Update the Virus Definition
Follow the steps below to prepare your self-healing environment.
- Download the Detection and Remediation PowerShell scripts from my GitHub account. https://github.com/harvansh007/Defender-Self-Healing-Automation—Virus-Definition-Update
- Create a group in Intune that will be used to deploy the Remediation script.
- Create the self-remediation script.
Log in to the Intune console, click Devices, then click Scripts and remediations. Under the Remediation section, click Create.

Fill in the Name details and click Next.

Now select the Detection and Remediation scripts and click Next.

Use the default scope and click Next.

Add the group that we created for remediation.

Now everything is ready; click Create.

Now your Self-Healing script is ready.
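To show what the detection half of such a remediation pair does, here is an added example of a detection script. It is not the script from the GitHub repository above. The 5-day threshold is an assumption chosen to match the KQL query on this page, and the decision to skip devices where Defender Antivirus is not the active engine is also an assumption.

```powershell
# Added example: Intune remediation *detection* script (not the author's script).
# Intune runs the paired remediation script only when detection exits with code 1.

# Assumption: 5 days, matching the threshold used in the KQL query on this page.
$MaxSignatureAgeDays = 5

try {
    # Get-MpComputerStatus is part of the built-in Defender PowerShell module.
    $status = Get-MpComputerStatus -ErrorAction Stop
}
catch {
    # Defender cannot be queried (service stopped, module missing, WMI damaged).
    # Report as non-compliant so the device shows up in the remediation report.
    Write-Output "Unable to query Defender status: $($_.Exception.Message)"
    exit 1
}

# Assumption: if Defender Antivirus is not the active engine, a signature
# update will not help, so the device is reported as "no issue" here.
if (-not $status.AntivirusEnabled) {
    Write-Output "Defender Antivirus is not enabled; signature age not evaluated."
    exit 0
}

$lastUpdated = $status.AntivirusSignatureLastUpdated
if (-not $lastUpdated) {
    # No timestamp at all means definitions were never installed.
    Write-Output "No antivirus signature timestamp reported."
    exit 1
}

# Whole days since the last definition update.
$ageDays = [math]::Floor(((Get-Date) - $lastUpdated).TotalDays)
$summary = "SignatureVersion=$($status.AntivirusSignatureVersion) " +
           "LastUpdated=$($lastUpdated.ToString('u')) AgeDays=$ageDays"

if ($ageDays -gt $MaxSignatureAgeDays) {
    # Output is shown in the Intune report as the pre-remediation detection output.
    Write-Output "Outdated: $summary"
    exit 1
}

Write-Output "Current: $summary"
exit 0
```

A matching remediation script can call `Update-MpSignature` and exit with a non-zero code if the update fails, so that failed devices remain visible in the Intune report.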
Use the KQL query below to list all devices whose definitions have not been updated for more than 5 days.
```kusto
DeviceTvmSecureConfigurationAssessment
| where Timestamp > ago(30d)
// scid-2011 is the configuration check this page uses for definition updates
| where ConfigurationId == 'scid-2011' and Context != '[]'
// The signature update timestamp is read from the Context JSON array
| extend SigUpdate = todatetime(parse_json(Context)[0][2])
| extend SigAge = datetime_diff('day', now(), SigUpdate)
| where SigAge > 5
| project Timestamp, DeviceName, SigAge, SigUpdate
```
Add these devices to the group.