
Systems Management Question


Any way to use KACE reporting to report firewall status of Windows Defender for devices?

11/22/2019 262 views

I am hoping someone knows of a way to utilize KACE and reporting to be able to see what the firewall status of my domain PCs is via Windows Defender... any ideas?


Comments

  • I also needed to see the status of Windows Firewall on domain PCs (just whether it was enabled or disabled), so I created a custom inventory rule using the following:
    ShellCommandTextReturn(cmd.exe /c netsh advfirewall show allprofiles)

    I know you can do a lot more with the "netsh advfirewall" command; I just didn't really need to investigate any further.
  • I use a Custom Inventory Rule, and it works like a charm for my needs.

    ShellCommandTextReturn(powershell.exe -NoLogo -NonInteractive -NoProfile -Command "Get-NetFirewallProfile | Select Name, Enabled")

All Answers

1

Review this page.
https://www.windowscentral.com/how-use-windows-defender-command-prompt-windows-10

Here you can find the usual commands, which you can use in a Custom Inventory Rule to report the status.


Answered 11/22/2019 by: Nico_K
Red Belt

1

The KACE Appliance can report on registry status... These are called Custom Inventory Rules.

You will need to tell the appliance what key or keys to look for and give it a name...

The problem is Microsoft constantly changes the registry, and the firewall status is tied to a couple of registry keys...

See:

https://www.wintips.org/how-to-disable-defender-antivirus-firewall-in-windows-10/

Look at the number of keys they mod to turn off the firewall; you will need a Custom Inventory Rule to check the status of all of those keys...

Like if Key A=1 and Key B=1 and Key C=1, then it will fall into the criteria of a Custom Inventory Rule named "Win Defender Firewall Enabled".

Custom Inventory Rules were very popular for customers who wanted to report on each version of Internet Explorer a couple of years ago, see:

https://www.itninja.com/blog/view/kace-custom-inventory-rules-101

There is also another possibility: if you could get the status of that firewall via PowerShell, you could simply use a Custom Inventory Rule with the ShellCommandTextReturn function, and that will gather the status into the inventory, without having to query the registry places.

Answered 11/22/2019 by: Channeler
Red Belt

1

I use a Custom Inventory Rule, and it works like a charm for my needs.

ShellCommandTextReturn(powershell.exe -NoLogo -NonInteractive -NoProfile -Command "Get-NetFirewallProfile | Select Name, Enabled")

The result in the Inventory looks like this:

My Report shows all devices, but you can filter it to only show anything with a False for Domain for example

Answered 11/26/2019 by: Jako
White Belt
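
An added example, not part of the original thread or of KACE itself: once the text gathered by either `ShellCommandTextReturn` rule above has been exported from the inventory, a short Python script can flag devices with a disabled firewall profile or with no usable data. The device names and sample outputs are constructed, and the device-to-text dictionary is an assumed export shape.

```python
import re

# Constructed sample values (not from a real appliance), shaped like the text
# the two ShellCommandTextReturn rules in this thread would store per device.
SAMPLE_INVENTORY = {
    "PC-001": "Name    Enabled\n----    -------\nDomain     True\nPrivate    True\nPublic     True\n",
    "PC-002": "Name    Enabled\n----    -------\nDomain    False\nPrivate    True\nPublic     True\n",
    "PC-003": (  # netsh advfirewall show allprofiles, trimmed to the State lines
        "Domain Profile Settings:\n" + "-" * 70 + "\nState                                 ON\n\n"
        "Private Profile Settings:\n" + "-" * 70 + "\nState                                 OFF\n\n"
        "Public Profile Settings:\n" + "-" * 70 + "\nState                                 ON\n"
    ),
    "PC-004": "",  # rule returned nothing, e.g. the command failed on that device
}

PS_ROW = re.compile(r"^\s*(Domain|Private|Public)\s+(True|False)\s*$", re.I)
NETSH_HEAD = re.compile(r"^\s*(Domain|Private|Public) Profile Settings:", re.I)
NETSH_STATE = re.compile(r"^\s*State\s+(ON|OFF)\s*$", re.I)

def parse_profiles(text):
    """Return {profile: enabled} from Get-NetFirewallProfile or netsh output."""
    profiles, current = {}, None
    for line in text.splitlines():
        if m := PS_ROW.match(line):
            profiles[m.group(1).capitalize()] = m.group(2).lower() == "true"
        elif m := NETSH_HEAD.match(line):
            current = m.group(1).capitalize()  # State lines belong to this profile
        elif (m := NETSH_STATE.match(line)) and current:
            profiles[current] = m.group(1).upper() == "ON"
    return profiles

def triage(inventory):
    """Map device -> list of problems; an empty list means all profiles are on."""
    findings = {}
    for device, text in inventory.items():
        profiles = parse_profiles(text)
        disabled = [f"{p}: disabled" for p, on in profiles.items() if not on]
        # Missing data is reported separately so a failed rule is not read as "OK".
        missing = [f"{p}: no data" for p in ("Domain", "Private", "Public")
                   if p not in profiles]
        findings[device] = disabled + missing
    return findings

if __name__ == "__main__":
    for device, problems in triage(SAMPLE_INVENTORY).items():
        print(device, "OK" if not problems else "; ".join(problems))
```

Localized (non-English) `netsh` output will not match these patterns and is reported as "no data" rather than as enabled.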

1

What I do,


I set up a custom rule with:

RegistryValueEquals(HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications,DisableNotifications,00000001)


Then I have a smart label that detects Windows 10 devices that DO NOT have this custom inventory item.


Then a script is set on a schedule to set this registry key on the smart label devices.


Works for us real well.

Answered 11/27/2019 by: jct134
Senior White Belt