Forum Discussion
mekkelek
Dec 05, 2024 - Copper Contributor
Device onboarded successfully, but alerts are not showing up in the portal
Hi!
I am trying to set up a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender Portal.
And everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), then the local antivirus catches it, but nothing is showing up on the portal in the Incidents & Alerts menu. What is even more strange is that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay.
I have tried the following things so far:
- On the Alerts listing page, there is no filter set, so everything should be visible
- In the Alert service settings I set 'All alerts'
- I have run the MDEClientAnalyzer script, it didn't find anything suspicious
- I checked the local Event logs on the VM, and nothing suspicious there either
- The devices are also enrolled to Intune, I created an Antivirus policy there with the default values and also a Security baseline
Additional info that might be useful:
- The Windows VMs are untouched, there isn't any other third-party antivirus software installed.
- The onboarding detection script provided on the portal is unsuccessful as well (No alerts show up)
- On the Defender portal, on the device's page, the result of Security scans are visible normally though
- The devices are enrolled to Intune with Windows Autopilot with the Hardware hash method.
- Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though, is that when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though, if I am correct, Intune is included in the developer license, and practically speaking I am also able to use it.
Do you have any idea what I am missing? Alerts should work out of the box theoretically 😅.
Thank you for your help in advance,
Adam
- ArthurS1790, Copper Contributor
Defender logs not complete and still opened, and notifications happen on the desktop's Action Center not linked to any user's VM