When Symantec Endpoint Protection (SEP) and Threat Defense for Active Directory (TDAD) are utilized, a Forensic Report can be requested. However, if the SEP client is quaranited or isolated due to a Host Integrity failure or Endpoint Detection and Response Isolation request, the Forensic Report request will fail.

The SEP client's firewall policy will block TCP port 445 traffic by default when the client fails a Host Integrity check and is placed into a Quarantine Location.

Microsoft Windows

The Quarantine Firewall policy applied to the quarantine location(s) in question can be edited to allow traffic for svchost.exe on local TCP port 445 where the remote IP matches the TDAD server.