PeDe
Jul 27, 2021
Solved

2012R2 not Reporting Test Alerts (Eicar/Powershell)

Hi, I'm currently running a POC for MS Defender for Endpoint on Servers * Windows Server 2012R2, 2016, 2019 * Outbound Communications    2019 uses a special proxy for Telemetry-Data    2012R2 and ...
  • PeDe
    Jul 29, 2021

    Had a MS Technical Specialist and a PFE on the phone today discussing the situation with our 2012R2 servers. Thanks to you 2 😉
    MAPS does not use the Monitoring Agent over the OMS-Gateway to the securitycenter.
    You definitely need a proxy to be configured in order to get MAPS working with security.microsoft.com.

    Sum Up:

    • Server 2019 needs telemetry to be configured; OMS Gateway won't work
      • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service 
        Set it to Enabled and select Disable Authenticated Proxy usage.
      • Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry:
        Configure the proxy
      • If outbound firewalling applies, check what communicates
    • Server 2016
      • Configure Monitoring Agent with WorkspaceID and Workspacekey using OMS-Gateway as the Proxy (or the winhttp proxy)
      • Windows Components\Windows Defender: set the winhttp proxy here so that MAPS has full functionality ("Define proxy server for connecting to the network"). In my case I got alerts even if I didn't configure it, but in order to test MAPS you should configure it.
      • Test MAPS: https://demo.wd.microsoft.com/Page/CloudBlock
    • Server 2012R2
      • Install SCEP
      • Configure Endpoint Protection with the following ADMX, like Defender: https://docs.microsoft.com/de-de/mem/configmgr/protect/deploy-use/endpoint-protection-group-policies
      • Configure Monitoring Agent with WorkspaceID and Workspacekey using OMS-Gateway as the Proxy (or the winhttp proxy)
      • Windows Components\Windows Defender: set the winhttp proxy here to get alerts in the Security Center ("Define proxy server for connecting to the network")
      • Test MAPS: https://demo.wd.microsoft.com/Page/CloudBlock
    • Connectivity Check: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls
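
A read-only way to confirm on each server that the proxy policies from the summary above actually landed in the registry, as an added PowerShell example that is not part of the original post. The registry locations are the ones these Group Policy settings are known to write; the SCEP key for 2012R2 is an assumption to verify against the SCEP ADMX.

```powershell
# Added example (not from the original post): read-only report of the proxy
# policies named in the summary. Nothing is changed on the machine.
$checks = @(
    # Server 2019: "Configure connected user experiences and telemetry"
    @{ Setting = 'Telemetry proxy (2019)'; Name = 'TelemetryProxyServer'; Expected = $null
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' },
    # Server 2019: "Disable Authenticated Proxy usage" is stored as 1
    @{ Setting = 'Disable authenticated proxy (2019)'; Name = 'DisableEnterpriseAuthProxy'; Expected = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' },
    # Server 2016: "Define proxy server for connecting to the network"
    @{ Setting = 'Defender proxy for MAPS (2016)'; Name = 'ProxyServer'; Expected = $null
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' },
    # Assumption: SCEP on 2012R2 stores the same setting under this key.
    @{ Setting = 'SCEP proxy (2012R2)'; Name = 'ProxyServer'; Expected = $null
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -eq $value) { $state = 'not set' }
    elseif ($null -ne $c.Expected -and $value -ne $c.Expected) { $state = "expected $($c.Expected)" }
    else { $state = 'ok' }
    [pscustomobject]@{ Setting = $c.Setting; Value = $value; State = $state }
}
$report | Format-Table -AutoSize

# WinHTTP proxy, the alternative to the OMS-Gateway mentioned for the Monitoring Agent
netsh winhttp show proxy
```

Rows that belong to a different OS version than the machine being checked will show "not set"; only the rows for that server's version matter.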