Apr 22 2024 09:49 AM
Hello Everyone,
We're currently in the process of onboarding MDE via scripts on several Windows 10 and 11 PCs. These PCs have proxies configured in Settings > Network & internet > Proxy > Manual proxy setup. Additionally, they have a 3rd party EDR solution active.
While the onboarding scripts run without errors, the devices aren't appearing online in the defender portal under Assets. Upon running the Analyzer tool, we identified communication errors. Unfortunately, we couldn't utilize PSExec due to restrictions imposed by the 3rd party EDR.
Here are the areas where we need guidance:
1. Is the proxy configuration method correct? Does it ensure that all traffic initiated from the PC passes through the proxy, including Defender for Endpoint traffic?
2. What's the ideal proxy configuration method for Windows?
3. Since we can't use Powershell or PSExec, is there an alternative method to check Defender version and service status?
4. Should we exempt the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" and allow Powershell scripts from this location?
5. Will allowing all the URLs provided by Microsoft in the Excel file ensure full functionality of MDE? Can we allow based on IP with Proxy setup instead of URLs?
6. Is it necessary to exempt the processes used by MDE in Windows 10 and 11 from the 3rd party EDR?
Awaiting your valuable insights and assistance on these queries.
Thanks in advance.
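Regarding question 3 (checking Defender state without PowerShell or PSExec), the following is an added example, not part of the original thread, that uses only built-in command-line tools from an elevated Command Prompt on the device itself. Service names (Sense for the MDE sensor, WinDefend for Defender Antivirus, DiagTrack for the telemetry service the sensor depends on), the OnboardingState registry value and the SENSE operational event log are the standard ones; the signature and engine version values are read from the Defender registry hive.

```batch
@echo off
REM Added example (not from the thread): inspect MDE / Defender AV state
REM from an elevated Command Prompt, no PowerShell or PSExec required.

echo === Service state (look for RUNNING) ===
sc query Sense | findstr /i "STATE"
sc query WinDefend | findstr /i "STATE"
sc query DiagTrack | findstr /i "STATE"

echo === MDE onboarding state (1 = onboarded) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" /v OnboardingState

echo === Defender AV engine and signature versions ===
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v EngineVersion
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v AVSignatureVersion

echo === Passive-mode policy value (only present if set explicitly) ===
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode 2>nul
if errorlevel 1 echo ForceDefenderPassiveMode not set via this policy key

echo === Most recent sensor events (communication errors show up here) ===
wevtutil qe "Microsoft-Windows-SENSE/Operational" /c:10 /rd:true /f:text
```

If `sc query Sense` reports RUNNING and OnboardingState is 1 but the device still does not appear in the portal, the SENSE operational log is the place to confirm whether the sensor is failing to reach the cloud service through the proxy.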
Apr 22 2024 10:05 AM
Apr 22 2024 09:31 PM
Thank you for the response.
If I understand correctly, apart from configuring the proxy through Windows Settings, I will also have to configure the proxy through one of the following:
Registry-based configuration
WinHTTP configured using netsh command: Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
Reference link: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?...
Please correct me if I am wrong, or confirm.
Thanks,
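To make the two methods listed above concrete, here is an added example (not from the thread or the linked Microsoft page) showing both the netsh WinHTTP proxy and the registry-based sensor proxy from an elevated Command Prompt. `PROXY_HOST:8080` is a placeholder for the real proxy address; `TelemetryProxyServer` is the documented registry value name for the sensor's static proxy.

```batch
@echo off
REM Added example (not from the thread): configure the machine-wide proxy
REM that the MDE sensor uses, separate from the per-user Settings proxy.
REM PROXY_HOST:8080 is a placeholder; replace it with the real proxy.

REM Option A: WinHTTP static proxy via netsh (suits a stable desktop topology).
netsh winhttp set proxy proxy-server="PROXY_HOST:8080" bypass-list="<local>"

REM Alternative to option A: copy the current user's Settings/IE proxy into WinHTTP.
REM netsh winhttp import proxy source=ie

REM Option B: registry-based static proxy used by the MDE sensor for its own traffic.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v TelemetryProxyServer /t REG_SZ /d "PROXY_HOST:8080" /f

REM Verify what is now in effect.
netsh winhttp show proxy
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v TelemetryProxyServer

REM To remove the WinHTTP proxy again:
REM netsh winhttp reset proxy
```

The Settings > Network & internet > Proxy entry applies to the interactive user's WinINET sessions; services running as SYSTEM, including the MDE sensor, do not inherit it, which is why a device can browse fine through the proxy while the sensor never reaches the portal.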
Apr 22 2024 11:19 PM
Apr 23 2024 09:29 PM
Apr 23 2024 10:00 PM
Hello. I have been trying to onboard but am having issues. Can you help me? Thank you @drivesafely
Apr 23 2024 10:51 PM
Apr 23 2024 11:10 PM
Apr 23 2024 11:37 PM
Apr 24 2024 08:07 AM
Apr 24 2024 10:23 AM
Thanks for your responses.
We have onboarded devices in a workgroup through the script. The device status displays info like the version as 0.0.0.0 and the status as unknown. I have a doubt about applying security policy to the added device. I have created ASR, AV and Device policies. At the option to assign the policy, there is an option to assign it to a group only. I created a group through Intune, then added one of the devices to it, then applied this group to the ASR and Device policy. The issue is that when I click on the Applied devices tab, I don't see any devices applied, although the policy is assigned to the group to which the device is added.
How do we assign policies to such devices that are in a workgroup?
Please guide. Thanks,
Apr 24 2024 10:30 AM
Apr 24 2024 12:15 PM
Apr 24 2024 02:02 PM
Apr 24 2024 09:25 PM - edited Apr 24 2024 09:25 PM
@rahuljindal-MVP
Since there is no option to create a group and add devices to it through the "security.microsoft.com" portal page, I created the group through Intune.
Further, I followed the guide below, and after many hours I can see devices under the Applied devices tab in the policy.
https://blog.mindcore.dk/2022/06/how-to-target-security-policies-to-devices-not-enrolled-into-intune...
The primary AV is not the Defender. The other EDR is the primary AV solution.
Since Defender is in passive mode, will any of the policies take effect on the devices?
Thanks for your time and guidance,
Apr 24 2024 11:19 PM
Apr 25 2024 02:11 AM
@rahuljindal-MVP it has been hard trying to configure my computer. I have a Mac and not sure if I was supposed to get a PC. Also, I am being asked to create an email with EDA. There has been communication that I don't have access to. Can you help me? Thank you.