
Monitor Windows Defender status for Intune MDM enrolled devices

Last Updated on October 15, 2018 by Oktay Sari

In a previous blog I explained how to Automatically MDM Enroll Windows 10 devices using Group Policy and there’s another blog about configuring Windows Update for Business using Microsoft Intune. You can report on both Windows Updates and Endpoint Protection if you are using the classic Intune Software client and the Silverlight portal https://manage.microsoft.com/. That’s because the classic Intune Software client installs the Microsoft Management Agent and uses this for reporting Windows Updates and Endpoint Protection status back to the classic Intune portal.

This agent is not installed when enrolling devices to Intune using the MDM channel and therefore you won’t have the option to report on Windows Updates or Defender health & status by default.

In this blog (PART 1) I will start with Windows Defender reporting. When you have finished this blog, you’ll have a very complete reporting portal while your devices are MDM enrolled to Azure Intune. In part 2 I’ll focus on Monitoring Windows 10 Updates for Intune MDM enrolled devices, so don’t forget to continue there.

Intune Threat agent status

Microsoft has released an update for Intune that gives you some basic reporting options for Windows Defender. It only reports: there is no option to take action from this screen if need be. That being said, it is a very welcome addition and I hope more updates will soon follow. I couldn’t find official documentation about this feature, so if you have any additional information, please share the knowledge.

Navigate to Azure Portal > Intune > Device compliance blade and click on Threat agent status


There are no options to take action from this screen. If you see devices pending a full scan or devices with outdated signatures, you can look up the device and take action from the All devices blade.

Navigate to Azure Portal > Intune > Devices > All Devices

Azure devices

Select the device you want to take action on and click on More to open the drop-down menu. From here you can:

  • Restart the device
  • Start a Scan
  • Update the definition signatures

Sync Azure Intune Windows 10 devices

Operations Management Suite and Log Analytics

If you want to have even more control and reporting features, you will have to do a little more work. I’m referring to Operations Management Suite (OMS) and Azure Log Analytics. OMS is a collection of cloud-based services for managing on-premises and cloud environments. Data from devices is collected by Log Analytics and stored in the OMS repository. Remember I wrote that the Microsoft Management Agent is not installed when MDM enrolling devices? You can install this agent manually for more reporting options. There’s a 5-minute QuickStart provided by Microsoft, Learn how to deploy Log Analytics and configure collection of data from your Windows 10 devices. Since that document is very complete, I’m not going to explain in detail how to start with OMS in this blog.

Microsoft Monitoring Agent for Windows

Before installing the Microsoft Monitoring Agent for Windows, you need the workspace ID and key for your Log Analytics workspace. It’s good to know you can manage OMS from its own portal and from within the new Azure Portal. Also note that not all management options are available from the Azure portal yet. For this blog I will focus on the Azure Portal.

  • Navigate to Azure Portal > Log Analytics
  • In your list of Log Analytics workspaces, select the workspace created earlier
  • Select Advanced Settings

Microsoft OMS and Log Analytics

  • Select Connected Sources, and then select Windows Servers.
  • Copy and paste both the Workspace ID and Primary Key into notepad.

Microsoft OMS and Log Analytics

Since you’re already here, please continue and download the Microsoft Monitoring Agent for Windows. We will need it later.

Deploying the Microsoft Monitoring Agent for Windows using Intune

Microsoft has an article on Connecting Windows computers to the Log Analytics service in Azure covering various ways to install the monitoring agent:

  • Manual installation
  • Deployment using an existing software distribution tool
  • Azure Automation Desired State Configuration (DSC)
  • PowerShell script
  • Resource Manager template for virtual machines running Windows on-premises in Azure Stack

We, however, are going to install the agent using EMS Intune. In a previous step you downloaded the agent as a .exe file, MMASetup-AMDxx.exe. We can only deploy .msi files using the Intune MDM channel, and therefore we will have to extract the .msi from the .exe.

I’m using 7-zip for this task. When extracted you will have a lot of files but only need MOMAgent.msi to continue. Now extract the .exe file and retrieve MOMAgent.msi before continuing.

Navigate to Azure Portal > Intune > Mobile apps > Apps and click on Add

Intune Add software


The Add app blade will be displayed and allow you to configure app information and settings:

Microsoft Intune Deploy Apps


Scroll down to Command-line arguments.

Microsoft Intune App configuration

Use the following command-line argument with your own workspace ID and Key. For obvious reasons I’ve obfuscated my own keys. Copy and paste the text below to notepad and use your own ID and Key.

/passive ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=111a111a-aa11-1a11-11a1-111aa11a11a1 OPINSIGHTS_WORKSPACE_KEY=aAaAaA0AaA0AaaAAAAAA+aaCC+1AAAAaaaaaaAAAAAAA1AA1AAAA11AA1A1AAAAA11AAAAAaaaAaAAaAaaAA1a== AcceptEndUserLicenseAgreement=1

Click on OK and finally click on Add to start the upload to EMS Intune. When the upload has finished, you can assign the package to a user group.


App assignments in Microsoft Intune

Navigate to Azure Portal > Intune > Mobile apps > Apps

  • Select your application
  • Click on Assignments
  • Click on Add Group
  • From the dropdown menu for Assignment type, choose Required
  • Click on Select groups to include
  • Search for your security group containing users who need to install the software.


Now your app is ready and the Microsoft Monitoring Agent will be deployed when the devices sync with Intune. You can also force a sync from the devices blade:

Navigate to Azure Portal > Intune > Devices > All Devices and select the device you want to force a sync on. Click on More to open the drop-down menu. From here you can select the Sync action. Go back above to have a peek at a screenshot.
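Once the device has synced, this added PowerShell check (not from the original post) confirms on the device itself that the agent installed, that it is connected to the workspace you put in the command-line arguments, and what Defender currently reports locally, so you can compare it with the Threat agent status blade. The workspace ID is a placeholder, and the seven-day full-scan threshold is an assumption of this example.

```powershell
# Run in an elevated PowerShell session on an enrolled Windows 10 device.
# $ExpectedWorkspaceId is a placeholder; replace it with your own workspace ID.
function Test-MmaDefenderStatus {
    param([string]$ExpectedWorkspaceId = '00000000-0000-0000-0000-000000000000')

    # 1. The Microsoft Monitoring Agent runs as the HealthService Windows service.
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'HealthService not found: MOMAgent.msi has not been installed yet.'
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "HealthService is $($svc.Status), expected Running."
    }

    # 2. The agent exposes its workspace configuration through a COM object.
    $connected = $false
    try {
        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
        foreach ($ws in $mma.GetCloudWorkspaces()) {
            # ConnectionStatus 0 means the agent is connected to that workspace.
            $tag = if ($ws.workspaceId -eq $ExpectedWorkspaceId) { 'expected' } else { 'other' }
            Write-Output ('Workspace {0} ({1}): {2}' -f $ws.workspaceId, $tag, $ws.ConnectionStatusText)
            if ($tag -eq 'expected' -and $ws.ConnectionStatus -eq 0) { $connected = $true }
        }
    } catch {
        Write-Warning "Agent configuration COM object not available: $($_.Exception.Message)"
    }
    if (-not $connected) {
        Write-Warning 'Not connected to the expected workspace; re-check OPINSIGHTS_WORKSPACE_ID and _KEY in the Intune app.'
    }

    # 3. Local Defender state: the same facts the Threat agent status blade shows.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        ConnectedToWorkspace = $connected
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureAgeDays     = $mp.AntivirusSignatureAge
        SignaturesUpdated    = $mp.AntivirusSignatureLastUpdated
        LastQuickScan        = $mp.QuickScanEndTime
        LastFullScan         = $mp.FullScanEndTime
        # Assumption of this example: a full scan older than 7 days counts as overdue.
        FullScanOverdue      = (-not $mp.FullScanEndTime) -or ($mp.FullScanAge -gt 7)
    }
}

Test-MmaDefenderStatus -ExpectedWorkspaceId '00000000-0000-0000-0000-000000000000'
```

A device that shows SignatureAgeDays in the double digits or FullScanOverdue = True here is the one you would pick in All Devices for the Update definition signatures or Start a Scan action described above.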

If you are familiar with deploying software using EMS Intune and the MDM channel then configure this to your own liking. If this is the first time you are deploying an app with EMS Intune, I suggest you read the following blogs:

Recap on what we did

  • You have used Threat agent status
  • You have set up Log Analytics and your OMS workspace
  • You have downloaded the Monitoring Agent and noted your workspace key and ID
  • You have deployed the Monitoring Agent to your devices

Add management solutions to OMS workspaces

It’s time to add some solutions to your OMS workspace but before I continue I want to make clear why I refer to original Microsoft documentation where possible. This is to ensure that you have the latest updated information available. I strongly advise you to read their documentation and use my blog as a quick reference or a complete step-by-step guide. Microsoft documented how to add management solutions to your workspace so go ahead and have a look. When you get to step 4: In the Management Solutions blade, select a management solution that you want to add to your workspace. Look for Antimalware Assessment and click on Create. Continue to step 5 and follow the rest of the documentation to add the solution to your workspace.


The solution will now be created and added to your workspace. It might take up to 24 hours or even longer before information becomes available. There is nothing you can do about this so give it some time to collect data from your devices.

How to monitor Windows Defender health and status

  1. Navigate to Azure Portal > Log Analytics
  2. In your list of Log Analytics workspaces, select the workspace created earlier
  3. Click on Overview
  4. Click on the Antimalware Assessment solution tile


This will open a new window and from there on you can analyze your data even further. There is information about threat status, detected threats, protection status and type of protection. Click on any of them and zoom in to device level.

Identifying malware using the Malware Assessment solution in Log Analytics

Please read Identifying malware using the Malware Assessment solution in Log Analytics for a complete understanding of the solution.
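The same drill-down the solution tiles give you can be pulled as a query, which is also the shape a Log alert rule needs. This added example (not from the original post or from Microsoft) runs it from your workstation with the Az PowerShell module after Connect-AzAccount; it assumes the ProtectionStatus table the Antimalware Assessment solution populates, that a ProtectionStatusRank or ThreatStatusRank of 150 is the healthy value with higher ranks being worse, and a placeholder workspace ID.

```powershell
# Requires the Az.OperationalInsights module and an authenticated session (Connect-AzAccount).
# $WorkspaceId is a placeholder; replace it with your own Log Analytics workspace ID.
function Get-UnhealthyDefenderDevices {
    param(
        [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',
        [int]$LookbackHours = 24
    )

    # Latest ProtectionStatus record per device, keeping only devices that are not
    # healthy: no real-time protection, outdated signatures, or a threat reported.
    # Assumption: rank 150 is the healthy value for both rank columns.
    $kql = @"
ProtectionStatus
| where TimeGenerated > ago(${LookbackHours}h)
| summarize arg_max(TimeGenerated, *) by Computer
| where ProtectionStatusRank > 150 or ThreatStatusRank > 150
| project Computer, TypeofProtection, ProtectionStatus, ThreatStatus,
          SignatureVersion, ScanDate, TimeGenerated
| order by Computer asc
"@

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    # Results is a collection of rows; force an array so Count works for 0 or 1 rows.
    return @($result.Results)
}

$rows = Get-UnhealthyDefenderDevices
if ($rows.Count -eq 0) {
    'All devices reporting in the last 24 hours show real-time protection and no threats.'
} else {
    # Each row is a device to look up under Intune > Devices > All Devices.
    $rows | Format-Table Computer, ProtectionStatus, ThreatStatus, SignatureVersion, ScanDate -AutoSize
}
```

Paste the query text alone (without the PowerShell wrapper) into a Log alert rule and set the threshold to "number of results greater than 0" to be notified when any device drops out of the healthy state.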

Setting up Alerts

To wrap this part up, we’ll configure some alerts. This way you will get notified by e-mail or SMS when an alert is triggered.

  1. Navigate to Azure Portal > Log Analytics
  2. In your list of Log Analytics workspaces, select your workspace
  3. Click on Alerts (Preview)


The Alerts blade is still in Preview in the Azure Portal, but you can configure alerts from here. Microsoft has an article about creating activity log alerts using the new Alerts (Preview) experience. If you’ve already created alerts in the old portal you can continue to do so, but Microsoft will extend alerts from OMS to Azure starting 23 April 2018. If you’ve just started with OMS, then you can only create alerts from the Azure portal.

extend alerts from OMS to Azure

Quote:

“The process of extending alerts from OMS into Azure, does not involve changing your alert definition, query, or configuration in any way. The only change required is that in Azure, all actions such as email notification, webhook call, running automation runbook or connecting to ITSM tool are done via Action Group. Hence if appropriate action group are associated with your alert – they will become extended into Azure.”

Creating Log alerts in Azure is out of scope of this blog and I hope I’ve provided the information needed for you to get started. Kiran Madnani wrote a very good read about The next generation of Azure Alerts.

This concludes the first part of this blog and reporting about Windows Defender health and status. Please continue with PART 2: Monitor Windows 10 Updates for Intune MDM enrolled devices.


Additional Information

Monitor Intune Device compliance policies
What is Operations Management Suite (OMS)?
What is Azure Log Analytics?
Collect data from Windows computers hosted in your environment
Add Azure Log Analytics management solutions to your workspace
