Latest Discussions
Device onboarded successfully, but alerts are not showing up in the portal
Hi! I am trying to set up a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender portal. Everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), the local antivirus catches it, but nothing shows up on the portal in the Incidents & Alerts menu. What is even stranger is that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay.

I have tried the following things so far:

- On the Alerts listing page, there is no filter set, so everything should be visible.
- In the Alert service settings I set 'All alerts'.
- I have run the MDEClientAnalyzer script; it didn't find anything suspicious.
- I checked the local Event logs on the VM, and nothing suspicious there as well.
- The devices are also enrolled to Intune; I created an Antivirus policy there with the default values and also a Security baseline.

Additional info that might be useful:

- The Windows VMs are untouched; there isn't any other third-party antivirus software installed.
- The onboarding detection script provided on the portal is unsuccessful as well (no alerts show up).
- On the Defender portal, on the device's page, the results of security scans are visible normally though.
- The devices are enrolled to Intune with Windows Autopilot with the hardware hash method.

Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though, is when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though, if I am correct, Intune is included in the developer license, and practically speaking I am also able to use it.

Do you have any idea what I am missing? Alerts should work out of the box theoretically.

Thank you for your help in advance.

Posted by Adammekkelek, Dec 05, 2024

SenseNdr.exe is slowly eating the memory
Hello, for a few days now, we have some Windows Server 2019 physical machines where almost all the memory is committed to sensendr.exe. If you terminate sensendr.exe, the process comes back after a few minutes. On one machine the problem came back after a little bit more than one day; on the others the problem has not come back (yet). All the machines are patched with the 2024-09 CU.

Here is a view of the resource monitor: [screenshot: Resource Monitor]

On another machine: [screenshot: Resource Monitor on a second machine]

Do you have any idea what could cause that and how to avoid it? We can't find any error messages that could explain the problem.

Thanks in advance for your answers,
Marc

Posted by MarcVDH, Dec 05, 2024

Failed to create object ID in Intune for new onboarded device.
We are deploying Defender for Cloud with XDR onboarding. We are implementing the Defender policy with the Intune enforcement setting, and everything is working for 98% of devices. But for some devices, like Arc-enabled machines, after going through each step and the Microsoft troubleshooting documentation, some devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in the MDEclient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But when a device fails this process, we have no solution even after re-onboarding.

Posted by EtienneFiset, Dec 02, 2024

Device logon user showing mismatch in Microsoft Defender for Cloud (Server)
Hello Team, we have onboarded an Exchange server in Microsoft Defender for Cloud (Server), and this server is successfully showing in the Microsoft Defender for Endpoint assets list. When we view a single asset's details, we found that in the logon user details there are 417 users in the user list. They do not all log in directly to this server. Then why is it showing a total of 417 users in the user list?

Thanks,
Noyon

Posted by noyondas, Dec 02, 2024

Issue with MSSENSE.EXE scanning
We have been working with Microsoft on an issue and they asked that we exclude a couple of folders from scanning. We've excluded the folders and Defender MSMPENG.exe isn't scanning them anymore, but MSSENSE.EXE still is, which is ATP / Defender for Endpoint. How do I stop MSSENSE.EXE from scanning those folders?

Thanks,

Posted by BrianPitt, Dec 02, 2024

Microsoft Enable Programs and Features Settings in Windows 11
If you were a business or organization that was new to Purview, what advice would you give them to turn on or set up as their first steps with the product?

On Windows 11, the Settings app lets you install additional features to extend the system's functionality. You will need an internet connection to download these features, since the components are not stored in the default installation. But Windows 11 Insider Preview 10.0.26120.2415 (ge_release_upr) fixes the issue.

Posted by Rayhan, Dec 02, 2024

Verify the device is connected to the network and has internet access to communicate with MDE.
When onboarding a device using the DFE (Device Functionality Enhancement) onboarding script, it is expected that the device will be properly enrolled in Microsoft Defender for Endpoint (MDE) and reflect its status as "Managed" in the Defender portal. However, if the device is showing as "Managed by Unknown" and the "MDE Enrollment status" is displayed as "N/A," it indicates that the device has not successfully registered or communicated with the MDE service.

This issue can occur for several reasons, including incorrect configuration of the DFE onboarding script, connectivity issues between the device and Defender for Endpoint services, or issues with permissions or policies applied during the enrollment process. It may also be a result of the device not receiving the required Defender for Endpoint agent or its enrollment being interrupted during the onboarding process.

To resolve this issue, try the following steps:

- Verify the device is connected to the network and has internet access to communicate with MDE.
- Ensure that the onboarding script is correctly executed with the appropriate permissions and settings.
- Confirm that the correct version of the Defender for Endpoint agent is installed on the device.
- Review the Defender for Endpoint portal for any alerts or errors related to the device enrollment.
- Restart the device and check the enrollment status again.

If the issue persists, re-running the onboarding script or re-enrolling the device may be necessary.

Posted by thomidwi, Nov 30, 2024

Suspicious attachment opened with no detection technology or VT matches
We received the alert "Suspicious attachment opened" for an Excel file, but it's unclear why it was flagged. Here's what I found:

- No detection technology triggered.
- No VT matches.
- File wasn't detonated in the Microsoft sandbox.
- Deep analysis is unavailable (not a PE).

I reviewed the file and, apart from generic terms like "invoice" or "file" in the name, I see no clear indicators of suspicion or ways to adjust this in XDR. Any tips for better understanding or fine-tuning the verdict?

Posted by Marnik, Nov 26, 2024

Guidance Needed: Excluding Non-Corporate Devices from Vulnerability Management
We are encountering an issue where non-corporate devices are appearing in our Vulnerability Management and reporting. This is causing inconsistencies in our reports across the tenant and potentially impacting our overall security posture. Hoping to get some guidance in resolving this issue.

Posted by OluseyiTJ, Nov 26, 2024