DaveBaker1
We're running a non-persistent VDI pool with FileShares as the definition update source. This has been working fine until we added the Startup script which onboards the VMs into Azure Defender Security Center. I've used the PowerShell 'single entry' method described here:
Onboarding VDI devices
However, the child VMs are no longer displaying their status or last update time - the engine just egg timers and the log file mplog.log shows these entries:
Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) Service Log
Started On 04-22-2021 17:24:12
************************************************************
OS install time: 03/01/2021 15:26:23.0 UTC
Current time: 04/22/2021 15:24:12.398459700 UTC (1233875 ms since boot)
2021-04-22T15:24:12.398Z ProductId: 2, ProductFeature: 0, LaunchedProtected: 3, IsWcos: 0, IsContainerOs: 0, DirtyShutdownDetected: 0, PassiveRemediation: 0, IsHybridModePolicyEnabled: 0
2021-04-22T15:24:12.418Z [WPP] Starting WPP trace with buffersize 4MB, maxfilesize: 16MB, filename: MpWppTracing-20210422-172412-00000003-ffffffff.bin ...
2021-04-22T15:24:12.431Z [WPP] Trace session started - MpWppTracing-20210422-172412-00000003-ffffffff.bin
2021-04-22T15:24:12.431Z OS Build/Branch info: 18362.1.amd64fre.19h1_release.190318-1202
2021-04-22T15:24:12.433Z MpReinforceExclusionsAcls (hr = 0x0)
2021-04-22T15:24:12.433Z [PlatUpd] Service launched successfully from: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2101.9-0
2021-04-22T15:24:12.448Z [PlatUpd] MpManagementUpdateHandler: starting update for install path %ProgramData%\Microsoft\Windows Defender\platform\4.18.2101.9-0.
2021-04-22T15:24:12.448Z [PlatUpd] MpManagementUpdateHandler: calling MpUpdateManagement()
2021-04-22T15:24:12.448Z [PlatUpd] MpUpdateManagement: Management platform update started for components (3)
2021-04-22T15:24:12.448Z [PlatUpd] CSP platform update started
2021-04-22T15:24:12.448Z [PlatUpd] Defender MDM CSP platform update not required
2021-04-22T15:24:12.448Z [PlatUpd] WMI/PS provider platform update started
2021-04-22T15:24:12.448Z [PlatUpd] WMI/PS provider platform update not required
2021-04-22T15:24:12.448Z [PlatUpd] MpUpdateManagement: Management platform update completed
2021-04-22T15:24:12.448Z [PlatUpd] MpCheckAndUpdateBinaryLocationTo(%ProgramData%\Microsoft\Windows Defender\platform\4.18.2101.9-0): 7 items checked, 0 required update. hrMui: 0x00000001 hrEtw: 0x00000000
2021-04-22T15:24:12.448Z RegisterSModeChangeListener: hr = 0x1
2021-04-22T15:24:12.448Z RegisterHybridModeChangeListener: hr = 0x1
2021-04-22T15:24:12.603Z Passive Mode Registry key changed from 1 to 1
2021-04-22T15:24:12.603Z SENSE is enabled and product disabled. Enabling product in passive mode.
2021-04-22T15:24:12.603Z Service is asked to be reenabled.
Product disabled...Stopping service
2021-04-22T15:24:12.606Z Task(-DisableService) launched as PPL process
2021-04-22T15:24:13.040Z Service stop requested (ServiceError: 0x0). Calling CleanupMpService ...
Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24) Log
Stopped On 04-22-2021 17:24:13 (Exit Code = 0x0)
************************************************************
I don't understand what the enrolment does - I assumed it just makes the VMs manageable / report into Azure, but it appears to change the way they fetch updates? Any help on this please?
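A diagnostic script an admin could run on one of the affected child VMs, added here as an example; it is not part of DaveBaker1's post or of Microsoft's onboarding script. It scans the newest Defender support log for the same passive-mode lines quoted above (SENSE enabled, product disabled, service stopping) and then reports the live running mode from Get-MpComputerStatus so the log and the provider can be compared. The Support folder path, the MPLog-*.log filename pattern and the ForceDefenderPassiveMode policy value are assumptions about a default Windows 10 install.

```powershell
# Added diagnostic, not the poster's script or Microsoft's onboarding script.
# Assumptions: Defender support logs live under
# $env:ProgramData\Microsoft\Windows Defender\Support as MPLog-*.log, and the
# Defender PowerShell module (Get-MpComputerStatus) is present on the VM.
param(
    [string]$LogDir = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support')
)

# Patterns taken from the log excerpt in the post: the lines that show the AV
# engine being switched to passive mode and shut down right after SENSE came up.
$patterns = @(
    'SENSE is enabled and product disabled',
    'Passive Mode Registry key changed',
    'Service is asked to be reenabled',
    'Task\(-DisableService\)',
    'Service stop requested'
)

function Get-PassiveModeEvidence {
    param([string]$Dir)
    # Only the most recently written log is of interest on a freshly booted
    # non-persistent VM; older files belong to previous sessions.
    $latest = Get-ChildItem -Path $Dir -Filter 'MPLog-*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $latest) { return @() }
    Select-String -Path $latest.FullName -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Filename
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# 1. Evidence in the support log.
$hits = @(Get-PassiveModeEvidence -Dir $LogDir)
if ($hits.Count -gt 0) {
    Write-Host "Passive-mode transition found in the Defender support log:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No passive-mode transition lines found under $LogDir"
}

# 2. Live state as reported by the Defender WMI/PowerShell provider.
# When the service has stopped (as in the log above) this call can fail, so
# the failure itself is reported rather than aborting the script.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AMRunningMode                 = $status.AMRunningMode   # 'Normal' vs 'Passive Mode'
        AntivirusEnabled              = $status.AntivirusEnabled
        RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
        AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
        AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    } | Format-List
} catch {
    Write-Host "Get-MpComputerStatus failed (service may be stopped): $($_.Exception.Message)"
}

# 3. Policy value that forces passive mode. Assumption: this is the documented
# ForceDefenderPassiveMode location; it is only present if something (Group
# Policy, Intune or an onboarding script) has written it.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$forced = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
if ($null -eq $forced) {
    Write-Host "ForceDefenderPassiveMode: <not set>"
} else {
    Write-Host "ForceDefenderPassiveMode: $forced"
}
```

Run it elevated on a child VM after the startup script has executed. If the log shows the same "SENSE is enabled and product disabled" sequence and AMRunningMode reports passive mode, the change in update behaviour is a consequence of the engine being moved to passive mode at onboarding rather than of the FileShares update source itself.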