Jan 23 2023 01:20 AM
In our organization we are using Microsoft Defender 365 as our main AV and EDR solution.
Most of our machines are onboarded using SCCM/GPO, but in some parts of the organization they are managed manually and are onboarded using the onboarding package.
We’ve recently noticed that during a system distribution update, some machines are losing sync with the Defender 365 portal and are listed as Onboarded and Can be onboarded at the same time (the screenshot below shows the same machine as viewed from search).
This leaves the machine without advanced capabilities like Live Response, Initiated scans, etc. (the machine that is onboarded is not responding to actions from the M365 Defender portal).
We are looking for a way to “offboard previous record” and onboard a new one. We’ve tried to offboard the machine using the offboarding package and onboard it again, but with no success (we left the machine offboarded for more than 24h to ensure that data would sync with the portal). After re-onboarding, the service is working correctly, but the detection script is not generating an alert.
Some of the machines were re-imaged and onboarded again (and the issue was resolved), but we are wondering if there is a better and more efficient way to solve this issue.
Jan 25 2023 04:08 AM