Today a short post about a way to forcefully update Windows Defender Antimalware during our Windows Autopilot enrollments.
When a Windows device is enrolled by an end-user, the Windows Defender Antimalware version might be outdated. And because of that, sometimes even real-time protection is turned off. When Windows Update is running, the Antimalware version will get an update sooner or later and real-time protection is turned on. But when your company uses an Intune compliance policy in which a Microsoft Defender Antimalware minimum version is required and no grace period is used, that might give your end-user a bad user experience. The device will be marked as non-compliant until the Antimalware version is updated.
With this PowerShell script we can forcefully trigger an Antimalware update. If we package the script into a WIN32 app, we can make sure the script is run during Autopilot enrollments, and Defender is updated to the latest version before the user signs into the device.
The script can be found on my GitHub repo.
The script
To update Defender there is not much more needed than a PowerShell one-liner. I added that to a script with some logging and wrapped that as a WIN32 application. This way I can deploy it as an application during Autopilot enrollment and, if needed, set it as a dependency of another app. But you can also change the script to your own needs and deploy it as a ‘normal’ script with Intune.
Let’s see what’s in the script.
As the Microsoft Intune Management Extension might start a 32-bit PowerShell instance, the script first restarts itself as a 64-bit PS instance.
In the functions region, we define a CleanUpAndExit function, which is also used for Intune detection when wrapped as a win32 package.
And a transcript is started that writes a log file to %programdata%\Microsoft\IntuneManagementExtension\Logs so the log file can be remotely collected when using the Intune diagnostics feature.
The script first collects the current Windows Defender Status and writes that to the log file:
Get-MpComputerStatus | FL AMEngineVersion,AMProductVersion,AntivirusSignatureLastUpdated,RealTimeProtectionEnabled
Next, it triggers a Defender update directly from the Microsoft Malware Protection Center (and bypassing Windows Update):
# Path to the Microsoft Antimalware Service Command Line Utility
$MpCmdRun = "C:\Program Files\Windows Defender\MpCmdRun.exe"
If (Test-Path $MpCmdRun -PathType Leaf) {
    Write-Output "Force Windows Defender Update"
    # -MMPC pulls the update from the Microsoft Malware Protection Center instead of Windows Update
    $UpdateResult = & $MpCmdRun -SignatureUpdate -MMPC
    Write-Output $UpdateResult
} Else {
    Write-Output "Cannot find the Microsoft Antimalware Service Command Line Utility: $MpCmdRun"
}
And after triggering the update, the updated Defender status is retrieved and written to the log file.
After that it runs the cleanup and exit function and writes the status to the registry, which can be used for detection in Intune. And that’s already it.
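The steps described above, as one condensed added example (this is not the author's script from GitHub); the log folder and the detection registry key are the ones named in this post, the value names written under that key and the log file name are my own choice:

```powershell
# Added example, not the original script. Relaunch as 64-bit when the Intune
# Management Extension started us in 32-bit PowerShell (the env var only exists there).
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    & "$env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Log next to the IME logs so "Collect diagnostics" in Intune picks it up
$LogPath  = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\WindowsDefenderUpdate.log"
$RegKey   = 'HKLM:\Software\Klapwijk\WindowsDefenderUpdate\v1.0'   # Win32 app detection rule
$MpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
$Fields   = 'AMEngineVersion', 'AMProductVersion', 'AntivirusSignatureVersion',
            'AntivirusSignatureLastUpdated', 'RealTimeProtectionEnabled'

function CleanUpAndExit {
    param([string]$Status, [int]$ExitCode)
    # The key's presence satisfies the detection rule; the Status value (my
    # addition) lets a stricter rule require 'Updated' so failures show in Intune.
    New-Item -Path $RegKey -Force | Out-Null
    Set-ItemProperty -Path $RegKey -Name 'Status'  -Value $Status
    Set-ItemProperty -Path $RegKey -Name 'LastRun' -Value (Get-Date -Format 's')
    Stop-Transcript
    exit $ExitCode
}

Start-Transcript -Path $LogPath -Append

# Defender status before the update, so the log shows what the device arrived with
$Before = Get-MpComputerStatus
$Before | Format-List $Fields

if (-not (Test-Path $MpCmdRun -PathType Leaf)) {
    Write-Output "Cannot find the Microsoft Antimalware Service Command Line Utility: $MpCmdRun"
    CleanUpAndExit -Status 'MpCmdRunMissing' -ExitCode 1
}

# Pull the update straight from the Microsoft Malware Protection Center, bypassing Windows Update
Write-Output 'Force Windows Defender Update'
& $MpCmdRun -SignatureUpdate -MMPC | Write-Output
$UpdateExit = $LASTEXITCODE

# Status after the update, for the log and for the compliance check
$After = Get-MpComputerStatus
$After | Format-List $Fields

if ($UpdateExit -ne 0) {
    Write-Output "MpCmdRun.exe returned exit code $UpdateExit"
    CleanUpAndExit -Status "UpdateFailed:$UpdateExit" -ExitCode $UpdateExit
}
Write-Output "Signature version $($Before.AntivirusSignatureVersion) -> $($After.AntivirusSignatureVersion)"
CleanUpAndExit -Status 'Updated' -ExitCode 0
```

A non-zero exit code from MpCmdRun.exe is passed through as the script's exit code, so a failed update is visible in the Intune install status instead of only in the log.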
Intune install and detection
In case you also want to deploy the script as a WIN32 application, I’ll show the install command and detection rule for this script.
The install command is like this (depending on the PS1 file name):
PowerShell.exe -ExecutionPolicy Bypass -file .\WindowsDefenderUpdateV1.0.ps1
And the detection rule that checks the registry:
HKEY_LOCAL_MACHINE\Software\Klapwijk\WindowsDefenderUpdate\v1.0
End-result
There is not much to write about the end-result.
As we can see in the log file, Defender was outdated and after running the script it runs the latest version.
Thanks for reading and have a nice day!
2 Comments
Hi Peter – great idea and script…I’m considering running it as a platform script though. I know we lose visibility of the code this way but it feels nice to get this update executed as soon as possible – did you consider this approach and already rule it out? thanks 👍
Hi Carl,
I didn’t try it as a platform script, but don’t see a reason it shouldn’t work as a platform script.
Regards,
Peter