Skip to content

PowerShell module for automation of work with McAfee ePo Server


Notifications You must be signed in to change notification settings



Folders and files

Last commit message
Last commit date

Latest commit



21 Commits

Repository files navigation


How to install

  • Download the zip

  • Extract to folder to : C:\Program Files\WindowsPowerShell\Modules\MMePoTools

  • Unblock all the powershell files : dir -Path "C:\Program Files\WindowsPowerShell\Modules\MMePoTools" -Recurse | Unblock-File

  • Install module in Powershell : Import-Module -name MMePoTools

  • Test installation, open a Powershell try : Connect-MMePoServer -ServerName ePOSERVERNAME




    Connect McAfee ePo server.
    This command will create the variable $ePoVar in the module's context.
    PS C:\> Connect-MMePoServer -ServerName eposerver01 -Credential (Get-Credential eposerverAdmin -Message "Enter the password for eposerverAdmin")
    The command sets the values in the variable $ePoVar:
    ServerName       = eposerver01
    Port             = 8443
    URL              = "https://eposerver01:8443/remote"
    Credential       = <entered credential)
    SecurityProtocol = $([Net.ServicePointManager]::SecurityProtocol)
    Connected        = $false
    The command will try to get the version of the ePo server by command Get-MMePoVersion.
    If the Get-MMePoVersion returns the value, $ePoVar.Connected will change to $True
    and it will display the info about the version on the user console.




View / Export client tasks.
View / Exports client tasks
Requires view permission for at least one product.
If the parameter $FileName is omiited, output is displayed on the console.
PS C:\>Get-MMePoClientTaskExport -Name '^Install DLP$'
Find exactly "Install DLP" task.
PS C:\>Get-MMePoClientTaskExport -Name 'Install DLP'
Find all tasks whose name contains "Install DLP" string.
PS C:\>Get-MMePoClientTaskExport -FileName export
Export the client tasks configuration in to the c:\reports\export.xml file on the ePo server.
PS C:\>Get-MMePoClientTaskExport -FileName "export$(([datetime]::now).tostring("yyyyMMddhhmmss"))"
Export the client tasks configuration in to the c:\reports\exportACTUALDATETIME.xml file on the ePo server.


Find Client Tasks.
Finds client tasks filtered by supplied search text.
If search text is ommited, all tasks are listed.
Requires view permission for at least one product.


Run Client Tasks.
Runs the client task on a supplied list of systems
Requires edit permission for at least one product

[Name | Id] - A comma-separated list of system names/ip addresses
    or a comma-separated list of system IDs
productId  - Product ID (productID) as returned by Get-MMePoClientTaskFind command
taskId  - Task ID (objectID) as returned by Get-MMePoClientTaskFind command
RNDMinutes - Duration in minutes over which to randomly spread
    task execution. Defaults to 0 (execute on all clients immediately).

NOT Implemented:
retryAttempts  - Number of times the server will attempt to send the
    task to the client. Defaults to 1.
retryIntervalInSeconds  - Retry interval in seconds. Defaults to 30.
abortAfterMinutes - Maximum number of minutes before aborting all
    attempts. Defaults to 5.
useAllAgentHandlers - If true, any Agent Handler can send the task.
    Defaults to false (only the last connected Agent Handler will be used).
stopAfterMinutes - Maximum duration in minutes the client task is
    allowed to run. Defaults to 20.
Get-MMePoClientTaskFind | sort objectName | ft

Lists all the client tasks sorted by the objectname and format the output as a table.

objectId objectName                                             productId    productName                          typeId typeName
-------- ----------                                             ---------    -----------                          ------ --------
      38 Collect All                                            EPOAGENTMETA McAfee Agent                             12 McAfee Agent: McAfee Agent Statistics
      39 Collect only RelayServer                               EPOAGENTMETA McAfee Agent                             12 McAfee Agent: McAfee Agent Statistics
      59 Deploy ePO Deep Command Client                         EPOAGENTMETA McAfee Agent                             10 McAfee Agent: Product Deployment
      57 Deploy ePO Deep Command Discovery and Reporting Plugin EPOAGENTMETA McAfee Agent                             10 McAfee Agent: Product Deployment
     177 On-Demand Scan - Quick Scan                            ENDP_AM_1000 Endpoint Security Threat Prevention      26 Endpoint Security Threat Prevention: Policy Based On-Demand Scan

