Recent Discussions
Schemas not visible in Defender in Advanced Hunting
We have Defender for Endpoint Plan 2 + Microsoft Business Premium + Entra ID P2 in our tenant. I need to hunt for a particular process or files across multiple devices. Also I need to hunt for device events. But I am not able to find the schemas in the Advanced Hunting section. The schemas not available in our tenant:
- DeviceEvents
- DeviceFileCertificateInfo
- DeviceFileEvents
- DeviceImageLoadEvents
- DeviceInfo
- DeviceLogonEvents
- DeviceNetworkEvents
- DeviceNetworkInfo
- DeviceProcessEvents
The mentioned schemas are not visible in the Advanced Hunting section. Devices were onboarded using Microsoft Intune and at the time of onboarding there was already a third-party antivirus tool installed on the machines, so Defender was working in EDR Block Mode. But now all third-party antivirus is removed and Defender is working as primary in active mode. Do I need to do any additional configuration to get data in the mentioned schemas in the Advanced Hunting section?

Device onboarded successfully, but alerts are not showing up in the portal
Hi! I am trying to set up a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender Portal. And everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), then the local antivirus catches it, but nothing is showing up on the portal in the Incidents & Alerts menu. What is even stranger is that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay. I have tried the following things so far:
- On the Alerts listing page, there is no filter set, so everything should be visible
- In the Alert service settings I set 'All alerts'
- I have run the MDEClientAnalyzer script, it didn't find any suspicious thing
- I checked the local Event logs on the VM, and nothing suspicious there as well
- The devices are also enrolled to Intune, I created an Antivirus policy there with the default values and also a Security baseline
Additional info that might be useful:
- The Windows VMs are untouched, there isn't any other third-party antivirus software installed.
- The onboarding detection script provided on the portal is unsuccessful as well (no alerts show up)
- On the Defender portal, on the device's page, the results of Security scans are visible normally though
- The devices are enrolled to Intune with Windows Autopilot with the Hardware hash method.
Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though, is when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, then it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though, if I am correct, Intune is included in the developer license, and practically speaking I am also able to use it. Do you have any idea what I am missing? Alerts should work out of the box theoretically 😅..
Thank you for your help in advance,
Adam

SenseNdr.exe is slowly eating the memory
Hello, for a few days now we have some Windows Server 2019 physical machines where almost all the memory is committed to sensendr.exe. If you terminate sensendr.exe, the process comes back after a few minutes. On one machine the problem came back after a little bit more than one day; on the others the problem has not come back (yet). All the machines are patched with the 2024-09 CU. Here is a view of the resource monitor:
On another machine:
Do you have any idea what could cause that and how to avoid it? We can't find any error messages that could explain the problem. Thanks in advance for your answers,
Marc

Failed to create object ID in Intune for new onboarded device.
We are deploying Defender for Cloud with XDR onboarding. We are implementing Defender policy with the Intune enforcement setting, and everything is working for 98% of devices. But for some devices, like Arc-enabled machines, after going through each step and the Microsoft troubleshooting documentation, some devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in the MDEClient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But when a device fails this process, we have no solution even after re-onboarding.

Device logon user showing mismatch in Microsoft Defender for Cloud (Server)
Hello Team, we have onboarded an Exchange server in Microsoft Defender for Cloud (Server), and this server is successfully showing in the Microsoft Defender for Endpoint Assets list. When we view a single asset's details, we found that in the logon user details there are 417 users in the user list. They do not all directly log in to this server. Then why is it showing a total of 417 users in the user list?
Thanks,
Noyon

Issue with MSSENSE.EXE scanning
We have been working with Microsoft on an issue and they asked that we exclude a couple of folders from scanning. We've excluded the folders and Defender MSMPENG.exe isn't scanning them anymore, but MSSENSE.EXE still is, which is ATP / Defender for Endpoint. How do I stop MSSENSE.EXE from scanning those folders?
Thanks,

Microsoft Enable Programs and Features Settings in Windows 11
If you were a business or organization that was new to Purview, what advice would you give them to turn on or set up as their first steps with the product? On Windows 11, the Settings app lets you install additional features to extend the system's functionality. You will need an internet connection to download these features since the components are not stored in the default installation. But Windows 11 Insider Preview 10.0.26120.2415 (ge_release_upr) fixes the issue.

