Forum Discussion
tk298
Aug 08, 2021Copper Contributor
Microsoft Defender for Endpoint Device group question
I know Defender in general is extra user friendly but for the Defender for endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training vid...
tk298
Aug 08, 2021Copper Contributor
Hey, thanks again for responding and I appreciate the help. The device group "1" in the screenshot below is the device group I made and I added most devices in there. The group below that got created after I created "1".
The screenshot below is a different environment with different devices. I did not create any device group there. I do not see a default "undefined" group though. Is it supposed to be like this and the devices are in the undefined group by default without automated response turned on?
GaryCutri
Aug 09, 2021Copper Contributor
From your feedback the undefined/ungrouped is only created now when the first custom group is added. I just double checked another customer who isn't using groups and I can confirm the same state as your second screenshot. I added groups back when the feature was first made so either the process has changed slightly or my memory is fading.
I do recall the reason I started using groups was detections went into a pending action state and I needed selected devices to automatically action threats.
As per my first post I believe you should at minimum define desktops and servers. We used a "Deleted" tag to add removed devices into a separate group so when looking at the security score or threat management dashboard we can filter out deleted devices. In short using tags is an easy way to add devices to custom device groups but please note these group rules need to be above groups that are defined by OS/bud etc only.
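The tag-based grouping described in the post above, as an added example that is not from this thread or from Microsoft's documentation samples: it applies a "Deleted" tag to a list of retired devices through the Defender for Endpoint API, so that a device group whose rule matches that tag can collect them. It assumes an Azure AD app registration that has been granted (and admin-consented for) the Machine.ReadWrite.All application permission, and that the tenant ID, app ID, secret and machine IDs are filled in; those placeholder values are assumptions. The group rule that matches the tag still has to be ranked above any group defined only by OS or similar attributes, because a device joins only the highest-ranked group whose rules match it.

```powershell
# Added example, not code from the forum post or from Microsoft.
# Tags decommissioned devices "Deleted" via the Defender for Endpoint API so a
# device group with a "tag = Deleted" rule can pick them up.
# Assumptions: an app registration with Machine.ReadWrite.All (admin-consented)
# and the placeholder values below replaced with real ones.
$TenantId  = '<tenant-id>'      # assumption: your Azure AD tenant GUID
$AppId     = '<app-id>'         # assumption: app registration (client) ID
$AppSecret = '<app-secret>'     # assumption: in real use read this from a vault

# Constructed sample input: machine IDs of devices already retired
# (the ID is the GUID-like string in the device page URL).
$RetiredDeviceIds = @('<machine-id-1>', '<machine-id-2>')

# 1. Client-credentials token for the Defender for Endpoint API resource.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $AppId
    client_secret = $AppSecret
    resource      = 'https://api.securitycenter.microsoft.com'
}
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# 2. Add the tag to each device. The same call with Action = 'Remove' reverses it.
#    The API returns the updated machine entity, including its current tag list.
foreach ($id in $RetiredDeviceIds) {
    $body = @{ Value = 'Deleted'; Action = 'Add' } | ConvertTo-Json
    $machine = Invoke-RestMethod -Method Post `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$id/tags" `
        -Headers $headers -Body $body
    '{0}  {1}  tags={2}' -f $machine.id, $machine.computerDnsName, ($machine.machineTags -join ',')
}

# 3. Verify: list every device that now carries the tag, so you can confirm the
#    group rule will match them before checking the group in the portal.
$tagged = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=Deleted'
$tagged.value | Select-Object id, computerDnsName, osPlatform, machineTags
```

For devices that are still online you can set the tag from the device itself instead of through the API: a REG_SZ value named `Group` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging` is reported to the service as a device tag. The API route above is the one that works for devices that no longer check in, which is the "Deleted" case the post describes.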
tk298
Aug 10, 2021Copper Contributor
Hi Gary,
Thanks for confirming that and also the tip. For the customer that isn't using groups, are things working properly for their Defender? Like alerts coming in, Defender handling alerts, etc.
Thanks!
GaryCutri
Aug 10, 2021Copper Contributor
The two customers I just checked with who have no groups have reported all alerts stop at "Pending action".
tk298
Aug 10, 2021Copper Contributor
Yeah, that makes sense and I was expecting that to happen. The screenshot below is another environment that does not have a device group set up. There is no device group or remediation level set up. Do you know why Defender might be remediating them automatically? Could it be because of a PUA policy? I didn't set that up, btw.