Latest Discussions
Automate bulk-import of file with IP addresses to block

We use SOAR to build a block-file containing IP addresses we want to block. We can place this file on a network share, sftp, or "wherever". Is it possible for us to instruct Defender to read this file automatically, instead of Some User (tm) having to upload it manually in the security center?

Solved | CommanderNorton | Mar 05, 2025 | Copper Contributor | 16 Views | 0 likes | 1 Comment

Understanding Advanced hunting results

Is anyone able to break down the SourceApp values in detail? In particular, what is "ms-fluid_component"? I have a Form that a user created but they're not sure how. I run it through Advanced hunting in Microsoft Defender & it returns "SourceApp":"ms-fluid_component". What is this? Thanks

Solved | JRodwell | Feb 14, 2025 | Copper Contributor | 49 Views | 0 likes | 3 Comments

Blocking in Vulnerability Management triggers full scan in Defender.

Over the last couple of weeks our users have been complaining about their computers being slow as molasses - we observed Defender was running a full scan after every reboot. Reviewing event logs we were eventually able to pin down the root cause - a while back we introduced a Block remediation for a vulnerable version of 7-Zip. It turned out that the driver updates delivered via Dell Command Update are internally using an older version of 7-Zip for the file extraction, and were being blocked every time the driver installation retry attempt occurred (which seems to be at every reboot...). Removing the block remediation in Vulnerability Management resolved the issue. While having our driver updates being blocked is somewhat of a nuisance, the repeated full scans had a severe impact on our productivity. Does it even make sense for Defender to do a full scan for a detected "Enterprise Unwanted Software"? Are there options to tweak this (apparently) default behavior to skip the (full) scan for certain categories?

Solved | Vibbers | Feb 04, 2025 | Brass Contributor | 81 Views | 0 likes | 3 Comments

Failed to create object ID in Intune for new onboarded device.

We are deploying Defender for Cloud with XDR onboarding. We are implementing Defender policy with the Intune enforcement setting, and everything is working for 98% of devices as well. But for some devices, like Arc enabled machines, even after going through each step of the Microsoft troubleshooting documentation, the devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in the MDEclient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But when a device fails this process, we have no solution even after re-onboarding.

Solved | EtienneFiset | Nov 07, 2024 | Brass Contributor | 73 Views | 0 likes | 2 Comments

MDE disable or uninstall

Hello All, We have onboarded devices to MDE in a setup as follows:
1. Onboard devices to Entra as hybrid Entra joined devices
2. Sync/Enroll devices to Intune from on-premise SCCM through co-management config.
3. Onboard devices to MDE from Intune through EDR policy.
Once the devices are onboarded, how can we do the following:
1. Disable DFE on a device (to disable protection while troubleshooting. Can we just stop the services?)
2. Uninstall DFE from a device (offboarding through a script would also remove all the policies applied to the device immediately?)
Please guide.

Solved | drivesafely | Nov 02, 2024 | Brass Contributor | 2.2K Views | 0 likes | 4 Comments

Anyone else not able to download cloud-delivered test file?

The test file for cloud-delivered protection seems to not be accessible anymore: https://aka.ms/ioavtest ref: https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection#scenario Is someone able to confirm this (and report the issue to MSFT)?

Solved | Marnik | Oct 24, 2024 | Brass Contributor | 217 Views | 0 likes | 1 Comment

Recommendations for MDE for small organization?

Hello. I'm investigating how we might best roll out MS Defender for Endpoint to our small organization of about 30 people. Environment:
- 30 users with O365 (A3) and MDE (P2) licenses
- distributed, unmanaged, self-supported, mixed OS (Win, Mac) machines - effectively BYOD using Word, Outlook, SharePoint, etc.
- no Azure/Entra Premium nor Intune licenses (devices are all "registered" or "joined" in Entra, but cannot create dynamic device groups)
After much reading, it sounds as though if we do not have an Azure/Entra P1/P2 license we cannot take advantage of automated MDE onboarding through Intune. It seems as though the only practical way of deploying MDE in our current, unstructured, mixed environment is by using the manual, locally-installed onboarding script, which is not recommended for more than 10 machines. To sum up the issue, our users have O365 for the productivity tools, but their machines are not actively organized or managed using the MS domain/AD infrastructure. I'd like to make their machines more secure and have more visibility into what's happening from a security point of view using MDE. Any thoughts on the best way forward for our small organization (with an even smaller IT department)? Should we get an Azure/Entra license and build some more AD/Domain structure? Should we not bother with MDE if we're not going to move to managed machines for everyone? Are there better MDE onboarding options for small orgs? I've done a lot of searching for documentation on similar scenarios, but haven't found much. Any pointers to docs/case studies would be much appreciated! Thanks! Dave

Solved | dshaykewich | Oct 21, 2024 | Copper Contributor | 194 Views | 0 likes | 1 Comment

Microsoft Defender for Business - incidents automatically created

Good afternoon, I wonder if someone can answer whether incidents are automatically created for alerts in the Defender portal for Defender for Business for identities and risky users? Thank you in advance.

Solved | stade1655 | Oct 18, 2024 | Copper Contributor | 217 Views | 0 likes | 2 Comments

non-MS AV Product

If MDE status is Passive, what device events can I expect in the Advanced hunting tables in Defender Advanced Hunting? Looking to see if specific events like CredGuard, DeviceGuard, LSA and a wide array of other security events will be captured in passive mode? Or do I need to switch over to MS AV to get these events from endpoints?

Solved | logger2115 | Oct 09, 2024 | Brass Contributor | 1K Views | 0 likes | 9 Comments

Microsoft defender for endpoint

Hi, I would like to know if there is any possibility of an on-premises installation of Defender for Endpoint, meaning without internet connectivity. One of our sites has this special requirement to install Microsoft Defender for Endpoint on a completely isolated system. If possible, what licenses should I have to order? Thanks in advance.

Solved | Azu1976 | Oct 01, 2024 | Copper Contributor | 806 Views | 0 likes | 2 Comments