On April 6th we announced the public preview of Endpoint Discovery which enables Microsoft Defender for Endpoint to discover unmanaged workstations, servers and mobile devices, (Windows, Linux, macOS, iOS, and Android) on their business networks. Based on customer feedback we are switching the discovery functionality from a passive to active mode on Monday May 10th. This will enable Endpoint Discovery to automatically discover a more complete inventory of unmanaged endpoints.
With this change there are two matters that public preview customers may experience. The first is related to the discovery of a potentially much larger inventory of unmanaged endpoints. Those who are trialing Defender for Endpoint will notice this the most and are likely to see their Device Inventory grow from a small handful of unmanaged endpoints to 1000s or more depending on the size of their organization. A new Onboarding status column has been added to the Device Inventory view to help them differentiate between unmanaged and managed devices. Also filtering capabilities have been added if they wish to hide unmanaged devices from view.
The second issue customers may experience is when 3rd party threat detection and response systems (e.g.: EDR, NDR) are being used in concert with Defender for Endpoint. The active mode scanning may generate alerts in those systems. To prevent Defender for Endpoint’s active scanning from being detected as a threat customers can implement exclusions in any applicable 3rd party systems to ignore the scanning which has been carefully tuned to have negligible network impact. Information on how to configure the exclusion can be found here.
Thank you for your participation in the Defender for Endpoint pubic preview. More information about Endpoint Discovery can be found in the following resources: