Saturday 18 February 2023

Tips for onboarding servers to Defender for Endpoint

This week is all about Microsoft Defender for Endpoint (MDE). It's very easy to onboard workstations (Windows 10/11) to MDE. Intune does that automatically for you.


Navigate to Endpoint Security > Endpoint detection and response, create the policy and assign to all devices. 

There is a little more to do for servers as they are not supported for enrollment in Intune.

First, how would you know if your server was already onboarded to MDE? Obviously you could search for the server in the Microsoft 365 Defender portal, but how can you tell on the server itself?

Look at the services. If the Windows Defender Advanced Threat Protection Service (Service name: Sense) is Automatic and Running, then the server has been onboarded. The screenshot above shows a server that has not been onboarded. The behaviour and the onboarding steps are slightly different depending on the server operating system.

Note: when you use Microsoft Defender for Cloud to monitor servers, they are automatically onboarded to Defender for Endpoint. For this blog post, I'm assuming you are not using Defender for Cloud. 

Windows Server 2012R2

2012R2 servers do not include Defender Antivirus or Defender for Endpoint natively. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

  • Install the unified Defender client (this is downloaded from MDE portal). This installs Microsoft Defender Antivirus and the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
  • Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

Windows Server 2016

2016 servers natively include Defender Antivirus (as long as the Defender feature is added) but not Defender for Endpoint. You must install the unified Defender solution on these servers.

Onboarding steps are as follows:

  • Verify that the Defender feature is added and updated. Defender must also be turned on.
  • Run updateplatform hotfix (download here from Microsoft Malware Protection Center (MMPC)). This updates Defender to the latest version.
  • Install the unified Defender client (this is downloaded from MDE portal). This installs the EDR sensor. It creates the Windows Defender Advanced Threat Protection Service. The service is not started and is set to Manual.
  • Install the unified Defender client update package (KB5005292 - download here). This updates the EDR sensor, which communicates with MDE.
  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

You will get this error if you don't update the platform before you install the unified Defender client.


Please update Windows Defender Antivirus (KB4052623) to the latest version.

Windows Server 2019 (and 2022)

These servers already include Defender AV and the EDR sensor. The Windows Defender Advanced Threat Protection Service already exists but is not running and is set to Manual.

There is one onboarding step:

  • Run the MDE onboarding script (this is downloaded from MDE portal). This onboards the server to MDE. It starts the Windows Defender Advanced Threat Protection Service and configures it to be Automatic.

The steps above can be automated using your server management solution.

You've now onboarded the server and the Windows Defender Advanced Threat Protection Service is running. Where can you see the onboarding details?



You need to look in the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM. Here you can see the Tenant ID and enrollment status. You should see EnrollmentStatus = 1.
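The steps above for the three server generations, together with the service check from the start of the post and the SenseCM registry check just described, as one added PowerShell example. This is not the blog's own script. It assumes the packages downloaded from the MDE portal and MMPC are staged locally under assumed file names (md4ws.msi, kb5005292.msu, updateplatform.exe, WindowsDefenderATPOnboardingScript.cmd), that the non-interactive variant of the onboarding script is used (the "Local Script" variant prompts for confirmation), and that it runs elevated from your management tool. The exit-code handling for msiexec and wusa is also an assumption.

```powershell
<#
  Added example, not the blog's own script: runs the onboarding steps for
  Windows Server 2012 R2, 2016 and 2019/2022, then reads
  HKLM\SOFTWARE\Microsoft\SenseCM to confirm enrollment. Run elevated.
  Assumption: the packages from the MDE portal / MMPC are staged in $StageDir
  under the file names below; rename them to match your downloads.
#>
[CmdletBinding()]
param([string]$StageDir = 'C:\Temp\MDE')

$ErrorActionPreference = 'Stop'
$UnifiedClient  = Join-Path $StageDir 'md4ws.msi'                               # unified Defender client (assumed file name)
$UnifiedUpdate  = Join-Path $StageDir 'kb5005292.msu'                           # KB5005292 update package (assumed file name)
$UpdatePlatform = Join-Path $StageDir 'updateplatform.exe'                      # MMPC platform update (assumed file name)
$OnboardScript  = Join-Path $StageDir 'WindowsDefenderATPOnboardingScript.cmd'  # non-interactive onboarding script (assumed)

function Get-SenseState {
    # Windows Defender Advanced Threat Protection Service (service name: Sense):
    # Automatic/Running on an onboarded server, Manual/Stopped or missing otherwise.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Missing' }
    return "$($svc.StartType)/$($svc.Status)"
}

function Invoke-Step([string]$Description, [string]$FilePath, [string[]]$Arguments) {
    Write-Host "== $Description"
    $params = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    if ($Arguments) { $params.ArgumentList = $Arguments }
    $proc = Start-Process @params
    # Assumed OK codes: 3010 = success, reboot required; 2359302 = wusa "already installed"
    if ($proc.ExitCode -notin 0, 3010, 2359302) { throw "$Description failed with exit code $($proc.ExitCode)" }
}

function Get-MdeEnrollment {
    # Onboarding details land under HKLM\SOFTWARE\Microsoft\SenseCM; EnrollmentStatus = 1 means enrolled.
    # The other values (tenant ID etc.) are returned as-is rather than hard-coding their names.
    $key   = 'HKLM:\SOFTWARE\Microsoft\SenseCM'
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* } else { $null }
    [pscustomobject]@{
        Sense    = Get-SenseState
        Enrolled = [bool]($props -and $props.EnrollmentStatus -eq 1)
        SenseCM  = $props
    }
}

$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version   # 6.3 = 2012 R2, 10.0.14393 = 2016
Write-Host "OS $osVersion, Sense service: $(Get-SenseState)"

if ((Get-SenseState) -eq 'Automatic/Running') {
    Write-Host 'Sense is already Automatic and Running; skipping onboarding.'
} else {
    if ($osVersion -lt [version]'6.3') {
        throw "Windows Server $osVersion is not covered by this script"
    } elseif ($osVersion.Major -eq 6) {
        # 2012 R2 ships neither Defender AV nor the EDR sensor: unified client first, then its update
        Invoke-Step 'Install unified Defender client' 'msiexec.exe' @('/i', "`"$UnifiedClient`"", '/qn', '/norestart')
        Invoke-Step 'Install KB5005292 sensor update' 'wusa.exe' @("`"$UnifiedUpdate`"", '/quiet', '/norestart')
    } elseif ($osVersion.Build -eq 14393) {
        # 2016: the Defender feature must be present and running, and the platform updated first,
        # otherwise the unified client installer stops with the KB4052623 "please update" error
        if (-not (Get-WindowsFeature -Name Windows-Defender).Installed) { throw 'Windows Defender feature is not installed' }
        if ((Get-Service -Name WinDefend).Status -ne 'Running') { throw 'Windows Defender service is not running' }
        Invoke-Step 'Update Defender platform' $UpdatePlatform @()
        Invoke-Step 'Install unified Defender client' 'msiexec.exe' @('/i', "`"$UnifiedClient`"", '/qn', '/norestart')
        Invoke-Step 'Install KB5005292 sensor update' 'wusa.exe' @("`"$UnifiedUpdate`"", '/quiet', '/norestart')
    }
    # 2019 and 2022 already carry Defender AV and the sensor: only the onboarding script is needed
    Invoke-Step 'Run MDE onboarding script' 'cmd.exe' @('/c', "`"$OnboardScript`"")
}

Get-MdeEnrollment | Format-List
```

The final Format-List output gives you the same three facts you would otherwise check by hand: the Sense service start type and status, whether EnrollmentStatus is 1, and the rest of the SenseCM key including the tenant ID. Running the script a second time is safe because an Automatic/Running Sense service short-circuits the install steps.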

I hope this helps. Until next time......

Wednesday 8 February 2023

Intune app install failed - an app update is available 0x87D13B9F

I'm working on an iOS management solution for a customer this week involving the integration of Apple Business Manager and Intune. I also integrated Apple VPP with Intune for the deployment of volume purchased apps. Everything was working well until I noticed that some apps were failing. Microsoft Teams and Microsoft OneDrive were reported as Failed (big red icon) in the Intune console, with this error:

"An app update is available. Available apps can be updated using Company Portal and required apps will auto-update on device sync. (0x87D13B9F)".

This wasn't quite right. The apps had installed, but Intune was telling me that there was a new version available. I didn't like the red "failed" icon so I wanted to fix it.


In Apple Business Manager I had a look at Teams and could see that a new version had just been published.


I had configured the VPP token in Intune to automatically update apps, so why did it fail? You can find the answer in the Microsoft docs:

"By default, Intune syncs with the Apple Business Manager service twice a day".

Therefore the latest version of the app wasn't yet available in Intune. I could simply have waited for the automatic sync and it would have resolved itself.


A manual sync of the VPP token does the trick.


The new version was automatically installed and reported successful.

This Microsoft doc has further information. 

"When updating a VPP app, it can take up to 24 hours for the device to receive the updated VPP app".

This is more an annoyance than an error, especially when you are doing customer demonstrations, but it is easily solved. 

I hope this helps. Until next time.....


Monday 6 February 2023

Remove pre-installed HP software during Autopilot

This was a task I was given by a customer recently. They wanted all the pre-installed HP software removed when provisioning HP ProBook 450 G8 laptops using Autopilot and Intune. As I like to tell customers, "if you can script it you can do it with Intune".

This was the list:

  1. HP Connection Optimizer
  2. HP Documentation
  3. HP ICS
  4. HP Notifications 
  5. HP Security Update Service
  6. HP Support Assistant
  7. HP Wolf Security

1. HP Connection Optimizer

This one is a little tricky and requires the help of an answer file. I got a little help from Reddit.

Create an InstallShield answer file. Copy the text below into Notepad and save it as a .iss file (I called it HPConnOpt.iss).

[InstallShield Silent]
Version=v7.00
File=Response File
[File Transfer]
OverwrittenReadOnly=NoToAll
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-DlgOrder]
Dlg0={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0
Count=3
Dlg1={6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0
Dlg2={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0]
Result=303
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0]
Result=6
[Application]
Name=HP Connection Optimizer
Version=2.0.18.0
Company=HP Inc.
Lang=0409
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0]
Result=1
BootOption=0 

I copied the answer file to Azure storage and generated a shared access signature so that the file could be downloaded from anywhere.

Next is the script (UninstallHPConnOpt.ps1)

# Download the answer file (storage account and SAS token redacted) to C:\Windows\Temp;
# -UseBasicParsing avoids the Internet Explorer first-run dependency when this runs as SYSTEM during Autopilot
Invoke-WebRequest -Uri "https://xxx.blob.core.windows.net/autopilot-scripts/HPConnOpt.iss?MySharedAccessSignature" -OutFile "C:\Windows\Temp\HPConnOpt.iss" -UseBasicParsing
# Run the InstallShield setup silently (-s) with the response file (-f1<path>, no space), which uninstalls the app
& 'C:\Program Files (x86)\InstallShield Installation Information\{6468C4A5-E47E-405F-B675-A70A70983EA6}\setup.exe' @('-s', '-f1C:\Windows\Temp\HPConnOpt.iss')

The script downloads the answer file to C:\Windows\Temp, then runs setup.exe for HP Connection Optimizer with that answer file. This uninstalls the app.

To deploy the solution via Intune, copy the script and answer file to a folder. Then create a Win32 app which results in a .IntuneWin file containing both files.

2. HP Documentation

This one is a bit more straightforward. The script sets the location to "C:\Program Files\HP\Documentation" and then runs the uninstall command.

# Change to the HP Documentation folder and run HP's own uninstaller
Set-Location "C:\Program Files\HP\Documentation"
.\Doc_uninstall.cmd

Upload the script to Intune and assign to a group.

3. HP ICS

They're getting easier.

# Get-WmiObject takes -Class (-ClassName belongs to Get-CimInstance). Note that enumerating
# Win32_Product makes Windows Installer re-validate every installed MSI, so this query is slow.
$Prod = Get-WmiObject -Class Win32_Product | Where-Object Name -Match 'ICS'
$Prod.Uninstall()

Upload the script to Intune and assign to a group.

4. HP Notifications

This one is the same format.

# Same pattern: look the product up in Win32_Product by name, then call its Uninstall method
$Prod = Get-WmiObject -Class Win32_Product | Where-Object Name -Match 'HP Notifications'
$Prod.Uninstall()

5. HP Security Update Service

Same format again.

# Same pattern: look the product up in Win32_Product by name, then call its Uninstall method
$Prod = Get-WmiObject -Class Win32_Product | Where-Object Name -Match 'HP Security Update Service'
$Prod.Uninstall()

6. HP Support Assistant

This one is a little different: it's an Appx installation. Nickolaj Andersen has an excellent script for removing unwanted built-in Appx apps during provisioning, except those that you explicitly whitelist. That script will remove HP Support Assistant.
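An added example of the same allowlist approach for Appx packages, scoped to the HP case here. It is not Nickolaj Andersen's script and not the post's own code. The package name patterns for HP Support Assistant and for the allowlist are assumptions; confirm the real package names on a reference device first, as the comment shows.

```powershell
# Added example (not the script the post links to): allowlist-style Appx cleanup limited to HP packages.
# The patterns below are assumptions. Check the real names first on a reference device with:
#   Get-AppxPackage -AllUsers | Where-Object Name -like '*HP*' | Select-Object Name
param(
    [string[]]$Remove = @('*HPSupportAssistant*'),   # assumed pattern for HP Support Assistant
    [string[]]$Keep   = @('*HPPrinterControl*'),     # assumed allowlist: packages that must survive
    [switch]$WhatIf                                  # report only, remove nothing
)

function Test-ShouldRemove([string]$Name) {
    # A package is a candidate only if it matches a Remove pattern and no Keep pattern
    $hit  = $Remove | Where-Object { $Name -like $_ }
    $safe = $Keep   | Where-Object { $Name -like $_ }
    return [bool]($hit -and -not $safe)
}

# 1. Provisioned packages: stops the app being installed into new user profiles
Get-AppxProvisionedPackage -Online | Where-Object { Test-ShouldRemove $_.DisplayName } | ForEach-Object {
    Write-Host "Removing provisioned package $($_.DisplayName)"
    if (-not $WhatIf) { $_ | Remove-AppxProvisionedPackage -Online | Out-Null }
}

# 2. Installed packages: removes it from profiles that already have it (run elevated, e.g. Intune as SYSTEM)
Get-AppxPackage -AllUsers | Where-Object { Test-ShouldRemove $_.Name } | ForEach-Object {
    Write-Host "Removing installed package $($_.PackageFullName)"
    if (-not $WhatIf) { Remove-AppxPackage -Package $_.PackageFullName -AllUsers }
}
```

Run it once with -WhatIf during testing so you can see exactly which packages match before anything is removed; the Keep list is there so a broad Remove pattern cannot take an app you still need along with it.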

7. HP Wolf Security

Same format as before.

# Same pattern: look the product up in Win32_Product by name, then call its Uninstall method
$Prod = Get-WmiObject -Class Win32_Product | Where-Object Name -Match 'HP Wolf Security'
$Prod.Uninstall()
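A reusable form of the Win32_Product pattern used for items 3, 4, 5 and 7 above, added here as an example that is not the post's own code. It reads the product codes from the Uninstall registry keys instead of enumerating Win32_Product (which is slow and makes Windows Installer re-validate every installed MSI), runs msiexec per product, and exits with a code Intune can act on. The product names are the ones from the list above; the assumption that each of them is a machine-wide MSI install, and the exit-code handling, are not from the post.

```powershell
# Added example, not from the post: uninstall the listed HP MSI products without touching Win32_Product.
# Assumes each product is a machine-wide Windows Installer package (per-user installs are not covered).
param([string[]]$Names = @('HP ICS', 'HP Notifications', 'HP Security Update Service', 'HP Wolf Security'))

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-MsiProduct([string]$Name) {
    # MSI products register under a {GUID} subkey whose name is the product code msiexec /x needs
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" -and $_.PSChildName -match '^\{[0-9A-F-]+\}$' } |
        Select-Object DisplayName, DisplayVersion, @{ n = 'ProductCode'; e = { $_.PSChildName } }
}

function Uninstall-MsiProduct([string]$Name) {
    # Returns 0 when nothing is left to do, otherwise the worst msiexec exit code seen
    $found = @(Get-MsiProduct $Name)
    if ($found.Count -eq 0) { Write-Host "$Name not found, nothing to do"; return 0 }
    $worst = 0
    foreach ($p in $found) {
        Write-Host "Uninstalling $($p.DisplayName) $($p.DisplayVersion) ($($p.ProductCode))"
        $proc = Start-Process msiexec.exe -ArgumentList @('/x', $p.ProductCode, '/qn', '/norestart') -Wait -PassThru
        # 3010 = success, reboot required; anything else non-zero is a real failure
        if ($proc.ExitCode -notin 0, 3010) { $worst = $proc.ExitCode }
    }
    return $worst
}

$exitCode = 0
foreach ($n in $Names) {
    $rc = Uninstall-MsiProduct $n
    if ($rc -ne 0) { $exitCode = $rc }
}
exit $exitCode   # Intune treats a non-zero exit as a failed script run
```

Because the lookup uses the literal product name as a prefix rather than a loose -Match, a name like 'ICS' cannot accidentally catch an unrelated product; widen a pattern deliberately if HP changes a display name.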


These are the settings you need when you are deploying your scripts with Intune.

I hope this helps you and saves you time if you have the same task.

Until next time......