-
Notifications
You must be signed in to change notification settings - Fork 0
feat: add Defender KEV version compliance remediation #3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Thugney
wants to merge
1
commit into
main
Choose a base branch
from
feat/defender-kev-version-compliance-remediation
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
93 changes: 93 additions & 0 deletions
93
intune/remediations/defender-kev-version-compliance/Detect-DefenderKevVersionCompliance.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| # ============================================================================ | ||
| # Eriteach Scripts | ||
| # Author: Robel (https://github.com/Thugney) | ||
| # Repository: https://github.com/Thugney/eriteach-scripts | ||
| # License: MIT | ||
| # ============================================================================ | ||
|
|
||
| <# | ||
| .SYNOPSIS | ||
| Kontrollerer Microsoft Defender motor- og plattformversjon. | ||
|
|
||
| .DESCRIPTION | ||
| Intune Proactive Remediation detection script for Microsoft Defender | ||
| Antivirus version compliance. The script checks Microsoft Defender | ||
| Malware Protection Engine and Antimalware Platform versions using | ||
| Get-MpComputerStatus. | ||
|
|
||
| Exit 0 = compliant. | ||
| Exit 1 = remediation required or detection failed. | ||
|
|
||
| Update the minimum versions before use. They should come from the | ||
| Microsoft advisory or rollout requirement you are responding to. | ||
|
|
||
| .NOTES | ||
| Author: Eriteach | ||
| Version: 1.0 | ||
| Intune Run Context: System | ||
| Run using logged-on credentials: No | ||
| #> | ||
|
|
||
| $LogRoot = 'C:\MK-LogFiles' | ||
| $LogPath = Join-Path -Path $LogRoot -ChildPath 'Detect-DefenderKevVersionCompliance.log' | ||
|
|
||
| # Example minimums. Replace with the required Microsoft Defender versions for your rollout. | ||
| $MinimumEngineVersion = [version]'1.1.26040.8' | ||
| $MinimumPlatformVersion = [version]'4.18.26040.7' | ||
|
|
||
| function Write-Log { | ||
| param( | ||
| [Parameter(Mandatory = $true)] | ||
| [string]$Message, | ||
|
|
||
| [Parameter(Mandatory = $false)] | ||
| [ValidateSet('INFO', 'WARNING', 'ERROR')] | ||
| [string]$Level = 'INFO' | ||
| ) | ||
|
|
||
| try { | ||
| if (-not (Test-Path -Path $LogRoot)) { | ||
| New-Item -Path $LogRoot -ItemType Directory -Force | Out-Null | ||
| } | ||
|
|
||
| $Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss' | ||
| $Entry = '{0} [{1}] {2}' -f $Timestamp, $Level, $Message | ||
| $Entry | Out-File -FilePath $LogPath -Append -Encoding UTF8 | ||
| Write-Host $Entry | ||
| } | ||
| catch { | ||
| Write-Host ('Logging failed: {0}' -f $_.Exception.Message) | ||
| } | ||
| } | ||
|
|
||
| try { | ||
| Write-Log -Message 'Starting Defender version compliance detection.' | ||
|
|
||
| $Status = Get-MpComputerStatus -ErrorAction Stop | ||
| $EngineVersion = [version]$Status.AMEngineVersion | ||
| $PlatformVersion = [version]$Status.AMProductVersion | ||
|
|
||
| Write-Log -Message ('AMEngineVersion={0}; AMProductVersion={1}; AntivirusSignatureVersion={2}; AntivirusSignatureLastUpdated={3}' -f $Status.AMEngineVersion, $Status.AMProductVersion, $Status.AntivirusSignatureVersion, $Status.AntivirusSignatureLastUpdated) | ||
|
|
||
| $EngineCompliant = $EngineVersion -ge $MinimumEngineVersion | ||
| $PlatformCompliant = $PlatformVersion -ge $MinimumPlatformVersion | ||
|
|
||
| if ($EngineCompliant -and $PlatformCompliant) { | ||
| Write-Log -Message 'Device is compliant with the configured Defender minimum versions.' | ||
| exit 0 | ||
| } | ||
|
|
||
| if (-not $EngineCompliant) { | ||
| Write-Log -Message ('Defender engine is below minimum. Current={0}; Required={1}' -f $EngineVersion, $MinimumEngineVersion) -Level WARNING | ||
| } | ||
|
|
||
| if (-not $PlatformCompliant) { | ||
| Write-Log -Message ('Defender platform is below minimum. Current={0}; Required={1}' -f $PlatformVersion, $MinimumPlatformVersion) -Level WARNING | ||
| } | ||
|
|
||
| exit 1 | ||
| } | ||
| catch { | ||
| Write-Log -Message ('Detection failed: {0}' -f $_.Exception.Message) -Level ERROR | ||
| exit 1 | ||
| } |
41 changes: 41 additions & 0 deletions
41
intune/remediations/defender-kev-version-compliance/README.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Defender KEV version compliance remediation | ||
|
