Latest Discussions
Network assessments - Assessment jobs
Hello, does anyone have documentation on the Assessment jobs found under Settings > Network Assessments?
jshaffer11 (Copper Contributor), Feb 18, 2025 - 3.5K views, 1 like, 2 comments

Get-MpComputerStatus output is blank
Hello, we recently transitioned from ESET AV to a solution that uses the Microsoft Defender engine. However, we're encountering an issue where domain-joined VMs running Windows Server 2022 return no output when executing the following command:

    Get-MpComputerStatus | Select AntivirusEnabled

The antivirus application (Heimdal Next-Gen Antivirus) relies on this output to verify that real-time scanning is enabled. We have tried several troubleshooting steps, including rebooting the machines, running the command Dism /Online /Enable-Feature /FeatureName:Windows-Defender, and checking the registry to ensure that Defender is not in passive mode. However, the issue persists. Has anyone encountered a similar issue, or can anyone suggest additional steps to resolve this? Any help would be greatly appreciated!
unslog (Brass Contributor), Feb 18, 2025 - 243 views, 0 likes, 7 comments

Understanding Advanced hunting results
Is anyone able to break down the SourceApp values in detail? In particular, what is "ms-fluid_component"? I have a Form that a user created, but they're not sure how. I run it through Advanced hunting in Microsoft Defender and it returns "SourceApp":"ms-fluid_component". What is this? Thanks
Solved - JRodwell (Copper Contributor), Feb 18, 2025 - 36 views, 0 likes, 3 comments

How to Ensure No Missed Alerts Using alertReportedTime in Microsoft Defender for Endpoint?
I am developing an application that continuously searches for the latest alerts in Microsoft Defender for Endpoint by querying alerts from 2 minutes ago to 1 minute ago. My goal is to ensure that no alerts are missed, even if a device was offline and only reported the alert after coming back online. My question is: if I use `alertCreationTime` for my search, will it ensure that I do not miss any alerts, including those that were generated while the device was offline and reported later when the device came back online? Any insights or best practices on this approach would be greatly appreciated. Thank you!
tomokon (Copper Contributor), Feb 18, 2025 - 61 views, 0 likes, 3 comments

MDE Linux config file is not applied
Hey guys, we have several Linux VMs in our Azure environment on which we have Defender for Endpoint onboarded. We subsequently distributed a configuration file to the machines at the following path: /etc/opt/microsoft/mdatp/managed/mdatp_managed.json. We proceeded as described by Microsoft: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide#full-configuration-profile-example. Unfortunately, the settings from the config file are not applied. mdatp health does not show the settings or the "managed" suffix. Restarting the mdatp service or the virtual machine was also not successful. Is there anything else to consider? What needs to be done to ensure that the config file is applied correctly?
DomXDR (Copper Contributor), Feb 18, 2025 - 620 views, 0 likes, 1 comment

Microsoft Defender VPN - Android Auto Communication error 21
Hi, using the Microsoft Defender for Endpoint VPN (com.microsoft.scmx) has caused connection issues with Android Auto (see attached image), and users cannot get it to load. The only way it seems to get this to work is to turn off the VPN, which we do not want to do, as it is an Intune-managed corporate device on which we want the VPN always working for security reasons. Has anyone got a solution? Users receive the following error: "Communication error 21 - Being connected to a VPN may prevent Android Auto from starting. If you're using a VPN, turn it off and try reconnecting to Android Auto." Thanks, Mark
Mondas (Iron Contributor), Feb 17, 2025 - 8.3K views, 0 likes, 3 comments

Cannot download Onboarding package
Hello, we're having problems when trying to download the Defender onboarding package. We tried different OSes and different deployment methods, but within a second of clicking Download onboarding package we get a popup saying "Client Error. Failed to get APK url from server". Has anyone seen this before?
Lokaalin (Copper Contributor), Feb 17, 2025 - 13K views, 1 like, 12 comments

What happened to being able to see who a file was shared with in Defender XDR?
We get a lot of alerts for "File shared with personal email addresses involving one user", and previously we were able to select the file that was being shared, which would take us to another page where we could see who it was shared with. Now, however, the ellipsis next to the file name is gone and there doesn't seem to be any other way to see who the file was shared with. This is a massive loss of functionality, because even in Cloud App Security or using Kusto this data is missing, so the only way to get it is to log into the SharePoint admin centre, find the user's OneDrive, give yourself access, find the file and see who it's shared with. This is many more steps and very inconvenient. The ellipsis used to be here: Is there another way for an admin to see who a file is shared with that we are missing? Why is it no longer bundled in this alert, which is specifically meant to show you a problem with a file being shared? Thanks,
LewkirSG (Copper Contributor), Feb 14, 2025 - 26 views, 0 likes, 0 comments

RTP Disabling Issue
Looking for insight into a Windows Defender issue. The client is using Microsoft Defender for Endpoint. The issue is that Real Time Protection is enabled on certain servers where it should not be. They have a GPO that is supposed to disable that function. I have included a picture to reference a server that has RTP enabled and one that has RTP disabled. I would appreciate any information on this, as I have continuously scoured the interwebs for an answer, including forums. I do see TamperProtection and TamperProtectionSource keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features with values of 5 and 65 on a server that has RTP enabled, even with a GPO set to disable it: And from a server that has a GPO to disable RTP, and it is being disabled correctly:
Arrakis_1145 (Copper Contributor), Feb 13, 2025 - 23 views, 0 likes, 0 comments

What URLs are allowed when a device is in isolation?
I have a customer who's asking what URLs are allowed when a device has been set to "Isolated". I know there's full isolation (where the only thing allowed is the Defender ATP service) and selective isolation (for Windows devices, which allows Outlook, Teams and Skype for Business). Per "Take response actions on a device in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint", when isolating a device, "only certain processes and destinations are allowed." So: #1 - is there a more detailed list of what's allowed? #2 - is it configurable? Thanks!
HansDoerr (Microsoft), Feb 12, 2025 - 1K views, 1 like, 2 comments
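For the "How to Ensure No Missed Alerts" question above, the following is an added example (not the poster's application and not Microsoft code) of a polling pattern that does not depend on the poll firing exactly once a minute. Instead of a fixed "2 minutes ago to 1 minute ago" window it keeps a watermark of the newest `lastUpdateTime` it has processed, re-reads an overlap behind that watermark, and de-duplicates on alert id plus update time. The property names `id`, `alertCreationTime`, `lastUpdateTime` and `firstEventTime` are the ones the Defender for Endpoint alerts API returns; the alert records, the simulated clock and `$token` are constructed for the demo.

```powershell
# Added example, not code from the original post. Watermark + overlap + de-dup
# poller; the alert records below are constructed, not real API output.

function Get-AlertsSince {
    param(
        [scriptblock]$Fetch,                              # returns alerts with lastUpdateTime -ge the argument
        [datetime]$Watermark,                             # newest lastUpdateTime handled so far
        [timespan]$Overlap = [timespan]::FromMinutes(5),  # safety margin re-read on every poll
        [hashtable]$Seen                                  # id -> lastUpdateTime already handled (persist this)
    )
    $new = @()
    foreach ($a in (& $Fetch ($Watermark - $Overlap))) {
        $lu = [datetime]$a.lastUpdateTime
        # Already processed at this or a later update time: the overlap re-read it, skip.
        if ($Seen.ContainsKey($a.id) -and $Seen[$a.id] -ge $lu) { continue }
        $Seen[$a.id] = $lu
        $new += $a
        if ($lu -gt $Watermark) { $Watermark = $lu }
    }
    [pscustomobject]@{ Alerts = $new; Watermark = $Watermark }
}

# Against the real API the fetch is an OData filter on lastUpdateTime
# ($token is assumed to hold a valid bearer token; acquisition is out of scope here):
# $fetch = {
#     param([datetime]$Since)
#     $f = "lastUpdateTime ge $($Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ'))"
#     (Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/alerts?`$filter=$f" `
#                        -Headers @{ Authorization = "Bearer $token" }).value
# }

# Constructed data: 'late' fired on the device at 09:00 while it was offline and
# only became visible in the service at 09:30. A fixed window polled at 09:02
# cannot see it whichever timestamp it filters on, because the record did not exist yet.
$sample = @(
    [pscustomobject]@{ id = 'a1';   firstEventTime = '2025-02-18T08:58:00Z'; alertCreationTime = '2025-02-18T08:58:10Z'; lastUpdateTime = '2025-02-18T08:58:10Z' }
    [pscustomobject]@{ id = 'late'; firstEventTime = '2025-02-18T09:00:00Z'; alertCreationTime = '2025-02-18T09:30:05Z'; lastUpdateTime = '2025-02-18T09:30:05Z' }
    [pscustomobject]@{ id = 'a1';   firstEventTime = '2025-02-18T08:58:00Z'; alertCreationTime = '2025-02-18T08:58:10Z'; lastUpdateTime = '2025-02-18T09:31:00Z' }  # a1 updated later
)

# Simulated service clock: only records whose lastUpdateTime is <= $script:Now are visible.
$script:Now = [datetime]'2025-02-18T09:02:00Z'
$fakeFetch = {
    param([datetime]$Since)
    $sample | Where-Object { [datetime]$_.lastUpdateTime -ge $Since -and [datetime]$_.lastUpdateTime -le $script:Now }
}

$seen = @{}
$r = Get-AlertsSince -Fetch $fakeFetch -Watermark ([datetime]'2025-02-18T08:50:00Z') -Seen $seen
"poll 1 at 09:02: $($r.Alerts.id -join ', ')"

$script:Now = [datetime]'2025-02-18T09:35:00Z'   # the next poll ran 33 minutes late
$r = Get-AlertsSince -Fetch $fakeFetch -Watermark $r.Watermark -Seen $seen
"poll 2 at 09:35: $($r.Alerts.id -join ', ')"

$r = Get-AlertsSince -Fetch $fakeFetch -Watermark $r.Watermark -Seen $seen
"poll 3 at 09:35: $($r.Alerts.id -join ', ')"
```

The first poll only finds a1; the second, although it ran half an hour late, finds both the late-reported alert and a1's later update, because the window starts at the watermark rather than at "now minus two minutes"; the third re-reads the overlap but reports nothing, since both records are already in `$Seen` at the same update time. Persist `$Seen` and the watermark between runs, and trim `$Seen` of entries older than the overlap so it does not grow without bound.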
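For the "Get-MpComputerStatus output is blank" and "RTP Disabling Issue" posts above, this added example (not code from either poster) gathers in one place the facts that usually decide both questions: whether the Defender AV feature and service are actually present, what `Get-MpComputerStatus` reports for running mode and tamper protection, and which policy values are set. The registry paths are the documented Defender policy and tamper protection locations; the interpretation in the two warnings at the end is this example's own and is marked as such. Run it in an elevated PowerShell session on the affected server.

```powershell
# Added example, not code from the original posts. Collects the state needed to
# explain an empty Get-MpComputerStatus and an RTP setting that a GPO cannot change.

function Get-DefenderAvState {
    [CmdletBinding()]
    param()

    $s = [ordered]@{}

    # On Windows Server the Get-Mp* cmdlets return nothing when the
    # Windows-Defender feature is not installed, so establish that first.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
        $s.FeatureInstalled = if ($feature) { [bool]$feature.Installed } else { 'unknown' }
    } else {
        $s.FeatureInstalled = 'unknown (ServerManager module not available)'
    }

    # WinDefend is the Defender Antivirus service; Sense is the MDE EDR sensor.
    foreach ($name in 'WinDefend', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $s["Service_$name"] = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    }

    # One status query, keeping only the fields that matter for these two problems.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $s.StatusReturned = [bool]$status
    if ($status) {
        $s.AMRunningMode             = $status.AMRunningMode        # e.g. Normal, Passive Mode, EDR Block Mode
        $s.AntivirusEnabled          = $status.AntivirusEnabled
        $s.RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        $s.IsTamperProtected         = $status.IsTamperProtected
    }

    # Policy values that commonly explain the observed state (absent means not set).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $s.PolicyDisableAntiSpyware        = (Get-ItemProperty -Path $pol -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    $s.PolicyDisableRealtimeMonitoring = (Get-ItemProperty -Path "$pol\Real-Time Protection" -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    $s.ForceDefenderPassiveMode        = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
    # The value the RTP post observed (5 on the tamper-protected server).
    $s.TamperProtectionRegValue        = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection

    [pscustomobject]$s
}

$state = Get-DefenderAvState
$state | Format-List

# Interpretation (this example's reading of the documented behaviour, not output of any cmdlet).
if (-not $state.StatusReturned) {
    Write-Warning "Get-MpComputerStatus returned nothing. FeatureInstalled=$($state.FeatureInstalled), WinDefend=$($state.Service_WinDefend). A product that keys on AntivirusEnabled will read 'not enabled' until the feature is installed and the service is running."
}
if ($state.IsTamperProtected -and $state.RealTimeProtectionEnabled -and $state.PolicyDisableRealtimeMonitoring -eq 1) {
    Write-Warning 'Tamper protection is on, so a GPO setting DisableRealtimeMonitoring=1 is not honoured. Change the setting through a channel tamper protection trusts (Intune / the Defender portal) or turn tamper protection off for that device first.'
}
```

Read `StatusReturned`, `FeatureInstalled` and `Service_WinDefend` together for the blank-output case: a third-party product that wraps `Get-MpComputerStatus` cannot distinguish "feature missing" from "AV disabled", so confirming the feature and service before trusting `AntivirusEnabled` avoids chasing the wrong cause. For the RTP case, `IsTamperProtected` is the first value to check, because tamper protection is designed to ignore policy-driven changes to real-time protection, which is exactly the symptom of a GPO that appears not to apply.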