The 3 R's of Microsoft 365 Defender's Live Response

Introduction

Recently a client had quite an issue with DirectAccess.  I won't go into the specifics but I will say that, in addition to a number of remediation scripts that we needed to run using Intune - we did need to contact a significant number of users directly.  In these cases the user's device did have an issue contacting any of the on premise domain controllers. And because of this, some web based applications could not be accessed.

And we did need to initiate a remote viewing session with each user, either using QuickAssist or Teams.  With QuickAssist we would normally be able to execute commands or scripts with elevated privileges.  But in these cases this was not possible because no domain controller could be contacted to complete a Windows authorisation.  And in Teams we do have a remote sharing feature and also with the ability to take control of the user's desktop when required - but Teams is a collaboration application and not a remote troubleshooting tool - and there is not, as far as I know, any way of taking control with elevated privileges.

And so I thought the Live Response feature in the Microsoft 365 Defender cloud based solution might be the ticket.  And so it was.  You could almost say it was tailor made for our particular problem.

We had to achieve four things when we contacted each user:

1) Check child registry keys were cleared under HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

2) Check the hosts file in c:\windows\system32\drivers\etc contained a specific IP address and URL

3) Run a PowerShell script if any of the above checks failed

4) Connect via a backup VPN solution and run gpupdate.

Using Teams or QuickAssist we could perform items 1 and 2 but not item 3.  And in any case often times the session would be slow and cumbersome.  Possibly we could guide the user to completing step 3 if they had local admin rights - and as a rule this was not the case.

And so the three R's of Live Response came to our rescue - Registry, Retrieve and Run.  Live response is a Remote Shell connection, giving us administrators a set of powerful commands for troubleshooting devices with elevated privileges.  And such troubleshooting requires no demands of the user - and if they can do some of their required work, issue permitting, then they can do so while the security administrator uses Live Response to troubleshoot and resolve the issue.  It sounds cool and it is cool, as we shall see.

Note: This article will not cover step 4 - connect via a backup VPN solution and run gpupdate

Allowing Live Response

We permit the use of Live Response in the Microsoft 365 Defender portal by navigating to Settings\Endpoints\Advanced features.  Turn on Allow users with appropriate RBAC permissions to investigate devices that they are authorized to access, using a remote shell connection.

In addition, if you need to run unsigned PowerShell scripts, turn on Live Response unsigned script execution.

Using Live Response

A Live Response remote shell is started by navigating, in the Defender Portal, to Devices.  In the Device Inventory blade you can type the name of the troubled device in the Search box

Click on the returned device and then click on the 3 ellipse points on the right hand side. Select Initiate Live Response Session from the drop down list.

Your command console sessions is then established.

Registry

The first R of our list of requirements, as stated above, is to check a particular registry key in the HKLM hive.  We do this by running the registry command with the path to the key.

registry "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient\DNSPolicyConfig"

After a few seconds the results are returned.

There are clearly many child keys under the DnsPolicyConfig key, and so this particular device does not pass the first of our two checks.

Retrieve

The second check, as detailed above, was to examine the hosts file.  For this we have the getfile command:

getfile c:\Windows\system32\drivers\etc\hosts

We press enter and after a few seconds the hosts file is copied to our Downloads directory for us to examine.

A quick examination confirmed this file to contain the required IP address and URL.

Run

In this particular example, one of our two checks failed - the hosts file checked OK but the DNSPolicyConfig key contained child keys that we need to remove - for the purpose of our DA issue.  

To do this I need to do the following.

1) Upload my script, called cleanDNS.ps1 to the Live Response library.

2) Run the following command in the command shell: run cleanDNS.ps1

Uploading the Script

This is done by clicking on Upload file to library, which is located on the right hand side above the command shell.

The next steps are fairly intuitive.  Click on Choose File and browse to and select the PowerShell script to run,  I chose my CleanDNS.ps1 file.

The next step is to click on Confirm.

Note:  The cleanDNS.ps1 script is very simple and contains the following command - Remove-Item -path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\*" -recurse

Run cleanDNS.ps1

Now we can run our script using the run <name of script> command.

So we do type in run cleanDNS.ps1 and click on Enter. The script successfully executes.

Note:  The name of the file is case sensitive.

We now have remediated the registry issue.  For this real world example, the next step was to connect the device using the backup VPN solution and run a gpupdate, which would populate the DNSPolicyConfig key with the required child keys, properties and values.  After a reboot the DA feature was once more working and the user could access their required internal web based applications,

I hope you enjoyed reading this article and I wish you as much success with your testing of the Live Response feature in Microsoft 365 Defender

Colin

Lenovo WarrantyLookup BatchQuery and MECM Data

Introduction

MECM is a very powerful management system and does collect a lot of data about devices, and this means I often get asked for information about devices.  One manager might want to know which devices have Firefox installed and another may need to know which devices are low on disk space.  There is so much information in the database and, in most cases, I'm able to whip up a query and deliver on the data request within the hour, workload permitting.

A few weeks ago I got asked about warranty information for laptops.  Which laptops are out of warranty and which laptops will soon be out of warranty.  I was able to produce some reports based on the date the devices were registered in MECM, but this was only an estimation.

1) A machine may have been provisioned months after purchased - and the warranty period starts from the date of purchase or delivery, not the provisioning date.

2) A machine may have been returned for a rebuild - and in this situation the estimation could be hugely inaccurate.

3) A machine entry in the MECM database may have been deleted, for whatever reason, and the client reinstalled and re-registered.

And then I discovered the UK Lenovo Warranty Lookup page at:

https://pcsupport.lenovo.com/uk/en/warrantylookup#/

And then I discovered the Run batch query page at:

https://pcsupport.lenovo.com/uk/en/warrantylookup/batchquery

I knew then I had the means to supply this manager with exactly the information he required for all the Lenovo devices.