Verify the device is connected to the network and has internet access to communicate with MDE.
When onboarding a device using the DFE (Device Functionality Enhancement) onboarding script, it is expected that the device will be properly enrolled in Microsoft Defender for Endpoint (MDE) and reflect its status as "Managed" in the Defender portal. However, if the device is showing as "Managed by Unknown" and the "MDE Enrollment status" is displayed as "N/A," it indicates that the device has not successfully registered or communicated with the MDE service. This issue can occur for several reasons, including incorrect configuration of the DFE onboarding script, connectivity issues between the device and Defender for Endpoint services, or issues with permissions or policies applied during the enrollment process. It may also be a result of the device not receiving the required Defender for Endpoint agent or its enrollment being interrupted during the onboarding process. To resolve this issue, try the following steps:
- Verify the device is connected to the network and has internet access to communicate with MDE.
- Ensure that the onboarding script is correctly executed with the appropriate permissions and settings.
- Confirm that the correct version of the Defender for Endpoint agent is installed on the device.
- Review the Defender for Endpoint portal for any alerts or errors related to the device enrollment.
- Restart the device and check the enrollment status again.
If the issue persists, re-running the onboarding script or re-enrolling the device may be necessary.

Suspicious attachment opened with no detection technology or VT matches
We received the alert “Suspicious attachment opened” for an Excel file, but it’s unclear why it was flagged. Here’s what I found:
- No detection technology triggered.
- No VT matches.
- File wasn’t detonated in the Microsoft sandbox.
- Deep analysis is unavailable (not a PE).
I reviewed the file and, apart from generic terms like “invoice” or “file” in the name, I see no clear indicators of suspicion or ways to adjust this in XDR. Any tips for better understanding or fine-tuning the verdict?

Guidance Needed: Excluding Non-Corporate Devices from Vulnerability Management
We are encountering an issue where non-corporate devices are appearing in our Vulnerability Management and reporting. This is causing inconsistencies in our reports across the tenant and potentially impacting our overall security posture. Hoping to get some guidance in resolving this issue.

MDE for Linux with ARM processors?
Is MDE supported on Linux server distributions with ARM processors? The minimum requirements outlined state that only x64 (AMD64/EM64T) and x86_64 versions are supported. https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux#system-requirements If yes, is there any additional setup needed?

MDE disable settings
Hello All, as devices are onboarded to Microsoft Defender for Endpoint and policies are enforced, it’s crucial to establish prompt troubleshooting mechanisms. Kindly provide insights on the following steps:
1. Disabling Tamper Protection and Real-Time Protection: How can these settings, enforced by policy, be turned off on a device in the shortest time frame?
2. Offboarding Devices and Policy Removal:
   - Does offboarding a device immediately remove all applied policies?
   - If not, how long does it typically take for policies to clear from the device after offboarding?
3. Uninstalling Defender: What is the recommended process for completely uninstalling Microsoft Defender from a device?
Your guidance on executing these actions efficiently would be highly valuable.
Regards,

