This article explains how to use the Compliance Blade to check that the Endpoint Security Client has a safe or patched version for the Client Certificate expiration on January 1st 2021 issue (Endpoint security certificate cannot be validated), and how to set up auto-remediation for it.
Using SmartEndpoint, it is possible to add a compliance rule to check for the outdated driver that needs to be replaced.
Note: The patch and the driver that is patched are different for 32-bit and 64-bit systems.
Patches for auto-remediation:
For x64 versions of Windows: Click here
For x86 versions of Windows: Click here
Patched driver version:
220.127.116.1153 and higher on all Windows versions
Patched driver hashes:
e63164c2ec195e07333a6d0123faf7c2 C:\Windows\System32\Drivers\epklib.sys on x64 Windows
dd58488887c083bbb26acccc7805849f C:\Windows\System32\Drivers\epklib.sys on x86 Windows
Proceed as follows:
1. Clone Compliance Rule.
It is recommended to assign it to a Computer Group, prepared in advance, that contains all the affected machines.
Note: Only Windows systems are affected, macOS clients don’t need to be repaired.
If that is not possible, assign it to global groups such as All Windows Desktops and All Windows Laptops.
2. Create a new rule in the "Required Applications and Files" section of the Compliance rule set.
For the rule to work, a user must be logged in to the machine.
3. Create a Remediation that will be used in rules.
Note: The Remediation allows you to configure a custom message that will be shown to the user. If you do not want users to see any notification, you can skip this step and use the pre-configured default_remediation object later in steps 4, 5, 6 and 7.
Create an empty Rule by pressing Create Rule. Right-click on the default_remediation that is chosen automatically and create a new Remediation.
If you want the Compliance Blade only to detect machines that need repair and show warnings to users, but not to perform an automatic remediation, uncheck Run Custom File and only configure a message in the required language by pressing Add...
This message will be shown to users.
If you want the Compliance Blade to automatically repair machines using the patches above, you will need to create two Remediations, one for x86 machines and one for x64 machines.
Check Run Custom File. Set the following fields:
- Download path: the local path on the machine where the patch will be saved temporarily. We recommend setting it to %PUBLIC%\name_of_exe_file.exe
- URL: the HTTP or SMB link from which the patch will be downloaded, for example \\local-share\name_of_exe_file.exe. Note that the patches for x86 and x64 may have different names. The patches themselves can be found at the top of the article.
- Parameters: Uninstall password configured in organization.
- MD5 Checksum: if everything is configured correctly, when you click Calculate… the system fills this field in automatically. Otherwise, double-check the path.
Note that x86 and x64 patches have different checksums.
- Check Run as system
- Configure a message in the required language(s) that will be shown to users by pressing Add…
When configuring the second (x64) Remediation, you can use the same already configured messages:
4. Create a new Rule and a new "Required Entity Check" in it by right-clicking in the Checks column.
You can also change the Rule Name before configuring its Check, or configure them all together at Step 7.
5. Configure the Checks for the updated file
Set the Windows version from the following list. You will need to configure up to 8 separate checks, one for each OS used in your environment:
- Windows 7 x86
- Windows 7 x64
- Windows 8 x86
- Windows 8 x64
- Windows 8.1 x86
- Windows 8.1 x64
- Windows 10 x86
- Windows 10 x64
Fill in the following fields:
- For x64 Windows versions, set File Path to be C:\Windows\Sysnative\Drivers
- For x86 Windows versions, set File Path to be C:\Windows\System32\Drivers
- Set Min File Version to 18.104.22.16853 and File Name to epklib.sys for all Windows versions
Note: The word Sysnative in the path for x64 configurations is not a typo. Although this folder cannot be opened in Windows Explorer, the Compliance Blade needs exactly this path on x64 machines to work properly.
Below is the example for Windows 7 x86:
6. Perform Steps 4 and 5 for all OS versions in your environment
Make sure to set:
- Correct Operating System (x86 versions do not have a bitness indication in the list, x64 versions are shown as x64)
- Correct File Path (should be C:\Windows\Sysnative\Drivers for x64 and C:\Windows\System32\Drivers for x86)
- Correct Remediation (previously created DriverErrorRepair_x86 and DriverErrorRepair_x64, or the unified remediation from step 3 if you do not configure automatic repair and just configure detection)
Below is the example for Windows 10 x64:
7. Save the Checks and Rules, then ensure the whole configuration looks like this:
Make sure that you have a separate Rule for each OS in your environment, that each Rule has its own Check, and that the Remediation is set to x64 or x86 according to the OS version.
Note: If you did not configure Remediation in Step 3 and do not want to show any messages to user, choose the Observe action instead of Warn, and default_remediation instead of those configured in Step 3.
Note: Do not choose the Restrict action, because it may affect the Endpoint Policy and may disconnect the machine from the network. Use Warn if you want to notify users and show them custom messages.
8. Compliance will repeatedly check for the updated driver and warn the user (or repair the machine) if it is not up to date.
Note: If on some machines the Compliance status shows "File Not Found", the most probable reason is that an incorrect path was configured in the Compliance Check for the corresponding OS version (such as Windows 10 x64). Double-check Step 6: all Windows x64 versions should have Sysnative in File Path and all x86 versions should have System32, otherwise the check will fail.
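As an added example (not part of the original article and not Check Point's code), the PowerShell script below performs on a single endpoint the same check that the Compliance Rule configured above performs centrally: it locates epklib.sys in the driver folder that matches the machine's bitness, compares its file version against the minimum and compares its MD5 hash against the known-good hashes listed at the top of this article. It is useful for confirming, on one machine, why Compliance reports "File Not Found" or a stale driver. The function name Get-EpklibStatus is hypothetical, and $MinVersion is a placeholder you fill in from the "Patched driver version" line above; the hashes and the file name are taken from the article.

```powershell
# Added example: local check of the epklib.sys driver that the Compliance
# Rule in this article looks for. Not part of the original article.

# Known-good MD5 hashes of the patched driver, as listed in the article.
$KnownGoodMd5 = @{
    'x64' = 'E63164C2EC195E07333A6D0123FAF7C2'
    'x86' = 'DD58488887C083BBB26ACCCC7805849F'
}

# Placeholder: set this to the patched driver version from the article,
# for example  $MinVersion = [version]'<patched driver version>'.
# While it is $null the version comparison is skipped and only the hash counts.
$MinVersion = $null

function Get-EpklibStatus {
    # OS bitness, the same distinction the rule makes between x86 and x64 entries.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

    # The rule uses C:\Windows\Sysnative\Drivers on x64. Sysnative is the alias a
    # 32-bit process uses to reach the real 64-bit System32 folder; a 64-bit
    # PowerShell already sees the real System32, so choose by process bitness.
    $driverDir = if ($arch -eq 'x64' -and -not [Environment]::Is64BitProcess) {
        Join-Path $env:windir 'Sysnative\Drivers'
    } else {
        Join-Path $env:windir 'System32\Drivers'
    }
    $driverPath = Join-Path $driverDir 'epklib.sys'

    if (-not (Test-Path -LiteralPath $driverPath)) {
        # Mirrors the "File Not Found" status Compliance shows for a wrong path.
        return [pscustomobject]@{
            Architecture = $arch; Path = $driverPath; Found = $false
            Version = $null; VersionOk = $null; Md5 = $null; HashOk = $false
            Patched = $false
        }
    }

    # Build the version from the numeric parts so odd FileVersion strings do not break parsing.
    $vi = (Get-Item -LiteralPath $driverPath).VersionInfo
    $fileVersion = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # Get-FileHash returns upper-case hex, matching the table above.
    $md5 = (Get-FileHash -LiteralPath $driverPath -Algorithm MD5).Hash

    $versionOk = if ($MinVersion) { $fileVersion -ge $MinVersion } else { $null }
    $hashOk    = ($md5 -eq $KnownGoodMd5[$arch])

    [pscustomobject]@{
        Architecture = $arch
        Path         = $driverPath
        Found        = $true
        Version      = $fileVersion
        VersionOk    = $versionOk      # $null until $MinVersion is filled in
        Md5          = $md5
        HashOk       = $hashOk
        # A driver newer than the hashed build still passes via the version check.
        Patched      = ($hashOk -or ($versionOk -eq $true))
    }
}

Get-EpklibStatus | Format-List
```

Run it in an elevated PowerShell on the endpoint. A result with Found = False and a Sysnative path in a 64-bit session, or a System32 path in a 32-bit session on x64 Windows, reproduces the same path mismatch that makes the Compliance Check report "File Not Found".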
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.