Invoke-MMePoClientTaskRun -Name comp1,comp2,comp3 -ProductID ENDP_AM_1000 -TaskID 177

From the previous command we want to use the On-Demand scan
ObjectID = 177 = TaskID
ProductID = ENDP_AM_1000
and start it on the computers comp1, comp2 and comp3



Exports all permission sets.
Exports all permission sets. Returns the permission sets as a string of XML or throws on error.
Requires administrator rights.
Default output is user's console.
Displays the all permission sets to the user's console.
PS>Get-MMePoCoreExportPermissionSets > x:\ePo_perm_sets.xml
Redirects the all permission sets output into the x:\ePo_perm_sets.xml file.


 Lists all registered commands and displays help strings.  Returns the list of
 commands or throws on error.
 Lists all registered commands and displays help strings.  Returns the list of
 commands or throws on error.

 Command - If specified, the help string for a specific command is
 displayed. If omitted, a list of all commands is displayed.
 It is a Case Sensitive!!!

 Prefix - If specified, only commands with the given prefix are listed. This is
 useful for showing the commands for a single plug-in. This has no effect if the
 'Command' argument is specified.
 PS C:\>Get-MMePoCoreHelp -DisplayAll | Select-String cleartag
 @{Command=system.clearTag; Description=names tagName [all] - Clears the tag from supplied systems}
 PS C:\>Get-MMePoCoreHelp system.clearTag
 system.clearTag names tagName [all]
 Clears the tag from supplied systems
 Requires Tag use permission
  [names (param 1) | ids] - You need to either supply the "names" with a ...


List permission sets
List permission sets in the system optionally filtered by username or id.
Note: Dynamically assigned permission sets are not represented. Returns the list of permission sets or throws on error.
Requires global administrator privilege.


Get all queries
Displays all queries that the user is permitted to see. Returns the list of
queries or throws on error.
Requires permission to use queries.

Output NoteProperties:
id            : 1
name          : Effective permissions for users
description   : Shows all permissions for each user
conditionSexp : Permission Does not equal "%%NOEPOROLES%%"
groupName     : Permissions
databaseType  :
target        : EntitlementView
createdBy     : ePoServerAdmin
createdOn     : 2016-05-16T14:26:50+02:00
modifiedBy    : ePoServerAdmin
modifiedOn    : 2016-05-16T14:26:50+02:00

C:\PS>Get-MMePoCoreListQueries | ? name -match 'effective'
id            : 1
name          : Effective permissions for users
description   : Shows all permissions for each user
conditionSexp : Permission Does not equal "%%NOEPOROLES%%"
groupName     : Permissions
userName      : Public
databaseType  :
target        : EntitlementView
createdBy     : ePoServerAdmin
createdOn     : 2016-05-16T14:26:50+02:00
modifiedBy    : ePoServerAdmin
modifiedOn    : 2016-05-16T14:26:50+02:00

D:\ PS>(Get-MMePoCoreListQueries | ? createdby -eq 'ePoServerAdmin').count

D:\ PS>Get-MMePoCoreListQueries | group createdby -NoElement
Count Name
----- ----
 52 ePoServerAdmin
351 admin123456
 66 user12345
 18 oper123456
 22 oper1234



List users in the system
List users in the system optionally filtered by permission set name or id.
Returns the list of users or throws on error.
Requires administrator rights.
    [permSetName (param 1) | permSetId] - Either the unique id or name of the permission set
list all ePo users


 Invokes ePo query by query ID
 Invokes ePo query by query ID. ID can be find by function Get-MMePoCoreListQueries
 Returns the data from the execution of the query or throws on error.
 Requires permission to use queries.

 add  execute own query
 core.executeQuery target=<> [select=<>] [where=<>] [order=<>] [group=<>] [database=<>] [depth=<>] [joinTables=<>]
 target - The SQUID target type to query. Optionally, the database type can be prepended to the target with a '.' (for example,
 select - The SQUID select clause of the query; if blank, all columns will be returned
 where - The SQUID where clause of the query; if blank, all rows will be returned
 order - The SQUID order-by clause of the query; if blank, database order will be returned
 group - The SQUID group-by clause of the query; if blank, no grouping will be performed
 database - The name of the remote database; if blank, the default database for the given database type will be used
 depth - The SQUID depth to fetch sub results (default: 5)
 joinTables - The comma-separated list of SQUID targets to join with the target type; * means join with all types



 Gets version of ePo server.
 Gets the ePO version.
 Requires admin rights on the ePo server.