Need help to finalize the approach and deployment plan for one of the case studies
Planning the deployment of Microsoft Defender for Server in a Diverse Server Landscape
Planning and deploying Microsoft Defender for Server for a customer with a complex server environment consisting of:
- 10 Windows Servers (both on-premise and hosted with Azure)
- 10 Linux Servers (both on-premise and hosted with Azure)
- 5 Windows Servers hosted on AWS
- 5 Linux Servers hosted on AWS
- A subset of Linux servers without internet connectivity
Scenario: The customer's primary concern is ensuring comprehensive protection across all environments while minimizing disruption to their business operations. They aim to implement Microsoft Defender for Server as their unified security solution, replacing their existing Trellix. The customer requires insights into the capabilities, considerations, limitations, and steps involved in successfully deploying the solution across this diverse landscape. Your plan should detail the capabilities and limitations of Defender for Server in addressing the security needs of these environments. Key considerations include ensuring unified security coverage across all platforms, overcoming connectivity challenges, and addressing the limitations of AWS-hosted servers. The approach should involve defining prerequisites, commercial impact, minimizing business impact, coordinating team participation from the customer’s side, and establishing a realistic time frame for onboarding all 30 servers. The goal is to deliver a comprehensive, strategic plan that ensures minimal disruption and optimal security for the customer’s infrastructure.
Additionally, I want to know how to address the below challenges the customer encountered during an earlier POC:
- In the event of troubleshooting where we need to narrow down that an issue is not happening due to Defender policies, what is the approach to be taken to disable the policies until troubleshooting completes?
- How to ensure that any newly built custom applications are not considered as PUA/PUP by Defender
- How to ensure that a full scan / scheduled scan doesn’t impact the performance
- How to monitor for any activities being blocked by SmartScreen policies

USB type C storage device restriction
Hi All, I am new to Defender for Endpoint and I need to understand:
- Can all features of Defender for Endpoint be used without Intune?
- Can Defender for Endpoint restrict/block USB type C storage devices?
- Can Defender for Endpoint allow a machine to access any USB device based on Vendor ID/Hardware ID?
- Can Defender for Endpoint allow a USB device to be accessible from any machine or a group of machines?

Endpoint security policies not applicable
Hello, we've started to roll out Windows Defender for our customers. Some of our customers' devices are not Intune enrolled; users log in with local profiles. The devices are showing as managed by MDE. In the security portal we've enabled "Use MDE to enforce security configuration settings from Intune". In the Intune portal we created AV, Firewall and Attack Surface Reduction policies, but some of the policies are reporting as not applicable and not applying to the devices. We created an ASR rule to block child processes but it's reporting as not applicable for all devices. We are also testing a block USB access policy and this is showing as not applicable on that test device. Same with an AV rule we created to control the Security Center UI. The policies are being applied to a dynamic security group that targets OS type Windows. When I view the report to check why it's not applicable, it doesn't show me anything. Can someone tell me why the policy would be reporting as not applicable?

On-prem, Server 2022, onboarded via GPO, not visible in Portal..?
Per title, this affects just one server (AFAIK). Additional info:
- Onboarding GPO configured as per docs (and identically to other AOK machines in this domain)
- Application Log, EventID 20: "Successfully onboarded machine to Microsoft Defender for Endpoint" as expected
- MDE Client Analyzer results:
   - correct OrgID is shown
   - DeviceID is shown
   - One error (MDECloud cert pinning: "Certificate pinning validation for https://ecs.office.com/config/v1/MicrosoftWindowsDefenderClient/1.0.0.0 has failed. The test has failed because an error occured when fetching the root CA in the cert chain. The certificate issuer that was fetched from the URL was: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US")
   - But FW logs show successful connections to ecs.office.com, no drops/denies
   - Manual navigation to that URL from the affected box returns some JSON, inc StatusCode: 200 (which I assume is "OK")
- Using old connectivity mode/method (not streamlined)
- Unlike all other devices, this one cannot be found in the Portal, by name, DeviceID, account logins, etc. No trace at all...
Could this be explained by the Certificate Pinning issue? What are the best steps to troubleshoot this box's non-appearance in the Portal?

Web content filtering and indicator aren't working on third-party browser
Hi, we have just noticed that web content filtering and customized indicators are not working on third-party browsers after upgrading Defender for Endpoint to 4.18.23050.3; the issue has happened on both Win10 and Win11 machines. Has anyone else got the same issue?
Recent Blogs
- Now in public preview, Microsoft Defender for Endpoint expands Security Settings Management support to push ASR rules on managed devices. (Dec 09, 2024)
- This article is a follow-up to a previous one discussing conflicting proxy configurations and how Microsoft Defender for Endpoint behaves in these situations. The first article can be found in he... (Nov 26, 2024)