Forum Discussion
tk298
Aug 08, 2021Copper Contributor
Microsoft Defender for Endpoint Device group question
I know Defender in general is extra user friendly but for the Defender for endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training vid...
GaryCutri
Aug 08, 2021Copper Contributor
Hi,
In our scenario we started with Desktops & Server groups with full auto remediation on Desktops and only partial on Servers. Then due to deleted devices being stuck in Defender for at least 30 days we created a Deleted Tag and Group so I could filter them out of our security score and vulnerability exposure score.
Over time we ended up splitting the server groups into two so Critical Services and Non-Critical services had different remediation options. This was just done as a precaution as we wanted to remove the risk of an automatic remediation causing any issues (critical servers are set as "Semi - Require approval for core folders").
tk298
Aug 08, 2021Copper Contributor
Hey thanks for responding. So does that mean if I don't put machines into a device group, Defender won't automatically take actions on alerts? Do you know what would happen if I deploy Defender to machines but not put them in a device group? Just trying to understand the difference between setting up a device group & setting remediation level and leaving Defender as it is after deploying.
Thanks
GaryCutri
Aug 08, 2021Copper Contributor
All devices land in the "undefined" group by default (i.e. without any other grouping rules) so if you ensure that group is set to "no automated response" it does nothing. Alternatively you can set undefined to your preferred automation level.
If you decide to create Groups it's up to you to define a filter and set the automation response (e.g. none, 2x semi option or full).
tk298
Aug 08, 2021Copper Contributor
Hey thanks again for responding and I appreciate the help. The device group "1" in the screenshot below is the device group I made and I added most devices in there. The group below that got created after I created "1".
The screenshot below is a different environment with different devices. I did not create any device group there. I do not see a default "undefined" group though. Is it supposed to be like this and the devices are in the undefined group by default without automated response turned on?