Discovering options such as adding device groups in Defender

Copper Contributor

Hello everyone, I'm just discovering options such as device groups, and I would like to learn how to set it up correctly. Let me know if I understand it correctly: the option is meant to separate important and less important devices. 

What are the recommendations for important ones like servers and for less important ones like standard user workstations?

What level of remediation is there if it's not enabled? Does it need to be set up at all?

Thanks!


2 Replies

@CyberKing 

Device groups in Microsoft Defender allow you to group devices together based on a set of attributes such as their domains, computer names, or designated tags. This can help limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles, configure different auto-remediation settings for different sets of devices, assign specific remediation levels to apply during automated investigations, and filter the Devices list to specific device groups by using the Group filter during an investigation.

To create a device group in Defender, you can go to the Microsoft 365 Defender portal and sign in. In the navigation pane, select Settings > Endpoints > Permissions > Device groups. Click Add device group. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group¹. You can also assign the user groups that can access the device group you created. Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

The recommendations for important devices like servers and less important ones like standard user workstations depend on the specific needs of your organization. However, some general recommendations are to group devices based on their function, importance, and sensitivity of the data they handle. For example, you can create a device group for servers that handle sensitive data and assign a higher level of remediation to apply during automated investigations. For less important devices like standard user workstations, you can assign a lower level of remediation or configure different auto-remediation settings. It's important to note that physical security measures should also be taken into account, such as securing printers, servers, and workstations that store important information in secure locations³. Ultimately, the best approach is to assess the specific needs and risks of your organization and configure device groups and remediation settings accordingly.

If remediation is not enabled, Microsoft Defender Antivirus will still attempt to remediate or remove threats that are detected during a scan. You can configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed. Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored).

However, it is recommended to set up device groups and configure remediation settings to better protect your organization's devices. Device groups allow you to group devices together based on a set of attributes and assign specific remediation levels to apply during automated investigations. This can help ensure that important devices like servers are better protected and that less important devices like standard user workstations are not unnecessarily disrupted by remediation actions. Ultimately, the best approach is to assess the specific needs and risks of your organization and configure device groups and remediation settings accordingly.
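To make the "rank-ordered matching rule" and "automation level per group" points above concrete, here is a small simulation (added here as an illustration; it is not Microsoft's code and does not call the Defender API). It models the behaviour the reply describes: each device is assigned to the highest-ranked group whose rule (name / domain / tag / OS) it matches, anything unmatched lands in the built-in "Ungrouped devices (default)" group, and the group's automation level is what governs automated investigation for that device. The device records, group definitions and the assumption that conditions within one rule are ANDed and matched case-insensitively are all constructed for the example; the automation-level strings are the portal's names as best recalled. The audit function shows the check a practitioner wants: are any servers being handled by a broad or mis-ranked rule instead of the group meant for them?

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Automation levels as named in the Defender for Endpoint portal (assumption: wording as of 2023).
FULL = "Full - remediate threats automatically"
SEMI_ANY = "Semi - require approval for any remediation"
SEMI_CORE = "Semi - require approval for core folders remediation"


@dataclass
class Device:
    name: str
    domain: str
    os: str
    device_type: str            # "Server" / "Workstation", as in Advanced Hunting DeviceInfo.DeviceType
    tags: Set[str] = field(default_factory=set)


@dataclass
class DeviceGroup:
    name: str
    rank: int                   # 1 is evaluated first; the first matching group wins
    automation_level: str
    name_starts_with: Optional[str] = None
    domain_equals: Optional[str] = None
    tag_equals: Optional[str] = None
    os_starts_with: Optional[str] = None

    def matches(self, d: Device) -> bool:
        """All configured conditions must hold (assumption: conditions are ANDed,
        matching is case-insensitive). A group with no conditions matches nothing."""
        checks = []
        if self.name_starts_with is not None:
            checks.append(d.name.lower().startswith(self.name_starts_with.lower()))
        if self.domain_equals is not None:
            checks.append(d.domain.lower() == self.domain_equals.lower())
        if self.tag_equals is not None:
            checks.append(self.tag_equals.lower() in {t.lower() for t in d.tags})
        if self.os_starts_with is not None:
            checks.append(d.os.lower().startswith(self.os_starts_with.lower()))
        return bool(checks) and all(checks)


# Built-in catch-all: every device that matches no rule lands here, and its
# automation level then applies to servers and workstations alike.
DEFAULT_GROUP = DeviceGroup("Ungrouped devices (default)", rank=10**9, automation_level=FULL)


def assign_group(device: Device, groups: Iterable[DeviceGroup]) -> DeviceGroup:
    """Highest-ranked (lowest rank number) matching group, else the default group."""
    for g in sorted(groups, key=lambda g: g.rank):
        if g.matches(device):
            return g
    return DEFAULT_GROUP


def servers_outside(devices: Iterable[Device], groups: Iterable[DeviceGroup],
                    server_groups: Set[str]) -> List[str]:
    """Names of servers that did NOT land in one of the groups meant for servers.
    A non-empty result means a broad or mis-ranked rule (or no rule at all) is
    deciding the automation level for those servers."""
    return sorted(d.name for d in devices
                  if d.device_type == "Server"
                  and assign_group(d, groups).name not in server_groups)


# Constructed inventory (not real hosts).
DEVICES = [
    Device("SQL-PROD-01", "corp.example.com", "Windows Server 2022", "Server", {"tier0"}),
    Device("FILE-SRV-02", "corp.example.com", "Windows Server 2019", "Server"),
    Device("WS-ALICE", "corp.example.com", "Windows 11", "Workstation"),
    Device("WS-BOB", "lab.example.com", "Windows 11", "Workstation"),
]
SERVER_GROUPS = {"Tier-0 servers", "Servers"}

# Mis-ranked: the broad domain rule is evaluated first and swallows the servers,
# so they get the workstation-style "Full" automation instead of the intended level.
MISRANKED = [
    DeviceGroup("Corp devices", 1, FULL, domain_equals="corp.example.com"),
    DeviceGroup("Tier-0 servers", 2, SEMI_ANY, tag_equals="tier0"),
    DeviceGroup("Servers", 3, SEMI_CORE, os_starts_with="Windows Server"),
]
# Corrected: the specific server rules rank above the catch-all domain rule.
CORRECTED = [
    DeviceGroup("Tier-0 servers", 1, SEMI_ANY, tag_equals="tier0"),
    DeviceGroup("Servers", 2, SEMI_CORE, os_starts_with="Windows Server"),
    DeviceGroup("Corp devices", 3, FULL, domain_equals="corp.example.com"),
]

if __name__ == "__main__":
    for label, groups in (("mis-ranked", MISRANKED), ("corrected", CORRECTED)):
        print(f"--- {label} ---")
        for d in DEVICES:
            g = assign_group(d, groups)
            print(f"{d.name:12} -> {g.name:28} [{g.automation_level}]")
        print("servers outside server groups:", servers_outside(DEVICES, groups, SERVER_GROUPS))
```

Running it prints the assignment under both orderings: with the mis-ranked list both servers end up in "Corp devices" with full automation, with the corrected list they land in their server groups, and WS-BOB (a lab-domain workstation that matches no rule) falls into the default group either way, which is why the default group's automation level deserves a deliberate choice rather than being left wherever the tenant started.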

@H2O 

Looks like it's AI-generated, no answer to my question...
