Hi,
Many of our security controls rely on Elements maintaining antivirus and certain other limitations on our devices. Therefore we need a way to monitor that Elements is enabled on the devices. Frankly, there are better things to do than reconciling the device list manually, so we've created an automated compliance rule in Intune which takes care of it.
In essence, any device not running an up-to-date version of Elements is not granted access to our AAD services after a grace period.
When a user logs in, Intune runs a custom PowerShell script on the device, which queries MS Security Center for installed antivirus products' state. We limit the query to remove MS Defender from the results.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select-Object displayName, productState | Where-Object { $_.displayName -match 'Elements' } | ConvertTo-Json -Compress
Then, a JSON ruleset checks if the product state equals 266240, meaning enabled and up to date.
This works great, however some changes could lead to all of our devices getting blocked at the same time.
- We assume Elements will contain "Elements" in the DisplayName. Would using instanceGuid be a better alternative for this? Is the GUID always unique across devices, Windows versions, product updates, etc.?
- We assume product state should be 266240. There are other states which also indicate 'enabled and up to date', such as 397568 for Defender and 397312 for MSE. What is the difference between these states, and is there a situation where Elements could show a different state while remaining compliant?
Finally, using this method we are able to see that the device is running an instance of something called Elements. But we do not see whether the device has been registered to the centralized monitoring via the company portal, or whether the correct device profile has been applied. Is there a way to pull this information from Elements client-side using a PowerShell script?
Thanks!
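An added example, not the poster's script, that addresses the single-magic-number concern: an Intune custom compliance discovery script that reports the Elements entry as separate JSON fields (found, enabled, up to date, instanceGuid), so the JSON rule can test each condition on its own. The bit masks used to decode productState are an assumption based on community documentation, not an official Microsoft specification; they are consistent with the three values quoted in the post (266240, 397568, 397312 all decode as enabled and up to date) but should be validated against your own fleet.

```powershell
# Added example (not from the original post). Discovery script for an Intune
# custom compliance policy: returns one compressed JSON object whose keys the
# JSON rules file references by name.
# ASSUMPTION: productState is a bit field in which 0x1000 means the product is
# enabled and 0x10 means signatures are out of date. This is community-documented,
# not officially published; confirm against devices you know to be compliant.

$ENABLED_MASK    = 0x1000
$OUTOFDATE_MASK  = 0x10

$products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct |
    Where-Object { $_.displayName -match 'Elements' }

# Default to non-compliant so a missing product or a script error never reads as "ok".
$result = [ordered]@{
    ElementsFound    = $false
    ElementsEnabled  = $false
    ElementsUpToDate = $false
    ProductState     = 0
    ProductStateHex  = ''
    InstanceGuid     = ''
}

if ($products) {
    # If more than one matching entry exists, prefer an enabled one (assumption).
    $p = $products | Sort-Object { $_.productState -band $ENABLED_MASK } -Descending | Select-Object -First 1
    $state = [int]$p.productState

    $result.ElementsFound    = $true
    $result.ProductState     = $state
    $result.ProductStateHex  = ('0x{0:X6}' -f $state)      # e.g. 266240 -> 0x041000
    $result.InstanceGuid     = [string]$p.instanceGuid
    $result.ElementsEnabled  = (($state -band $ENABLED_MASK) -ne 0)
    $result.ElementsUpToDate = (($state -band $OUTOFDATE_MASK) -eq 0)
}

# Intune expects the discovery script to emit the JSON on a single line.
return $result | ConvertTo-Json -Compress
```

The matching JSON rules file would then require ElementsFound, ElementsEnabled and ElementsUpToDate to all equal true, and the raw ProductState/ProductStateHex fields remain visible in the compliance report for troubleshooting when a state you did not anticipate appears.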