Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Microsoft Defender onboarding issues

Copper Contributor

In our organization we are using Microsoft Defender 365 as our main AV and EDR solution.
Most of our machines are onboarded using SCCM/GPO but in some parts of organization those are managed manually and are onboarded using onboarding package.
We’ve recently noticed that during system distribution update, some machines are losing sync with Defender 365 portal and are listed as Onboarded and Can be onboarded at same time (the screenshot below shows same machine as viewed from search).

Konrad_P630_6-1674465529113.png
This leaves this machine without advanced capabilities like Live Response, Initiated scans etc (The machine that is onboarded is not responding to actions from M365 Defender portal).
We are looking for a way to “offboard previous record” and onboard new one. We’ve tried to offboard machine using offboarding package and onboard it again, but with no success (we left machine offboarded for more than 24h to ensure that data will sync with portal), after re-onboarding service is working correctly, but detection script is not generating alert.
Some of machines were re-imaged and onboarded again (and issue was by resolved), but we are wondering if there is a better and more efficient way to solve this issue?

1 Reply
@Konrad_P630 on the 'manual' onboarding environment, please make sure that you delete all the current 'onboarding packages'. Why? CVE-2022-23278 (March 8th, 2022)
And then share the new (as of March 2022) 'onboarding package' to the folks doing the 'manual' onboarding.
Also, make sure that the image (e.g. sysprep or sccm task sequence) is not onboarding MDE before the image is sealed.
If this symptom still persists, please grab a aka.ms/MDEClientAnalyzer and open a MSFT Security MDE support ticket.
Thanks,
Yong Rhee - MSFT