For MDAV via GPO Instructions:
PATH: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus (or Windows Defender Antivirus) -> Threats -> Specify threat alert levels at which default action should not be taken when detected.
Value name: 2147771206
Value: 6
For SCEP via GPO Instructions:
PATH: Computer Configuration -> Administrative Templates -> Windows Components -> Endpoint Protection -> Threats -> Specify threat alert levels at which default action should not be taken when detected.
Value name: 2147771206
Value: 6
Note: If you do not see "Endpoint Protection", see: Manage Endpoint Protection using Group Policies - Configuration Manager | Microsoft Docs
For MDAV and SCEP via SCCM Instructions:
PATH: Assets and Compliance, Endpoint Protection -> Antimalware Policies -> <Select relevant policy> -> Threat overrides -> Enter Threat name: Trojan:MSIL/Solorigate.BR!dha
Override action: Allow
For MDAV via MEM using PowerShell Instructions:
Create a PowerShell script with the following content:
Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
Name it: Allow_SolarWinds.ps1
Save it to e.g. c:\temp
Browse to https://endpoint.microsoft.com
Devices -> Windows -> Powershell scripts
Click on "+Add"
Name: Allow SolarWinds temporarily
Description: Allow SolarWinds temporarily while patching.
Click on "Next"
Script location: Browse to e.g. c:\temp\Allow_SolarWinds.ps1
Run this script using the logged on credentials: No
Enforce script signature check: No
Run script in 64 bit Powershell Host: Yes
Click on Next
Scope tag: <default>
Click on Next
Assignments:
Click on "+Select groups to include"
Select the "Security Group" that has your Windows 10 based systems.
Click on Select
Click on Next
<Review>
Click on Add
Note: For MEM (Intune) PowerShell script troubleshooting, see: C:\ProgramData\Microsoft Intune Management Extension\Logs\IntuneManagementExtension.log
For manual MDAV via PowerShell Instructions:
Launch PowerShell as Admin
Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
For manual SCEP via PowerShell Instructions:
Launch PowerShell as Admin
Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
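The manual MDAV steps above set the override but give no way to confirm it took effect or to undo it once patching is finished. The following script is an added example, not part of the Microsoft guidance on this page; it assumes an elevated PowerShell on Windows 10 with the Defender module, and uses the threat ID 2147771206 and action 6 (Allow) from the page. Run it with no arguments to apply and verify the override, and with -Revert to remove it.

```powershell
# Added example (not from the guidance above): apply the temporary Solorigate
# override on MDAV, verify it via Get-MpPreference, and revert when done.
# Assumes an elevated PowerShell session with the Defender module loaded.
param(
    [switch]$Revert
)

$ThreatId    = 2147771206   # threat ID from the page (Trojan:MSIL/Solorigate.BR!dha)
$AllowAction = 6            # ThreatIDDefaultAction value for "Allow", as on the page

function Get-ThreatOverride {
    # Returns the configured action for $ThreatId, or $null if no override exists.
    $pref = Get-MpPreference
    if (-not $pref.ThreatIDDefaultAction_Ids) { return $null }
    $ids = [long[]]$pref.ThreatIDDefaultAction_Ids
    $idx = [array]::IndexOf($ids, [long]$ThreatId)
    if ($idx -lt 0) { return $null }
    return $pref.ThreatIDDefaultAction_Actions[$idx]
}

if ($Revert) {
    # Remove only this threat's override so Defender's default action applies again.
    Remove-MpPreference -ThreatIDDefaultAction_Ids $ThreatId
    if ($null -eq (Get-ThreatOverride)) {
        Write-Output "Override for threat $ThreatId removed; default action restored."
    } else {
        Write-Warning "Override for threat $ThreatId is still present."
    }
    return
}

# Same command the page uses; Set-MpPreference writes the override list directly.
Set-MpPreference -ThreatIDDefaultAction_Ids $ThreatId -ThreatIDDefaultAction_Actions $AllowAction

$current = Get-ThreatOverride
if ($current -eq $AllowAction) {
    Write-Output "Override active: threat $ThreatId action = $current (Allow)."
} else {
    Write-Warning "Override not applied as expected (current action: '$current')."
}
```

Because the override is meant to last only while patching, schedule the -Revert run as part of the same change window.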
For updates to the instructions above, see https://aka.ms/detect_solorigate.