Monday, November 18, 2019

Windows Defender Virus Definitions and more information via SCCM

With Windows Defender gaining more and more popularity as the product to protect Windows 10 machines, getting visibility of what is managed is a key element.
The information an administrator needs includes virus definitions, last scan dates, etc.

What is the best way to do it? For me, SCCM is already deployed in my environment, so it is a no-brainer to use it.
Here's the problem: SCCM by default does not contain this information, but we do have a way to add it. How?
By adding a class to be discovered.

The PowerShell below shows that you can extract a whole load of information from the namespace root\Microsoft\SecurityClient.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntimalwareHealthStatus

Result:

__GENUS                            : 2
__CLASS                            : AntimalwareHealthStatus
__SUPERCLASS                       : ProtectionTechnologyStatus
__DYNASTY                          : SerializableToXml
__RELPATH                          : AntimalwareHealthStatus=@
__PROPERTY_COUNT                   : 31
__DERIVATION                       : {ProtectionTechnologyStatus, SerializableToXml}
__SERVER                           : DESKTOP01
__NAMESPACE                        : root\Microsoft\SecurityClient
__PATH                             : \\DESKTOP01\root\Microsoft\SecurityClient:AntimalwareHealthStatus=@
AntispywareEnabled                 : True
AntispywareSignatureAge            : 0
AntispywareSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntispywareSignatureVersion        : 1.283.218.0
AntivirusEnabled                   : True
AntivirusSignatureAge              : 0
AntivirusSignatureUpdateDateTime   : 2018-12-09T14:58:32.000Z
AntivirusSignatureVersion          : 1.283.218.0
BehaviorMonitorEnabled             : True
Enabled                            : True
EngineVersion                      : 1.1.15500.2
IoavProtectionEnabled              : True
LastFullScanAge                    : 4294967295
LastFullScanDateTimeEnd            :
LastFullScanDateTimeStart          :
LastFullScanSource                 : 0
LastQuickScanAge                   : 4294967295
LastQuickScanDateTimeEnd           :
LastQuickScanDateTimeStart         :
LastQuickScanSource                : 0
Name                               : Antimalware
NisEnabled                         : True
NisEngineVersion                   : 1.1.15500.2
NisSignatureVersion                : 1.283.218.0
OnAccessProtectionEnabled          : True
ProductStatus                      : 524288
RealTimeScanDirection              : 0
RtpEnabled                         : True
SchemaVersion                      : 1.0.0.1
Version                            : 4.18.1810.5
PSComputerName                     : DESKTOP01

So what you need to do is add the above namespace to the hardware inventory cycle.

1) Go to SCCM Client settings and select "Hardware Inventory" then followed by "Set Class".


2) Next, enter "root\Microsoft\SecurityClient" as the WMI namespace and click Connect.

3) Select the class, "AntimalwareDetectionStatus", click OK.

4) You are done now. If you expand the class, you will see tons of information.
All that is needed now is to wait for the next hardware inventory cycle for the information to be sent back to SCCM.
5) The table that will be created in SQL is dboANTIMALWAREHEALTHSTATUS_DATA.
You can get the information needed from here.
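
To spot-check a client before the inventory data arrives, the same class can be evaluated locally. The following is an added example, not part of the original post: Test-DefenderHealth is a hypothetical helper, the thresholds are assumed policy values, the Age properties are assumed to be in days, and 4294967295 is treated as "no scan recorded" because the output above pairs it with empty scan dates.

```powershell
# Added example (not from the original post). Thresholds are assumptions.
$NeverScanned = [uint32]::MaxValue   # 4294967295, the value shown for LastFullScanAge above

function Test-DefenderHealth {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Status,
        [int] $MaxSignatureAgeDays = 3,   # assumed policy threshold
        [int] $MaxQuickScanAgeDays = 7    # assumed policy threshold
    )
    process {
        $findings = @()
        # Every protection flag in the class should report True.
        foreach ($flag in 'AntivirusEnabled', 'AntispywareEnabled', 'RtpEnabled',
                          'BehaviorMonitorEnabled', 'OnAccessProtectionEnabled') {
            if (-not $Status.$flag) { $findings += "$flag is off" }
        }
        if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings += "AV signatures are $($Status.AntivirusSignatureAge) days old"
        }
        # Check the sentinel first so it is not reported as a huge day count.
        if ($Status.LastQuickScanAge -eq $NeverScanned) {
            $findings += 'No quick scan recorded'
        } elseif ($Status.LastQuickScanAge -gt $MaxQuickScanAgeDays) {
            $findings += "Last quick scan was $($Status.LastQuickScanAge) days ago"
        }
        if ($Status.LastFullScanAge -eq $NeverScanned) {
            $findings += 'No full scan recorded'
        }
        [pscustomobject]@{
            Computer         = $Status.PSComputerName
            SignatureVersion = $Status.AntivirusSignatureVersion
            Compliant        = ($findings.Count -eq 0)
            Findings         = $findings -join '; '
        }
    }
}

# Constructed sample that mirrors the values in the output shown above.
$sample = [pscustomobject]@{
    PSComputerName = 'DESKTOP01'; AntivirusEnabled = $true; AntispywareEnabled = $true
    RtpEnabled = $true; BehaviorMonitorEnabled = $true; OnAccessProtectionEnabled = $true
    AntivirusSignatureAge = 0; AntivirusSignatureVersion = '1.283.218.0'
    LastQuickScanAge = 4294967295; LastFullScanAge = 4294967295
}
$sample | Test-DefenderHealth

# On a live client, pipe the real class in instead of the sample:
# Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareHealthStatus | Test-DefenderHealth
```

Run against the sample, the machine is flagged as non-compliant only because no quick or full scan has been recorded; its signatures and protection flags pass.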

Monday, September 2, 2019

Skype for Business Server Users Client Prompts for Exchange Credentials for Office 365 MFA users


One of the environments that I have worked on as part of an Exchange Online migration involves the existence of Skype for Business.

For Exchange Online users that are provisioned for MFA, it has been reported that they encounter an error in the Skype for Business client: "Exchange needs your credentials. Until then, you might see outdated info in Skype for Business".

Though this is not a hard error, it will result in a stale Address Book Service (ABS) and intermittent Free/Busy presence issues.



To resolve this, add the following registry key on the affected machines.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync

Then, apply the AllowAdalForNonLyncIndependentOfLync registry key setting:

"AllowAdalForNonLyncIndependentOfLync"=dword:00000001