How-To

Evaluating Windows Defender Antivirus with ConfigMgr


A standard in today’s threat landscape is to not rely on antivirus alone; other endpoint security mechanisms should be in place to mitigate threats. However, having a solid AV is still beneficial. In the past year, Windows Defender Antivirus (WDAV) in Windows 10 and Server 2016 has made great strides toward providing next-generation antivirus protection. More and more organizations are beginning to realize this and are considering using it to displace their age-old, costly platforms.

If you’re in the same position and are wondering how you might approach an evaluation of WDAV, consider the following high-level steps as I envision them. First and foremost, however, Microsoft has also published prescriptive guidance for evaluating WDAV outside of ConfigMgr, including a downloadable PDF. I recommend reviewing that information in its entirety before taking action. It is also highly advised that you watch the recent session from Ignite 2017 – Next-Gen AV: Windows Defender Antivirus unleashed – BRK3063.

  1. Upgrade ConfigMgr to the current branch model to support the latest Windows 10 releases (note: first ensure that you’re licensed for ConfigMgr current branch!)
  2. Review and pre-determine the desired WDAV settings, such as:
    • Network bandwidth to override any BITS restrictions – note that BITS settings defined in this client settings policy override other client settings only if given a higher priority, and they affect all other BITS configuration on the client
    • Auto-uninstall other AV products
    • Real-time protection exclusions (ConfigMgr has templates available as well)
    • WDAV specific capabilities available in Win10 1703, such as:
      • Cloud protection options
      • Potentially unwanted programs
      • WDAV offline scanning
      • End-user interactions with the WDAV interface
      • End-user notifications
  3. Follow the 5 steps outlined for setting up ConfigMgr for WDAV management, which include instructions for both server and clients but not common tasks such as using collections, reporting, or setting up RBAC
    https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure
  4. Additional ConfigMgr server/client setup considerations:
  5. Optional: Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

To test the WDAV deployment and functionality:

  1. Assign the WDAV ConfigMgr client policy to the collection
  2. Ensure policy is delivered and has the appropriate priority to take effect
  3. Verify prior AV is uninstalled and WDAV becomes active
  4. Monitor the user experience; one potential risk is that the uninstall of the prior AV may require a restart of Windows to ‘unload’ what is still executing in memory
  5. Perform AV protection tests as desired using the WDAV testground (hosted by Microsoft) as well as other standard testing by your security personnel
  6. Review alerts in the ConfigMgr console and reports
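
An added example that is not part of the original post, to back up test steps 3 to 5 with something scriptable: run on a pilot machine after the policy lands, it reports whether WDAV is the active engine, whether the cloud protection, PUA and exclusion settings chosen in step 2 were applied, and lists every antivirus product still registered with Security Center, so a half-removed prior AV shows up. It assumes a Windows 10 / Server 2016 client with the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) and an elevated session; the function names are hypothetical and the productState decoding follows the widely used reading of that undocumented bitfield.

```powershell
function Get-WdavEvaluationChecks {
    # Assumes the Defender module (Windows 10 / Server 2016); run elevated.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $checks = [ordered]@{
        'AM service enabled'                = $status.AMServiceEnabled
        'Antivirus enabled'                 = $status.AntivirusEnabled
        'Real-time protection enabled'      = $status.RealTimeProtectionEnabled
        'Signatures less than 2 days old'   = $status.AntivirusSignatureAge -lt 2
        # MAPSReporting: 0 off, 1 basic, 2 advanced.  PUAProtection: 1 block, 2 audit
        'Cloud protection (MAPS) on'        = $pref.MAPSReporting -ge 1
        'PUA protection blocking'           = $pref.PUAProtection -eq 1
        'Real-time monitoring not disabled' = -not $pref.DisableRealtimeMonitoring
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name]; Detail = '' }
    }
    # Exclusions widen the blind spot as well as fix compatibility: compare the
    # applied list with the one pre-determined in step 2.
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
    [pscustomobject]@{
        Check  = 'Exclusions match the pre-determined list'
        Pass   = $null   # needs a human eye
        Detail = ($exclusions | Where-Object { $_ }) -join '; '
    }
}

function Get-RegisteredAntivirusProducts {
    # Security Center (client OS only) keeps one record per registered AV product.
    # Anything besides Windows Defender means the prior AV is not fully gone and
    # may still need the restart mentioned in step 4.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
      ForEach-Object {
        $state = [int]$_.productState   # widely used reading of this undocumented bitfield
        [pscustomobject]@{
            Product  = $_.displayName
            Enabled  = (($state -shr 12) -band 0x1) -eq 1   # 0x1000 set when protection is on
            UpToDate = (($state -shr 4)  -band 0x1) -eq 0   # 0x10 set when definitions are stale
        }
      }
}

Get-WdavEvaluationChecks        | Format-Table -AutoSize
Get-RegisteredAntivirusProducts | Format-Table -AutoSize
```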

Note: to learn more about security defense in depth, see some of these recent sessions.


ConfigMgr Report for Antimalware Policies


Let’s say for a moment that your organization uses SCCM to manage Windows Defender Antivirus (WDAV in Windows 10 and Server 2016) or System Center Endpoint Protection (SCEP for legacy platforms). Currently in SCCM (1706 or older), the only out-of-box mechanism to identify and report on the antimalware policies applied to a computer is the SCCM console, as in the image below.

[Screenshot: Antimalware Policies tab for a computer record in the SCCM console]

What if the organization has a separate team or individual that needs that data, but you don’t want to give them the SCCM console? You give them a report, of course! This quick guide shows the key things to do to obtain that information. The key steps are:

  1. Identify the SQL views being referenced by the SCCM console.
  2. Grant read permission on the SQL view to the SSRS reporting service account.
  3. Create the SSRS report.

Step 1: Identify the SQL views being referenced by the SCCM console.

  1. In the SCCM console, open the Antimalware Policies tab on the computer record
  2. Open the site server log SMSProv.log (and scroll to the end)
  3. Find the corresponding “Execute SQL=” query to identify the SQL view(s) being used


Step 2: Grant read permission on the SQL view to the SSRS reporting service account.

  1. Identify the service account being used by SCCM for SSRS reporting
    Tip: navigate to Administration > Security > Accounts, then locate the account being used for “ConfigMgr Reporting Services Point”
  2. Open SQL Management Studio (with a user account that has permissions to modify SQL permissions) and select the SCCM database
  3. Run the following GRANT command against the SCCM database
GRANT SELECT ON [dbo].[vSMS_G_SYSTEM_AmPolicyStatus] TO "DOMAIN\user"


Step 3: Create the SSRS report. First off, there are many different ways that you can design the report. To mimic what the SCCM console does, I used an existing report with a selection box for the Computer Name, then just modified the executing query.

    1. Use the report “Computer information for a specific computer” as a baseline for selecting the computer name as a parameter.
    2. Create a new report (using SQL Report Builder) to mimic the above report with the appropriate Data Source, Data Set(s), and Parameters


    3. Modify the SQL query to use the following code
SELECT APS.Name, APS.Priority, APS.LastMessageTime, @variable AS 'Computer Name'
FROM vSMS_G_SYSTEM_AmPolicyStatus as APS
JOIN v_R_System as SYS on APS.MachineID = SYS.ResourceID
WHERE SYS.Name0 = @variable
    4. Test execute the report to confirm the results
      Tip: in Report Builder, click the Run button on the Home tab
    5. Save, finish, and report!


Creating Your Own Custom ConfigMgr 2012 Compliance Packs


This demonstration will show you how to create your own custom compliance packs to import into ConfigMgr 2012/R2.

  1. First, download and install the Microsoft Security Compliance Manager (SCM) solution accelerator. Note that this can easily be done from your workstation computer; it does not need to be on a Windows Server. Also, a version of SQL Server (including the Express edition) must be installed locally as a prerequisite.  http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
  2. When SCM has been launched for the first time, it will check for, download, and import baselines.
  3. However, newer baselines may still be missing. Select the option to download baselines automatically.
  4. From the available products and baseline options, multi-select the desired configuration items, then export to SCCM DCM 2007 (.cab) – even for ConfigMgr 2012/R2!
  5. Next, store a copy of the .cab file where it can be easily imported into ConfigMgr. If you’ve made a “complex” DCM, then I recommend either writing instructions on how to rebuild the .cab or retaining/backing up the original file.
  6. In the ConfigMgr console for Compliance Settings > Configuration Items, select to Import Configuration Data.
  7. In the wizard, click the Add button to include the baseline(s) that have been created and are ready for import.  Then complete the remainder of the wizard.
  8. Note that along with the imported configuration data, the baseline(s) are created automatically as well.
  9. Finally, deploy the baseline(s) to the desired collection of systems.

And that’s all there is to quickly using SCM for creating your own compliance packs for ConfigMgr 2012/R2!

App-V 5.0 Standalone – How to Activate Deployment Scripts


This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a deployment script (which may contain either user or global/PC scripts) that you may have added to the DeploymentConfig.xml of an App-V package.

  1. In the App-V web console, locate the package and click Edit
  2. For the deployed user or computer group, click Edit Default Config
    Note: do not select the drop-down option for “Custom”, as that is only for activating user scripts
  3. On the Default Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration
  4. Locate and open the DeploymentConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML the console may revert to the main package administration pane. You’ll need to navigate back to the Advanced configuration (i.e. repeat steps 1-3 above).
  5. In the window, select to Overwrite the configuration

App-V 5.0 Standalone – How to Activate User Scripts


This is the walk-through in preparation for demonstrations from my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo will show how to “activate” a user script that you may have added to the UserConfig.xml of an App-V package.

  1. In the App-V web console, locate the package and click Edit


  2. For the deployed user group, select the drop-down option for “Custom” and click Edit


  3. On the Custom Configuration pane, select Advanced from the left-side menu, then click Import and Overwrite this Configuration


  4. Locate and open the UserConfig.xml
    Important: due to some irregularities with Silverlight, after opening the XML the console may revert to the main package administration pane. You’ll need to navigate back to the Advanced configuration (i.e. repeat steps 1-3 above).


  5. In the window, select to Overwrite the configuration


App-V 5.0 Demo – Application Shims


This is the walk-through for demo #2 in my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo is on scripting the install of an application shim (for app compatibility) when an App-V package is published to a system. For this example, I used an all-time favorite piece of software of mine … SMS Installer.

1) SMS Installer requires elevated rights in order to execute, so if the user is a non-admin, as in my demos, they cannot use the software. Below is a screenshot of how this gets blocked. Even if your end users have elevated rights themselves, you may be able to use a shim to suppress UAC elevation prompts. Additionally, you can see the “shield” on the shortcut.

[Screenshot: SMS Installer blocked for a non-admin user; the shortcut shows the UAC shield]

2)  Create the shim with the Application Compatibility Toolkit – for more info on the process of creating a shim, visit http://spablog.ontrex.ch/2013/04/23/shims-and-app-v-5-0/

  • SMSINS32.exe
  • Run As Invoker
  • ForceAdminAccess


3)  Add the shim into the package scripts


4)  Update the DeploymentConfig.xml file from the package to install the shim

<MachineScripts>
  <PublishPackage>
    <Path>sdbinst.exe</Path>
    <Arguments>/q "[{AppVPackageRoot}]\..\Scripts\shim.sdb"</Arguments>
    <Wait RollbackOnError="true" Timeout="30"/>
  </PublishPackage>
</MachineScripts>

5)  Add the new application into ConfigMgr and publish to user.  For more info on doing this process, see an example from https://t3chn1ck.wordpress.com/2014/02/05/app-v-5-0-demo-uninstall-a-native-application/

6)  Voila!  You can now see that the “shield” is no longer on the shortcut and that the application runs successfully!


App-V 5.0 Demo – Uninstall a Native Application


This is the walkthrough for demo #1 in my Microsoft Master webcast on App-V 5.0 scripting.  For the full webcast information, visit https://t3chn1ck.wordpress.com/2014/02/03/playback-of-microsoft-master-app-v-5-0/.

This demo is on uninstalling native (local) applications when an App-V package is added to a system.  For this example, I used 7-zip.

1)  First, sequence your application (7-zip).  Nothing special to do, just make sure it’s been done ;-)

2)  Create a .bat file to perform the uninstall of the software. In this case, I just looked up the product GUID of the package so msiexec can perform the uninstall, and added an extra step to echo “Removed 7zip” into a text file as evidence that the script executed. So my batch file looks like below.

Note that you don’t necessarily have to do this uninstall as simply as I have, or even use a .bat script. It could be VBScript. Or PowerShell. And/or include any custom checks to make sure it gets removed. And the options go on.

MsiExec.exe /x {23170F69-40C1-2702-0920-000001000000} /qb
echo Removed 7zip >> C:\uninst_7zip.txt

3)  Save your .bat file onto a server share. This share needs read, list, and execute rights for all users and all computers of the domain. In my examples, I essentially just had the share as \\server\AppV_Scripts\, which I can use for other scripts and whatnot.

4)  Edit the DeploymentConfig.xml file of the App-V package. What we want to do is:

  1. Locate the <MachineScripts> section – uncomment the blocked text so it can be used
  2. Locate the <AddPackage> element and delete the rest of the elements
  3. Set the <Path> to execute cmd.exe on the system
  4. Set the <Arguments> to run the .bat file on the server; if you’re unaware, /c tells cmd.exe to “run this command”, which would then be your \\server\share\script.bat

<!-- Machine Scripts Example - customize and uncomment to use machine scripts -->
<MachineScripts>
<AddPackage>
<Path>cmd.exe</Path>
<Arguments>/c \\alderaan2\appv_scripts\uninst_7zip.bat</Arguments>
<Wait RollbackOnError="true" Timeout="30"/>
</AddPackage>
</MachineScripts>

5)  Now we’ll add the package into ConfigMgr as an Application.  Note that ConfigMgr will choose the most recently modified Config.xml file to use for the Deployment Type.

  1. Add a new Application
  2. Select to add an App-V 5.0 package and select the .appv file
  3. Complete the wizard
  4. Using standard ConfigMgr procedures, deploy the application to the desired user collection (or computer)
  5. Run the application from the targeted user’s Application Catalog
  6. Watch the local system as the natively installed application is removed and the App-V package takes its place!
  7. Then check C:\ for the presence of the uninst_7zip.txt file, giving further proof that the script executed!
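
An added example that is not part of the original posts, serving both this walkthrough and the shim demo above: machine scripts in a DeploymentConfig.xml run with the App-V client’s system privileges on every computer the package is added to, so a .bat on a share that every user and computer can read must not also be writable by them. The PowerShell below parses the <MachineScripts> of a constructed sample config (reusing the \\alderaan2\appv_scripts\uninst_7zip.bat path from this post), lists each event’s command and RollbackOnError setting, and, for any UNC script path that is reachable, reports Allow ACEs on the file and its folder that grant write-type rights to broad principals (Everyone, Authenticated Users, Users, Domain Users, Domain Computers). Get-AppVMachineScript and Get-BroadWriteAccess are hypothetical helper names.

```powershell
# Constructed sample DeploymentConfig.xml; the share name is the one used in the post.
$sampleConfig = @'
<DeploymentConfiguration xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
  <MachineConfiguration>
    <MachineScripts>
      <AddPackage>
        <Path>cmd.exe</Path>
        <Arguments>/c \\alderaan2\appv_scripts\uninst_7zip.bat</Arguments>
        <Wait RollbackOnError="true" Timeout="30"/>
      </AddPackage>
    </MachineScripts>
  </MachineConfiguration>
</DeploymentConfiguration>
'@

function Get-AppVMachineScript {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $scripts = ([xml]$ConfigXml).DeploymentConfiguration.MachineConfiguration.MachineScripts
    foreach ($evt in @($scripts.ChildNodes | Where-Object NodeType -eq 'Element')) {
        $argText = [string]$evt.Arguments
        [pscustomobject]@{
            Event           = $evt.LocalName              # AddPackage, PublishPackage, ...
            Command         = "$($evt.Path) $argText"
            RollbackOnError = [string]$evt.Wait.RollbackOnError
            UncPaths        = @([regex]::Matches($argText, '\\\\[^\s"]+') | ForEach-Object Value)
        }
    }
}

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
    $broad = 'Everyone|Authenticated Users|\\Users$|Domain Users|Domain Computers'
    foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {   # the file and its folder
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -match $broad -and
                (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) {
                [pscustomobject]@{ Target = $target; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

foreach ($s in Get-AppVMachineScript -ConfigXml $sampleConfig) {
    "$($s.Event): $($s.Command) (RollbackOnError=$($s.RollbackOnError))"
    if ($s.RollbackOnError -ne 'true') { '  WARNING: a failing script will not roll back the package operation' }
    foreach ($unc in $s.UncPaths) {
        if (Test-Path -LiteralPath $unc) { Get-BroadWriteAccess -Path $unc | Format-Table -AutoSize }
        else { "  $unc is not reachable from here; verify its share and NTFS ACLs manually" }
    }
}
```

Any row returned by Get-BroadWriteAccess means someone outside the packaging team could replace the script that every targeted computer runs as the App-V client; tighten the share and NTFS ACLs to read/execute only before deploying.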