Enabling Microsoft Antimalware User Interface on ARM VMs Post Deployment
Hello Azure security community!
Yuri Diogenes (CSI Enterprise Mobility and Azure Security team) here. In our blog post Microsoft Antimalware and Azure Resource Manager (ARM) VMs, we clarified some issues regarding Microsoft Antimalware deployment using PowerShell for ARM VMs and the supportability question regarding accessing the antimalware user interface (UI) post deployment.
As stated in that article, changing the cleanuppolicy.xml file to bypass this error message is not supported. However, you can create a custom policy in the VM itself if you want to enable the UI in the virtual machine.
If your company needs access to the UI in the virtual machine, you can create a custom policy using the example below:
<?xml version="1.0" encoding="utf-8"?>
<SecurityPolicy
    xmlns="https://forefront.microsoft.com/FEP/2010/01/PolicyData"
    Name="Microsoft Antimalware UI"
    Version="1"
    Description="Enables the UI for Azure Antimalware. This policy is applicable to Windows 2008 R2, Windows 2012, Windows 2012 R2."
    IsBuiltIn="0"
    CreatedBy="Microsoft"
    LastModifiedBy="Microsoft"
    >
  <PolicySection Name="SCEP.ConfigPolicy">
    <LocalGroupPolicySettings>
      <!-- Configure UILockdown policy key to show UI, since default is no UI -->
      <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration" Disabled="false">
        <AddValue Name="UILockdown" Type="REG_DWORD" Disabled="false">0</AddValue>
      </AddKey>
    </LocalGroupPolicySettings>
  </PolicySection>
</SecurityPolicy>
After creating this policy, apply it with ConfigSecurityPolicy.exe and then run gpupdate /force to update the local policies, as shown in the example below:
D:\Program Files\Microsoft Security Client>ConfigSecurityPolicy.exe newpolicy.xml
Microsoft Security Client successfully applied policy: "Microsoft Antimalware UI".
D:\Program Files\Microsoft Security Client>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
Certain Computer policies are enabled that can only run during startup.
OK to Restart?. (Y/N)
If you are still seeing the same pop-up error message, please reboot the virtual machine to ensure the change has been applied.
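To confirm that the policy actually landed, the following added example (not part of the original post or of any Microsoft tooling) reads the policy file and compares every AddKey/AddValue entry with the registry. The function name Test-AntimalwarePolicyApplied is hypothetical, and the script assumes that LocalGroupPolicySettings keys are written under HKEY_LOCAL_MACHINE.

```powershell
# Added example: verify that each registry value declared in the policy file
# is present in the registry with the expected data.
function Test-AntimalwarePolicyApplied {
    param(
        # File name taken from the command transcript above.
        [string]$PolicyPath = '.\newpolicy.xml'
    )

    # Load the policy as XML; Load() throws if the file is not well-formed.
    $policy = New-Object System.Xml.XmlDocument
    $policy.Load((Resolve-Path -LiteralPath $PolicyPath).Path)

    # local-name() keeps the query independent of the namespace URI in the file.
    $keys = $policy.SelectNodes(
        "//*[local-name()='LocalGroupPolicySettings']/*[local-name()='AddKey']")

    foreach ($key in $keys) {
        # Assumption: policy keys are relative to HKEY_LOCAL_MACHINE.
        $regPath = 'HKLM:\' + $key.GetAttribute('Name')

        foreach ($value in $key.SelectNodes("*[local-name()='AddValue']")) {
            $name     = $value.GetAttribute('Name')
            $expected = $value.InnerText.Trim()
            $actual   = $null

            if (Test-Path -LiteralPath $regPath) {
                $item = Get-ItemProperty -LiteralPath $regPath -Name $name `
                            -ErrorAction SilentlyContinue
                if ($item) { $actual = $item.($name) }
            }

            # One result row per declared value; Match is $false when the
            # value is missing or differs from the policy file.
            New-Object PSObject -Property @{
                Key      = $regPath
                Value    = $name
                Expected = $expected
                Actual   = $actual
                Match    = ($null -ne $actual) -and ("$actual" -eq $expected)
            } | Select-Object Key, Value, Expected, Actual, Match
        }
    }
}

# Show all entries, then list any that did not apply.
$results = @(Test-AntimalwarePolicyApplied -PolicyPath '.\newpolicy.xml')
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Match }
```

Run it from an elevated prompt in the folder that holds the policy file; an empty final listing means every declared value, including UILockdown, matches the registry.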
This is a supported workaround procedure for companies that need to have access to the antimalware UI post deployment.
Kudos to Rakesh Narayan and the ASM Team for their contribution in testing this solution.