mekkelek
Dec 05, 2024

Device onboarded successfully, but alerts are not showing up in the portal

Hi!

I am trying to set up a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender Portal.

And everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), then the local antivirus catches it, but nothing is showing up on the portal in the Incidents & Alerts menu. What is even stranger is that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay.

I have tried the following things so far:

  • On the Alerts listing page, there is no filter set, so everything should be visible
  • In the Alert service settings I set 'All alerts'
  • I have run the MDEClientAnalyzer script, it didn't find anything suspicious
  • I checked the local Event logs on the VM, and there is nothing suspicious there either
  • The devices are also enrolled in Intune, I created an Antivirus policy there with the default values and also a Security baseline

Additional info that might be useful:

  • The Windows VMs are untouched, there isn't any other third party antivirus software installed.
  • The onboarding detection script provided on the portal is unsuccessful as well (No alerts show up)
  • On the Defender portal, on the device's page, the result of Security scans are visible normally though
  • The devices are enrolled in Intune with Windows Autopilot with the Hardware hash method.
  • Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though, is that when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though, if I am correct, Intune is included in the developer license, and practically speaking I am also able to use it.

Do you have any idea what I am missing? Alerts should work out of the box theoretically😅..
Thank you for your help in advance,
Adam

  • ArthurS1790

    Defender logs not complete and still opened, and notifications happen on the desktops action center not linked to any users VM
