-installing and re-uninstalling had no effect.

I even tried deleting the RMM agent from the system and re-installing it, figuring it was something in the RMM agent software – NOPE!

I connected via chat to the Datto community and the engineer there suggested I run this PowerShell command:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

Results showed this:

__GENUS : 2
__CLASS : AntiVirusProduct
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1A
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Thu, 17 Mar 2022 18:24:07 GMT
PSComputerName : XXXXX

__GENUS : 2
__CLASS : AntiVirusProduct
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00
displayName : ESET Security => this is what showed in the RMM console.
instanceGuid : {885D845F-AF19-0124-FECE-FFF49D00F440}
pathToSignedProductExe : C:\Program Files\ESET\ESET Security\ecmds.exe
pathToSignedReportingExe : C:\Program Files\ESET\ESET Security\ekrn.exe
productState : 266240
timestamp : Tue, 14 Sep 2021 19:43:46 GMT
PSComputerName : XXXXXX

The Datto support tech then said to run the same PowerShell command, but with the delete option, to delete all WMI objects for the Security Center:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}

The result cleared all objects for Security Center and in the RMM console, the computers showed Windows Defender – the required result. No reboots necessary.

Hope this proves helpful for those with similar types of RMM console trouble when switching AV products.
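A narrower variant of the cleanup above, as an added example (not from the original post or from Datto support): it deletes only registrations whose reporting executable is missing from disk and leaves the Windows Defender entry alone. The function name Remove-StaleAvRegistration and the missing-file staleness test are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Datto's or the post author's script.
# Uses Get-WmiObject like the commands above, so run it in Windows PowerShell 5.1.
function Remove-StaleAvRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
    foreach ($p in $products) {
        # Defender registers a URI (windowsdefender://) as its product exe; never remove it.
        $isDefender = $p.pathToSignedProductExe -like 'windowsdefender:*'

        # Paths may contain variables such as %ProgramFiles%, so expand them first.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedReportingExe)
        $exePresent = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))

        # Assumption: a non-Defender entry whose reporting exe is gone is a leftover.
        $stale = (-not $isDefender) -and (-not $exePresent)
        $action = 'Kept'
        if ($stale -and $PSCmdlet.ShouldProcess($p.displayName, 'Delete AntiVirusProduct WMI instance')) {
            $p.Delete()
            $action = 'Deleted'
        }

        # Emit one record per registration so the run can be logged from the RMM job.
        [pscustomobject]@{
            DisplayName  = $p.displayName
            InstanceGuid = $p.instanceGuid
            ReportingExe = $exe
            ExePresent   = $exePresent
            Timestamp    = $p.timestamp
            Action       = $action
        }
    }
}

# Preview first; nothing is deleted with -WhatIf.
Remove-StaleAvRegistration -WhatIf | Format-Table -AutoSize
```

Run it again without -WhatIf once the preview lists only the uninstalled product as stale.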

Categories: Remote Monitoring

Outlook client can’t find O365 to authenticate license

I have had several colleagues who had a problem authenticating and authorizing their O365 Office software to the O365 license servers.

Red Bar: Invalid license/not licensed

Yellow bar: others said Activate now – nothing worked to activate the user to O365.

To fix this problem, I had to import this registry info via an O365fix.reg file.

Note: Copy and paste the text below, starting with the Windows Registry… line through the 001 value on the last line.

Save the file as o365fix.reg in the c:\temp folder, then right-click it and merge the key on the client machine. From there it should authenticate to the license servers and be able to be used.

Windows Registry Editor Version 5.00


Hope this helps all out there.

Categories: Active Directory