Nov 20 2019 09:54 AM
Hi all,
I'm looking for a way to alert on clients which stop responding to mdatp from an EDR point of view. Health state in this case changes to "no sensor data", but I cannot figure out how to set an alert (custom detection) on that, as I can't find a way to query for... I tried a couple of queries using TVM but could not get to a working one.
Even the device compliance policy still considers the affected device as compliant (mdatp compliance policy).
Any help appreciated.
Thank you,
Thomas
Dec 11 2019 09:30 AM
Microsoft addressed this gap :)
Right now you can utilize security recommendations in order to understand whether your clients are reporting successfully to mdatp.
Seems a little bit of adjustment is still necessary to differentiate even better between offline/inactive and unhealthy sensor.