Tuesday, 27 December 2022

Re-enabling Defender on Windows 2016 servers via command line

I've carried out a number of Microsoft Defender for Endpoint deployments recently. I find that workstations are easy enough to deal with but it can be a pain working with low level servers. Windows Defender shipped natively with Windows 2016 Servers and organizations came up with some pretty creative ways to stop Defender from running. In fairness, at the time, Defender caused some pretty serious CPU spikes when co-existing with a third party antivirus solution.

I've come across three scenarios in particular. They are easy enough to deal with in the UI but I just wanted to show how you can also deal with these using commands. This was essential for me when working at scale and using management tools to automate the solution.

Scenario 1: the Defender feature had been uninstalled.

The Defender features can be added back using the "Add Roles and Features wizard". Don't forget to add the sub-features as well.

Scenario 1 command line:

Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features

Dism /Online /Enable-Feature /FeatureName:Windows-Defender

Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui

Don't forget to add a reboot step afterwards.

Scenario 2: Defender service had been disabled.


You'll be notified that the Defender service is stopped and you won't be able to start it. I found this scenario when Microsoft Defender Antivirus was disabled through Group Policy.


First make sure that you reverse this policy. Just set it to Not Configured, do not choose Disable.

Scenario 2 command line:

Then re-enable Defender using this command:

MpCmdRun.exe -wdenable

It must be executed from "C:\Program Files\Windows Defender" and you must add a step to reboot the system afterwards.


Scenario 3: Defender is turned off.


Essentially this means that Real-time protection is turned off.


It can be turned on in Settings > Windows Defender.

Scenario 3 command line:

You can turn on Real-time protection programatically using PowerShell

Set-MpPreference -DisableRealtimeMonitoring 0


You don't need a reboot for this one.

I hope this information is helpful to automate your Defender deployment. 

Until next time.....


Wednesday, 14 December 2022

Windows 10 devices not enrolling in Intune

This is just a quick post to describe a customer issue I encountered this week. Customer had previously configured Azure AD Connect and all devices were hybrid joined. They had just implemented a GPO to enrol the devices into Intune

Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials

However no devices were enrolled.

I looked a the event viewer on one of the devices and this told me where the problem was. In the DeviceManagement-Enterprise-Diagnostics-Provider log I saw this error

Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)

I figured that this was nothing to do with credentials but was caused by the user not being assigned a license. I was half right. The user had been assigned a license but it was a standalone Intune license. This is not enough for automatic Intune enrollment, that also requires an Azure AD Premium P1 license. I explained that it was still possible to enrol each device manually, but advised that wasn't a sustainable approach. 

Customer cancelled the Intune licenses and EM+S E3 licenses were provisioned. Problem solved and devices are now being automatically enrolled.

Moral of the story: Standalone Intune licenses are not recommended. You "may" get away with them if you are just managing mobile devices (Android & iOS), but not when you are managing Windows. EM+S or M365 is recommended.

Until next time....