Latest Discussions
SenseNdr.exe is slowly eating the memory

Hello, For a few days now, we have some Windows Server 2019 physical machines where almost all the memory is committed to sensendr.exe. If you terminate sensendr.exe, the process comes back after a few minutes. On one machine the problem came back after a little bit more than one day; on the others the problem has not come back (yet). All the machines are patched with the 2024-09 CU. Here is a view of the resource monitor: On another machine: Do you have any idea what could cause that and how to avoid it? We can't find any error messages that could explain the problem. Thanks in advance for your answers, Marc

MarcVDH, Nov 08, 2024, Iron Contributor. 9.1K views, 4 likes, 47 comments

Defender for Server: Azure or License based?

Hello! In October of 2022, Microsoft took the Defender for Endpoint Server SKU off the price file and replaced it with Defender for Endpoint plan 1 and plan 2, which are purchased through Azure. Our company started migrating customers from the old SKU to the new Azure model and all was well. For the last six months or more, Defender for Server is now showing up on our NCE price file once more. After Microsoft told me to start selling the consumption SKU, I am now unsure what my next move should be. Are you selling both products? Is there a use case for each? Anyone had any experience with this issue? Thanks in advance!

MollyE95, Nov 08, 2024, Copper Contributor. 135 views, 0 likes, 3 comments

MDE disable or uninstall

Hello All, We have onboarded devices to MDE in a setup as follows:
1. Onboard devices to Entra as hybrid Entra joined devices.
2. Sync/enroll devices to Intune from on-premise SCCM through co-management config.
3. Onboard devices to MDE from Intune through EDR policy.
Once the devices are onboarded, how can we do the following?
1. Disable DFE on a device (to disable protection while troubleshooting. Can we just stop the services?)
2. Uninstall DFE from a device (would offboarding through a script also remove all the policies applied to the device immediately?)
Please guide.

drivesafely, Nov 08, 2024, Brass Contributor. 204 views, 0 likes, 3 comments

Failed to create object ID in Intune for new onboarded device.

We are deploying Defender for Cloud with XDR onboarding. We are implementing Defender policy with the Intune enforcement setting, and everything is working for 98% of devices. But for some devices, like Arc-enabled machines, after going through each step and the Microsoft troubleshooting documentation, some devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in the MDEclient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But when a device fails this process, we have no solution even after re-onboarding.

EtienneFiset, Nov 07, 2024, Brass Contributor. 11 views, 0 likes, 0 comments

Vulnerability Management - Baselines assessment

We are currently evaluating Vulnerability Management to report on our CIS 2.0 compliance. In a Domain Controller profile the Password Policy checks appear to be incorrect. For example: 1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' says "Not compliant", although we have it enabled in the "Default Domain Policy", which is the one controlling domain users' password policy. What policy does it check? It is as if it checks the RSOP that affects the DCs. But DCs do not have local users. 🤔

Jan11185, Nov 06, 2024, Copper Contributor. 309 views, 0 likes, 6 comments

Microsoft Defender for Endpoint -> Reports -> No data Available status

Hello All, For a few months I have been seeing a "No Data Available" status in the Microsoft Defender for Endpoint (MDE) console under security.microsoft.com -> Reports -> Device health -> Microsoft Defender Antivirus health. Please see the screenshot below. I have tried to troubleshoot with Microsoft support; however, as of now there is no resolution after many months. The affected devices showing "No data available" are a combination of Windows 10, Windows 11, Linux, Windows Server 2019, 2016, 2012 R2 as well as 2008 R2. PS: I have referred to Microsoft's public article below for this issue and have met all the requirements. https://learn.microsoft.com/en-us/defender-endpoint/machines-view-overview Any kind of solution would be much appreciated by the community! Regards,

Amaan, Nov 06, 2024, Copper Contributor. 14 views, 0 likes, 0 comments

Defender Vulnerability Management Baseline Assessment

Looking for some assistance. We have onboarded 2012 through to 2022 servers via MDE into Defender for Servers, and the devices are all visible within the device list on the security portal. The issue I'm having is that if we try to create a baseline assessment policy against any of the server groups, even with no filtering in place, it is only picking up a small handful of the devices. I've extracted all the devices for all the OS versions and run various pivots to try to get a match on numbers, to see if there was any common ground as to what was being detected. Any suggestions? I don't want to just enable it without knowing what servers are being looked at.

davidwilson60, Nov 04, 2024, Copper Contributor. 118 views, 0 likes, 1 comment

Recovering Quarantined File without Restoring

Hello Microsoft Community, I have been exploring the Defender for Endpoint API and noticed that it mentions the ability to fetch copies of files associated with alerts using a LiveResponse request (GetFile). However, I've observed that for some alerts, Microsoft Defender quarantines the associated files. Is there a way to obtain a copy of a quarantined file, or get the file itself, without restoring it? Additionally, is there a way to determine if a file associated with an alert has been quarantined through the API, rather than manually logging into the Microsoft Defender for Endpoint portal? I understand there are two common methods for restoring a file from quarantine: through the Microsoft Defender for Endpoint portal or via the command line. Both methods are detailed here: https://learn.microsoft.com/en-us/defender-endpoint/respond-file-alerts#restore-file-from-quarantine. My concern is that restoring the file will cause Defender to quarantine it again, resulting in a new alert for the same file. In summary, is there a way to retrieve a copy of a quarantined file, or the file itself, without restoring it? And how can I know whether or not it has been quarantined, using the Microsoft Defender for Endpoint API or another Microsoft-based API? Thank you!

zaynhijazi, Nov 04, 2024, Copper Contributor. 187 views, 0 likes, 6 comments

Review Defender Scan Results - Linux

Hi Team, Please advise how to review Defender full scan results on a Linux endpoint and any detections identified. As per Microsoft, it should show up in the MS 365 Defender > Alerts section; however, I have found nothing there. I have tried to browse through the directory on the endpoint, /var/opt/microsoft/mdatp/log/, however it doesn't exist. Do I have to enable logging to review scan results? Can these results be shipped to Sentinel so that we have logging enabled?

rchopra960, Nov 04, 2024, Copper Contributor. 64 views, 0 likes, 1 comment

removable media

Is it possible to block specific file types on removable media using Microsoft Defender for Endpoint?

Konst1, Nov 04, 2024, Copper Contributor. 108 views, 0 likes, 1 comment
Tags
- Defender (14 topics)
- Defender for Endpoint (13 topics)
- MDATP (13 topics)
- ATP (10 topics)
- defender atp (10 topics)
- security (7 topics)
- Microsoft Defender for Endpoint (6 topics)
- MDE (5 topics)
- Microsoft Defender ATP (5 topics)