DavidOverton.com
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
David Overton's Blog » How to wake a computer to perform a antimalware scan, particularly useful for Windows Intune
How to wake a computer to perform a antimalware scan, particularly useful for Windows Intune

While having the book reviewed one feature that was asked for, but is not possible with Windows Intune, was the ability to make Windows Intune wake a computer at night and carry out an anti-virus scan. This blog post is referred to in the book when setting the Anti-Malware policy.

To solve this, there are two issues to tackle:

  1. Wake up the computer
  2. Start a scan

The answer appears to be that to wake the computer we need to use a task in Task Scheduler and then we need to start a scan.  One very important thought here is that we need to ensure the power settings on the computer will put it back to sleep though!  The command line required is “%ProgramFiles%\Microsoft Security Client\Antimalware>MpCmdRun.exe -scan -scantype 0

While working on this, I also wanted something that could be deployed by Windows Intune.  In the end I have written a small piece of software that can create a task that wakes the computer and will start a scan.  If you do not want a scan to start, change the program to execute to “cmd.exe” and the command arguments to be “/c”.  This will start the computer and then open and close a command windows.  Any other scheduled tasks can then run while the computer is idle, including the Windows Intune scan.

So, download

 and extract to a folder.  There are 3 files.  The DLL is from http://taskscheduler.codeplex.com/ and I am grateful to David Hall for this code.  The other two files are the main program and a settings.xml file to enable changing the settings and running as a quiet install for Windows Intune.

The program looks like this:

Schedule Task Tool - screen shot

I would like to think I don’t have to explain to much, however, here are the basics:

  • The task can run either daily, on a set day each week, or a specific day number of each month (including the last day).  It runs at a specific time.
  • The command has 3 parts, the path, the command to run and the command line arguments.  The defaults here are those to run a default scan.

So now the buttons:

  • Set Task creates a task in the Task Scheduler to run the command.  If this is run silently by the Windows Intune installer, this will be owned by the SYSTEM user, otherwise it will be the current user.  If the Save Settings.xml box it ticked then a new Settings.xml file will be created from the settings in the console as well as a task created.
  • The Load button will load settings from the settings.xml file, so you can check your file can be parsed this way.
  • Finally you can read the disclaimer (This is free software with no warranties expressed or implied, plus the statement from David Hall on his software too) if you click on the © notice in the bottom right.

Hopefully we now have a settings.xml file.  The sections in the file are as follows:

<?xml version="1.0" encoding="utf-8"?>
<WakeSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <!-- Wake_Type is Daily (0), Weekly (1) or Monthly (2) -->
  <wake_type>0</wake_type>
    <!-- Wake_Hour is a value from 0 to 23 to represent the time on the 24 hour clock -->
  <Wake_Hour>2</Wake_Hour>
    <!-- Wake_Min is a value from 0 to 59 to represent the minutes past the hour for the event to fire -->
  <Wake_Min>05</Wake_Min>
    <!-- Day_of_Week is a value between 0 and 6, where 0 in Sunday, 1 is Monday and so on.-->
  <Day_of_Week>0</Day_of_Week>
    <!-- Day_of_Month represents the day number in each month that the task will fire.  0 represents the last day, with 1 through 31 being the appropriate day through the month -->
  <Day_of_Month>1</Day_of_Month>
    <!-- Command_Path is the path to the command to be executed.  Normally it is %programfiles%\Microsoft Security Client\Antimalware\ -->
  <Command_Path>%programfiles%\Microsoft Security Client\Antimalware\</Command_Path>
    <!-- Command is the name of the executable to be executed. -->
  <Command>MpCmdRun.exe</Command>
    <!-- Command_Args are the command line argument for the executable.  For the Anti-Malware software with Windows Intune they are normally -scan -scantype 0 -->
  <Command_Args>-scan -scantype 0</Command_Args>
</WakeSettings>

This means that by editing the settings.xml file we can now pass the task creation information to the programme without user interaction – use /quiet /1 as the command line parameters to make this all work.  So now we get to Windows Intune and uploading our solution.  You will need to have all 3 files in one folder by themselves to make this work.

Finally, the Windows Intune “software load” process:

Schedule Task Tool - step 1  Start Windows Intune Management console by going to https://manage.microsoft.com.  Log in and navigate to the Software Workspace and in the overview, Select Step 1 – Upload Software

Schedule Task Tool - step 2  One the tool has loaded, choose the file from the folder with the 3 files required.  Remember to check the box to upload associated files

Schedule Task Tool - step 3  The software description should automatically be populated, but you can change it to anything you want

Schedule Task Tool - step 4  There should not be a requirement to limit the architecture, although I have not tested this on anything except Windows 7

Schedule Task Tool - step 5  Select Use the default detection rules

Schedule Task Tool - step 6Add a command line.  I would recommend “/quiet /1” – this provides a small amount of logging into the event log.  It is important that the /quiet is present otherwise Windows Intune will fail to install the application and a 2nd argument should always be present.

Schedule Task Tool - step 7  Accept the default return codes

You should now be ready to deploy the software.

Schedule Task Tool - step 8  Go back to the Software Workspace and go to the Managed Software section.  Click the software we have just uploaded and then click Deploy.

Schedule Task Tool - step 9  We are asked which computer groups to apply this too and when.  Select these and press OK and the solution will be deployed.

Points to note:

1) This can’t be “Uninstalled” as far as Windows Intune is aware it is an EXE installer.  If this becomes a pressing issue, I will work on a /delete switch and entry into the programme to remove the task

To check the program has deployed, either look in Task Scheduler or in "%Program Files%\Microsoft Security Client\Antimalware\ and you should see the settings.xml file that was applied.

OK, so we have our programme installed and we want to change the timings, so how do we do this?

Well, if you add the tool as an update (Through the updates workspace in the Non-Microsoft Updates section), it will be re-applied.  The one important piece of information when applying as an update is to set the Prerequisites to check for a file existing as the check if this update is requires.  The file should be "%Program Files%\Microsoft Security Client\Antimalware\Settings.xml

Schedule Task Tool - step 11

 

I hope this works for you.  Feel free to add comments and suggestions

 

Thanks


David

Posted Thu, Dec 15 2011 10:09 AM by David Overton
Filed under: , , , , , ,

Add a Comment

(required)
(optional)
(required)
Remember Me?

(c)David Overton 2006-23