At Risk Clients

SCCM reports active clients as at risk mainly for one of two reasons - out-of-date virus definitions or a failure in the Endpoint Protection Policy Application State.

Out-of-date virus definitions usually take care of themselves via SCCM; this is commonly seen when a machine has been offline and reports in before downloading the latest version.


Policy application failures usually occur due to a group policy failure or a problem with WMI.

WMI can be repaired using the winmgmt command in an admin command prompt.

winmgmt /verifyrepository checks the consistency of the WMI repository.

winmgmt /salvagerepository attempts to repair the WMI repository.

winmgmt /resetrepository resets WMI to defaults. This may force you to uninstall any programs that have corrupted WMI to begin with.


Group Policy updates failed

gpupdate /force forces group policy to update.

gpresult /h <filepath.html> generates an HTML format report, which can be useful if gpupdate fails to update group policy.

A common cause of group policy failures is a corrupted POL file; in that case, removing the following files is recommended:

c:\windows\system32\GroupPolicy\Machine\registry.pol

c:\windows\system32\GroupPolicy\User\registry.pol

Then run gpupdate /force again to see if group policy updates properly.


Once this is done, to expedite getting anti-malware policies back, go to Control Panel > Configuration Manager > Actions and run Machine Policy Retrieval and Evaluation Cycle.
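
The steps above, chained into one elevated PowerShell session as an added example (not a script from the original note). Assumptions not on the page: winmgmt prints English output containing "is consistent", the registry.pol files are moved to timestamped .bak copies rather than deleted, the report path under %TEMP% is hypothetical, and the two TriggerSchedule IDs are the Configuration Manager client's machine policy request and evaluation actions.

```powershell
#Requires -RunAsAdministrator
# Added example: runs the checks described above in order. Not the author's script.

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Check WMI repository consistency; attempt a salvage only if it is not reported consistent.
#    Assumption: English-language winmgmt output containing "is consistent".
$verify = (& winmgmt.exe /verifyrepository) -join ' '
Write-Host "winmgmt /verifyrepository: $verify"
if ($verify -notmatch 'is consistent') {
    Write-Warning 'WMI repository not reported consistent; running /salvagerepository.'
    & winmgmt.exe /salvagerepository
    # /resetrepository is left as a manual decision because it resets WMI to defaults.
}

# 2. Move possibly corrupted registry.pol files aside.
#    They are kept as .bak copies (an assumption of this example) so they can be restored.
foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $env:SystemRoot "System32\GroupPolicy\$scope\registry.pol"
    if (Test-Path -LiteralPath $pol) {
        $backup = "$pol.$stamp.bak"
        Move-Item -LiteralPath $pol -Destination $backup -Force
        Write-Host "Moved $pol to $backup"
    }
}

# 3. Force a group policy refresh, then write the HTML report so the result can be reviewed.
& gpupdate.exe /force
$report = Join-Path $env:TEMP "gpresult-$stamp.html"   # hypothetical report location
& gpresult.exe /h $report /f
Write-Host "Group policy report written to $report"

# 4. Trigger the client actions behind "Machine Policy Retrieval and Evaluation Cycle".
#    Schedule IDs: ...021 = machine policy request, ...022 = machine policy evaluation.
$schedules = '{00000000-0000-0000-0000-000000000021}',
             '{00000000-0000-0000-0000-000000000022}'
foreach ($id in $schedules) {
    try {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } `
            -ErrorAction Stop | Out-Null
        Write-Host "Triggered schedule $id"
    } catch {
        # A failure here usually means the root\ccm namespace is unavailable (WMI or client issue).
        Write-Warning "Could not trigger schedule ${id}: $($_.Exception.Message)"
    }
}
```

If step 4 fails with a namespace error, that points back at the WMI repository or the Configuration Manager client itself rather than at group policy.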