Forum Discussion
tk298
Aug 08, 2021, Copper Contributor
Microsoft Defender for Endpoint Device group question
I know Defender in general is extra user-friendly, but for Defender for Endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training vid...
tk298
Aug 10, 2021, Copper Contributor
Hi Gary,
Thanks for confirming that, and also the tip. For the customer that isn't using groups, are things working properly for their Defender? Like alerts coming in, Defender handling alerts, etc.
Thanks!
GaryCutri
Aug 10, 2021, Copper Contributor
The two customers I just checked with who have no groups have reported all alerts stop at "Pending action".
dakota_admin, Jan 19, 2022, Copper Contributor
I know this post is a bit old but thought I would add that the link below does confirm that after August 2020 all new tenants were set to Full Automation by default even without device groups with AIR levels set.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automation-levels?view=o365-worldwide#important-points-about-automation-levels
GaryCutri, Aug 15, 2021, Copper Contributor
I found some updated guides; step one is outlined below, and for step two it recommends setting up device groups.
Turn on automated investigation and remediation
1. As a global administrator or security administrator, go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
2. In the navigation pane, choose Settings.
3. In the General section, select Advanced features.
4. Turn on both Automated Investigation and Automatically resolve alerts.
GaryCutri, Aug 15, 2021, Copper Contributor
Based on your feedback, the default now is to auto-remediate for all. Historically many investigations were stuck at "pending action", and the groups were set up to ensure automation (or partial is required). I would still consider groups for servers and desktops, as we have had bad experiences with modern protection services on Windows Server. Even recently the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" killed an Azure AD Connect upgrade (the Azure AD Connect Health service uses an old installer), and the same happened during an Exchange 2019 upgrade. (As an FYI, you really need ASR rules to help protect against modern threats.)
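As an added example (not code from the thread, from Gary, or from Microsoft), the PowerShell below shows how an admin could check on a Windows Server which ASR rules are currently enforced, move only the prevalence/age/trusted-list rule into audit mode around an upgrade like the ones described above, or keep it blocking and exclude just the installer, then re-enable blocking and review what the rule logged. The rule GUID is the identifier Microsoft documents for that rule (verify it against the current ASR rule reference); the installer path is a placeholder. Run in an elevated session; settings pushed by Intune or Group Policy will overwrite local changes at the next policy refresh.

```powershell
# Added example: inspect and adjust the ASR rule that blocked the upgrades above.
# Requires an elevated session on a device running Microsoft Defender Antivirus.

# Documented ID for "Block executable files from running unless they meet a
# prevalence, age, or trusted list criterion". Confirm against Microsoft's ASR
# rule reference before relying on it.
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Action codes returned by Get-MpPreference:
# 0 = Disabled, 1 = Enabled (Block), 2 = AuditMode, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'AuditMode'; 6 = 'Warn' }

$pref = Get-MpPreference

# 1. List every configured ASR rule with its current mode.
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1}' -f $id, $ActionName[$action]
}

# 2. Before a known-noisy installer runs (e.g. an Azure AD Connect or Exchange
#    upgrade), switch just this rule to AuditMode: blocks are logged, not enforced.
#    Add-MpPreference adds or updates the entry for this GUID; Set-MpPreference
#    would replace the whole rule list, so avoid it for a single-rule change.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Alternatively, keep the rule in Block mode and exclude only the installer.
#    Placeholder path; substitute the real setup binary.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Install\AzureADConnect.msi'

# 4. After the upgrade, put the rule back into Block mode ...
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# ... and review what ASR blocked (1121) or would have blocked in audit (1122).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message
```

Auditing first and reading the 1122 events tells you which binary the rule would have stopped, so the exclusion in step 3 can be scoped to that one path rather than relaxing the rule fleet-wide; that is also the data you would use to decide whether the server device group needs a different ASR configuration from the desktop group.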
tk298, Aug 10, 2021, Copper Contributor
Yeah, that makes sense, and I was expecting that to happen. The screenshot below is another environment that does not have a device group set up. There is no device group or remediation level set up. Do you know why Defender might be remediating them automatically? Could it be because of a PUA policy? I didn't set that up, btw.