How to use Intune for Defender for Endpoint catch-up protection updates

uMarko 2 31 Reputation points
2022-03-24T17:24:40.88+00:00

I am planning the phased deployment of Defender for Endpoint Plan 1 clients to Win10/11/macOS across our enterprise. I want to use Intune for the deployment.

I am also planning for operations after the deployment. One thing I anticipate is https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide . The article gives remediation methods using MECM, Group Policy, Powershell, WMI, but not Intune. How do we use Intune to manage outdated endpoints?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,808 questions
0 comments No comments
{count} vote

6 answers

Sort by: Most helpful
  1. christophe ghesquiere 1 Reputation point
    2022-03-24T21:03:02.24+00:00

    Hello,
    Create a compliance policy in intune and set to required the setting “Microsoft Defender Antimalware security intelligence up-to-date”
    And if it’s not enough, create a proactive remediation like detection (get-mpcomputerStatus).AntivirusSigantureAge -ge 2
    And remediation update-mpsignature with a short interval like every 4 hours for example.
    it's not the script just the content, you need to add conditions, exit, message for each phases ....
    Thanks

    0 comments No comments

  2. uMarko 2 31 Reputation points
    2022-03-25T16:00:15.287+00:00

    @ christopheghesquiere-3152
    I see this is where to create the compliance policy:

    Endpoint Manager > Devices > Compliance policies > Create policy > W10 and later > Compliance settings tab > System Security section > Microsoft Defender Antimalware = Require, Microsoft Defender Antimalware security intelligence up-to-date = Require , Real-time protection = Require

    However, this link to do the remediation is not available to me:

    Endpoint Manager > Reports > Endpoint Analytics

    I think its because we are using govcloud. The article https://learn.microsoft.com/en-us/enterprise-mobility-security/solutions/ems-intune-govt-service-description says Microsoft Endpoint Manager Endpoint Analytics and Log Analytics features are not currently available for US Government customers.

    How would you suggest we do the remediation?

    0 comments No comments

  3. christophe ghesquiere 1 Reputation point
    2022-03-25T23:06:12.173+00:00

    the intune compliance policy does remediation afterwards if you want to have a double check without being able to use the pro active remediation solution, no doubt I will create an Intune application (Win32) containing a script that installs a scheduler task and a script containing this compliance and remediation. but the compliance (&remediation) classic should suffice, it is better to focus on the configuration of the security endpoint part in defender.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-mde-post-migration-intune?view=o365-worldwide

    https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/become-a-microsoft-365-defender-ninja/ba-p/1789376

    0 comments No comments

  4. uMarko 2 31 Reputation points
    2022-03-29T14:28:12.263+00:00

    @ christopheghesquiere-3152, are you saying that in the compliance policy definition, there is a way to run a script on non-compliant endpoints? I don't see such an option in the "Actions for noncompliance tab".

    188002-catch-up-compliance-policy-settings.png

    197464-catch-up-compliance-policy-actions-does-not-allow.png

    0 comments No comments

  5. christophe ghesquiere 1 Reputation point
    2022-03-29T15:32:51.837+00:00

    Hello,

    • It is there but in preview for the moment. (and doesn't seem available to you)

    187909-image.png

    • But as already said classic compliance has native remediation:

    187910-image.png

    0 comments No comments