The Microsoft Defender Security Console is the worst enterprise security product that I've used yet, and the Device Discovery and Monitored Networks are basically enabling this product to act as a virus. It's ironic.
I have no desire to collect a list of all of the machines when my users visit a coffee shop, especially when there is no option to delete junk data from the console. Further, I have to protect my users in that higher-risk environment (the coffee shop). So, showing me all of my users' home devices, which I won't ever control, is generally pointless and clutters up my console, hiding the data that I need to act on.
The Device Discovery Settings simply don't work. Mine is set to Basic and Selected tags, but machines without the selected tags are being discovered and even onboarded! This is happening even for machines that aren't in our Azure tenant, and I have no access to them. So, I can't offboard them and can't delete them from the console. This is another distraction from the endpoints that I manage and need to protect and clean up.
Device Discovery returns incorrect information (e.g. shows Workgroup for domain joined Windows 10 machines).
Why is the setting to disable/turn off Device Discovery not on Device Discovery settings page?? SMH. Tip for others: it's in Settings > Endpoints > Advanced Features > way down the page.
If Monitored Networks was an explicit, assigned list, then it would be helpful, but as is noted on the Monitored Networks settings page and its supported documentation, “If less than 50 networks are identified as corporate networks, then list will show up to 50 networks with the most onboarded device.” So, while there is some partial truth in that I can control networks after discovery, I do not have control before discovery. I cannot limit discovery exclusively to my corporate network and nothing more. And again, I have no ability to clean up devices from the console. So, when three of my users visit a coffee shop, that network is monitored until I identify that and go in to ignore it. And my console is cluttered with all of the discovered mobile and desktop machines that connect in that coffee shop from the time it was discovered until I see it and tell it to ignore it. And, with all of the other junk in my console, how long would it be until I noticed this? Network discovery should absolutely have an option to turn off, and only be an assigned/explicit list!
The entire Defender/ATP/Security console is far too early for usage. I suggest that anyone who finds this before deciding to implement Defender as their AV solution look elsewhere until 2025 or so, when maybe this product will be ready to use. PS: It will probably have a different name then since...Microsoft.