Segregation of views for different sub-companies

I am in a group of companies and, due to various legal reasons, they are not allowed to see each other's data, but we are all part of the same Azure tenant and Active Directories. So I want to use the identity sensor and have it feed data into DFI, but I want to give the IT teams from the different companies access to ONLY their own data and also allow them to do investigations on only their own users. How can I do this segregation within Defender?

DunfieldMark, Apr 27, 2025

Defender for Identity Certificate Requirements
One of the required certificates for the MDI sensor to run is this certificate:

    Subject      : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Issuer       : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Thumbprint   : D4DE20D05E66FC53FE1A50882C78DB2852CAE474
    FriendlyName : DigiCert Baltimore Root
    NotBefore    : 5/12/2000 11:46:00 AM
    NotAfter     : 5/12/2025 4:59:00 PM
    Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

It expires in a little over 2 weeks. I still see it listed as required here: https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues Does anyone know if that requirement will be going away and/or if the certificate will be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches, so I apologize if this has been covered already. Thanks.

I_tried, Apr 25, 2025

Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?

starman2heven, Apr 15, 2025

KQL query to check tri.sensor for MDI
I was looking for a query to run to check that all the deployed MDI sensors are running successfully. I have reviewed the 3 Identity tables listed within the Monitor > Logs table schema but am unable to find the right query. Please let me know if any other information is needed. Cheers, Serge

SergioT1228, Apr 14, 2025

ATP sensor fails to start since yesterday
Hi there, we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day, and now the ATP sensor gets stuck while starting. Funny: there are more than 40 DCs. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error. Rebooting the machines will not help.

    2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True]
    2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False]
    2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local]
    2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ]

We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday. Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. I have checked that the mdiuser account is part of the GPO that allows logon as a service on all machines. Now I am running out of ideas. The system tells me it can access the gMSA password; the agent tells me it can't. What's wrong? Best regards, Ingo

ingo-boettcher, Mar 28, 2025

MDI Activation vs. Manual/Scripted Install.
Hi, we recently noticed the new 'Activation' feature MDI added with MDE in our portal (https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities), and we're very interested in the capabilities, but concerned about one thing the documentation states. In the documentation, it says that the activation is just the 'core' protections, while the installer package is a more robust defense. I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities, etc., before we go through with preferring one method to the other. Thanks!

dhorne25, Mar 18, 2025 (Solved)

ATP Sensor will not install on Windows 2016
Environment: Windows Server Standard 2016, vSphere 7.x, hardware requirements met, .NET Framework 4.8. We have 4 Windows Server 2016 Domain Controllers that all experience the exact same error that prevents us from installing the downloaded classic sensor. I have tried rebooting, run as admin, upgrading .NET Framework (from 4.7 to 4.8), etc. This occurs on all 4 DCs that are 2016. We have successfully installed on the 2019 DCs. I have searched online for this error, but all suggested fixes are Visual Studio related and I don't think it applies to our situation.

    "Error DeploymentManager ShowErrorMessage System.IO.FileLoadException: Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)"

ChristianT, Mar 17, 2025

User + Server exclusions
Following a recent deployment of Advanced Threat Analytics (ATA), my client is getting "Remote execution attempt detected" alerts for their Veeam backup service account against several servers. This is a known service account and they would like to exclude the alert for this activity for just this user account. However, ATA only provides an option to exclude the server. Do we know if providing the ability to exclude both a specific user and server is on the ATA roadmap?

Rob Kennedy, Mar 11, 2025

Blocking TCP 3389 - issues?
There is a strong push here to block RDP over part of our network. MSDI uses 3389 for name resolution. In what order does MSDI use the three available methods for name resolution: TCP 135 (NTLM), UDP 137 (NetBIOS) and TCP 3389 (RDP)? We are currently seeing a lot of 3389 network traffic from the MSDI sensors to clients. TIA.

tonywvincent, Mar 07, 2025