|
||
| Intune Proactive Remediation pair for checking Microsoft Defender Antivirus engine/platform versions and triggering update mechanisms when an endpoint falls below a configured minimum. | ||
|
|
||
| ## Files | ||
|
|
||
| - `Detect-DefenderKevVersionCompliance.ps1` - exits `1` when engine or platform versions are below configured minimums. | ||
| - `Remediate-DefenderKevVersionCompliance.ps1` - runs Defender update mechanisms and logs before/after versions. | ||
|
|
||
| ## Intended use | ||
|
|
||
| Use this when a security advisory, known exploited vulnerability response, or internal baseline requires a specific Microsoft Defender engine/platform minimum. | ||
|
|
||
| The script does **not** decide the minimum versions for you. Update these variables before deployment: | ||
|
|
||
| ```powershell | ||
| $MinimumEngineVersion = [version]'1.1.26040.8' | ||
| $MinimumPlatformVersion = [version]'4.18.26040.7' | ||
| ``` | ||
|
|
||
| ## Intune settings | ||
|
|
||
| Recommended settings: | ||
|
|
||
| - Run this script using the logged-on credentials: **No** | ||
| - Enforce script signature check: according to your signing model | ||
| - Run script in 64-bit PowerShell: **Yes** | ||
| - Assignment: pilot first, then staged rollout | ||
|
|
||
| ## Safety notes | ||
|
|
||
| - Detection is read-only. | ||
| - Remediation only triggers Microsoft Defender update mechanisms. | ||
| - Both scripts log to `C:\MK-LogFiles`. | ||
| - Use a pilot assignment first and validate Intune remediation output before broad rollout. | ||
|
|
||
| ## Related docs | ||
|
|
||
| - Microsoft Intune remediations: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/remediations | ||
| - Get-MpComputerStatus: https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus | ||
| - Update-MpSignature: https://learn.microsoft.com/en-us/powershell/module/defender/update-mpsignature |
117 changes: 117 additions & 0 deletions
117
...e/remediations/defender-kev-version-compliance/Remediate-DefenderKevVersionCompliance.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # ============================================================================ | ||
| # Eriteach Scripts | ||
| # Author: Robel (https://github.com/Thugney) | ||
| # Repository: https://github.com/Thugney/eriteach-scripts | ||
| # License: MIT | ||
| # ============================================================================ | ||
|
|
||
| <# | ||
| .SYNOPSIS | ||
| Oppdaterer Microsoft Defender og validerer motor- og plattformversjon. | ||
|
|
||
| .DESCRIPTION | ||
| Intune Proactive Remediation remediation script for Microsoft Defender | ||
| Antivirus version compliance. The script updates Defender security | ||
| intelligence, triggers the local Defender command-line update mechanism, | ||
| and logs before/after versions for evidence. | ||
|
|
||
| Exit 0 = device is compliant after remediation. | ||
| Exit 1 = device remains below minimum or remediation failed. | ||
|
|
||
| Update the minimum versions before use. They should come from the | ||
| Microsoft advisory or rollout requirement you are responding to. | ||
|
|
||
| .NOTES | ||
| Author: Eriteach | ||
| Version: 1.0 | ||
| Intune Run Context: System | ||
| Run using logged-on credentials: No | ||
| #> | ||
|
|
||
| $LogRoot = 'C:\MK-LogFiles' | ||
| $LogPath = Join-Path -Path $LogRoot -ChildPath 'Remediate-DefenderKevVersionCompliance.log' | ||
|
|
||
| # Example minimums. Replace with the required Microsoft Defender versions for your rollout. | ||
| $MinimumEngineVersion = [version]'1.1.26040.8' | ||
| $MinimumPlatformVersion = [version]'4.18.26040.7' | ||
|
|
||
| function Write-Log { | ||
| param( | ||
| [Parameter(Mandatory = $true)] | ||
| [string]$Message, | ||
|
|
||
| [Parameter(Mandatory = $false)] | ||
| [ValidateSet('INFO', 'WARNING', 'ERROR')] | ||
| [string]$Level = 'INFO' | ||
| ) | ||
|
|
||
| try { | ||
| if (-not (Test-Path -Path $LogRoot)) { | ||
| New-Item -Path $LogRoot -ItemType Directory -Force | Out-Null | ||
| } | ||
|
|
||
| $Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss' | ||
| $Entry = '{0} [{1}] {2}' -f $Timestamp, $Level, $Message | ||
| $Entry | Out-File -FilePath $LogPath -Append -Encoding UTF8 | ||
| Write-Host $Entry | ||
| } | ||
| catch { | ||
| Write-Host ('Logging failed: {0}' -f $_.Exception.Message) | ||
| } | ||
| } | ||
|
|
||