In this article I will describe how I completed this request. I will cover the following steps:

1) Download the Lenovo Template.

2) Populate the Lenovo Template.

3) Submit the data and retrieve the warranty information.

4) Retrieve additional data from a MECM query.

5) Create a database and import the required information - this is to add machine name and other information to the warranty data returned from Lenovo.

6) Create a SQL query to connect the Lenovo data with the MECM data.

Download the Lenovo Template

If you are in the UK navigate to:

https://pcsupport.lenovo.com/uk/en/warrantylookup/batchquery and click on Download the Latest Template

An excel files called Warranty_Batch_Lookup_Template.xlsx will be downloaded.  This file contains the columns that need to be populated with information from our MECM database.  At the time of writing we can see that we need the devices' serial numbers and model numbers.

Save this file to a convenient location and provide it with a relevant name such as LenovoUpload.xlsx.

Populate the Lenovo Template

Next, we need to create a query in the MECM console.  This will allow us to populate the Excel template file downloaded in the previous step.  Thus we need to create a query to retrieve the model number and the serial number.  Open the MECM console and navigate to Monitoring\Queries.  Right click and select Create Query.  Enter in a name such as Lenovo Batch Info.

Click on Edit Query Statement.

Click on Show Query Language and copy the following query statement into Query Statement area.

select SMS_G_System_COMPUTER_SYSTEM.Model, SMS_G_System_PC_BIOS.SerialNumber from  SMS_R_System inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_PC_BIOS.Manufacturer = "LENOVO" and SMS_G_System_OPERATING_SYSTEM.Caption like "Microsoft Windows 10%"

Click on OK and Next to create the query.

After creating this query, run it to retrieve the results.  Press CTRL A and then CTRL C to select the results and copy the results.

Open the previously created template spreadsheet and paste (CTRL V) the results into the spreadsheet.  Save the spreadsheet.

Submit the data and retrieve the warranty information.

Having retrieved the serial and model numbers from MECM and copied them into the template spreadsheet, we can now upload them to the Lenovo portal and retrieve the desired warranty information.

Navigate to the following URL:

https://pcsupport.lenovo.com/gb/en/warrantylookup/batchquery

Click on Browse and select the previously populated and saved spreadsheet.

Click on Submit to download the required warranty information

After you have had a good look at all this useful warranty information in Excel, save it as a .csv file.  In my case I save it as lenovo.csv.  We will need this file later when we import the data into our custom database.

Retrieve additional data from a MECM query

And this information is what we require, but of course it does not contain the netbios machine names - because this is provided by the engineer after it is purchased.  It does contain the serial numbers however.  And in MECM we have the serial number and the machine name and we need some way to connect the machine name to the warranty information.  We could do this manually but that is not realistic, given there maybe hundreds or thousands of machines.

Note:  The template upload file also has a comments column.  Another way of achieving this is to populate the comments column with the netbios name or any other information you require in the report.  This would be an easier approach if you are more confident working with MECM queries and you are sure exactly what information you would like to attach to the warranty information, before uploading the template spreadsheet.

We need to create a query in MECM that returns at least the netbios names and the serial numbers.  So let us create such a query, in the same way that we created the last MECM query for the upload.  I call this query Basic Information and it has the following SQL query.

select SMS_R_System.NetbiosName, SMS_G_System_PC_BIOS.SerialNumber from  SMS_R_System inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceId = SMS_R_System.ResourceId

After running this query, press CTRL A and then CTRL C and paste the data into an Excel file.  The column headings I added to my spreadsheet were name and serial.

Save this spreadsheet as a .csv file called mecm.csv.  We now have two files called lenovo.csv and mecm.csv.  These will be used in the next section.  The data in these two files will be imported into our custom database.

Create a database and import the information 

And now we have all the data required for our warranty and in two files.  You could hand them over to your database administrator and ask kindly for him or her to do their magic and combine the netbios names in the mecm.csv file with all the warranty data in the lenovo.csv file - but where is the fun in that?

We can do it ourselves.  You might prefer to use an Access database, but here I use the SQL database on my test server.

I open up the Microsoft SQL Server Management Studio and right click on Databases and select New Database.  In the Database name field I enter in WarrantyLookup and click on OK.

The database is created and that is how simple such a thing is.  Now we need to import the lenovo.csv and the mecm.csv files into the database - each file will be imported into its own table.

Navigate to the WarrantyLookup database in the SQL Server Management Studio and right click and select Tasks and then Import Flat File.

Click Next at the Introduction window of the wizard.  On the Specify Input File windows browse to the the mecm.csv file.  You can leave the default table name or change it to mecm to match our example.

Click Next on the Preview Data page.  On the Modify Columns page confirm you are happy with the column names.

Click on Next and then Finish and Close.  We can see that the mecm table is created.

Repeat all of the above steps in this section to import the lenovo.csv file.  Your new database will now contain two tables with the information we need to produce our final report.

 Create a SQL query to connect the Lenovo data with the MECM data

Now we are ready to combine the data from both the tables we created in the previous section.  In the SQL Management Studio  navigate to the WarrantyLookup database and click on New Query, in the upper ribbon.  In query window enter in the following SQL query.

select * from 

mecm me

inner join lenovo le

on le.serial = me.serial

After pressing Execute our required data will be returned.

This data can be copied and pasted into an Excel spreadsheet (CTRL A and CTRL C and CTRL V) and filtered according to your requirements. 

I hope you enjoyed reading this article and I hope your manager appreciates your hard work when you present to him or her, the warranty data relevant to your environment.

Colin