 Finds policies filtered by specified search text.
 policy.find [searchText]
 Finds policies filtered by specified search text in all  policy properties
 featureId, featureName, objectId, objectName,  objectNotes
 Requires view permission for at least one product
 searchText (param 1) - Search text. Wildcards and  regular expressions are not
 Get-MMePoPolicyFind "policyname"
 Find the all policy configurations with "policyname"  string.
 Get-MMePoPolicyFind -PolicyName 'VIRUS' | ft -AutoSize


Export client policy.
policy.export productId [fileName]
Exports policies to an XML file in export folder
Requires view permission for at least one product
productId (param 1) - Product ID as returned by policy.find command
fileName (param 2) - Location within the export folder for the XML file to be
stored, e.g. foo.xml, foo/foo.xml, etc.
Get-MMePoPolicyExport -ProductID 'VIRUSCAN8800' -FolderPath c:\temp
Export the policy configuration for ProductID VIRUSSCAN8800
in to the c:\temp\MMePoPolicyExport\export.xml on local machine.
If file with the export already exists in the export folder, the filen will be rewritted.
(Get-MMePoPolicyFind VIRUSCAN8800 | group productId).name | Get-MMePoPolicyExport -FolderPath c:\temp
Export the policy configuration for ProductID VIRUSSCAN8800
in to the c:\temp\MMePoPolicyExport\ folder on the local machine.
If file with the export already exists in the export folder, the file will be rewritted.
(Get-MMePoPolicyFind | group productId).name | Get-MMePoPolicyExport -FolderPath c:\temp
Export all the policy configurations in to the c:\temp\MMePoPolicyExport\export.xml on local machine.
If files with the exports already exist in the export folder, the files will be rewritted.



Finds repositories filtered by specified search text.
Finds repositories filtered by specified search text.
Requires repository view permission.
searchText (param 1) - Search text. Wildcards and regular expressions are not supported.
list all repositories
PS>Get-MMePoRepositoryFind -SearchText asdfg
list repositories containing asdfg text in their names



Get server task by name or ID
Gets details about a specific server task. Returns the task or throws on error.
Requires permission to run server tasks.

TaskName | TaskId - The unique id of the task or the task name


 Displays all server tasks.
 Displays all server tasks. Returns the list of tasks or throws on error.
 Requires permission to view server tasks.



Find system or systems
Find systems in the ePO tree by name, IP address, MAC address, user name, agent
GUID or tag.  Returns a list of database ids that can be used as input to any of
the system commands.

Requires permission to at least one group in the System Tree

- Search text can be IP address, MAC address, user name, agent GUID or tag
- If this value is set to "true" we will only search the computer name. This might improve performance.


Finds groups in the System Tree filtered by the search text.
Finds groups in the System Tree filtered by search text.
Requires access to at least one group in the System Tree.
Wildcards are not supported, but it is possible to use partially parts.
If search text is ommited, all groups are listed.


Find Tags.
Find Tags filtered by search text.
If search text is ommitted, all tags are listed.


Move systems to a specified destination group.
Move systems to a specified destination group by the name or the ID as returned by the function Get-MMePoSystemFind.
The ID of the destination group can be find by the function Get-MMePoSystemFindGroup.
AutoSort param - If true, system is enabled for sorting. Defaults to false.


Clears the tag from supplied systems.
system.clearTag names tagName [all]
Clears the tag from supplied systems
Requires Tag use permission
 [SystemName (param 1) | SystemID] - You need to either supply the "names" with a
   comma-separated list of names/ip addresses or a comma-separated list of "IDs".
 [TagName (param 2) | TagID] - You need to either supply the tag name or the tag ID.
 All (param 3) - Setting this argument to "true" clears all tags from the chosen
   systems. If this is set, the tagName or tagID provided is ignored.
Connected to ePoServer eposervername:8443
Ver.: 5.9.1

PS>$pctags = (Get-MMePoSystemFind -SearchNameOnly compxy).Tags
Drive Encryption Uninstall, PCs, Windows10
The command lists the all tags associated with the computer / system compxy.

PS>Remove-MMePoSystemClearTag -SystemName compxy -all
OK: 1 of 1 cleared successfully.

