
Windows Defender with Windows 10 1809 - updated definition


Hi All,

Following an update to 1809, we have had issues with definitions for any Windows 10 machine with Intune (or just the vanilla Windows Defender).

Turns out the 'RemediationEXE' referenced by the LT default definition no longer exists.

I created the definition below, which seems to work fine. Thought I'd share with you all! 😀

Name: Windows Defender 10
AV Process: msmpeng*
Program Location: {%_if|{%_ne|{%-HKLM\SOFTWARE\Microsoft\Windows Defender:DisableAntiVirus-%}|1_%}|{%-HKLM\SOFTWARE\Microsoft\Windows Defender:InstallLocation-%}MsMpEng.exe_%}
Definition Location: {%-HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates:SignatureLocation-%}\mpavdlta.vdm
Date Mask: (.*)
Update Command: "{%-HKLM\SOFTWARE\Microsoft\Windows Defender:InstallLocation-%}\mpcmdrun.exe" -SignatureUpdate -Trace -Grouping 15 -GetFiles
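As an added illustration (not part of harryboyne's post or the Labtech product), this PowerShell script resolves the same registry values the definition above references and performs the equivalent checks locally: the DisableAntiVirus test, the Program Location, the AV process, the definition file date, and (only on request) the same update command. It assumes the registry keys and values named in the definition exist on the machine, which is exactly what the definition itself assumes.

```powershell
function Test-DefenderDefinition {
    # Mirrors each field of the Labtech definition so it can be validated on a
    # machine before saving it in the Dashboard. Added example, not Labtech code.
    param([switch]$RunUpdate)

    $defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $sigKey      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'

    # Program Location: the {%_if|{%_ne ...|1_%}...%} wrapper yields nothing when
    # DisableAntiVirus is 1, so the definition reports no AV in that case.
    $disabled = (Get-ItemProperty -Path $defenderKey -Name DisableAntiVirus -ErrorAction SilentlyContinue).DisableAntiVirus
    if ($disabled -eq 1) {
        Write-Output 'DisableAntiVirus = 1: Defender disabled by policy; definition reports no AV.'
        return
    }
    $installLocation = (Get-ItemProperty -Path $defenderKey -Name InstallLocation).InstallLocation
    # InstallLocation normally ends with a backslash, which is why the post's
    # Program Location appends MsMpEng.exe without adding one. Join-Path copes either way.
    $programPath = Join-Path $installLocation 'MsMpEng.exe'
    Write-Output ('Program Location : {0} (exists: {1})' -f $programPath, (Test-Path $programPath))

    # AV Process: the definition uses msmpeng*; a reply below found the bare name worked.
    $proc = @(Get-Process -Name 'MsMpEng' -ErrorAction SilentlyContinue)
    $state = if ($proc.Count -gt 0) { 'running (PID ' + $proc[0].Id + ')' } else { 'NOT running' }
    Write-Output ('AV Process       : {0}' -f $state)

    # Definition Location + Date Mask (.*): the file's last-write time is the definition date.
    $sigLocation = (Get-ItemProperty -Path $sigKey -Name SignatureLocation).SignatureLocation
    # A non-printable character in a copied value is the kind of problem a later reply hit.
    if ($sigLocation -match '[^\x20-\x7E]') { Write-Warning 'SignatureLocation contains non-printable characters' }
    $deltaVdm = Join-Path $sigLocation 'mpavdlta.vdm'
    if (Test-Path $deltaVdm) {
        $age = (Get-Date) - (Get-Item $deltaVdm).LastWriteTime
        Write-Output ('Definition file  : {0} (updated {1:N1} days ago)' -f $deltaVdm, $age.TotalDays)
    } else {
        Write-Output ('Definition file  : {0} not found' -f $deltaVdm)
    }

    # Update Command: identical switches to the definition; only runs with -RunUpdate.
    if ($RunUpdate) {
        $mpcmdrun = Join-Path $installLocation 'mpcmdrun.exe'
        & $mpcmdrun -SignatureUpdate -Trace -Grouping 15 -GetFiles
        Write-Output ('Update exit code : {0}' -f $LASTEXITCODE)
    }
}

Test-DefenderDefinition
```

Run it in an elevated PowerShell on the affected 1809 machine; if the process line reports NOT running while Defender is clearly active, the mismatch is in the process-name match, which is what the replies below discuss.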


It works on detecting it's installed, and also the virus definitions are correct. However, it always shows not running.

I'm not sure why, because the AV process it's looking for is msmpeng*, which is the correct exe, it looks like. Does anyone have any ideas why it shows not running?


:) Brilliant, thank you for the definition. It worked straight away and shows the object under the location with Virus scanner and this definition.

However, I cannot get the "Antivirus Tile" on the computer object to update.

Tried update config, resend full inventory, restart services, reload main control centre cache

And I know it's this definition, as soon as I change the name, the name changes for the Virus Scanner on the agent showing under the location.

Thank you in advance for any ideas


I just wanted to share my experience with this, in case anyone else is experiencing the same issue:

  1. I also needed to remove the * from the AV Process field
  2. When I copied and pasted the values from harryboyne's original post, it wasn't working. I pinpointed this to some sort of issue with the Definition Location (I noticed this when pasting it into PowerShell: there was a trailing "?"). After typing this field in manually into the Labtech Dashboard, it worked fine.

As a general note, I've found that Labtech isn't good about refreshing the Virus Scan templates after editing/saving an existing entry. When testing out different AV entries, I always delete and create a new entry in the Dashboard with each modification rather than editing my existing entry. Also, I avoid using the regular Control Center for seeing the results since the Computer screen is slow to refresh (either requiring to reload system cache or even closing/reopening the whole Control Center). The web Control Center shows the detected AV (after updating configs and resending system information on the agent and then refreshing the webpage).
