Forum Discussion
Microsoft Defender for Endpoint for Server isolation capability
For operating systems that use the Microsoft Monitoring Agent, isolation is not available.
- XPaulo, Jan 16, 2021, Copper Contributor
shoando So after some tests, you're right
I'm able to isolate 2019 Servers just as Windows 10. There is no need to install an agent
For Windows 2016, you need the MAM agent to get the events in your tenant.
Even though the GUI gives you the possibility to isolate a device or run an AV scan, it does not do anything. You see the actions pending in the action center and can't even undo them (as such, they remain greyed out after you click on them for that specific server).
- Apr 13, 2021
XPaulo I provided the same feedback already. The interface shows "start automated investigation" for all the supported operating systems, while it only works for the latest W10/W2019 releases. They should remove that action for unsupported devices to avoid confusion.
The next thing you see is that a suspicious investigation was noticed in the alert list ... 🙂
- Gurdev Singh, Apr 12, 2021, Iron Contributor
This is good information, as I am struggling to find a single official Microsoft doc that states that explicitly. All Microsoft documentation talks about how EDR is possible for older server platforms (2008/2012/2016) using the MMA agent. They should really clarify that it's only threat detection, not full EDR, as no response actions are possible with the MMA agent.
That would save people like us a few hours of wasted time and frustration.
- XPaulo, Dec 17, 2020, Copper Contributor
shoando Thanks for your input. OK, so 2016 needs the agent, but would it work for 2019, since AFAIU it is native in the OS? Am I correct?
- Dec 18, 2020
XPaulo 2016 and 2019 servers don't require the agent installation. This link should help you out with a clear overview of the server-side capabilities:
I hope it helps.
- XPaulo, Dec 18, 2020, Copper Contributor
daviddevosstars Thanks for your reply. Yes, I saw the article, but it is quite old and it does not mention anything about isolation. If I scroll down to the EDR functionality, which I would believe device isolation would be part of, then it does say that 2016 requires an agent. But then it's not clear which agent (MAM?), since I kind of understand that the MAM agent is a simple monitoring agent... so it's still not clear to me. And I'm not able to PoC or test this in any way... 😞