MDE ‐ Live Response Overview
I have been asked a couple of times now how to use Live Response and what the benefit of it is. In my opinion, Live Response is great for getting onto an endpoint to collect data or to correct a situation.
Top customer situations:
- Need to kick off an antivirus scan(you could use the console also)
- Need to make a configuration change on the endpoint
- Need to remotely wipe the machine(this is assuming you don't want or don't have Intune)
- Remove a device from MDE Management
- Download a file from an endpoint
Prerequisites:
- Live Response configured
- PowerShell scripts, or the knowledge to create them
To access Live Response, navigate to the device; Device Inventory is one of the locations where you can do this. Click on the ellipsis and then click Initiate Live Response.
You can upload PowerShell scripts to your tenant library in the top right corner.
For the most recent commands, please view them here.
The script for this is pretty easy:
```powershell
# Change to the Defender install directory and start a scan with MpCmdRun
cd 'C:\Program Files\Windows Defender\'
.\MpCmdRun.exe -scan -scantype 1   # scantype 1 = quick scan, 2 = full scan
```
I'm kicking off a quick scan, but you can run whichever scan type you need (documentation below).
Now that we have the script, save it and upload it to your library.
Validate the script was uploaded using the library command to list all your files.
Upload the file to the endpoint: putfile RunQuickScan.ps1
You should get this once it's done.
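As an added example (my own, not from the original page or Microsoft's documentation), here is a version of the scan script that also reports whether the scan actually completed and whether anything new was detected. It assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpThreatDetection) is present on the endpoint and that a full scan is requested by passing `-ScanType Full` through the `run` command's `-parameters` switch.

```powershell
# Added example, not from the original page: a scan script that reports whether the
# scan actually ran. Assumes the Defender PowerShell module (Get-MpComputerStatus,
# Get-MpThreatDetection) is available on the endpoint.
param(
    [ValidateSet('Quick', 'Full')]
    [string]$ScanType = 'Quick'
)

# MpCmdRun scan type codes: 1 = quick, 2 = full
$scanTypeCode = @{ Quick = 1; Full = 2 }[$ScanType]
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun"
}

$started = Get-Date

# Run the scan synchronously. MpCmdRun's progress text goes to stdout, which
# Live Response shows in the console once the script finishes.
& $mpCmdRun -Scan -ScanType $scanTypeCode
$exitCode = $LASTEXITCODE

# Compare the engine's recorded scan end time with our start time so a stale
# end time from an earlier scan is not mistaken for a successful run.
$status  = Get-MpComputerStatus
$endTime = if ($ScanType -eq 'Quick') { $status.QuickScanEndTime } else { $status.FullScanEndTime }
$completed = ($null -ne $endTime) -and ($endTime -ge $started.AddMinutes(-1))

# Threats whose first detection falls inside this scan window
$newThreats = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $started })

[pscustomobject]@{
    Device             = $env:COMPUTERNAME
    ScanType           = $ScanType
    MpCmdRunExitCode   = $exitCode      # 0 = scan finished with no findings; anything else needs a look
    ScanCompleted      = $completed
    ScanEndTime        = $endTime
    NewThreatsDetected = $newThreats.Count
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
} | Format-List
```

Upload it to the library like the original script; the object it emits is what Live Response prints back when the run finishes.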
Let's say you are not using Intune, or something came up where you need to wipe a device immediately. We need to script that out; I found the one Microsoft had posted here: MDM_RemoteWipe class
```powershell
# Remote wipe through the MDM bridge WMI provider (MDM_RemoteWipe class).
# Live Response scripts run as SYSTEM, which the MDM bridge requires.
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeMethod"
$session = New-CimSession
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
# doWipeMethod takes a single string input parameter named "param"
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")
$params.Add($param)
try
{
    # Locate the RemoteWipe node of the CSP and invoke the wipe method on it
    $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
    $session.InvokeMethod($namespaceName, $instance, $methodName, $params)
}
catch [Exception]
{
    # Format the error record as text before writing it (piping Write-Host's output to Out-String prints nothing)
    Write-Host ($_ | Out-String)
}
finally
{
    Remove-CimSession $session
}
```
Upload the script to the library.
Validate the script uploaded.
Upload the file to the endpoint with putfile.
Run the script with the run command.
Once the script runs, the system will restart right away. Your Live Response session will disconnect or error out shortly after.