Additional Script Updates
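--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if cloud-delivered protection is enabled
+$cloudProtection = Get-MpPreference | Select-Object -ExpandProperty MAPSReporting
+
+if ($cloudProtection -ne 0) {
+Write-Output "Cloud-delivered protection is enabled."
+exit 0
+} else {
+Write-Output "Cloud-delivered protection is disabled."
+exit 1
+}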
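Review bot: `$cloudProtection -ne 0` on the `if` line treats MAPSReporting = 1 (Basic) as compliant, while the paired remediation sets `Advanced` (2), so a device at Basic is never remediated and the two scripts disagree on what "enabled" means; if Advanced is the required level, compare with `if ($cloudProtection -eq 2) {` (or `-ge 2`). The same comparison also reports "enabled" and exits 0 when `Get-MpPreference` fails, because `$cloudProtection` is then `$null` and `$null -ne 0` is true. Adding `-ErrorAction Stop` inside a try/catch that exits 1, or testing `$null -eq $cloudProtection` first, makes a failed query non-compliant instead of silently compliant.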
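--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,3 @@
+# Enable cloud-delivered protection
+Set-MpPreference -MAPSReporting Advanced
+exit 0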
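Review bot: `exit 0` after `Set-MpPreference -MAPSReporting Advanced` reports success to the remediation framework whether or not the cmdlet succeeded, since a failed Set-MpPreference raises a non-terminating error and execution continues to the exit. The PUA remediation later in this commit uses try/catch with exit 1 on failure; the same shape with `Set-MpPreference -MAPSReporting Advanced -ErrorAction Stop` inside the `try` keeps the reported result honest. The remediation hunks for exploit protection, network protection, scheduled scans, security intelligence updates and tamper protection have the same unconditional `exit 0`.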
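--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if exploit protection settings are applied
+$exploitProtection = Get-MpPreference | Select-Object -ExpandProperty ExploitProtection
+
+if ($exploitProtection) {
+Write-Output "Exploit protection settings are applied."
+exit 0
+} else {
+Write-Output "Exploit protection settings are not applied."
+exit 1
+}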
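Review bot: I cannot find an `ExploitProtection` property on the object `Get-MpPreference` returns, so `$exploitProtection` on the assignment line is likely always `$null` and the `if` always reports "not applied" — please verify with `Get-MpPreference | Get-Member`. Exploit protection mitigations are exposed by the ProcessMitigations module (`Get-ProcessMitigation -System`) rather than by Defender preferences, so the detection would need to read from there. The paired remediation hunk's `Add-MpPreference -ExploitProtectionSettings "Recommended"` has the same question: if that parameter does not exist the call errors and the script still exits 0.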
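--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,3 @@
+# Apply recommended exploit protection settings
+Add-MpPreference -ExploitProtectionSettings "Recommended"
+exit 0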
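--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if network protection is enabled
+$networkProtection = Get-MpPreference | Select-Object -ExpandProperty EnableNetworkProtection
+
+if ($networkProtection -eq 1) {
+Write-Output "Network protection is enabled."
+exit 0
+} else {
+Write-Output "Network protection is disabled."
+exit 1
+}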
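Review bot: `$networkProtection -eq 1` treats audit mode (EnableNetworkProtection = 2, as I read the documented values) as disabled, and the paired remediation then sets `Enabled`, so a device deliberately left in audit mode is flipped to block mode by this remediation. If that is not intended, accept both states, e.g. `if ($networkProtection -eq 1 -or $networkProtection -eq 2) {`; if block mode is the required state, say so in the comment on the first line. The PUA detection hunk later in this commit raises the same audit-mode question (PUAProtection = 2).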
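--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,3 @@
+# Enable network protection
+Set-MpPreference -EnableNetworkProtection Enabled
+exit 0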
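--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,7 @@
+if((Get-MpPreference).PUAProtection -eq 1) {
+Write-Output "Device Compliant"
+exit 0
+} else {
+Write-Output "Device Non-Compliant"
+exit 1
+}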
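--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,9 @@
+try {
+Set-MpPreference -PUAProtection Enabled
+Write-Output "Device Remediated"
+exit 0
+}
+catch {
+Write-Output "Remediation Failed"
+exit 1
+}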
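Review bot: The `catch` block in this hunk will not run when `Set-MpPreference -PUAProtection Enabled` fails, because Set-MpPreference raises a non-terminating error by default and `try` only intercepts terminating ones; the script then prints "Device Remediated" and exits 0 on a failed change. Adding `-ErrorAction Stop` to the cmdlet call (or `$ErrorActionPreference = 'Stop'` at the top of the script) is what makes the try/catch effective. The behavior-monitoring and real-time-protection remediation hunks use the same pattern and need the same change.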
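--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,15 @@
+# Detection Script: Detect_Malware.ps1
+
+# Perform a quick scan using Microsoft Defender
+Start-MpScan -ScanType QuickScan
+
+# Check the scan results
+$scanResults = Get-MpThreatDetection
+
+if ($scanResults) {
+Write-Output "Malware detected: $($scanResults.ThreatName)"
+exit 1
+} else {
+Write-Output "No malware detected."
+exit 0
+}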
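Review bot: `Get-MpThreatDetection` on the assignment line returns the device's detection history, not the result of the quick scan just started, so once anything has ever been detected `$scanResults` stays non-empty and the script keeps reporting malware (exit 1) after cleanup; filtering to detections newer than the scan start (`InitialDetectionTime`) or to active status is needed for the check to ever clear. I also don't see a `ThreatName` property on Get-MpThreatDetection output — it is on `Get-MpThreat`, keyed by ThreatID — so the interpolated message may print empty; please confirm with `Get-Member`. Running `Start-MpScan` synchronously inside a detection script also ties the detection run to scan duration, which deserves a comment such as `# Quick scan runs synchronously; detection duration depends on scan time`.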
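--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,15 @@
+# Remediation Script: Remediate_Malware.ps1
+
+# Perform a full scan using Microsoft Defender
+Start-MpScan -ScanType FullScan
+
+# Check the scan results
+$scanResults = Get-MpThreatDetection
+
+if ($scanResults) {
+# Remove detected malware
+Remove-MpThreat -ThreatID $scanResults.ThreatID
+Write-Output "Malware removed: $($scanResults.ThreatName)"
+} else {
+Write-Output "No malware detected."
+}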
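Review bot: Neither branch of the `if` ends with an `exit`, so the remediation's result is reported only through its output text; add `exit 0` after the success message and an `exit 1` path for a failed removal to match the detection script. `Remove-MpThreat -ThreatID $scanResults.ThreatID` passes an array whenever more than one detection exists, and I do not find a `-ThreatID` parameter on Remove-MpThreat (it acts on all active threats); check `Get-Command Remove-MpThreat -Syntax` and, if the parameter is absent, call it without arguments and test `$?` afterwards. As in the detection script, `Get-MpThreatDetection` returns history rather than only current threats, so `$scanResults` and the "Malware removed" message are unlikely to reflect only this scan.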
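--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,7 @@
+if((Get-MpComputerStatus).BehaviorMonitorEnabled -eq "True") {
+Write-Output "Device Compliant"
+exit 0
+} else {
+Write-Output "Device Non-Compliant"
+exit 1
+}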
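Review bot: `BehaviorMonitorEnabled -eq "True"` on the `if` line compares a boolean with a string; it only works because PowerShell converts the right-hand side to the left-hand type and any non-empty string is `$true`, so `-eq "False"` would match an enabled device just the same. The property is already a boolean, so `if ((Get-MpComputerStatus).BehaviorMonitorEnabled) {` (or `-eq $true`) is the unambiguous form. The real-time-protection detection hunk further down has the same comparison.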
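--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,9 @@
+try {
+Set-MpPreference -DisableBehaviorMonitoring $false
+Write-Output "Device Remediated"
+exit 0
+}
+catch {
+Write-Output "Remediation Failed"
+exit 1
+}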
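--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,8 @@
+
+if((Get-MpComputerStatus).RealTimeProtectionEnabled -eq "True") {
+Write-Output "Device Compliant"
+exit 0
+} else {
+Write-Output "Device Non-Compliant"
+exit 1
+}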
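--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,9 @@
+try {
+Set-MpPreference -DisableRealtimeMonitoring $false
+Write-Output "Device Remediated"
+exit 0
+}
+catch {
+Write-Output "Remediation Failed"
+exit 1
+}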
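--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if scheduled scans are configured
+$scanSchedule = Get-MpPreference | Select-Object -ExpandProperty ScanScheduleQuickScanTime
+
+if ($scanSchedule) {
+Write-Output "Scheduled scans are configured."
+exit 0
+} else {
+Write-Output "Scheduled scans are not configured."
+exit 1
+}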
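Review bot: `ScanScheduleQuickScanTime` is a TimeSpan, and as far as I can tell `if ($scanSchedule)` on a non-null TimeSpan is true even at 00:00:00, so this check reports "configured" whenever Get-MpPreference succeeds — please verify with `[bool][timespan]::Zero`. A scan time alone does not show that scans are scheduled either; the frequency lives in `ScanScheduleDay` (and `ScanParameters` for full scans), so the check should read those and compare the time against `[timespan]::Zero` explicitly, e.g. `if ($scanSchedule -ne [timespan]::Zero) {`.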
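--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,4 @@
+# Schedule quick scans daily and full scans weekly
+Set-MpPreference -ScanScheduleQuickScanTime (Get-Date).AddDays(1).TimeOfDay
+Set-MpPreference -ScanScheduleFullScanTime (Get-Date).AddDays(7).TimeOfDay
+exit 0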
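Review bot: `(Get-Date).AddDays(1).TimeOfDay` and `(Get-Date).AddDays(7).TimeOfDay` both equal the current time of day — AddDays changes the date, not the time — so both scan times are set to whatever moment the remediation happens to run, and neither line configures a daily or weekly frequency as the comment claims; `ScanScheduleQuickScanTime` and `ScanScheduleFullScanTime` are times of day only. Pick fixed times and set the day explicitly, e.g. `Set-MpPreference -ScanScheduleQuickScanTime "12:00"` and `Set-MpPreference -ScanScheduleDay Everyday`, and rewrite the comment to describe what is actually configured. The unconditional `exit 0` also reports success even if the calls fail, as noted on the cloud-protection remediation.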
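--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if security intelligence updates are up-to-date
+$lastUpdate = Get-MpComputerStatus | Select-Object -ExpandProperty AntivirusSignatureLastUpdated
+
+if ($lastUpdate -lt (Get-Date).AddDays(-1)) {
+Write-Output "Security intelligence updates are outdated."
+exit 1
+} else {
+Write-Output "Security intelligence updates are up-to-date."
+exit 0
+}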
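--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,3 @@
+# Update security intelligence
+Update-MpSignature
+exit 0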
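--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,10 @@
+# Check if tamper protection is enabled
+$tamperProtection = Get-MpPreference | Select-Object -ExpandProperty DisableTamperProtection
+
+if ($tamperProtection -eq $false) {
+Write-Output "Tamper protection is enabled."
+exit 0
+} else {
+Write-Output "Tamper protection is disabled."
+exit 1
+}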
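Review bot: I cannot find a `DisableTamperProtection` property on `Get-MpPreference` output, so `$tamperProtection` on the assignment line is probably `$null`; `$null -eq $false` is false, which means the script always reports "disabled" and exits 1 — verify with `Get-Member`. Tamper protection state is exposed as `(Get-MpComputerStatus).IsTamperProtected`, which is the property this check should read. The paired remediation's `Set-MpPreference -DisableTamperProtection $false` likely fails for the same reason, and as far as I know tamper protection is not configurable through Set-MpPreference at all (it is managed centrally), so that script can at most report the state rather than change it.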
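--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,3 @@
+# Enable tamper protection
+Set-MpPreference -DisableTamperProtection $false
+exit 0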
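--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,51 @@
+## Microsoft Defender AV
+
+### Get-CloudDeliveredProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-CloudDeliveredProtection)
+- **Detection**: Checks if Cloud-Delivered Protection is enabled.
+- **Remediation**: Enables Cloud-Delivered Protection if it is disabled.
+
+### Get-ExploitProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-ExploitProtection)
+- **Detection**: Checks if Exploit Protection is enabled.
+- **Remediation**: Enables Exploit Protection if it is disabled.
+
+### Get-NetworkProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-NetworkProtection)
+- **Detection**: Checks if Network Protection is enabled.
+- **Remediation**: Enables Network Protection if it is disabled.
+
+### Get-PUAProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-PUAProtection)
+- **Detection**: Checks if PUA Protection is enabled.
+- **Remediation**: Enables PUA Protection if it is disabled.
+
+### Get-QuickScan
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-QuickScan)
+- **Detection**: Performs a Quick Scan via Defender AV on the endpoint.
+- **Remediation**: Performs a Full Scan if malware is detected during the Quick Scan.
+
+### Get-RealTimeBehaviour
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-RealTimeBehaviour)
+- **Detection**: Checks if Real Time Behaviour is enabled.
+- **Remediation**: Enables Real Time Behaviour if it is disabled.
+
+### Get-RealTimeProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-RealTimeProtection)
+- **Detection**: Checks if Real Time Protection is enabled.
+- **Remediation**: Enables Real Time Protection if it is disabled.
+
+### Get-ScheduledScan
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-ScheduledScan)
+- **Detection**: Checks if a Scheduled AV Scan is present on the Endpoint.
+- **Remediation**: Configures a Daily Quick Scan and Weekly Full Scan if no scan is present on the Endpoint.
+
+### Get-SecurityIntelligenceUpdates
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-SecurityIntelligenceUpdates)
+- **Detection**: Checks if Security Intelligence Updates are current on the Endpoint.
+- **Remediation**: Runs a Security Intelligence Updates if the device is found not to be running a recent version of Security Intelligence Updates.
+
+### Get-TamperProtection
+[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-TamperProtection)
+- **Detection**: Checks if Tamper Protection is enabled.
+- **Remediation**: Enables Tamper Protection if it is disabled.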