| function Get-DefenderVersionState { | ||
| $Status = Get-MpComputerStatus -ErrorAction Stop | ||
|
|
||
| return [PSCustomObject]@{ | ||
| EngineVersion = [version]$Status.AMEngineVersion | ||
| PlatformVersion = [version]$Status.AMProductVersion | ||
| SignatureVersion = $Status.AntivirusSignatureVersion | ||
| SignatureLastUpdated = $Status.AntivirusSignatureLastUpdated | ||
| } | ||
| } | ||
|
|
||
| try { | ||
| Write-Log -Message 'Starting Defender version compliance remediation.' | ||
|
|
||
| $Before = Get-DefenderVersionState | ||
| Write-Log -Message ('Before: Engine={0}; Platform={1}; Signature={2}; SignatureLastUpdated={3}' -f $Before.EngineVersion, $Before.PlatformVersion, $Before.SignatureVersion, $Before.SignatureLastUpdated) | ||
|
|
||
| try { | ||
| Write-Log -Message 'Running Update-MpSignature.' | ||
| Update-MpSignature -ErrorAction Stop | ||
| } | ||
| catch { | ||
| Write-Log -Message ('Update-MpSignature failed: {0}' -f $_.Exception.Message) -Level WARNING | ||
| } | ||
|
|
||
| $MpCmdRun = Join-Path -Path $env:ProgramFiles -ChildPath 'Windows Defender\MpCmdRun.exe' | ||
| if (Test-Path -Path $MpCmdRun) { | ||
| try { | ||
| Write-Log -Message 'Running MpCmdRun signature update.' | ||
| Start-Process -FilePath $MpCmdRun -ArgumentList '-SignatureUpdate' -Wait -NoNewWindow -ErrorAction Stop | ||
| } | ||
| catch { | ||
| Write-Log -Message ('MpCmdRun signature update failed: {0}' -f $_.Exception.Message) -Level WARNING | ||
| } | ||
| } | ||
| else { | ||
| Write-Log -Message ('MpCmdRun not found at {0}' -f $MpCmdRun) -Level WARNING | ||
| } | ||
|
|
||
| Start-Sleep -Seconds 20 | ||
| $After = Get-DefenderVersionState | ||
| Write-Log -Message ('After: Engine={0}; Platform={1}; Signature={2}; SignatureLastUpdated={3}' -f $After.EngineVersion, $After.PlatformVersion, $After.SignatureVersion, $After.SignatureLastUpdated) | ||
|
|
||
| if ($After.EngineVersion -ge $MinimumEngineVersion -and $After.PlatformVersion -ge $MinimumPlatformVersion) { | ||
| Write-Log -Message 'Device is compliant after remediation.' | ||
| exit 0 | ||
| } | ||
|
|
||
| Write-Log -Message ('Device remains below minimum. Engine={0}/{1}; Platform={2}/{3}' -f $After.EngineVersion, $MinimumEngineVersion, $After.PlatformVersion, $MinimumPlatformVersion) -Level ERROR | ||
| exit 1 | ||
| } | ||
| catch { | ||
| Write-Log -Message ('Remediation failed: {0}' -f $_.Exception.Message) -Level ERROR | ||
| exit 1 | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🌐 Web query:
What are the documented/typical install locations of Microsoft DefenderMpCmdRun.exeon current Windows versions, including platform-serviced paths?💡 Result:
On current Windows versions, the Microsoft Defender command-line utility, MpCmdRun.exe, is documented to reside in two primary locations [1][2]. 1. C:\Program Files\Windows Defender 2. C:\ProgramData\Microsoft\Windows Defender\Platform<antimalware platform version>\ The path C:\ProgramData\Microsoft\Windows Defender\Platform<antimalware platform version> (often referred to as the platform-serviced path) is the recommended location [1][2]. Microsoft advises that the latest version of the utility is always available within this folder if it exists on the system [1][2]. Because these directories are not included in the system PATH environment variable by default, you must navigate to the directory or use the full path to execute the file [1][2]. Microsoft provides an official script snippet to programmatically identify and switch to the most current version of the utility: (set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1 [1][2] This approach is the standard practice for ensuring that scripts and automated tasks interact with the most recent, serviced version of the Defender platform [1][2][3].
Citations:
MpCmdRun.exelookup is incomplete and misses platform-serviced Defender installations.Line 88 only checks
$env:ProgramFiles\Windows Defender\MpCmdRun.exe. Microsoft documents two primary locations forMpCmdRun.exe: the legacyProgram Files\Windows Defenderdirectory and the platform-serviced path at$env:ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe. The platform path is the recommended location and contains the latest serviced version. On many endpoints, this causes the script to skip the signature update and reduces remediation success rates.Suggested diff
🤖 Prompt for AI Agents