In the world of modern device management, ensuring that all devices are compliant and secure is needed. However, when OEMs use the Home edition of Windows to create their base images with images no MSSense is used, it can lead to significant challenges, particularly with onboarding devices to Microsoft Defender for Endpoint and ensuring compliance in Intune. In this blog post, we will explore this issue with the missing MSSense feature in detail and provide a step-by-step solution to resolve it.
The Issue with MSsense not installed
With the new CoPilot devices with with the ARM snapdragon devices, which are delivered with Windows 11 24H2, the OEMs used the Home edition of Windows to create their base images; with this image, MSsense is missing a key feature. This practice can lead to complications when trying to onboard devices to Microsoft Defender for Endpoint. The Home edition lacks certain features and capabilities that are essential for enterprise security and compliance, such as the Windows Sense Client required for Defender for Endpoint. There is a kb article about the issue KB5043950: Windows 11, version 24H2 support – Microsoft Support
Why It Matters
Without the necessary features, devices cannot be properly onboarded to Defender for Endpoint, resulting in non-compliance with security policies in Intune. This not only poses a security risk but also complicates device management and monitoring. The OEMs are currently working on creating the new base image for 24H2, so it will be resolved over time, but for now, we need to take care of this problem to keep our fleet of devices secure.
The Solution to remediate MSSense
To address this issue, we need to ensure that the Windows Sense Client is installed and running on all devices. Here’s a remediation script that checks if the Windows Sense Client is running and, if not, installs it using the DISM command. Therefore, we are first creating the detect script
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#============================================================================================================================= # # Script Name: Detect_MSSenseOEMissue.ps1 # Description: # # Notes: Detect if the MSsense process is running to check if the OEM use a Home edition image #============================================================================================================================= # Get the MsSense process $process = Get-Process -Name "MsSense" -ErrorAction SilentlyContinue # Check if the process is available if ($process) { # Process is running, exit with code 1 Write-Output "Process is running" exit 1 } else { # Process is not running, exit with code 0 Write-Output "Process is not running" exit 0 } |
And now the remediation script:
|
1 2 3 4 5 6 7 8 9 |
#============================================================================================================================= # # Script Name: Remediate_MSSenseOEMissue.ps1 # Description: # # Notes: Remediate the MSsense Client to install it on the device #============================================================================================================================= DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~ |
Steps to Deploy the Script in Intune:
Go to Devices | Scripts and remediations, click on +Create
Fill in a name and click Next
Now, we need to add the scripts to detect and remediate the first step of the detect script.
Copy and paste the scripts into the remediation policy to get things going. Assign it to a device group it might be good to use the new filter where we can use cpuArchitecture so we can only assign it to devices with the new ARM architecture or create a filter only to assign it to Windows 24H2 (this would be 10.0.26)
Conclusion
By ensuring that the Windows MSSense feature is installed and running, you can make sure that all devices are correctly able to be onboarded to Microsoft Defender for Endpoint and compliant with Intune policies. This not only enhances security but also simplifies device management and monitoring.
Windows Sense acts as a crucial component in creating a secure and well-managed environment for all devices within the network. It enables seamless integration with Microsoft Defender for Endpoint and ensures that all devices are in compliance with Intune policies, thus contributing to a more robust and secure IT infrastructure. Additionally, by having Windows Sense installed and running, organizations can effectively streamline device management processes and gain greater visibility into the security posture of their devices. This proactive approach to security and management not only mitigates potential risks but also optimizes the overall operational efficiency of the organization.