Microsoft Defender Live Response - The last line of defence!
Ever been in a situation when the state of a device is so bad, so unusable, that it feels like you have exhausted all options and there is no hope? I think it is safe to say that most of us in the world of endpoint management will have such days at some point.
I recently dealt with a device that was in a deadlock state. To give some more context, here is a snapshot of what I was dealing with -
1. The device reset had failed from Microsoft Intune and as part of the process was also deleted from the admin portal.
2. To make matters worse, the device object was deleted from Entra ID as well. (Don't ask why, it's just the way it is. :-) )
3. The enrolled user had standard permissions and in order to elevate the permissions, one would need either a GA role or LAPS. While LAPS was configured, due to step 2, there was no way to retrieve the password, even through Graph.
4. GA wouldn't work either, as the device had lost trust with Entra ID.
5. Even if you rebooted into terminal through advanced recovery, you needed the BitLocker recovery key to unlock the OS drive. But due to step 2, there was no way to retrieve the BitLocker recovery key, even through Graph and mysignins.
6. I was hoping to catch a glimpse of something relevant in the Entra ID audit logs, but couldn't salvage anything.
I then remembered that the device was onboarded on Defender for Endpoint and had been managed for all P2 features, including Live Response. You see, MDE uses its own communication channel through the 'Sense' service, which doesn't necessarily rely on the Entra ID joined state or on Intune management. In order to get the device back in a clean state, I decided to disjoin the device locally from Entra ID and start over. The device was showing all the tell-tale signs of a bad WinRE environment, and instead of spending any more time repairing it, I decided to just re-install the OS.
The easiest way to run commands through the MDE remote shell is with custom PowerShell scripts. However, you cannot run PowerShell commands the usual way: Live Response has its own library, and scripts have to be uploaded there before they can be run. You can still run the basic built-in commands that do not involve custom scripts.
The easiest way to upload and manage all your scripts is by navigating to security.microsoft.com > Settings > Endpoints.
To upload a script, just hit the upload option above the filters.
You can check the repository by running the 'library' command.
I then ran the script to disjoin the device and rebooted it manually into advanced recovery. The contents of the script are as follows -
& "C:\Windows\System32\dsregcmd.exe" /leave
The device was no longer reporting as joined to Entra ID locally. The policies were refreshed and BitLocker protection was showing as 'Off'. This gave me access to the C: drive in recovery, and I was able to create another admin account and use that to elevate the permissions, ultimately allowing me to re-install the OS.
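As an added example (not the author's script), here is a Live Response-style PowerShell script that records the device's join state, OS-drive BitLocker status and Sense service status before, and optionally after, the same 'dsregcmd /leave' action, so the operator has a record of what was changed. It assumes the script is uploaded to the Live Response library and run from the console; the -Leave switch is an assumed parameter, and without it the script only reports.

```powershell
# Added example, not the author's script. Report join/BitLocker/Sense state,
# and only perform 'dsregcmd /leave' when -Leave (an assumed switch) is passed.
param([switch]$Leave)

function Get-DsregState {
    # Parse the 'Key : Value' lines of 'dsregcmd /status' into a hashtable
    $state = @{}
    & "$env:SystemRoot\System32\dsregcmd.exe" /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-OsDriveProtection {
    # BitLocker protection status of the OS volume; 'Unavailable' if the cmdlet is missing
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return "$($vol.ProtectionStatus)"
    } catch { return 'Unavailable' }
}

function Write-Snapshot([string]$Label) {
    # One labelled snapshot; the MDE channel ('Sense') is what keeps Live Response working
    $s = Get-DsregState
    [pscustomobject]@{
        Phase              = $Label
        AzureAdJoined      = $s['AzureAdJoined']
        DomainJoined       = $s['DomainJoined']
        DeviceId           = $s['DeviceId']
        TenantName         = $s['TenantName']
        BitLockerOsDrive   = Get-OsDriveProtection
        SenseService       = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
    } | Format-List
}

Write-Snapshot -Label 'before'
if ($Leave) {
    # Same action as the author's one-liner; the device must be re-enrolled afterwards
    & "$env:SystemRoot\System32\dsregcmd.exe" /leave
    Write-Snapshot -Label 'after'
}
```

The 'before' snapshot is worth keeping with the incident notes, since after the leave the tenant-side device object and the local join state are both gone.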
Tip: Since the device is rebooted into WinRE in recovery, to access the OS partition you will need to select the correct drive letter. If you are working with the registry, you will need to load the OS registry hive temporarily, make the changes, save it and then unload it.
There might be other ways to fix this kind of issue, but I wanted to get this device back up as quickly as possible, and using Microsoft Defender Live Response seemed like a viable option. A very elegant option, if you ask me. Although, considering the power of this feature, my advice would be to implement RBAC in Defender.
Until next time..