Forum Discussion
2012R2 not Reporting Test Alerts (Eicar/Powershell)
Hi,
I'm currently running a POC for MS Defender for Endpoint on Servers:
* Windows Server 2012R2, 2016, 2019
* Outbound communications:
  * 2019 uses a special proxy for telemetry data
  * 2012R2 and 2016 use an OMS gateway (no telemetry)
* 2012R2 has SCEP installed
* Updates are applied by WSUS
ISSUE:
When I create an EICAR file on a 2012R2 it's detected and quarantined. I see the file creation in the timeline in Security.microsoft.com, but I get no alert and no indication that it's an EICAR file.
With 2016 and 2019 it works as expected.
Any ideas why?
Had an MS Technical Specialist and a PFE on the phone today discussing the situation with our 2012R2 servers. Thanks to you 2 😉
MAPS does not use the Monitoring Agent over the OMS Gateway to the Security Center.
You definitely need a proxy to be configured in order to get MAPS working with security.microsoft.com.
Sum up:
- Server 2019 needs telemetry to be configured; OMS Gateway won't work
  - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service: set it to Enabled and select Disable Authenticated Proxy usage.
  - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry: configure the proxy
  - If outbound firewalling applies, check what communicates
- Server 2016
  - Configure Monitoring Agent with WorkspaceID and WorkspaceKey using OMS Gateway as the proxy (or the winhttp proxy)
  - Windows Components\Windows Defender: set the winhttp proxy here so that MAPS has full functionality ("Define proxy server for connecting to the network"). In my case I got alerts even if I didn't configure it, but in order to test MAPS you should configure it.
  - Test MAPS: https://demo.wd.microsoft.com/Page/CloudBlock
- Server 2012R2
  - Install SCEP
  - Configure Endpoint Protection with the following ADMX like Defender: https://docs.microsoft.com/de-de/mem/configmgr/protect/deploy-use/endpoint-protection-group-policies
  - Configure Monitoring Agent with WorkspaceID and WorkspaceKey using OMS Gateway as the proxy (or the winhttp proxy)
  - Windows Components\Windows Defender: set the winhttp proxy here to get alerts in the Security Center ("Define proxy server for connecting to the network")
  - Test MAPS: https://demo.wd.microsoft.com/Page/CloudBlock
  - Connectivity check: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls
- PeDeBrass Contributor
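An added read-back script (not from the thread or from Microsoft) that checks, on one server, the three proxy paths the summary above distinguishes: the AV/MAPS policy proxy, the telemetry proxy, and the Monitoring Agent's OMS Gateway proxy. Assumptions: the SCEP policy key under "Microsoft Antimalware" is the one the linked Endpoint Protection ADMX writes, and Get-MpPreference may be missing on a SCEP-only 2012R2 host, so it is skipped when absent.

```powershell
# Added example: read back proxy/MAPS settings before re-running an EICAR test.
# Run in an elevated PowerShell on the server under test (PS 4+ for 2012R2).
$results = [ordered]@{}

# 1. "Define proxy server for connecting to the network" (what MAPS lookups use).
#    Assumption: SCEP stores the same policy under the Microsoft Antimalware key.
$avKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
          'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$results['AV ProxyServer'] = ($avKeys | ForEach-Object {
    (Get-ItemProperty -Path $_ -Name ProxyServer -ErrorAction SilentlyContinue).ProxyServer
} | Where-Object { $_ }) -join ', '

# 2. Telemetry proxy and authenticated-proxy setting (the Server 2019 path).
$dc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                       -ErrorAction SilentlyContinue
$results['TelemetryProxyServer']       = $dc.TelemetryProxyServer
$results['DisableEnterpriseAuthProxy'] = $dc.DisableEnterpriseAuthProxy   # 1 = auth proxy disabled

# 3. Machine-wide WinHTTP proxy, the fallback when no policy proxy is set.
$results['WinHTTP proxy'] = (netsh winhttp show proxy |
    Where-Object { $_ -match 'Proxy Server|Direct access' }).Trim() -join ' '

# 4. Monitoring Agent (MMA) workspaces and proxy (the 2012R2/2016 OMS Gateway path).
try {
    $mma = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $results['MMA proxy']      = $mma.proxyUrl
    $results['MMA workspaces'] = ($mma.GetCloudWorkspaces() | ForEach-Object {
        "$($_.workspaceId) status=$($_.ConnectionStatus)" }) -join '; '
} catch { $results['MMA'] = 'agent not installed' }

# 5. MAPS membership as the engine sees it (cmdlet present on 2016+; assumption:
#    may be absent with SCEP on 2012R2, so skip rather than fail).
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $mp = Get-MpPreference
    $results['MAPSReporting (0=off,1=basic,2=advanced)'] = $mp.MAPSReporting
    $results['SubmitSamplesConsent']                      = $mp.SubmitSamplesConsent
}

$results.GetEnumerator() | Format-Table -AutoSize

# The thread's point: the OMS Gateway carries agent data only, not MAPS lookups.
if (-not $results['AV ProxyServer'] -and $results['WinHTTP proxy'] -match 'Direct access') {
    Write-Warning 'No AV policy proxy and no WinHTTP proxy: MAPS lookups go direct; ' +
                  'if outbound 443 is filtered, EICAR detections will not surface as alerts.'
}
```

A server that shows MMA workspaces connected but an empty AV ProxyServer and "Direct access" reproduces the situation in the question: the agent path is fine, the MAPS path has no route out.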