Endpoint security settings (EDR, ASR etc.) applied to computer without group membership

%3CLINGO-SUB%20id%3D%22lingo-sub-1450753%22%20slang%3D%22en-US%22%3EEndpoint%20security%20settings%20(EDR%2C%20ASR%20etc.)%20applied%20to%20computer%20without%20group%20membership%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1450753%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3CBR%20%2F%3Ewe%20have%20an%20Azure%20AD%20group%20with%20a%20dynamic%20group%20membership.%20The%20filter%20were%20modified%20and%20because%20of%20this%20all%20except%20one%20computer%20were%20removed%20from%20the%20group.%20After%20that%20the%20group%20was%20linked%20to%20endpoint%20security%20policies.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20we%20can%20see%20two%20computer%2C%20which%20were%20in%20the%20group%20and%20are%20now%20no%20longer%20member%20of%20the%20group%2C%20getting%20configuration%20settings%20for%20Defender%20ATP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20this%20problem%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1450753%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Edefender%20atp%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eendpoint%20security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1451967%22%20slang%3D%22en-US%22%3ERe%3A%20Endpoint%20security%20settings%20(EDR%2C%20ASR%20etc.)%20applied%20to%20computer%20without%20group%20membership%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1451967%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F407711%22%20target%3D%22_blank%22%3E%40cfrielingsdorf2%3C%2FA%3E%2C%20I%20think%20the%20new%20EDR%20policies%20automatically%20onboard%20machines%20to%20Defender%20ATP%2C%20if%20it%20is%20set%20up.%20I%20saw%20that%20when%20I%20was%20testing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1469699%22%20slang%3D%22en-US%22%3ERe%3A%20Endpoint%20security%20settings%20(EDR%2C%20ASR%20etc.)%20applied%20to%20computer%20without%20group%20membership%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1469699%22%20slang%3D%22en-US%22%3E%3CP%3EHej%20Matthias%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20created%20a%20new%20group%20and%20linked%20it%20to%20the%20EDR-Policy.%20With%20this%20group%20the%20situation%20is%20as%20expected.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hello,
we have an Azure AD group with a dynamic group membership. The filter were modified and because of this all except one computer were removed from the group. After that the group was linked to endpoint security policies.

 

Now we can see two computer, which were in the group and are now no longer member of the group, getting configuration settings for Defender ATP.

 

Does anyone know this problem?

2 Replies
Highlighted

@cfrielingsdorf2, I think the new EDR policies automatically onboard machines to Defender ATP, if it is set up. I saw that when I was testing it.

Highlighted

Hej Matthias,

I have created a new group and linked it to the EDR-Policy. With this group the situation is as expected.