MDE migration from 3rd party AV run MDE full scan once migrated


Hi, 

I am running a project in which we are migrating from a 3rd party EDR/AV solution. I want to follow the recommendation from MS to run at least 1 full scan after the 3rd party AV is uninstalled and MDE AV becomes active on those machines. We will deploy policies with Intune. However, I have no clue how to configure the policy to be sure that once AV switches from passive to active, a Full Scan will be triggered.

In the past I observed, e.g., that if your policy is configured with catch-up scans enabled, then once you onboard to MDE the scan will run anyway, even if your AV is still passive. I want to avoid that. My plan is to use scheduled daily quick scans only, plus one first full scan. I did not find a smart way to do that. Thx!


Hello @hibi6x ,


There is no policy to run only one full scan when defender is switched to active mode.


Assuming your devices are onboarded even while in Passive mode, there is a workaround to achieve your goal using MDE custom detection rules. Here is how:

  1. Go to Advanced hunting and run a query to list devices where Defender was switched to active mode:
    // Registry writes made by the Defender engine itself
    DeviceRegistryEvents
    | where ActionType == "RegistryValueSet"
    | where InitiatingProcessFileName == "msmpeng.exe"
    | where RegistryKey contains "Windows Defender"
    // PassiveMode flipping from 1 (passive) to 0 (active) marks the switch
    | where RegistryValueName == "PassiveMode"
    | where RegistryValueData == "0"
    | where PreviousRegistryValueData == "1"
    // DeviceId and ReportId are required for the detection rule's impacted entities
    | project DeviceId, DeviceName, Timestamp, ReportId
  2. Click on "Create detection rule"
  3. Set your own Detection name, Alert title and Description.
  4. Set the Severity to "Info".
  5. Make sure that Frequency is set to Continuous (NRT) and click Next.
  6. Set impacted entities to Device > DeviceId and click Next.
  7. In Actions, expand Devices and choose "Run antivirus scan". Then click Next.
    (screenshot of the Actions step with "Run antivirus scan" selected)

  8. In Scope, I suggest testing this on specific device group(s) before changing it to "All devices".
  9. Review the Summary and Submit.

Expected result: On Windows devices, a full scan will be triggered within a few minutes after Defender is switched to Active mode. The full scan should be triggered once.


Note: An alert will be generated whenever this is triggered. You can view the alerts/actions triggered when you open the detection rule page. 


For more information regarding Custom Detection rules: Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn
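To confirm on an endpoint that the switch happened and that the one-off full scan actually completed after it (and that catch-up full scans are off, which is what triggers scans while still in passive mode), here is an added verification script; it is not part of the thread above, and it assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is available on the device.

```powershell
# Added example, not from the original thread. Checks a device after migration:
# is Defender AV active, did a full scan finish after the switch, and is the
# scheduled/catch-up configuration the "daily quick scans only" one the asker wants.
function Test-DefenderPostMigrationScan {
    [CmdletBinding()]
    param(
        # When the 3rd party AV was removed / Defender went active on this device.
        # Constructed input for the example; pass the real time from your migration log.
        [Parameter(Mandatory)] [datetime] $SwitchedActiveAt
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is "Normal" when Defender AV is the active AV,
    # "Passive Mode" while a 3rd party AV is still registered.
    $isActive = $status.AMRunningMode -eq 'Normal'

    # Only count a full scan that ended after Defender became active.
    $fullScanAfterSwitch = $false
    if ($status.FullScanEndTime) {
        $fullScanAfterSwitch = $status.FullScanEndTime -gt $SwitchedActiveAt
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AMRunningMode        = $status.AMRunningMode
        DefenderActive       = $isActive
        FullScanEndTime      = $status.FullScanEndTime
        FullScanAfterSwitch  = $fullScanAfterSwitch
        QuickScanEndTime     = $status.QuickScanEndTime
        # Catch-up full scans fire even in passive mode; the asker wants these disabled.
        CatchupFullScanOff   = [bool]$pref.DisableCatchupFullScan
        # ScanParameters: 1 = quick scan, 2 = full scan for the scheduled scan.
        ScheduledScanIsQuick = ($pref.ScanParameters -eq 1)
    }
}

# Example usage: evaluate this machine against a switch time of one day ago.
Test-DefenderPostMigrationScan -SwitchedActiveAt (Get-Date).AddDays(-1) | Format-List
```

Run it on a pilot device after the detection rule has fired; FullScanAfterSwitch should be True and CatchupFullScanOff True if the Intune policy matches the plan described above.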