To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Intune/MS endpoint manager compliancy rule for WithSecure Elements

henrirove
henrirove W/ Alumni Posts: 3 Security Scout

Hi,

Many of our security controls rely on Elements maintaining antivirus and certain other limitations on our devices. Therefore we need a way to monitor Elements is enabled on the devices. Frankly, there are better things to do than reconciling the device list manually, so we've created an automated compliance rule in Intune which takes care of it.


In essence, any device not running an up-to-date version of Elements is not granted access to our AAD services after a grace period.

When a user logs in, Intune runs a custom powershell script on the device, which queries MS Security Center for installed antivirus products' state. We limit the query to remove MS Defender from the results.

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | select-object displayname, productstate | where-object { $_.displayName -match 'Elements'} | convertto-json -compress

Then, a json ruleset checks if the product state equals 266240 - meaning enabled and up to date.


This works great, however some changes could lead to all of our devices getting blocked at the same time.

  1. We assume Elements will contain "Elements" in the DisplayName. Would using instanceGuid be a better alternative for this? Is the Guid always unique across devices, windows versions, product updates, etc.?
  2. We assume product state should be 266240. There are other states which also indicate 'enabled and up to date', such as 397568 for Defender and 397312 for MSE. What is the difference between these states, and is there a situation where Elements could show a different state while remaining compliant?

Finally, using this method we are able to see the device is running an instance of something called Elements. But we do not see if the device has been registered to the centralized monitoring via the company portal, or that the correct device profile has been applied. Is there a way to pull this information from Elements client-side using a powershell script?

Thanks!

Best Answers

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 216 Moderator

    Hi @henrirove

    We're glad you've posted your first message in our community. I will check this with our Elements Endpoint Protection team and update here as soon as possible.

    Thanks

    Sethu

  • henrirove
    henrirove W/ Alumni Posts: 3 Security Scout

    Thank you for your response. This would do it.

    However, WMI is unable to get information on the applied company profile, which is one of the things we need.


    Company profile is correctly applied on my device and I am able to find the correct name under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F-Secure\Monitoring\CentralManagement

    But when running Get-WmiObject -Namespace "root/fsecure" -Class CentralManagement the response for Profile property is System.Management.ManagementBaseObject


    Also, as this registry does not exist, there is an empty response for all queries with -Class Profile

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\F-Secure\Monitoring\Profile


    How do I get the installed profile information using WMI?

    Thanks!

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 216 Moderator

    Hi @henrirove

    For some reason, the backend team decided against disclosing profile names using WMI. You'll probably need to submit a feature request if you need them. However, we have customized script that helps to get all the information provided by WMI Provider.

    Some examples as below for your reference, so please let me know if you need the script so we will send you via Private Message.


    API

    =======

    Version: 1.0

     

    Product

    =======

    Name: F-Secure Client Security Premium

    Version: 15.30

    Build: 15.30.3961.0

     

    Anti-Virus

    ==========

    RealTimeScanning: Enabled

    DeepGuard: Enabled

    AvDefinitionsUpdateTime: 2022-04-17 10:29:15+000


    Central Management

    ==================

    LastConnectionTime: 2022-07-29 19:03:10+000

    PolicyUpdateTime: 2022-07-28 17:02:07+000

    Profile:

     Name:

     Series Name: 48

     Installation Time: 2022-07-28 17:02:07+000

This discussion has been closed.