ASR Device Control policy update registry conflict
Hi, I'm working with a customer who's rolling out DfE Device Control and we have come across some strange behaviour when changes to the groups and rules are made from the Intune ASR page. Reviewing the PolicyGroups and PolicyRules REG_SZ keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager shows that changes are appended to both keys, not replaced, creating an XML stream of legacy policies and groups. Is this expected behaviour? This creates new policy GUIDs each update, which makes it hard to know whether the new policy is active or not, and from testing does lead to long delays in devices becoming denied/allowed despite the changes being pulled down to these keys. Is there some way to determine the active policy GUID? The customer will need to semi-frequently add new USB drives to the allow group/policy, which from testing seems to work more reliably if you delete the 2 registry keys, run a sync, and try to access the drive than waiting for it to append the updated group and policy XML code-block. Are changes to device groups via Intune meant to automatically update on the machines and follow policy rules? NB: They are hybrid machines using co-management with only the Endpoint Protection workload moved over so far. Machines are also onboarded into Defender for Endpoint. Thanks :)
ethanchalmers | Mar 10, 2025 | Copper Contributor | 9 Views | 0 likes | 0 Comments

MDE Onboarded Linux Devices not visible in Intune or Entra ID
We recently started onboarding our Linux servers and endpoints to MDE, and so far we have onboarded a couple of them through manual deployment with the installer script. We have also enabled Endpoint Security Management to scope to Linux devices and have enabled the same in Intune as well so MDE can act as a sensor to apply policies. It's been over a couple of days but we are not seeing those devices in Intune or Entra as Microsoft's documentation states. For context, the versions are 20.04 and 22.04. Even though the health state of the sensor is healthy, and mdatp is not in passive mode, we are still not seeing the devices in either Intune or Entra. Any help would be appreciated since we are pressed to resolve this as quickly as possible.
Syed_Aun_Muhammad | Mar 10, 2025 | Copper Contributor | 45 Views | 1 like | 1 Comment

Alerts don't work? - EDR source
Hi, I'm new to Defender and I want to understand a couple of things. I deployed Defender P2 on a Windows host and I tried to attack it with RDP brute force. The Timeline shows me that the technique used is T1110:BruteForce, but I don't see any alert in the console. Is this normal? Is there a way to tell Defender that it must create an alert when it sees a brute force attack? Even worse with a couple of tests on a Linux host. I'm sure that the EDR is engaged because I tested the alert with the default scripts. Even with the execution of a rootkit.. Thanks
DS99 | Mar 10, 2025 | Copper Contributor | 67 Views | 0 likes | 3 Comments

Defender for Endpoint on Co-managed Laptop
We are testing the device control feature of Microsoft Defender for Endpoint (MDE).

Onboarded a laptop to MDE only (not enrolled in Intune) and created two policies in the Defender portal:
- Attack Surface Reduction - Device Control - this policy could never be successfully applied on the machine. (Reason - "Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn" suggests that the Device Control profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.)
- AV - this policy deployed successfully and I could see the deployed config on the machine.

Onboarded to MDE and co-managed (Intune, SCCM) - configured the Endpoint protection workload to be managed by Intune. Created an Attack surface reduction Device control policy in the Intune portal - the policy deployed successfully on the laptop. Connected the USB on the device; it showed the following. Left the device connected; after a few hours I could see the capacity and used storage of the USB, but clicking continue and entering admin credentials also won't allow access to the USB. Left the device connected overnight, and the next morning I could double click on the drive and access the content; it directly allowed me read-write access to the USB. Unplugged and re-plugged the USB, and then it shows the USB is not accessible. I am not able to understand this inconsistent behaviour, please suggest if I am doing something wrong. Also, instead of the "Access is denied" message, can we display a message like "As per the corporate policy, you can't access the removable devices." when the user tries to access a USB. Please help.
Sochito | Mar 10, 2025 | Brass Contributor | 89 Views | 0 likes | 3 Comments

Cannot download Onboarding package
Hello, we're having problems when trying to download the Defender onboarding package. Tried different OSes and different deployment methods, but within a second of clicking "Download onboarding package" we get a popup saying "Client Error. Failed to get APK url from server". Anyone seen this before?
Lokaalin | Mar 07, 2025 | Copper Contributor | 13K Views | 1 like | 14 Comments

Deployment and licensing in an air gapped environment
Hi there, we're considering Microsoft Defender for Endpoint for an industrial site with about 120 Linux hosts. None of the hosts are allowed to connect to the Internet, ever. We can only use USB drives to upload changes to the hosts.
1. Installation of Microsoft Defender for Endpoint is not an issue, we can just deploy the packages and install.
2. We found recent documentation that suggests we can maintain and refresh virus definitions in an offline network too: https://learn.microsoft.com/en-us/defender-endpoint/linux-support-offline-security-intelligence-update
3. The only question we are left with is: if we purchase licenses, can we 'redeploy' them to that site without any Internet access?
So, I think the short question is "we want to onboard an offline host?" Thanks!
Erik_ | Mar 07, 2025 | Copper Contributor | 16 Views | 0 likes | 0 Comments

MDE configuration for Linux via managed JSON
Per this Microsoft article, a JSON file is being used to configure basic MDE settings on Debian 11 servers:

    {
      "antivirusEngine": {
        "enforcementLevel": "real_time",
        "threatTypeSettings": [
          { "key": "potentially_unwanted_application", "value": "block" },
          { "key": "archive_bomb", "value": "audit" }
        ]
      },
      "cloudService": {
        "automaticDefinitionUpdateEnabled": true,
        "automaticSampleSubmissionConsent": "safe",
        "enabled": true
      }
    }

Despite the setting to configure PUA protection in block mode, the Defender portal shows a security recommendation which states: "Turn on Microsoft Defender Antivirus PUA protection in block mode for Linux". The server has been rebooted and mdatp health has been confirmed. Why might Defender still think that PUA protection isn't on?
dillont | Mar 06, 2025 | Copper Contributor | 44 Views | 0 likes | 1 Comment

Unable to enable tamper protection using MDM
I'm working on implementing Tamper Protection for Windows devices using a custom MDM solution with the Defender CSP, but I've run into some issues and could use your help. A couple of questions: What specific data needs to be sent with the Defender CSP to enable or disable Tamper Protection? I've tried using the Defender, but I'm not sure about the correct value to set. Are there any permissions or enforcement scope settings that need to be adjusted for a custom MDM to manage Tamper Protection? I tested Intune on some devices, and Tamper Protection couldn't be enabled there either. Could there be a specific hierarchy or prerequisite settings in the Microsoft Defender for Endpoint portal that I'm missing? If anyone has experience with this or has any insights, I'd really appreciate the help. Thanks in advance!
Manik1 | Mar 06, 2025 | Copper Contributor | 12 Views | 0 likes | 1 Comment

Automate bulk-import of file with IP addresses to block
We use SOAR to build a block-file containing IP addresses we want to block. We can place this file on a network share, SFTP, or "wherever". Is it possible for us to instruct Defender to read this file automatically, instead of Some User (tm) having to upload it manually in the security center?
CommanderNorton | Mar 06, 2025 | Copper Contributor | 9 Views | 0 likes | 1 Comment