Recent Discussions
Defender Onboarding
I have a domain joined device. Implementing Defender through the Intune connector (connector status is on, EDR policy is deployed correctly, all ASR rules in place, AV policy in place). Of 2 devices on the same OS version that I tried to onboard, 1 got onboarded and 1 did not. Not sure why? Also, 1 domain joined device got onboarded with an issue where Real-time Protection and Behavior Monitoring are disabled. Any solution? Please don't recommend making any changes to GPO through on-prem. Help me resolve the issue through Intune.

Tuning a defender alert
Hi all, I'm looking for some guidance on tuning a Microsoft Defender alert. I've received an alert that gets triggered when an encoded PowerShell command is executed. I attempted to suppress it by creating a custom rule specifying that if this encoded command is seen, it shouldn't trigger the alert. However, the rule doesn't seem to be working as expected. Could anyone help me understand what I might be doing wrong or suggest a better approach to tuning this alert? I have attached images of the alert. Thanks in advance!

Inquire about Microsoft Defender for Endpoint Deployment
I would like to kindly ask for some guidance. Our office is currently considering deploying Microsoft Defender for Endpoint P1, or possibly Defender for Business. We have a total of 30 PCs, all running Windows 11. Currently, we are using Microsoft 365 Exchange Online (30 licenses) for email communication. All PCs are currently not joined to any Active Directory (either on-prem or Entra ID). If we proceed with purchasing Microsoft Defender for Endpoint, I would like to ask: What setup model would be required for our environment? Do all PCs need to be joined to Microsoft Entra ID (formerly Azure AD) in order to use Defender for Endpoint? A brief overview of the setup steps would also be very helpful. Thank you very much.

Question about adopting the E5 Security add-on for M365 Business Premium: Is there a way back?
Hello everyone. I run a small business and am responsible for system administration, including security. While I'm generally happy with the comprehensive security package included in Microsoft 365 Business Premium, I want to try E5 Security because I noticed that I can only use one group in Endpoint Security (Defender). When I attempt to switch the license from Defender for Business to Defender for Endpoint P2 in the Defender portal, I receive a warning that I can never revert to Defender for Business. Obviously, if it literally states that I can't go back, that's the end of the line, but I would like to try it if possible and revert if necessary. Bottom line, in the worst-case scenario, everything I configured in the Defender portal will be wiped, and I don't mind re-enrolling the devices; I'd just like to know if I can undo it somehow. Thanks in advance. Have a great Friday.

Indicators added for URL with setting 'Audit'. But where can I review those?
Was asked to put a few domains on a watchlist to see how often they're actually requested from endpoints in our organization. Went to Defender, Settings, Endpoints, Indicators, and added the domains there with the action set to 'audit'. I figured I should be able to review something in the Audit logs of Defender itself, but all I see there are the actions I did when adding the URLs to the indicator list. Anyone have any idea where I can review the usage of those websites I've set to audit, so we can determine if it's feasible to shut them down or not?

Intune Website Block Policy Not Working on Newly Enrolled Devices
We configured URL blocking for multiple cloud storage services via the Microsoft 365 Defender portal at https://security.microsoft.com > Settings > Endpoints > Indicators. The policy works on older devices, but we recently discovered that newly enrolled Windows devices can still access those URLs — even though they show as compliant in Microsoft Defender for Endpoint. Has anyone encountered this issue before? The PC was enrolled many days ago.

Report is not populating in real time on Defender for Endpoint portal
The latest signature/security intelligence updates are done on the device; however, Microsoft Defender for Endpoint is not showing the real-time report. Please suggest how to get the real-time report. Provide a Microsoft article stating the telemetry data report population time interval.

Web content filtering and indicator aren't working on third party browser
Hi, we have just noticed that web content filtering and customized indicators are not working on third party browsers after upgrading Defender for Endpoint to 4.18.23050.3. The issue has happened on both Win10 and Win11 machines. Has anyone else got the same issue?

Can Microsoft Defender XDR operate in a passive mode alongside Palo Alto Cortex XDR?
Our organization is planning to transition from Microsoft Defender to Cortex XDR, primarily because Cortex offers 24-hour SOC analyst support. However, we would still like to retain Defender XDR, as we have a Business Premium license which includes Defender for Business. Can we continue to collect and query logs using KQL (via the Microsoft 365 Defender portal) even if Defender is no longer the primary active endpoint protection?

How to get/set defender settings with API
Does anyone know if it is possible to retrieve my Defender settings using the API? For example, I need to access: Microsoft Defender -> Settings -> Endpoints -> General -> Advanced Features. I noticed that the portal uses 'apiproxy/mtp/k8s/mgmt/TenantContext?realTime=true' to obtain all information, and I could see that the API URL being used for it is 'k8s': 'https://wdatpprd-eus3.securitycenter.windows.com/api'. However, the documentation for the Defender API (https://api.securitycenter.windows.com) does not contain any information regarding settings. Is it possible to connect to this API (https://wdatpprd-eus3.securitycenter.windows.com/api) from my application? How should I set up API permissions in my Azure tenant (add any scopes or anything else)? Is there any documentation available on how to achieve this?

