Intune/MS endpoint manager compliancy rule for WithSecure Elements
Hi,
Many of our security controls rely on Elements maintaining antivirus and certain other limitations on our devices. Therefore we need a way to monitor Elements is enabled on the devices. Frankly, there are better things to do than reconciling the device list manually, so we've created an automated compliance rule in Intune which takes care of it.
In essence, any device not running an up-to-date version of Elements is not granted access to our AAD services after a grace period.
When a user logs in, Intune runs a custom powershell script on the device, which queries MS Security Center for installed antivirus products' state. We limit the query to remove MS Defender from the results.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | select-object displayname, productstate | where-object { $_.displayName -match 'Elements'} | convertto-json -compress
Then, a json ruleset checks if the product state equals 266240 - meaning enabled and up to date.
This works great, however some changes could lead to all of our devices getting blocked at the same time.
- We assume Elements will contain "Elements" in the DisplayName. Would using instanceGuid be a better alternative for this? Is the Guid always unique across devices, windows versions, product updates, etc.?
- We assume product state should be 266240. There are other states which also indicate 'enabled and up to date', such as 397568 for Defender and 397312 for MSE. What is the difference between these states, and is there a situation where Elements could show a different state while remaining compliant?
Finally, using this method we are able to see the device is running an instance of something called Elements. But we do not see if the device has been registered to the centralized monitoring via the company portal, or that the correct device profile has been applied. Is there a way to pull this information from Elements client-side using a powershell script?
Thanks!
Best Answers
-
Hi @henrirove
Please find below the response from our backend team,
Using instanceGuid is not recommended since its value is dependent on the signer certificate for the binaries, which may change from time to time, therefore its value may change as well. Although it may be more stable than product names, it cannot be guaranteed that it will not change over time.
Nevertheless, it is possible to check the connection to the portal and profile name using WMI in our client. Here is the documentation: https://help.f-secure.com/product.html#business/psb-portal/latest/en/concept_E8B1C2F45269429D84CA9F073FF6D491-psb-portal-latest-en
About AV state in Windows Security Center the value is a combination of bit fields. We've found the following article: https://mcpforlife.com/2020/04/14/how-to-resolve-this-state-value-of-av-providers/
2 -
In that case, WMI can be bypassed to get the installed profile name.
Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\F-Secure\Monitoring\CentralManagement -Name "Profile_ProfileName"
Thanks for your help!
0
Answers
-
Hi @henrirove
We're glad you've posted your first message in our community. I will check this with our Elements Endpoint Protection team and update here as soon as possible.
Thanks
Sethu
1 -
Thank you for your response. This would do it.
However, WMI is unable to get information on the applied company profile, which is one of the things we need.
Company profile is correctly applied on my device and I am able to find the correct name under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F-Secure\Monitoring\CentralManagement
But when running Get-WmiObject -Namespace "root/fsecure" -Class CentralManagement the response for Profile property is System.Management.ManagementBaseObject
Also, as this registry does not exist, there is an empty response for all queries with -Class Profile
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F-Secure\Monitoring\Profile
How do I get the installed profile information using WMI?
Thanks!
0 -
Hi @henrirove
For some reason, the backend team decided against disclosing profile names using WMI. You'll probably need to submit a feature request if you need them. However, we have customized script that helps to get all the information provided by WMI Provider.
Some examples as below for your reference, so please let me know if you need the script so we will send you via Private Message.
API
=======
Version: 1.0
Product
=======
Name: F-Secure Client Security Premium
Version: 15.30
Build: 15.30.3961.0
Anti-Virus
==========
RealTimeScanning: Enabled
DeepGuard: Enabled
AvDefinitionsUpdateTime: 2022-04-17 10:29:15+000
Central Management
==================
LastConnectionTime: 2022-07-29 19:03:10+000
PolicyUpdateTime: 2022-07-28 17:02:07+000
Profile:
Name:
Series Name: 48
Installation Time: 2022-07-28 17:02:07+000
1
Categories
- All Categories
- 4.6K WithSecure Community
- 3.6K Products
- 1 Get Support