Monday, November 18, 2019

Windows Defender Virus Definitions and more information via SCCM

With Windows Defender becoming more and more popular as the product protecting Windows 10 machines, visibility into what is managed is a key element.
The information an administrator needs includes virus definitions, last scan dates, etc.

What is the best way to do it? SCCM is already deployed in my environment, so using it is a no-brainer for me.
Here's the problem: SCCM does not contain this information by default, but there is a way to add it. How?
By adding a class to be discovered.

The PowerShell command below shows that you can extract a whole load of information from the namespace root\Microsoft\SecurityClient.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntimalwareHealthStatus


__GENUS                            : 2
__CLASS                            : AntimalwareHealthStatus
__SUPERCLASS                       : ProtectionTechnologyStatus
__DYNASTY                          : SerializableToXml
__RELPATH                          : AntimalwareHealthStatus=@
__PROPERTY_COUNT                   : 31
__DERIVATION                       : {ProtectionTechnologyStatus, SerializableToXml}
__SERVER                           : DESKTOP01
__NAMESPACE                        : root\Microsoft\SecurityClient
__PATH                             : \\DESKTOP01\root\Microsoft\SecurityClient:AntimalwareHealthStatus=@
AntispywareEnabled                 : True
AntispywareSignatureAge            : 0
AntispywareSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntispywareSignatureVersion        :
AntivirusEnabled                   : True
AntivirusSignatureAge              : 0
AntivirusSignatureUpdateDateTime   : 2018-12-09T14:58:32.000Z
AntivirusSignatureVersion          :
BehaviorMonitorEnabled             : True
Enabled                            : True
EngineVersion                      : 1.1.15500.2
IoavProtectionEnabled              : True
LastFullScanAge                    : 4294967295
LastFullScanDateTimeEnd            :
LastFullScanDateTimeStart          :
LastFullScanSource                 : 0
LastQuickScanAge                   : 4294967295
LastQuickScanDateTimeEnd           :
LastQuickScanDateTimeStart         :
LastQuickScanSource                : 0
Name                               : Antimalware
NisEnabled                         : True
NisEngineVersion                   : 1.1.15500.2
NisSignatureVersion                :
OnAccessProtectionEnabled          : True
ProductStatus                      : 524288
RealTimeScanDirection              : 0
RtpEnabled                         : True
SchemaVersion                      :
Version                            : 4.18.1810.5
PSComputerName                     : DESKTOP01

So what you need to do is add the above namespace to the hardware inventory cycle.

1) Go to SCCM Client settings and select "Hardware Inventory", followed by "Set Class".

2) Next, enter "root\Microsoft\SecurityClient" as the WMI namespace and click Connect.

3) Select the class, "AntimalwareDetectionStatus", click OK.

4) You are done now. If you expand the class, you will see tons of information.
All that is needed now is to wait for the next hardware inventory cycle for the information to be sent back to SCCM.

5) The table that will be created in SQL will be dboANTIMALWAREHEALTHSTATUS_DATA.
You can get the information needed from here.
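
As an added example (not part of the original post), the function below turns the properties shown in the AntimalwareHealthStatus output above into a list of health findings per machine. The function name, the two thresholds, the reading of the age fields as days, and the treatment of 4294967295 as "no scan recorded" are assumptions; the sample object is constructed from the output above so the script runs without WMI.

```powershell
# Added example. Thresholds are assumed policy values; adjust to your own standard.
$MaxSignatureAgeDays = 3
$MaxFullScanAgeDays  = 30
# 4294967295 appears above together with empty scan dates; assumed to mean "never scanned".
$NeverScanned = [uint32]::MaxValue

function Test-DefenderHealth {   # hypothetical helper name
    param([Parameter(Mandatory)] $Status)   # object carrying AntimalwareHealthStatus properties

    $findings = @()
    # Every protection flag listed in the class output should be True.
    foreach ($flag in 'AntivirusEnabled', 'AntispywareEnabled', 'RtpEnabled',
                      'OnAccessProtectionEnabled', 'BehaviorMonitorEnabled',
                      'IoavProtectionEnabled', 'NisEnabled') {
        if (-not $Status.$flag) { $findings += "$flag is off" }
    }
    # Signature age, assumed to be reported in days.
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "signatures are $($Status.AntivirusSignatureAge) days old"
    }
    # Handle the sentinel before comparing against the threshold.
    if ($Status.LastFullScanAge -eq $NeverScanned) {
        $findings += 'no full scan recorded'
    } elseif ($Status.LastFullScanAge -gt $MaxFullScanAgeDays) {
        $findings += "last full scan was $($Status.LastFullScanAge) days ago"
    }

    [pscustomobject]@{
        Computer = $Status.PSComputerName
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample mirroring the values in the output above.
$sample = [pscustomobject]@{
    PSComputerName = 'DESKTOP01'; AntivirusEnabled = $true; AntispywareEnabled = $true
    RtpEnabled = $true; OnAccessProtectionEnabled = $true; BehaviorMonitorEnabled = $true
    IoavProtectionEnabled = $true; NisEnabled = $true
    AntivirusSignatureAge = 0; LastFullScanAge = 4294967295
}
Test-DefenderHealth -Status $sample

# On a live client, feed it the real instance instead of the sample:
# Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareHealthStatus |
#     ForEach-Object { Test-DefenderHealth -Status $_ }
```

For the sample, the only finding is the missing full scan, which is the kind of gap the inventory data makes visible across the whole fleet.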

Monday, September 2, 2019

Skype for Business Server Users Client Prompts for Exchange Credentials for Office 365 MFA users

One of the environments that I worked on as part of an Exchange Online migration included Skype for Business.

Exchange Online users who are provisioned for MFA have reported an error in the Skype for Business client: "Exchange needs your credentials. Until then, you might see outdated info in Skype for Business".

Though this is not a hard error, it results in a stale Address Book Service (ABS) and intermittent Free/Busy presence issues.

To resolve this, add the registry key on the affected machines.


Then, apply the AllowAdalForNonLyncIndependentOfLync registry key setting:


Tuesday, May 24, 2016

Reconnecting Deleted Users on O365

If the Directory Sync connection between an Office 365 account and an AD account breaks for some reason (AD user is deleted, server corruption, etc.), it can be tricky to get them reconnected. These steps may help:
1) Use the Office 365 Control panel to restore the deleted user. It will now be marked as “In Cloud” instead of “Synced with Active Directory”.
2) Use the local AD tools to re-create the user if it is missing. Local Exchange tools should be used to create a new mail user with an SMTP address that matches the SMTP address of the Office 365 user.
3) Fire up PowerShell and connect to the Office 365 Azure Cloud using the following commands:
Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session -AllowClobber
Connect-MsolService -Credential $O365Cred
4) Use the following command to delete the ImmutableID from the Office 365 Account where ‘User Principal Name’ is either the name or the email address of the user being reset:
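# Double quotes so that $null expands to an empty string; single quotes would store the literal text $null.
Set-MsolUser -UserPrincipalName 'User Principal Name' -ImmutableId "$null"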
5) Wait for, or force, the AD Sync and it should reconnect the accounts.