PS>(Get-MMePoSystemFind -SearchNameOnly compxy).Tags
PS>Set-MMePoSystemApplyTag -SystemName compxy -TagName PCs
OK: 1 of 1 applied successfully.

PS>Set-MMePoSystemApplyTag -SystemName compxy -TagName Windows10
OK: 1 of 1 applied successfully.

PS>Set-MMePoSystemApplyTag -SystemName compxy -TagName 'Drive Encryption Uninstall'
OK: 1 of 1 applied successfully.

PS>(Get-MMePoSystemFind -SearchNameOnly compxy).Tags
Drive Encryption Uninstall, PCs, Windows10
PS>Remove-MMePoSystemClearTag -SystemName compxy -TagName 'Drive Encryption Uninstall'
OK: 1 of 1 cleared successfully.

PS>(Get-MMePoSystemFind -SearchNameOnly compxy).Tags
PCs, Windows10

PS>Set-MMePoSystemApplyTag -SystemName compxy -TagName 'Drive Encryption Uninstall'
OK: 1 of 1 applied successfully.

PS>(Get-MMePoSystemFind -SearchNameOnly compxy).Tags
Drive Encryption Uninstall, PCs, Windows10


Deletes systems from the System Tree by name or ID if permissions allow.
system.delete names [uninstall] [uninstallSoftware]
Deletes systems from the System Tree by name or ID if permissions allow.
Requires permission to edit System Tree groups and systems
 [SystemName (param 1) | SystemID] - You need to either supply the "names" with a
 comma-separated list of names/ip addresses or a comma-separated list of "IDs".
  Uninstall (param 2) - If true, this will also attempt to uninstall the agent
  from the affected systems. Default is false.
   UninstallSoftware (param 3) - If true, this will also attempt to uninstall all
   point products installed on the systems before uninstalling the agent. Default
   is false.
PS C:\>$dupl = Invoke-MMePoCoreExecuteQuery -Id 935 | group 'EPOLeafNode.NodeName' -NoElement | select -ExpandProperty name
PS C:\>$dupl | %{$t = (Get-MMePoSystemFind -SearchText $_ -SearchNameOnly | ? ComputerName -eq $_ | sort LastUpdate -Descending)
PS C:\>Remove-MMePoSystemDelete -SystemID ($t[1..$t.count].parentid -join ',') | ft -autosize}

The initial command lists all duplicate systems in the ePo DB using ePo query, then groups them by the system names, and the result stores into the variable $dupl.
The next command runs through array $dupl, got all the systems with the same name, order them by LastUpdate property descending and the result saves into the temporary array $t.
Finaly we take the all systems from the array $t except for the index 0 (the systems in the index 0 are the last communicated systems with the ePo server), get the ParentIDs from these systems, and these IDs we will use in the command Remove-MMePoSystemDelete.


Apply tag name / ID.
Apply tag name "tagName" or tag "ID".
Assign the given tag to a supplied list of systems. System list can contain
names, IP addresses or IDs.
Requires Tag use permission.



Get the info about the OnDemand Scan tasks running on the computers from thier OnDemandScan_Activity.log files.
This command retrieves a data from the OnDemand Scan log file/s on the computer/s.
This log file (OnDemandScan_Activity.log) is located on the computer
in the folder 'c:\programdata\mcafee\endpoint security\logs' by default.
The path can be changed in the property $OnDemandLogPath.
The command is looking for 'scan started' or 'scan resumed' messages in the log
and from this line returns all next lines till the line matched
'scan completed' or 'scan stopped' or 'scan auto paused' patterns.
Get-MMePoOndemanScanReport -ComputerName comp1,comp2,comp3
Returns all ondemand scan informations from comp1 ... comp3 computers.
The every event is reported as an object and can be further processed through the pipe,
or added to a variable.
Get-MMePoOndemanScanReport -ComputerName omp1,comp2,comp3 | ? DateTime -gt ((get-date).AddHours(-1)) | ft
Returns all ondemand scan informations from comp1 ... comp3 computers and filters out only last hour.
The result is displayed as the table.
[string[]] for $ComputerName
[string]$OnDemandLogPath cannot be pipped into this cmdlet
System.Array Output from this cmdlet is array of pscustom objects


PowerShell module for automation of work with McAfee ePo Server







No releases published


No packages published


  • PowerShell 100.0%