Intune Website Block Policy Not Working on Newly Enrolled Devices
We configured URL blocking for multiple cloud storage services via the Microsoft 365 Defender portal at https://security.microsoft.com > Settings > Endpoints > Indicators. The policy works on older devices, but we recently discovered that newly enrolled Windows devices can still access those URLs — even though they show as compliant in Microsoft Defender for Endpoint. Has anyone encountered this issue before? The PC was enrolled 2 days ago.

Password reuse limitations
I have been doing some testing of using Windows Defender to detect password reuse. I have found that if you have the username and password fields together, then password reuse detection works well. However, if you have a site like ChatGPT that has a form for your username and the password box only appears after you have hit enter, then the password reuse detection does not work.

MS Defender User Journey Areas for Improvement
Hi Team, We are currently working toward utilising MS Defender for our Training and Awareness. User Journey planning related to the migration from our current provider to MS Defender found some undesirable features of the Defender portal. As these concerns are currently unavoidable, a ticket will be logged with Microsoft and a forum post made attempting to prompt MS to resolve these issues. Issues include:
- Left hand side navigation panel with more content than desired (i.e. buttons such as threat intelligence, trials, more resources, etc.)
- Inability to customise the home page of the MS Defender portal
- Inability to return to the designated training page when you have clicked away from it
- '?' help button which is not obvious in that it contacts MS Support, not IDS @ Flinders
- Other minor desirable customisation options to improve user experience
Whilst all are issues within the Defender portal, the primary cause for concern is the left hand side navigation panel, which has the potential to be confusing for non-privileged staff. Does anyone know of a way to remove these additional tabs for non-privileged staff, or know of a workaround? Thank you for any help,

Defender for Endpoint on EFLOW?
Hi, I have several deployments of EFLOW on a Windows host, and on those EFLOW VMs I want to run Defender for Endpoint. Documentation is however very sparse. Basically only the Set-EflowVmFeature to enable Defender here: https://learn.microsoft.com/en-us/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions#set-eflowvmfeature Is that all there is to it to install, configure and run Defender within EFLOW? Any ways to check / validate locally on the VM or centrally?

API - Vulnerabilities.read.all and Score.Read.All
Trying to leverage Defender metrics for management reporting (things like ExposureScore, SecureScore, etc. I'm interested in absolutely everything to get the right PowerBI dashboard). When assigning (for example) Vulnerabilities.read.all and Score.Read.All and granting admin consent, these aren't actually getting pulled through to the JWT token, using Postman combined with jwt.ms to view the token. So what gives? Where did those permissions go? I thought it might be propagation, so I have now given it 5 days in total. Is it that these APIs just aren't accessible despite the Microsoft documentation like: https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities I am fully licensed (albeit trials). It seems that the Graph API (e.g. https://graph.microsoft.com/v1.0/security/secureScores) is very friendly to my needs, whereas https://api.security.microsoft.com/api/exposureScore does not allow my app registration access even when permissions are there...

Removing attack surface reduction rules not possible
Hi, We have implemented attack surface reduction rules in my company on all Windows 10 PCs. We audited for a few months and created exclusions, which worked well. Now we have a new program that is being blocked by the MacroWin32ApiCall rule, and even using exclusions we cannot get the program to stop being blocked. So we simply want to remove this MacroWin32 ASR rule from a machine. We enabled it through SCCM with a big policy containing all PCs. When we remove this particular PC from the policy, create a new policy putting the rule in audit mode / disabled, and push the policy out to the machine, nothing happens; it is still stuck as enabled. When we add exclusions to this policy, they are recognized by the PC. So the policy is being implemented; the rule is just not being changed from enabled to audit or disabled (we tried both). Does anyone have any experience with this?

Cannot download Onboarding package
Hello, we're having problems when trying to download the Defender onboarding package. Tried different OS, different deploying methods, but within a second of clicking Download onboarding package we get a popup saying "Client Error. Failed to get APK url from server". Anyone seen this before?

Deny-Option in quarantined Emails grayed out
Hi, We check the emails in the MS Defender quarantine daily as a team. Is there any possibility to move the reviewed mails to another list or mark them somehow, so that my next colleague in the team could go on reviewing the next mails in quarantine, but not double review the mails which I checked last time? Otherwise I see the Deny option is always grayed out. How could we enable it? Thanks for your support!

how do i contact comcast about email problems
We’re deploying Microsoft Defender for Endpoint and aligning it with PCI-DSS v4.0 compliance for our UPI-first fintech brand UPYUGO Technologies. Our focus:
- Shield transactional emails (KYC, OTP, payment alerts)
- Lock down phishing/spam with custom quarantine logic
- Implement Defender strict policy + advanced anti-spam (MDO)
Would love feedback on:
- Best practices for Defender ATP in regulated environments
- DMARC, SPF, DKIM recommendations
- Log forwarding to Sentinel or Azure Monitor
Cheers, email address removed for privacy reasons
Recent Blogs
- Microsoft has a long-standing relationship with MITRE and holds deep respect for the unique role that the organization plays within the security ecosystem. MITRE ATT&CK® Evaluations have been instru... (Jun 13, 2025)
- Enhancing macOS security with behavior monitoring: As attackers become more sophisticated in today’s rapidly evolving threat landscape, security strategies must continue to innovate to keep pace. F... (Jun 10, 2025)