Latest Discussions
No Automated Investigation Triggered for High Severity Incident

Hi Community, I've noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: How Automated Investigation Starts.

Details:
- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.

Questions:
- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?

Your insights and suggestions would be greatly appreciated! Thank you.

Posted by Marnik, Apr 17, 2025

Linux (Ubuntu 22.04) Discovered Vulnerabilities/Missing Security Updates

Hello, we have Defender for Endpoint P2. The server is reporting as correctly enrolled. Everything MDE is updated. Full and quick scans are completed. Software inventory is complete. No weaknesses / no vulnerable components reported. No discovered vulnerabilities. No missing security updates. Licence issue/installation issue... any hints where I could look? Thanks

Posted by ChristopheHumbert, Apr 16, 2025

MPScanSkip error codes

From the MPScanSkip log file, does anyone know what these error codes are?

C:\ProgramData\Microsoft\Windows Defender\Support\MPScanSkip-xxxxxxxx-xxxxxx.log

    OnDemandScan skipped or partial scan for [filepath]. Reason [Scan Error]. Error Code [80500021]
    OnDemandScan skipped or partial scan for [pid:xx]. Reason [Scan Error]. Error Code [8050012b]
    OnDemandScan skipped or partial scan for [process]. Reason [Scan Error]. Error Code [8050007b]

Posted by Chandra_Sathyanarayana, Apr 15, 2025

Can I use Microsoft Defender for Endpoint for CIS benchmark assessment

Hi Team, I have a customer who wants to do a CIS benchmark assessment (CIS Microsoft Windows Server Benchmarks) for on-prem Windows 2022 servers. Can we use Microsoft Defender for Endpoint to do it? What's the prerequisite? E5 and Arc onboarding? Thank you. Regards, Huaye

Posted by Huaye, Apr 14, 2025 (Solved)

Device Health Status

We have recently been onboarding Server 2019 into Defender. We are using the standard WindowsDefenderATPOnboardingScript.bat file that is available to perform the onboarding. When running the .bat file, it reports back that it ran successfully. After a few hours the servers showed up on the MDE site. However, they are not showing green health check marks for the following options in MDE under Overview > Device health status: Security intelligence, Engine, and Platform are all greyed out. I have run the MDE analyzer tool on multiple servers reporting like this and the report returns successful results. PowerShell commands also confirm devices are updating. Why do I have some devices that have all "green" vs "greyed out" states? Sensor status for each of these is healthy also. This also applies to persistent servers and our Citrix application servers. For Citrix application servers we do not onboard the golden image and we are using the standard PS onboarding implementation there.

Posted by mooneytech2025, Apr 10, 2025

Microsoft Defender for Endpoint Security (STIG) Microsoft Challenge' of Debugging WinForms Designer

Microsoft Defender for Endpoint Security Technical Implementation Guide (STIG) for review. Microsoft Defender for Endpoint Security Technical Implementation Guide (STIG) for review as per: Daily intelligence Brief p802 (Final). Microsoft Plugs Away at 'Huge Technical Challenge' of Creating Debugging WinForms Designer on .NET Core. It's very basic for me, like kindergarten stuff, hey get me on an international Microsoft advertisement commercial enterprise or something? Come on, my 20 year National security assignment is nearly over, lunch anyone, & I'm as rich as Bill Gates, say Hi to Avi for me, Presadi has a long history of being a big **bleep**

Posted by nicespec, Apr 09, 2025

Discovering options such as adding device groups in Defender

Hello everyone, I'm just discovering options such as device groups, and I would like to learn how to set them up correctly. Let me know if I understand it correctly: the option is meant to separate important and less important devices. What are the recommendations for important ones like servers and for less important ones like standard user workstations? What level of remediation is there if it's not enabled? Does it need to be set up at all? Thanks!

Posted by CyberKing, Apr 09, 2025

Duplicate alerts generated when unsanctioned app is accessed

We use Defender for Endpoint and also sanction/unsanction cloud applications in Defender. When an unsanctioned application is blocked we get two alerts generated for it: one titled "Connection to a custom network indicator" and a second "Unsanctioned cloud app access was blocked". We expect and want only one of these alerts, but can't seem to find the correct area to edit the policy for "Unsanctioned cloud app access was blocked", and editing "Connection to a custom network indicator" seems to require editing alert settings for each indicator. Maybe there is a better way for the latter one.

Connection to a custom network indicator: When an application is unsanctioned, it creates a custom indicator which is further viewable at Defender > System > Settings > Endpoints > Rules > Indicators > URLs/Domains. The Application column displays the cloud app which was unsanctioned, and the alert with title "Unsanctioned cloud app access was blocked" for each indicator can be further edited from this area. This would be one place we can turn off these alerts, but we are hoping there is a bulk edit or a global setting to not create these alerts when a cloud app is unsanctioned. This is the alert policy/rule we would like to turn off and not have created automatically for each unsanctioned cloud app. Is there a setting to disable automatic creation of these alerts with each new unsanctioned cloud app?

Unsanctioned cloud app access was blocked: Only severity can be changed for these alerts, as far as I can find, under Settings > Cloud apps > Cloud Discovery > Microsoft Defender for Endpoint. That is okay, as this is the preferred alert that we would like to retain.

Posted by VOatMH1265, Apr 08, 2025

Can't Access Defender Because I Haven't Activated Defender

Company portal tells me I need to install and activate MS Defender. I've installed it, but when I open Defender and sign in, it just tells me I need to "Install and activate Microsoft Defender for Endpoint to protect your devices," which is exactly what the company portal tells me and doesn't help me at all. I've tried clearing the app cache and data and restarting the device, but it doesn't change anything. I think it's not considered active because I haven't granted it all the required permissions, but I'm not sure what it's missing without the walkthrough that Defender is supposed to give me for adding all perms. I've added a few of the ones it needs manually (file access, display over other apps, notifications), but that hasn't fixed the issue. I believe there's some VM setup required, which I haven't been able to do manually. Tried asking on the Microsoft Community but was redirected here.

Posted by LarissaCox, Apr 08, 2025