Windows defender VDI onboarding to Security Center and now VM's don't display defender engine status?

Thread starter: DaveBaker1
We're running a non-persistent VDI pool with file shares as the definition update source. This has been working fine until we added the startup script which onboards the VMs into Azure Defender Security Center. I've used the PowerShell 'single entry' method described here:


Onboarding VDI devices


However, the child VMs are no longer displaying their status or last update time - the engine just egg timers and the log file mplog.log shows these entries:




Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) Service Log

Started On 04-22-2021 17:24:12

************************************************************

OS install time: 03/01/2021 15:26:23.0 UTC

Current time: 04/22/2021 15:24:12.398459700 UTC (1233875 ms since boot)

2021-04-22T15:24:12.398Z ProductId: 2, ProductFeature: 0, LaunchedProtected: 3, IsWcos: 0, IsContainerOs: 0, DirtyShutdownDetected: 0, PassiveRemediation: 0, IsHybridModePolicyEnabled: 0

2021-04-22T15:24:12.418Z [WPP] Starting WPP trace with buffersize 4MB, maxfilesize: 16MB, filename: MpWppTracing-20210422-172412-00000003-ffffffff.bin ...

2021-04-22T15:24:12.431Z [WPP] Trace session started - MpWppTracing-20210422-172412-00000003-ffffffff.bin

2021-04-22T15:24:12.431Z OS Build/Branch info: 18362.1.amd64fre.19h1_release.190318-1202

2021-04-22T15:24:12.433Z MpReinforceExclusionsAcls (hr = 0x0)

2021-04-22T15:24:12.433Z [PlatUpd] Service launched successfully from: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0

2021-04-22T15:24:12.448Z [PlatUpd] MpManagementUpdateHandler: starting update for install path %ProgramData%\Microsoft\Windows Defender\platform\4.18.2101.9-0.

2021-04-22T15:24:12.448Z [PlatUpd] MpManagementUpdateHandler: calling MpUpdateManagement()

2021-04-22T15:24:12.448Z [PlatUpd] MpUpdateManagement: Management platform update started for components (3)

2021-04-22T15:24:12.448Z [PlatUpd] CSP platform update started

2021-04-22T15:24:12.448Z [PlatUpd] Defender MDM CSP platform update not required

2021-04-22T15:24:12.448Z [PlatUpd] WMI/PS provider platform update started

2021-04-22T15:24:12.448Z [PlatUpd] WMI/PS provider platform update not required

2021-04-22T15:24:12.448Z [PlatUpd] MpUpdateManagement: Management platform update completed

2021-04-22T15:24:12.448Z [PlatUpd] MpCheckAndUpdateBinaryLocationTo(%ProgramData%\Microsoft\Windows Defender\platform\4.18.2101.9-0): 7 items checked, 0 required update. hrMui: 0x00000001 hrEtw: 0x00000000

2021-04-22T15:24:12.448Z RegisterSModeChangeListener: hr = 0x1

2021-04-22T15:24:12.448Z RegisterHybridModeChangeListener: hr = 0x1

2021-04-22T15:24:12.603Z Passive Mode Registry key changed from 1 to 1

2021-04-22T15:24:12.603Z SENSE is enabled and product disabled. Enabling product in passive mode.

2021-04-22T15:24:12.603Z Service is asked to be reenabled.

Product disabled...Stopping service

2021-04-22T15:24:12.606Z Task(-DisableService) launched as PPL process

2021-04-22T15:24:13.040Z Service stop requested (ServiceError: 0x0). Calling CleanupMpService ...

Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) Log

Stopped On 04-22-2021 17:24:13 (Exit Code = 0x0)

************************************************************


I don't understand what the enrolment does - I assumed it just makes the VMs manageable / report into Azure, but it appears to change the way they fetch updates? Any help on this please?
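The MpLog.log excerpt above is what tells you why the engine status hangs: after onboarding, the SENSE service is present, so the AV engine re-enables itself in passive mode and then stops. As an added example (not from the post or from Microsoft), the following parser runs over a constructed excerpt modelled on those quoted lines and flags the passive-mode transition and the service stop, so the same check can be run across a pool of VDI children. The marker strings and the `SAMPLE_LOG` text are assumptions taken from the quoted log, not an official log schema.

```python
import re

# Constructed excerpt modelled on the MpLog.log lines quoted in the post.
SAMPLE_LOG = """\
2021-04-22T15:24:12.448Z RegisterSModeChangeListener: hr = 0x1
2021-04-22T15:24:12.603Z Passive Mode Registry key changed from 1 to 1
2021-04-22T15:24:12.603Z SENSE is enabled and product disabled. Enabling product in passive mode.
2021-04-22T15:24:12.603Z Service is asked to be reenabled.
Product disabled...Stopping service
2021-04-22T15:24:13.040Z Service stop requested (ServiceError: 0x0). Calling CleanupMpService ...
"""

# Each entry starts with an ISO-8601 UTC timestamp; some lines are continuations.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(.*)$")

# Substrings (assumed from the quoted log) that mark the state changes of interest.
MARKERS = {
    "passive_mode": "Enabling product in passive mode",
    "service_stop": "Service stop requested",
    "sense_enabled": "SENSE is enabled",
}


def parse_entries(text):
    """Return (timestamp, message) tuples; a line without a timestamp inherits
    the timestamp of the previous entry."""
    entries, last_ts = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            last_ts, msg = m.group(1), m.group(2)
        else:
            msg = line
        entries.append((last_ts, msg))
    return entries


def find_state_changes(text):
    """Return (timestamp, marker_name) for every entry that matches a MARKER."""
    hits = []
    for ts, msg in parse_entries(text):
        for name, needle in MARKERS.items():
            if needle in msg:
                hits.append((ts, name))
    return hits


def went_passive(text):
    """True when the log shows the engine entering passive mode and then stopping."""
    names = {name for _, name in find_state_changes(text)}
    return "passive_mode" in names and "service_stop" in names
```

A VM whose log returns `went_passive(...) == True` at every boot is running with the AV engine in passive mode, which is consistent with the blank engine status and missing last-update time described above.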
