I know Defender in general is extra user friendly but for the Defender for endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training videos I have watched tells me I have to put the devices in a Device group in settings and set a remediation level. I didn't set it up and it still seems to quarantine unwanted software or malicious software. Can someone why the device group and remediation level are necessary?

Hi,In our scenario we started with Desktops & Server groups with full auto remediation on Desktops and only partial on Servers. Then due to deleted devices being stuck in Defender for at least 30 days we created a Deleted Tag and Group so I could filter them out of our security score and vulnerability exposure score.Over time we ended up splitting the server groups into two so Critical Services and Non-Critical services had different remediation options. This was just done as a precaution as we wanted to removed the risk of an automatic remediation causing any issues (critical servers are set as "Semi - Require approval for core folders")

Hey thanks for responding. So does that mean if I don't put machines into a device group, Defender won't automatically take actions on alerts? Do you know what would happen if I deploy Defender to machines but not put them in a device group? Just trying to understand the difference between setting up a device group & setting remediation level and leaving Defender as it is after deploying.Thanks

All devices land in the "undefined" group by default (i.e. without any other grouping rules) so if you ensure that group is set to "no automated response" it does nothing. Alternatively you can set undefined to your preferred automation level.If you decide to create Groups its up to you to define a filter and set the automation response (e.g. none, 2x semi option or full).

GaryCutri Hey thanks again for responding and I appreciate the help. The device group "1" in the screenshot below is the device group I made and I added most devices in there. The group below that got created after i created "1".The screenshot below is a different environment with different devices. I did not create any device group there. I do not see a default "undefined" group though. Is it supposed to be like this and the devices are in the undefined group by default without automated response turned on?

From your feedback the undefined/ungrouped is only created now when the first custom group is added. I just double checked another customer who isn't using groups and I can confirm the same state as your second screenshot. I added groups back when the feature was first made so either the process has changed slightly or my memory is fading.I do recall the reason I started using groups was detections went into a pending action state and I needed selected devices to automatically action threats.As per my first post I believe you should at minimum define desktops and servers. We used a "Deleted" tag to add removed devices into a separate group so when looking at the security score or threat management dashboard we can filter out deleted devices. In short using tags is an easy way to add devices to custom device groups but please note these group rules need to be above groups that are defined by OS/bud etc only.

Microsoft Defender for Endpoint Device group question

11 Replies

GaryCutri
Copper Contributor
Aug 08, 2021
Hi,

In our scenario we started with Desktops & Server groups with full auto remediation on Desktops and only partial on Servers. Then due to deleted devices being stuck in Defender for at least 30 days we created a Deleted Tag and Group so I could filter them out of our security score and vulnerability exposure score.

Over time we ended up splitting the server groups into two so Critical Services and Non-Critical services had different remediation options. This was just done as a precaution as we wanted to removed the risk of an automatic remediation causing any issues (critical servers are set as "Semi - Require approval for core folders")
- tk298
  Copper Contributor
  Aug 08, 2021
  Hey thanks for responding. So does that mean if I don't put machines into a device group, Defender won't automatically take actions on alerts? Do you know what would happen if I deploy Defender to machines but not put them in a device group? Just trying to understand the difference between setting up a device group & setting remediation level and leaving Defender as it is after deploying.
  
  Thanks
  - GaryCutri
    Copper Contributor
    Aug 08, 2021
    All devices land in the "undefined" group by default (i.e. without any other grouping rules) so if you ensure that group is set to "no automated response" it does nothing. Alternatively you can set undefined to your preferred automation level.
    
    If you decide to create Groups its up to you to define a filter and set the automation response (e.g. none, 2x semi option or full).

Forum Discussion

Microsoft Defender for Endpoint Device group question

11 Replies

Resources