Forum Discussion

gshawNCC
Copper Contributor
Apr 21, 2023

Network Protection status in Advanced Hunting

Hi all,
We've been working through our server estate ensuring all devices are fully onboarded into MDE and using MDE Client Analyser + Advanced Hunting to get a "clean bill of health" across all the components making up the MDE configuration.
Using the DeviceTvmSecureConfigurationAssessmentKB schema I've added a couple of extra columns to the Endpoint Agent Health Status Report so it also shows the status of the Network Protection module.
ConfigurationId == "scid-96", "NetworkProtection",
What I've noticed though is a different reporting status depending on whether the OS is downlevel or 2019+, and I'm wondering if that's expected behaviour? In both cases MDE reports the Network Protection Service and Driver as running, plus it's configured in Block Mode.

  • 2019 onwards reports as GOOD
  • 2016 or 2012 R2 reports as N/A

On the downlevel OS I've been ensuring that these are set:
AllowNetworkProtectionDownLevel 1

AllowNetworkProtectionOnWinServer 1

EnableNetworkProtection 1
If you could confirm it'd be much appreciated so I can tick these off as done 🙂
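As an added example (not from the original post), here is an Advanced Hunting query that pulls the scid-96 assessment per device and joins the OS version and build from DeviceInfo, so the GOOD versus N/A split can be read off by OS build. The table and column names follow the published Advanced Hunting schema; mapping IsApplicable == 0 to "N/A" and IsCompliant == 1 to "GOOD" is an assumption about how the health report labels those states, not something the post confirms.

```kql
// Added example (not the original poster's query): Network Protection
// configuration assessment (scid-96, from the post) per device, with OS
// details, to check whether "N/A" lines up with downlevel builds.
let NetworkProtectionId = "scid-96";
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == NetworkProtectionId
// keep the latest assessment row per device
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, OSVersion, OSBuild, OnboardingStatus
  ) on DeviceId
// Assumed label mapping: not applicable -> N/A, compliant -> GOOD, else BAD
| extend NetworkProtectionStatus = case(
    IsApplicable == 0, "N/A",
    IsCompliant == 1, "GOOD",
    "BAD")
| project Timestamp, DeviceName, OSPlatform, OSVersion, OSBuild,
          OnboardingStatus, NetworkProtectionStatus, IsApplicable, IsCompliant, Context
| order by OSVersion asc, DeviceName asc
```

Appending `| summarize Devices = count() by OSVersion, NetworkProtectionStatus` gives the roll-up per OS version; if every N/A row sits on 2012 R2/2016 builds while IsApplicable is 0, the assessment is being skipped for those hosts rather than failing, which is a different question from whether the service and driver are running. On the downlevel hosts themselves, `Get-MpPreference` exposes the three values named above (EnableNetworkProtection, AllowNetworkProtectionOnWinServer, AllowNetworkProtectionDownLevel) for a local cross-check against what the report shows.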

2 Replies

  • Were Windows 2012 R2/2016 onboarded using the new unified agent instead of the MMA (Microsoft Monitoring Agent) way of onboarding?
    • gshawNCC
      Copper Contributor

      mohamedalishahul I did remove the original install on many of the servers in question as MDE was reporting some components not functioning (used the mdedownlevel script ./Install.ps1 -Uninstall to do it)

      I do see MMA still present in Add/Remove Programs, which I believe is normal. Do you think removing it would help resolve the reporting?