Latest Discussions
Understanding Advanced hunting results
Is anyone able to break down the SourceApp values in detail? In particular, what is "ms-fluid_component"? I have a Form that a user created, but they're not sure how. I ran it through Advanced hunting in Microsoft Defender and it returns "SourceApp":"ms-fluid_component". What is this? Thanks

JRodwell, Feb 18, 2025, Copper Contributor. 31 views, 0 likes, 3 comments.
How to Ensure No Missed Alerts Using alertReportedTime in Microsoft Defender for Endpoint?

I am developing an application that continuously searches for the latest alerts in Microsoft Defender for Endpoint by querying alerts from 2 minutes ago to 1 minute ago. My goal is to ensure that no alerts are missed, even if a device was offline and only reported the alert after coming back online. My question is: if I use `alertCreationTime` for my search, will it ensure that I do not miss any alerts, including those that were generated while the device was offline and reported later when the device came back online? Any insights or best practices on this approach would be greatly appreciated. Thank you!

tomokon, Feb 18, 2025, Copper Contributor. 47 views, 0 likes, 3 comments.
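The question above hinges on whether a fixed "2 minutes ago to 1 minute ago" window can ever be gap-free. The simulation below is an added example, not code from the thread or from Microsoft: it replaces the real MDE "list alerts" endpoint (GET https://api.securitycenter.microsoft.com/api/alerts with an OData `$filter` on `alertCreationTime`) with an offline fake over constructed records, and compares the fixed window against a sliding watermark with overlap and de-duplication by alert `id`. The properties `id`, `alertCreationTime` and `lastUpdateTime` are real alert properties; `visible_at` is a constructed stand-in for "when the backend first exposes the alert" and is not an API field. The example does not settle which timestamp MDE guarantees for late-reporting devices (check the API reference for that); it shows that the watermark design tolerates both a late-visible alert and a missed poll cycle, whichever timestamp you filter on, while the fixed window drops both.

```python
"""Polling Microsoft Defender for Endpoint alerts without gaps (added example)."""
from datetime import datetime, timedelta, timezone


def ts(hour, minute, second=0):
    """Constructed UTC timestamps on 2025-02-18 for the simulation."""
    return datetime(2025, 2, 18, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample alerts (not real MDE data). "da2" is the interesting one:
# created at 11:00:30 but only exposed by the backend at 11:04:00.
SAMPLE_ALERTS = [
    {"id": "da1", "alertCreationTime": ts(11, 0, 10),
     "lastUpdateTime": ts(11, 0, 10), "visible_at": ts(11, 0, 12)},
    {"id": "da2", "alertCreationTime": ts(11, 0, 30),
     "lastUpdateTime": ts(11, 0, 30), "visible_at": ts(11, 4, 0)},
    {"id": "da3", "alertCreationTime": ts(11, 2, 15),
     "lastUpdateTime": ts(11, 2, 15), "visible_at": ts(11, 2, 20)},
]


def odata_filter(start, end=None):
    """Builds the $filter value the real endpoint accepts (exclusive bounds)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = f"alertCreationTime gt {start.strftime(fmt)}"
    if end is not None:
        flt += f" and alertCreationTime lt {end.strftime(fmt)}"
    return flt


class FakeAlertApi:
    """Offline stand-in for the alerts endpoint, honouring the same bounds."""

    def __init__(self, alerts):
        self.alerts = alerts

    def list_alerts(self, now, start, end=None):
        return [a for a in self.alerts
                if a["visible_at"] <= now
                and a["alertCreationTime"] > start
                and (end is None or a["alertCreationTime"] < end)]


def fixed_window_poll(api, now):
    """The approach in the question: only alerts created 2..1 minutes ago."""
    return api.list_alerts(now, now - timedelta(minutes=2),
                           now - timedelta(minutes=1))


class WatermarkPoller:
    """Sliding watermark with generous overlap; duplicates removed by id.

    Re-reading an alert is cheap, missing one is not. The overlap catches
    alerts that become visible late; a missed poll cycle covers itself because
    the watermark only advances on alerts actually seen; lastUpdateTime lets a
    changed alert through again without re-emitting unchanged ones.
    """

    def __init__(self, api, start, overlap=timedelta(minutes=15)):
        self.api = api
        self.watermark = start
        self.overlap = overlap
        self.seen = {}  # alert id -> lastUpdateTime already processed

    def poll(self, now):
        fresh = []
        for a in self.api.list_alerts(now, self.watermark - self.overlap):
            prev = self.seen.get(a["id"])
            if prev is None or prev < a["lastUpdateTime"]:
                self.seen[a["id"]] = a["lastUpdateTime"]
                fresh.append(a)
            if a["alertCreationTime"] > self.watermark:
                self.watermark = a["alertCreationTime"]
        return fresh


def simulate(poll_times):
    """Runs both strategies over one poll schedule; returns the ids each delivered."""
    api = FakeAlertApi(SAMPLE_ALERTS)
    fixed = [a["id"] for t in poll_times for a in fixed_window_poll(api, t)]
    poller = WatermarkPoller(api, poll_times[0] - timedelta(minutes=1))
    watermarked = [a["id"] for t in poll_times for a in poller.poll(t)]
    return fixed, watermarked


if __name__ == "__main__":
    # Polls at 11:01, 11:02, 11:03, then the poller is down and resumes at 11:06.
    schedule = [ts(11, 1), ts(11, 2), ts(11, 3), ts(11, 6)]
    print(simulate(schedule))
```

With that schedule the fixed window delivers only `da1`: `da2` is not yet visible when its one-minute slot is polled, and `da3` falls in the slot that the down-time skipped. The watermark poller delivers `da1`, `da3` and then `da2` once it appears, with no duplicates across the four polls. Persist `watermark` and `seen` across restarts, and size the overlap to the longest reporting delay you are willing to tolerate.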
MDE Linux config file is not applied

Hey guys, we have several Linux VMs in our Azure environment on which we have Defender for Endpoint onboarded. We then distributed a configuration file to the machines at the following path: /etc/opt/microsoft/mdatp/managed/mdatp_managed.json. We proceeded as described by Microsoft: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide#full-configuration-profile-example Unfortunately, the settings from the config file are not applied; mdatp health does not show the settings or the "managed" suffix. Restarting the mdatp service or the virtual machine was also not successful. Is there anything else to consider? What needs to be done to ensure that the config file is applied correctly?

DomXDR, Feb 18, 2025, Copper Contributor. 620 views, 0 likes, 1 comment.
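A managed profile that does not parse cannot be applied, and a trailing comma or a misspelled enum value is easy to miss by eye. The checker below is an added example for the question above, not code from the thread or from Microsoft. It assumes the file is strict JSON (no comments, no trailing commas) and that the keys it inspects (`antivirusEngine.enforcementLevel` with the values `real_time`, `on_demand`, `passive`; `cloudService.enabled` as a boolean) follow the Microsoft Learn full configuration profile example linked in the post; the root-ownership and 0644 checks are file-hygiene assumptions, not a documented requirement. The two sample profiles are constructed for the example.

```python
"""Sanity checks for the MDE Linux managed profile (added example)."""
import json
import os
import stat

MANAGED_PATH = "/etc/opt/microsoft/mdatp/managed/mdatp_managed.json"
ENFORCEMENT_LEVELS = {"real_time", "on_demand", "passive"}

# Constructed minimal profile following the documented key names.
GOOD_PROFILE = """{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true
  },
  "cloudService": {
    "enabled": true,
    "automaticDefinitionUpdateEnabled": true
  }
}"""

# Constructed broken profile: trailing comma after the last key of an object.
BAD_SYNTAX_PROFILE = """{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
  }
}"""

# Constructed broken profile: parses, but the enum value is misspelled.
BAD_VALUE_PROFILE = '{"antivirusEngine": {"enforcementLevel": "realtime"}}'


def check_profile_text(text):
    """Returns a list of findings; an empty list means nothing obviously wrong."""
    try:
        profile = json.loads(text)
    except json.JSONDecodeError as exc:
        # json.loads rejects trailing commas, comments and single quotes,
        # and reports where it gave up.
        return [f"not valid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    if not isinstance(profile, dict):
        return ["top level must be a JSON object"]

    findings = []
    av = profile.get("antivirusEngine", {})
    level = av.get("enforcementLevel")
    if level is not None and level not in ENFORCEMENT_LEVELS:
        findings.append(
            f"antivirusEngine.enforcementLevel {level!r} is not one of "
            f"{sorted(ENFORCEMENT_LEVELS)}")
    cloud = profile.get("cloudService", {})
    if "enabled" in cloud and not isinstance(cloud["enabled"], bool):
        findings.append("cloudService.enabled must be true/false, not a string")
    return findings


def check_profile_file(path=MANAGED_PATH):
    """File-level checks (present, root-owned, not group/world writable), then content."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (written to the right host and path?)"]

    findings = []
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group/world writable; tighten to 0644")
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_profile_text(fh.read()))
    return findings


if __name__ == "__main__":
    for name, text in [("good", GOOD_PROFILE), ("bad syntax", BAD_SYNTAX_PROFILE),
                       ("bad value", BAD_VALUE_PROFILE)]:
        print(name, "->", check_profile_text(text) or "ok")
    print(MANAGED_PATH, "->", check_profile_file() or "ok")
```

Run it on the host as root, fix whatever it reports, and then re-check `mdatp health`: values taken from the managed file are the ones that carry the `[managed]` marker the post refers to.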
Microsoft Defender VPN - Android Auto Communication error 21

Hi, using the Microsoft Defender for Endpoint VPN (com.microsoft.scmx) has caused connection issues with Android Auto (see attached image), and users cannot get it to load. The only way to get it to work seems to be turning off the VPN, which we do not want to do, as it is an Intune-managed corporate device on which we want the VPN always working for security reasons. Has anyone got a solution? Users receive the following error: "Communication error 21 - Being connected to a VPN may prevent Android Auto from starting. If you're using a VPN, turn it off and try reconnecting to Android Auto." Thanks, Mark

Mondas, Feb 17, 2025, Iron Contributor. 8.3K views, 0 likes, 3 comments.
Cannot download Onboarding package

Hello, we're having problems when trying to download the Defender onboarding package. We tried different OSes and different deployment methods, but within a second of clicking "Download onboarding package" we get a popup saying "Client Error. Failed to get APK url from server". Has anyone seen this before?

Lokaalin, Feb 17, 2025, Copper Contributor. 13K views, 1 like, 12 comments.
What happened to being able to see who a file was shared with in Defender XDR?

We get a lot of alerts for "File shared with personal email addresses involving one user", and previously we would be able to select the file that was being shared, which would take us to another page where we could see who it was shared with. Now, however, the ellipsis next to the file name is gone and there doesn't seem to be any other way to see who the file was shared with. This is a massive loss of functionality, because even in Cloud App Security or using Kusto this data is missing, so the only way to get it is to log into the SharePoint admin centre, find the user's OneDrive, give yourself access, find the file and see who it's shared with. This is many more steps and very inconvenient. The ellipsis used to be here: Is there another way for an admin to see who a file is shared with that we are missing? Why is it no longer bundled in this alert that is specifically meant to show you a problem with a file being shared? Thanks,

LewkirSG, Feb 14, 2025, Copper Contributor. 19 views, 0 likes, 0 comments.
RTP Disabling Issue

Looking for insight on a Windows Defender issue. The client is using Microsoft Defender for Endpoint. The issue is that Real Time Protection is enabled on certain servers where it should not be. They have a GPO that is supposed to disable that function. I have included a picture to reference a server that has RTP enabled and one that has RTP disabled. I would appreciate any information on this, as I have continuously scoured the interwebs for an answer, including forums. I do see TamperProtection and TamperProtectionSource keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features with values of 5 and 65 on a server that has RTP enabled, even with a GPO set to disable it: And from a server that has a GPO to disable RTP, where it is being disabled correctly:

Arrakis_1145, Feb 13, 2025, Copper Contributor. 18 views, 0 likes, 0 comments.
What URLs are allowed when a device is in isolation?

I have a customer who's asking what URLs are allowed when a device has been set to "Isolated". I know there's full isolation (where the only thing allowed is the Defender ATP service) and selective isolation (for Windows devices, which allows Outlook, Teams and Skype for Business). Per "Take response actions on a device in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint", when isolating a device, "only certain processes and destinations are allowed." So: 1. Is there a more detailed list of what's allowed? 2. Is it configurable? Thanks!

HansDoerr, Feb 12, 2025, Microsoft. 996 views, 1 like, 2 comments.
Baseline Assessment Auditing Status Unknown

Hi, I am working with Microsoft Defender Vulnerability Management and the feature called Baseline Assessment. I created a Baseline Profile with CIS-compliant configurations and applied it to 10 devices for testing. Checking the compliance status, I can observe that the Auditing configurations are shown as Unknown. Has anyone experienced this situation? Any recommendation? Thanks for any comments.

Carlos_Valencia, Feb 12, 2025, Copper Contributor. 59 views, 0 likes, 3 comments.
Domain controller

Hi. Do you know if we can install MDE on Active Directory servers (on-prem and Azure servers)? The server OS versions are 2016 and 2022. Which Microsoft Defender product is best suited for Active Directory servers? Please let me know with an MS KB article link.

Solved. subhashv1986, Feb 12, 2025, Copper Contributor. 2K views, 0 likes, 6 comments.