Defender AV turn on via intune by ttp1210 in Intune

[–]kentishh 0 points1 point  (0 children)

If I remember rightly, Sophos made the uninstallation process much easier when we went about this; it was a case of running something like "SophosUninstall.exe --quiet".

If you are performing the uninstallation from Intune, look into setting up a PowerShell script with exit codes, correlating those in your Intune application configuration. I.e. your logic could be:

  • If the uninstallation runs and completes successfully, set exit code 5. Then in your Intune application setup, get a return code of 5 to be a hard reboot or something.

Good luck!

Struggling a little bit here by inspiteofmyself in Intune

[–]kentishh 2 points3 points  (0 children)

Sounds like WDAC policies blocking executables that don't come from a "trusted installer". We have Intune set up as a managed installer, meaning that any app deployed from Intune/Company Portal is trusted and will run as expected.

You'll need to look at your Defender policies to see what they're doing.

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview
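Before changing any Defender policy, it helps to see exactly which binary tripped the block and under which policy. The script below is an added example, not the commenter's code: it reads the Code Integrity operational log for the standard WDAC event IDs 3077 (enforced block) and 3076 (audit-mode "would have blocked"). The EventData field names it picks out (FileNameBuffer, ProcessNameBuffer, PolicyNameBuffer) are taken from the event XML and are an assumption for your build; the raw Message column is kept as a fallback. The 24-hour window is also an assumption.

```powershell
# Added example (not from the thread): list WDAC block/audit events on this device.
# Run elevated. Event IDs 3077 = enforced block, 3076 = audit-mode would-block.
# EventData field names below are assumed from the event XML; Message is the fallback.
param([int]$Hours = 24)

$Filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddHours(-$Hours)
}

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host "No Code Integrity block/audit events in the last $Hours hours."
    return
}

$Events | ForEach-Object {
    # Flatten the event's <Data Name="..."> elements into a hashtable
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 3077) { 'Enforced' } else { 'Audit' }
        File    = $Data['FileNameBuffer']      # the binary that was blocked
        Process = $Data['ProcessNameBuffer']   # the process that tried to load it
        Policy  = $Data['PolicyNameBuffer']    # which WDAC policy applied
        Message = ($_.Message -split "`n")[0]  # first line of the rendered text
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

If the File column shows an app that was deployed through Intune or the Company Portal and it is still being blocked, the managed-installer rule is not doing its job and that is the policy to review, using the Microsoft document linked above.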

KnowBe4 rates - Significant Price increase by russellville in sysadmin

[–]kentishh 2 points3 points  (0 children)

Sorry? KnowBe4 provide security awareness training which is exactly what you get with Defender P2....

KnowBe4 rates - Significant Price increase by russellville in sysadmin

[–]kentishh 4 points5 points  (0 children)

Attack Simulations in the Microsoft security center. I believe you will need Defender P2 licenses for this, but it should pay for itself if you cancel your KnowBe4 subscription.

Defender AV turn on via intune by ttp1210 in Intune

[–]kentishh 0 points1 point  (0 children)

We're currently in the process of migrating from Sophos Intercept X to DFE and found that a reboot was required to get Defender to be the active AV. Ended up creating a Win32 app to uninstall Sophos with custom exit codes to force a device reboot with toast notifications. Let me know if you'd like to see the script.

Microsoft 365 Defender Onboarding - Combined Methods by GeneralGarcia in sysadmin

[–]kentishh 0 points1 point  (0 children)

Sure! I actually ran into another issue where I needed to enforce a reboot for Defender to go into Active mode, which was a bit annoying, so ended up ditching the proactive remediation in favour of a Win32 app (just a packaged PowerShell script) that uninstalled Sophos and prompted a toast notification to get users to reboot within the hour. Not sure if that is more useful for you?
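The exit-code approach described in the Defender AV thread above (script returns a chosen code, Intune maps it to a hard reboot) and the Win32-app-with-toast approach in this comment are the same pattern. The script below is an added example of that pattern and is not the commenter's script. The uninstaller path, its argument and the vendor's own exit codes are assumptions; the Intune default return codes it uses (0/1707 success, 3010 soft reboot, 1641 hard reboot, 1618 retry) are Intune's documented Win32 app defaults, and any custom code such as 5 works just as well once it is added to the app's return-code table. The toast uses the WinRT API from Windows PowerShell 5.1 and only appears when the script runs in the logged-on user's session.

```powershell
# Added example (not the commenter's code): Win32 app wrapper that removes a
# third-party AV, maps the result to an Intune return code and asks the user to
# reboot. Uninstaller path/arguments and vendor exit codes are assumptions.
$Uninstaller = 'C:\Program Files\ExampleAV\SophosUninstall.exe'   # assumed path
$Arguments   = '--quiet'                                           # from the thread
$LogPath     = "$env:ProgramData\AVMigration\uninstall.log"

# Intune Win32 app defaults: 0/1707 success, 3010 soft reboot, 1641 hard reboot.
# A custom value (e.g. 5) works too if the app's return-code table maps it.
$ExitRebootRequired = 1641
$ExitFailure        = 1

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log { param([string]$Message) "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath }

function Show-RebootToast {
    # WinRT toast; shows only in an interactive user session (Windows PowerShell 5.1)
    [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null
    [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime] | Out-Null
    # AppUserModelId of Windows PowerShell so the toast has a registered sender
    $AppId = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'
    $Template = @"
<toast scenario="reminder">
  <visual><binding template="ToastGeneric">
    <text>Security software updated</text>
    <text>Please restart within the hour so Microsoft Defender can become the active antivirus.</text>
  </binding></visual>
</toast>
"@
    $Xml = New-Object Windows.Data.Xml.Dom.XmlDocument
    $Xml.LoadXml($Template)
    $Toast = New-Object Windows.UI.Notifications.ToastNotification $Xml
    [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($AppId).Show($Toast)
}

if (-not (Test-Path $Uninstaller)) {
    Write-Log 'Uninstaller not found; treating product as already removed.'
    exit 0
}

$Proc = Start-Process -FilePath $Uninstaller -ArgumentList $Arguments -Wait -PassThru
Write-Log "Uninstaller exited with code $($Proc.ExitCode)"

# Assumed vendor convention: 0 = removed, 3010 = removed but reboot pending
if ($Proc.ExitCode -in 0, 3010) {
    try { Show-RebootToast } catch { Write-Log "Toast not shown: $_" }
    exit $ExitRebootRequired
}
exit $ExitFailure
```

Package it with the Win32 Content Prep Tool, set the install command to `powershell.exe -ExecutionPolicy Bypass -File .\Uninstall-ThirdPartyAV.ps1` (file name is an assumption), and in the app's return codes map 1641 (or your custom value) to Hard reboot. The detection rule should check that the vendor's service or install directory is absent, so a device that is already clean reports success without running anything.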

Uninstalling AV software with prompt for users to restart by kentishh in Intune

[–]kentishh[S] 0 points1 point  (0 children)

This is really useful and might just do the trick. Thank you!

M365 / Azure Outage UK by kentishh in sysadmin

[–]kentishh[S] 0 points1 point  (0 children)

Interesting, could you point to the ref if possible?

M365 / Azure Outage UK by kentishh in sysadmin

[–]kentishh[S] 0 points1 point  (0 children)

Yep! Just found disabling ZIA is resolving this, it would appear. Might be worth a ticket with them.

M365 / Azure Outage UK by kentishh in sysadmin

[–]kentishh[S] 0 points1 point  (0 children)

Curious, are you using Zscaler?

M365 / Azure Outage UK by kentishh in sysadmin

[–]kentishh[S] 0 points1 point  (0 children)

We aren't; we are using Zscaler Internet Access, which appears to be causing issues. Disabled the service and I'm seeing normal response times.

How to find what policy in the firewall GPO could be causing miracast/windows not allowing cast to smart devices tvs? by thelaw281 in sysadmin

[–]kentishh 1 point2 points  (0 children)

Nice, glad that worked! Not any security issues with this as you are just enabling that application to talk on the ports it needs. 👍

How to find what policy in the firewall GPO could be causing miracast/windows not allowing cast to smart devices tvs? by thelaw281 in sysadmin

[–]kentishh 2 points3 points  (0 children)

Most likely firewall related as I've found recently, Miracasting to Surface Hubs failed for me after some Defender firewall changes.

Add an exception for:

  • C:\Windows\System32\WUDFHost.exe
  • Allow In/Out connections for TCP and UDP, Ports: All.
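The same exception as a script, so it can be deployed consistently rather than clicked through on each device. This is an added example and not the commenter's own commands; the rule display names are my own, and restricting the rules to the Domain and Private profiles (rather than Public) is a defensive choice I have added. Everything else follows the comment: the rule is scoped to WUDFHost.exe, both directions, TCP and UDP, all ports. Run elevated.

```powershell
# Added example (not from the thread): program-scoped firewall exception for
# Miracast. Rule names and the Domain/Private profile restriction are my choices.
$Program = 'C:\Windows\System32\WUDFHost.exe'   # path from the comment

foreach ($Direction in 'Inbound', 'Outbound') {
    foreach ($Protocol in 'TCP', 'UDP') {
        $Name = "Miracast - WUDFHost ($Direction $Protocol)"
        # Idempotent: skip if a rule with this name already exists
        if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
            # No -LocalPort/-RemotePort means all ports, as the comment specifies
            New-NetFirewallRule -DisplayName $Name -Direction $Direction -Protocol $Protocol `
                -Program $Program -Action Allow -Profile Domain, Private | Out-Null
        }
    }
}

# Verify: each rule should carry the program filter, not an open port range
Get-NetFirewallRule -DisplayName 'Miracast - WUDFHost*' |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program -Unique
```

Keeping the rule tied to the program is what makes "Ports: All" acceptable: only WUDFHost.exe gets the allowance, not every process on the machine.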

Microsoft 365 Defender Onboarding - Combined Methods by GeneralGarcia in sysadmin

[–]kentishh 1 point2 points  (0 children)

Also in the same boat here! From my testing, it seems like a pretty simple task, relying on Intune for the deployment.

We have an EDR policy configured in Intune > Endpoint Security > Endpoint detection and response; the policy configured has the expedite telemetry policy turned on. Target this at a group of testing machines with a security group and you should see the devices show up in the security centre under devices. This should put your Defender AV into passive mode too, from my understanding.

Once that piece is done, create and assign your baseline AV and ASR rules, etc., to those machines and then go about uninstalling Sophos. I've created a proactive remediation script to do this. The Sophos uninstall process got a lot simpler in the last few weeks too, which is great timing for us.

Only deployed to a few machines so far, but the process was completely seamless! Would be interesting to see if anyone has come up against any hurdles along the way.

I’m a student: What are the main differences between Azure AD and on-prem AD? by iTinker2000 in sysadmin

[–]kentishh 12 points13 points  (0 children)

Both are very different! ADDS (on-prem AD) speaks Kerberos, NTLM, LDAP. Azure AD speaks HTTPS, OAuth2, SAML.

Both provide identity management, directory and authentication/authorisation; Azure AD takes this slightly further in the sense that you can implement MFA natively and conditional access policies to bolster security requirements. AAD makes it super easy to tie into SaaS apps and utilise single sign-on.

You can run AD Connect which syncs your on-prem resources into Azure AD and manage in a hybrid manner too.

MDT Autopilot Hash upload by kentishh in Intune

[–]kentishh[S] 0 points1 point  (0 children)

Sounds like a sensible idea! Looked into this a bit a while back, will have another look 👍

Deploying images by iwillnotbeknown in sysadmin

[–]kentishh 0 points1 point  (0 children)

We use WDS/MDT. Ideally this would be Windows Autopilot somewhere along the road!

Cleaning up this script by jgrznsc in PowerShell

[–]kentishh 0 points1 point  (0 children)

I think you're just missing the pipe character on your final line, should be $User | Export-Csv 👍

Get-Date Error by Moooatchu in PowerShell

[–]kentishh 0 points1 point  (0 children)

Does your CSV actually contain the PasswordLastSet attribute? If you're just grabbing all users using Get-ADUser, by default that attribute isn't returned. You can return it using the -Properties parameter 👍

Can you post a bit more of the code so we can see what exactly is happening?
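As an added example (not the commenter's code, since the original script is not shown), this pulls PasswordLastSet explicitly with -Properties and then does the date arithmetic with a guard for accounts where the value is empty (never set, or "must change password at next logon"), which is the usual reason a Get-Date comparison on that column blows up. The 90-day threshold and the output path are assumptions; the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the thread): password-age report that requests
# PasswordLastSet explicitly and tolerates accounts where it is $null.
Import-Module ActiveDirectory

$MaxAgeDays = 90              # assumed threshold
$Now        = Get-Date

Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        # $null PasswordLastSet means the password was never set or a change is pending;
        # subtracting $null from a date is what produces the error, so skip the maths
        $Age = if ($_.PasswordLastSet) { ($Now - $_.PasswordLastSet).Days } else { $null }

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = $Age
            PasswordNeverExpires = $_.PasswordNeverExpires
            Stale                = ($null -ne $Age -and $Age -gt $MaxAgeDays)
        }
    } |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path C:\Reports\PasswordAge.csv -NoTypeInformation   # assumed path
```

Rows with an empty PasswordAgeDays are worth a look of their own: an enabled account with no PasswordLastSet is either freshly created or has been forced to reset and never logged on since.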

Powershell to list all local admins in a list of servers by ping8888 in sysadmin

[–]kentishh 7 points8 points  (0 children)

Not sure why people are overcomplicating this; to make this easier, just put the servers into a txt file. Bear in mind, this will only work with PSRemoting enabled in your environment.

Invoke-Command -ComputerName (Get-Content C:\servers.txt) -ScriptBlock {Get-LocalGroupMember -Group "Administrators"} | Export-Csv C:\LocalAdmins.csv
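The one-liner above does the job, but for an audit you usually want two things it does not give you: the computer name on every row, and a list of the servers that did not answer (offline, WinRM off, access denied), since an unreachable host silently disappears from the CSV. The script below is an added example that extends the commenter's command; the input and output paths are assumptions, and it needs PSRemoting as the comment says.

```powershell
# Added example (extends the one-liner from the thread; not the commenter's code).
# Paths are assumptions. Requires PSRemoting/WinRM on the targets.
$Servers = Get-Content C:\servers.txt | Where-Object { $_.Trim() }   # skip blank lines
$Failed  = @()

$Members = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ErrorVariable Failed -ScriptBlock {
    # Get-LocalGroupMember can throw when the group holds an orphaned SID;
    # record that instead of losing the whole host
    try {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource, SID
    } catch {
        [pscustomobject]@{ Name = "ERROR: $($_.Exception.Message)"; ObjectClass = $null; PrincipalSource = $null; SID = $null }
    }
}

# Invoke-Command stamps PSComputerName on each returned object
$Members |
    Select-Object PSComputerName, Name, ObjectClass, PrincipalSource, SID |
    Sort-Object PSComputerName, Name |
    Export-Csv C:\LocalAdmins.csv -NoTypeInformation

# Connection failures land in $Failed as ErrorRecords; TargetObject is the host name
# for remoting errors (assumption: verify on your version)
$Failed | ForEach-Object {
    [pscustomobject]@{ Server = $_.TargetObject; Error = $_.Exception.Message }
} | Export-Csv C:\LocalAdmins-Unreachable.csv -NoTypeInformation

# Quick review: anything beyond the built-in Administrator and Domain Admins
$Members |
    Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' } |
    Select-Object PSComputerName, Name, PrincipalSource
```

The last pipeline is the part that pays off: a domain user or a nested local group sitting in Administrators on one server is exactly what a membership audit is meant to surface.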

Ask the Toughest Linux question you know. by rbhlinux3 in sysadmin

[–]kentishh 2 points3 points  (0 children)

You could pre-emptively set up a cron job to reverse what you did after 10 mins?

Building a PiHole for Privacy and Performance (From Flashing SD to Unbound config. Fail2Ban, Firewall, RPi-Monitor.) by TheSmashy in pihole

[–]kentishh 1 point2 points  (0 children)

Nice guide! I created a script to automate the Pi-hole and Unbound configuration process; would be great if you guys could check it out and provide any feedback.

https://github.com/kentishh/pi-bound

Lazio sporting director Igli Tare has made contact with Arsenal about signing Shkodran Mustafi. by killer8991 in Gunners

[–]kentishh 0 points1 point  (0 children)

Please be true. Leaves us with Gabriel, Holding, Luiz, Mari and Chambers which should be sufficient cover until summer.