SOLVED

Missing Azure Defender GPO Policies


Hi Community,

 

I have a problem that I need your help with. I have deployed Azure Defender on Windows Server 2019 servers, running on Microsoft Azure. Azure Security Center is enabled on the subscription as well as on the Log Analytics Workspace. After the installation, some GPO policies for the configuration of Attack Surface Reduction are missing from the Group Policy Management Editor. I'm missing these policies:

 

  1. Windows Defender Antivirus
  2. Windows Defender Application Guard
  3. Windows Defender Exploitation Guard
  4. Windows Defender Smartscreen

 

Situation

Normally the deployment goes automatically from the Azure Security Center, after setting the status of the option Log Analytics agent for Azure VMs to On from the Auto provisioning blade in the Azure Security Center. But this implementation is slightly different because there are two virtual servers in this subscription that absolutely should not have Azure Defender installed on them. I have installed Azure Defender by using the 'Using the Local Script' from the deployment method in Microsoft Defender on my Domain Controller. I have checked if Azure Defender is running and the alerts are showing up in my Microsoft Defender Portal.

 

  • Azure Defender Plan is Enabled on subscription level.
  • Azure Defender for Servers is Enabled on the subscription level.
  • Azure Defender Plan is Enabled on the Log Analytics Workspace.
  • Azure Defender for Servers is Enabled on the Log Analytics Workspace.
  • The Microsoft.Azure.AzureDefenderForServers.MDE.Windows extension is added to the Virtual Machines.
  • The Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent extension is added to the Virtual Machines.
  • The integration with Microsoft Defender for Endpoint and Cloud App Security is Enabled.
  • In the Inventory blade in the Azure Security Center, I can see that the Virtual Machines are in the Monitored state and that Azure Defender is showing as On.

 

Do you know why I'm missing those policies? I want to configure Attack Surface Reduction rules in my Windows Server 2018 environment but I'm not able to configure ASR due to the missing GPO policies.

 

Thanks in advance for your help!

3 Replies

As I continue to troubleshoot, I notice that my ForestMode is running on Windows2008Forest and that the Domain Functional Level is running on Windows Server 2008.

 

ForestMode: [screenshot img1.png]

Domain Functional Level: [screenshot img2.png]

 

I think that this is maybe part of the problem because the missing policies are part of Windows 10 (and therefore Windows Server 2019). Hence, the Central Store from the Group Policy is missing the Windows Server 2019 templates. Could that be the cause of my problem?

I have tried to copy the WindowsDefender.admx and WindowsSecurityCenter.admx from a working environment to this environment, but no GPO policies are being added to the GPO. I have also downloaded the Windows 10/Windows Server 2019 admx files from docs.microsoft.com and copied the same admx (and of course the language files) into the SYSVOL\Policies\PolicyDefinitions, but with the same outcome: no new policies are visible in the Central Store.

Does anyone have an idea?
best response confirmed by Tiennes (New Contributor)
Solution

Hi Community!

 

Meanwhile, I managed to fix this problem. For some reason, the proper admx/adml files were not placed in the SYSVOL\Policies\PolicyDefinitions folder. Maybe it's because of the template we have chosen from the Azure Marketplace or because the Domain and Forest functional level is still on Windows Server 2008?

 

My solution

I have fixed this problem by downloading the Administrative Templates (.admx) for Windows 10 1809 (since 1809 is for Windows Server 2019) and placed the following files in the Central Store (SYSVOL\Policies\PolicyDefinitions):

 

  • WindowsDefender.admx
  • WindowsSecurityCenter.admx
  • SmartScreen.admx
  • AppHVSI.admx

I have of course placed the language (.adml) files in the SYSVOL\Policies\PolicyDefinitions\en-US folder. After reopening the GPMC I've got the right policies in place.

 

If you are running into this problem, you now know a possible fix.
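
The fix described in the accepted answer, as an added PowerShell example that is not part of the original post: it checks that the four templates and their en-US language files exist in the Central Store and match the downloaded 1809 set, copying them only when `-Copy` is given. The `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` layout, the parameter names and the source folder are assumptions to adjust for your environment.

```powershell
# Added example: verify (and optionally copy) the Defender-related ADMX/ADML
# templates in the Group Policy Central Store. Save as a .ps1 and run from an
# admin workstation or domain controller with write access to SYSVOL.
param(
    # Assumption: folder where the Windows 10 1809 Administrative Templates were extracted
    [Parameter(Mandatory)] [string] $SourcePath,
    # Assumption: DNS name of the domain; defaults to the logged-on user's domain
    [string] $Domain = $env:USERDNSDOMAIN,
    [string] $Language = 'en-US',
    # Without -Copy the script only reports and changes nothing
    [switch] $Copy
)

# The four templates named in the accepted answer
$templates    = 'WindowsDefender', 'WindowsSecurityCenter', 'SmartScreen', 'AppHVSI'
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path -LiteralPath $centralStore)) {
    throw "Central Store not found at $centralStore"
}

$report = foreach ($name in $templates) {
    # Each .admx needs its matching .adml in the language subfolder
    $pairs = @(
        @{ Src = Join-Path $SourcePath "$name.admx"
           Dst = Join-Path $centralStore "$name.admx" }
        @{ Src = Join-Path $SourcePath "$Language\$name.adml"
           Dst = Join-Path $centralStore "$Language\$name.adml" }
    )
    foreach ($p in $pairs) {
        $srcOk = Test-Path -LiteralPath $p.Src
        if ($Copy -and $srcOk) {
            New-Item -ItemType Directory -Path (Split-Path $p.Dst) -Force | Out-Null
            Copy-Item -LiteralPath $p.Src -Destination $p.Dst   # overwrites an existing copy
        }
        $dstOk = Test-Path -LiteralPath $p.Dst
        # A present but different file usually means an older template version
        $same = $srcOk -and $dstOk -and
            ((Get-FileHash -LiteralPath $p.Src).Hash -eq (Get-FileHash -LiteralPath $p.Dst).Hash)
        [pscustomobject]@{
            File           = $p.Dst.Substring($centralStore.Length + 1)
            InCentralStore = $dstOk
            MatchesSource  = $same
        }
    }
}

$report | Format-Table -AutoSize
if ($report.MatchesSource -contains $false) {
    Write-Warning 'Some templates are missing or differ from the source set; reopen GPMC after fixing them.'
}
```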