Thanks for the reply, Chris Hallum.
"Device discovery is specifically designed to not discover devices that are on public networks (e.g.: local coffee shop), or even private ones like your home network."
That is definitely not my experience. It added my home network, presumably because I was doing Autopilot testing at home and onboarding those devices, but it still isn't a corporate network. The text I pasted above from the Monitored Networks page disagrees with your statement as well, and I believe is the reason why my home network was added. I don't see why the same wouldn't apply for coffee shops when a few of my users are all on that network. I stupidly deleted my home network instead of clicking Ignore, but I'm happy to help your team investigate it, assuming I can do so with Device Discovery turned off. I have zero intention of re-enabling it again!
"If it appears that devices have been automatically onboarded the devices must have been managed by another Microsoft product."
Perhaps.
The only automated enrollment that I saw in the link you provided was Defender for Cloud, which sounds like it has to be deployed on a server. That is definitely not the case in our environment.
For all I know, those are machines owned by spouses of our staff, and which are managed by another tenant. I doubt that since they're "Workgroup" computers. However, my corporate, domain-joined devices were discovered as being in the "Workgroup" domain instead of our corporate domain. So, who knows if that's accurate on those machines. There are really so many problems with Device Discovery.

Back to the enrolled mystery machines... I have no idea how they got there. They aren't in Azure. The Security console has no information about the signed-in user ("No user logged in") or how they were onboarded. One has an IP address suggesting it was on our corporate network (which shouldn't onboard them without being managed), but others have 192.168.x.x addresses. Worst of all, because I have no idea what/where/whose machine it is, I have no access to it and can't offboard it, because there's no option in the Security console to offboard machines (like the Retire feature in Intune). We need options to delete, retire, and I'm starting to think a block function is necessary for mystery machines. They aren't our corporate machines, aren't under my management, and are cluttering up my view for things that need my attention.