Enable or Disable Archive Scanning with Intune Policies

Managing Archive Scanning with Intune Policy: Enable or Disable

This article explores how to allow or disallow the scanning of archive files—such as .ZIP or .CAB—using an Intune policy. This policy determines how security software, such as antivirus programs, handles compressed folders during scans for harmful or unwanted software.

Archive files are often used to compress and store multiple items, but they can also conceal hidden threats. The Intune policy controls whether these files are scanned during routine checks, directly affecting security and performance.

How the Policy Works

  1. Enabled or Not Configured: When this setting is enabled or left unconfigured, archive files such as .ZIP or .CAB are always scanned during regular checks. This gives comprehensive protection by finding threats hidden inside archives, at the cost of slightly longer scan times.
  2. Disabled: Disabling this policy skips archive files during routine checks. The files inside an archive are still scanned if you manually scan that specific archive (for example, right-click it and select "Scan"). This setting speeds up scans but increases the risk of missing threats hidden inside compressed files.

Key Considerations

This post provides detailed guidance on enabling or disabling archive scanning using an Intune policy. It explains the functionality of the policy, the configuration options, and the trade-offs between security and performance when managing archive scanning.

By understanding these settings, you can make informed decisions tailored to your organization's security requirements and operational priorities.

Windows CSP: AllowArchiveScanning

The AllowArchiveScanning policy in Windows Configuration Service Provider (CSP) enables you to configure archive scanning settings on devices running Windows 10 and later. This policy is managed through mobile device management (MDM) tools such as Microsoft Intune, and it uses OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings to apply configurations.

Key Details:

  • Scope of Application: This policy is applied to devices, not individual users. It ensures consistent behavior across all applicable devices within your organization.
  • Supported Versions: The policy is compatible with Windows 10 version 1607 and later, including the following editions:
  • OMA-URI Path: The path for configuring this setting is: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowArchiveScanning

This configuration is crucial for managing how Windows Defender handles the scanning of archive files, such as .ZIP and .CAB, ensuring alignment with your organization's security requirements.

Enable or Disable Archive Scanning with Intune Policy – Table 1
Enable or Disable Archive Scanning with Intune Policy – Fig. 1

Enable or Disable Archive Scanning Using Intune Policy

To configure archive scanning settings through Intune, follow these steps:

1. Sign In: Log in to the Microsoft Intune Admin Center.

2. Navigate to Configuration Profiles: Go to Devices > Configuration Profiles > Create Profile.

Enable or Disable Archive Scanning with Intune Policy – Fig. 2

3. Choose Platform: In the profile creation window, select Windows 10 and later as the platform.

4. Select Profile Type: Choose Settings Catalog from the available profile types.

5. Create the Profile: Click the Create button to start defining the settings for archive scanning.

This process allows you to customize and deploy the policy effectively, ensuring it aligns with your organization's security and performance requirements.

Enable or Disable Archive Scanning with Intune Policy – Fig. 3

Creating a Profile: Basics Settings

In the Basics section, provide a clear and descriptive name for the profile to ensure easy identification later. You can also include an optional description to outline the profile's purpose or additional details.

Once you've completed this step, click Next to proceed to the next configuration stage.

Refer to the screenshot below for a visual guide to these steps.

Enable or Disable Archive Scanning with Intune Policy – Fig. 4

Configuring Defender: Allow Archive Scanning

In the Configuration Settings section, follow these steps to configure the Defender settings:

  1. Click Add Settings to open the Settings Picker window.
  2. Browse through the available categories or use the search bar to quickly locate specific settings.

Steps to Enable Archive Scanning:

  • In the search field, type Defender to filter the settings.
  • Locate and select Allow Archive Scanning from the list of options.

This ensures that Defender is configured to scan archive files, enhancing your device’s security posture.

Enable or Disable Archive Scanning with Intune Policy – Fig. 5

Allow Archive Scanning

This setting lets you choose whether to allow or block the scanning of archive files. The dropdown menu has two options:

  • Allowed – Scans archive files.
  • Not allowed – Turns off scanning for archive files.

Enable or Disable Archive Scanning with Intune Policy – Fig. 6

Scope tags are an optional feature in Microsoft Intune. This profile does not require one, so you can skip this section. Scope tags help you organize policies and apps so that the administrators responsible for specific groups, users, or regions within your organization can manage them.

Enable or Disable Archive Scanning with Intune Policy – Fig. 7

Assignments: Applying Policies in Microsoft Intune

The Assignments section is a crucial step in any policy configuration within Microsoft Intune. This section allows you to specify which users or devices the policy will apply to, ensuring targeted and effective management.

Key Features of the Assignments Section:

  1. Include and Exclude Options: The Assignments tab is divided into two parts, Included groups and Excluded groups.
  2. Adding Groups: Add the user or device groups that should receive the policy, and any groups that should be excluded from it.
  3. Proceed to the Next Step: Click Next to continue.

This structured approach ensures that policies are applied to the right audiences, minimizing the risk of misconfiguration and enhancing overall policy management efficiency.

Enable or Disable Archive Scanning with Intune Policy – Fig. 8

Review and Create: Finalizing Your Policy

The Review and Create step marks the final stage in the policy creation process. This step provides an opportunity to thoroughly review all the details and settings configured for the policy, ensuring accuracy before finalization.

  • Final Review: Carefully check all the policy details, including the name, description, platform, assignments, and configuration settings.
  • Create the Policy: Once you are confident that everything is correct, click the Create button to finalize the policy.

Post-Creation Confirmation

  • After the policy is successfully created, you will receive a confirmation notification.
  • At this point, you can close the Create Profile section and begin monitoring or managing the policy as needed.

This step ensures that your policy is ready for deployment without any errors, serving as a critical checkpoint in the creation process.

Enable or Disable Archive Scanning with Intune Policy – Fig. 9

Monitoring Status

The Scanning of Archives policy was successfully created. The Succeeded value displays 45, indicating that the creation process completed without any issues.

Refer to the screenshot below for additional details on this process and its successful implementation.

Enable or Disable Archive Scanning with Intune Policy – Fig. 10

Client-Side Verification

The MDM Policy Manager applies the AllowArchiveScanning policy under the Defender category. Key parameters like Enrollment ID, Int Value, Enrollment Type, and Scope may vary for each device, reflecting its specific configuration and policy assignment.

Example Parameters (May Vary):

  • Enrollment ID: A unique identifier for the device's enrollment (e.g., B1E9301C-8666-412A-BA2F-3BF8A55BFA62). This value is specific to each enrolled device.
  • Int Value: Represents the applied policy's value (e.g., 0x0). For AllowArchiveScanning, 1 corresponds to Allowed and 0 to Not allowed, so compare this value with the option you selected in the profile.
  • Enrollment Type: Indicates the type of enrollment used (e.g., 0x6 for MDM-managed devices).
  • Scope: Defines the policy's application scope (e.g., 0x0 for device-level policies).

Verification and Troubleshooting

To confirm the policy is correctly applied:

  1. Open the Event Viewer on the device.
  2. Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
  3. Look for the event that records the policy being applied and cross-check the key parameters above. Event ID 814 is commonly seen when a policy is applied successfully, but the ID can vary depending on the policy.

If discrepancies are observed:

  • Compare the event parameters to expected values.
  • Ensure the device has synced with Intune and check the Intune Admin Center for assignments.
  • Refer to official documentation for additional troubleshooting based on the log output.

This approach accounts for variability in these parameters, helping ensure accurate validation across different devices.
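The verification above can be scripted. The following PowerShell is an added example, not the author's, for a device enrolled as described: it reads the parameters from the Event ID 814 entry, reads the PolicyManager registry value (that path is an assumption for this example) and compares both with the effective Defender preference from Get-MpPreference. Run it in an elevated session on the client.

```powershell
# Added example, not part of the article: verify AllowArchiveScanning on an enrolled device from the
# Event ID 814 entry, the PolicyManager registry value (path assumed) and the effective Defender preference.

function Get-EventParam([string]$Message, [string]$Name) {
    # Parameters appear as "Name: (value)" in the event text; layout assumed from the article's list.
    if ($Message -match "$([regex]::Escape($Name)): \(([^)]*)\)") { return $Matches[1] }
    return $null
}

function Get-ArchiveScanningPolicyEvent {
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 814 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Policy: \(AllowArchiveScanning\)' } |
        Select-Object -First 1
    if (-not $evt) { return $null }
    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated
        EnrollmentID   = Get-EventParam $evt.Message 'EnrollmentID requesting merge'
        IntValue       = Get-EventParam $evt.Message 'Int'
        EnrollmentType = Get-EventParam $evt.Message 'Enrollment Type'
        Scope          = Get-EventParam $evt.Message 'Scope'
    }
}

function Get-ArchiveScanningPolicyRegistry {
    # Policy CSP values land under PolicyManager\current\device\<Area>; path assumed for this example.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
    (Get-ItemProperty -Path $key -Name AllowArchiveScanning -ErrorAction SilentlyContinue).AllowArchiveScanning
}

function Test-ArchiveScanningState {
    $ev  = Get-ArchiveScanningPolicyEvent
    $reg = Get-ArchiveScanningPolicyRegistry
    $mp  = Get-MpPreference
    # Intune "Allowed" = 1 (DisableArchiveScanning False); "Not allowed" = 0 (DisableArchiveScanning True).
    $expectedDisabled = ($reg -eq 0)
    [pscustomobject]@{
        EventIntValue          = $ev.IntValue
        EnrollmentType         = $ev.EnrollmentType
        Scope                  = $ev.Scope
        RegistryValue          = $reg
        DisableArchiveScanning = $mp.DisableArchiveScanning
        # Consistent only when the CSP value is present and Defender's effective setting agrees with it.
        Consistent             = ($null -ne $reg) -and ($mp.DisableArchiveScanning -eq $expectedDisabled)
    }
}

Test-ArchiveScanningState | Format-List
```

A missing event or registry value usually means the device has not synced yet; Consistent = False with both present points at a conflicting Defender configuration worth investigating.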


More Information

For additional guidance on configuring the "Allow or Disallow Scanning of Archives" policy using Microsoft Intune, refer to the following resources on Microsoft Learn:

These resources provide comprehensive instructions on setting up, managing, and optimizing device configurations with Microsoft Intune.


Thank you!

Ricardo Barbosa

MCT Microsoft Certified Trainer | Cloud Architect

Technology Director - https://altelix.com


Marcelo Gonçalves

Microsoft Security MVP | Docker Captain | MCT | Microsoft 365 Specialist | Intune | SCCM | Purview | Azure | GCP | OCI

1 month

Amazing!!! Great man!
