Microsoft Defender for Endpoint Device group question

Copper Contributor

I know Defender in general is extra user friendly but for the Defender for endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training videos I have watched tells me I have to put the devices in a Device group in settings and set a remediation level. I didn't set it up and it still seems to quarantine unwanted software or malicious software. Can someone why the device group and remediation level are necessary?

11 Replies
Hi,

In our scenario we started with Desktops & Server groups with full auto remediation on Desktops and only partial on Servers. Then due to deleted devices being stuck in Defender for at least 30 days we created a Deleted Tag and Group so I could filter them out of our security score and vulnerability exposure score.

Over time we ended up splitting the server groups into two so Critical Services and Non-Critical services had different remediation options. This was just done as a precaution as we wanted to removed the risk of an automatic remediation causing any issues (critical servers are set as "Semi - Require approval for core folders")
Hey thanks for responding. So does that mean if I don't put machines into a device group, Defender won't automatically take actions on alerts? Do you know what would happen if I deploy Defender to machines but not put them in a device group? Just trying to understand the difference between setting up a device group & setting remediation level and leaving Defender as it is after deploying.

Thanks
All devices land in the "undefined" group by default (i.e. without any other grouping rules) so if you ensure that group is set to "no automated response" it does nothing. Alternatively you can set undefined to your preferred automation level.

If you decide to create Groups its up to you to define a filter and set the automation response (e.g. none, 2x semi option or full).

@GaryCutri 

 

Hey thanks again for responding and I appreciate the help. The device group "1" in the screenshot below is the device group I made and I added most devices in there. The group below that got created after i created "1".

tk298_0-1628457531660.png

The screenshot below is a different environment with different devices. I did not create any device group there. I do not see a default "undefined" group though. Is it supposed to be like this and the devices are in the undefined group by default without automated response turned on?

tk298_1-1628457640960.png

 

From your feedback the undefined/ungrouped is only created now when the first custom group is added. I just double checked another customer who isn't using groups and I can confirm the same state as your second screenshot. I added groups back when the feature was first made so either the process has changed slightly or my memory is fading.

I do recall the reason I started using groups was detections went into a pending action state and I needed selected devices to automatically action threats.

As per my first post I believe you should at minimum define desktops and servers. We used a "Deleted" tag to add removed devices into a separate group so when looking at the security score or threat management dashboard we can filter out deleted devices. In short using tags is an easy way to add devices to custom device groups but please note these group rules need to be above groups that are defined by OS/bud etc only.



Hi Gary,

Thanks for confirming that and also the tip. For the customer that isn't using groups, are things working properly for their Defender..? Like alerts coming in, Defender handling alerts, etc.

Thanks!
The two customers I just checked with who have no groups have reported all alerts stop at "Pending action".

@GaryCutri 

Yeah that makes sense and I was expecting that to happen. The screenshot below is another environment that does not have device group set up. There is not device group or remediation level set up. Do you know why Defender might be remediating them automatically? Could it be because of a PUA policy? I didn't set that up btw.

 

tk298_0-1628615703999.png

 

Based on your feedback the default now is to auto remediate for all. Historically many investigations were stuck at "pending action" and the groups were setup to ensure automation (or partial is required). I would still consider groups for servers and desktops as we have had bad experiences with modern protection services on Windows Server. Even recently the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" killed an Azure AD Connect upgrade (Azure AD Connect health service uses an old installer) and the same happened during an Exchange 2019 upgrade. (As an FYI you really need ASRs rules to help protect against modern threats).
I found some updated guides and step one is outlined below, step two it recommends to setup device groups.

Turn on automated investigation and remediation
1. As a global administrator or security administrator, go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
2. In the navigation pane, choose Settings.
3. In the General section, select Advanced features.
4. Turn on both Automated Investigation and Automatically resolve alerts.

@GaryCutri 

I know this post is a bit old but thought I would add that the link below does confirm that after August 2020 all new tenants were set to Full Automation by default even without device groups with AIR levels set.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automation-levels?view=o36...