Defender for Endpoint
24 TopicsAWS Chime based apps (Slack or 3CX) calls drop-out - Only on Intune enrolled MacOS 15 + MS Defender
Hi Intune_Support_Team, I have recently come across with an Issue. Issue: Call Dropout, Network freeze on AV Calls for Apps / Platforms Description: I have noticed this issue on only MacOS Devices enrolled on Intune; that are later updated to MacOS15 Sequioa using Intune policy Mac Update policy + MS Defender for Endpoint Enrolled, with MS Defender Network Filter added to the list, hangs / freezes AV calls for 2-3 seconds like a network glitch on Slack Huddles. This also happens on 3CX Telephone app in bit different way as 3CX agent's audio is not heard by far-end Customer. Both of these only happens on Device upgraded to MacOS 15 + Defender + Network Filter with just Slack and 3CX. Google Meet, Zoom, Teams works well. NOTE : Compared to a Device which is not on Intune /Defender with MacOS 15 Slack Huddle and 3CX is a Charm. I also tried initially to look into Apple MacOS bugs, didnt find much, then raised a request to Slack Support, In Response I got this Hi there Swapnil, Thanks for contacting Slack support. What is happening here is that users are losing media connectivity to the huddles server, causing them to drop and then be reconnected. This can happen for a number of reasons, but if you've recently updated to macOS 15 Sequoia, there is a macOS networking bug which is highly likely to be the cause in this case (https://support.apple.com/en-au/102281). The issue is as follows: Overall the connection may be completely fine. Suddenly the media connection to the huddles server stops completely (even if the rest of the internet connection is fine). After the huddles server detects a period of no data being sent/received, it forces the client to reconnect to the huddle. This can help for some time but it may eventually repeat again through each huddle. Unfortunately in each case we cannot help explain the exact underlying cause is as it occurs on the end of each users network environment. In your case however, if users are experiencing the issue after upgrading to macOS 15, the aforementioned networking bug is the most likely cause. Normally the causes of these kinds of issues are as follows: Firewall or other network configuration closing websockets media connections. The macOS Sequoia bug causes this specific kind of problem. Overzealous modem/router throttling media connections. ISP throttling media connections. On the another response they also mentioned about something is probably not right with MS Defender Network Filter blocking out traffic for AWS Chime Server. Hi Swapnil, Thanks for your reply. Because there are so many variables we aren't going to be tracking this on our side. One thing I would say is that you should just be sure that there are no third party dependencies in your macOS environment which might be in need of an update. I'll give you a random example: Organisations using the Zscaler client connector would have encountered a variation of this issue (https://help.zscaler.com/client-connector/firewall-posture-check-failure-macos-sequoia). The macOS updates alone would not have addressed it, Zscaler needed to issue an update to their client connector software. Until users were running the Zscaler client with the relevant fix, no amount of system updates would have prevented them from running into the compatibility issue. So all I am saying is that you should be keeping an eye out for updates to both macOS and any relevant 3rd party dependencies - it's possible you will need to take manual action in some way first. The public facing macOS updates tend to be quite vague, so it is probably best to start with MS Defender and any other relevant 3rd party configurations before waiting on a macOS update to ultimately fix the issue. You may also prefer to pre-emptively seek confirmation from their respective support services so you know exactly what your next steps are. I hope this gives you a better idea on how to approach the issue and plan for updates Swapnil, and apologies I couldn't provide more guidance. After reading about this I tried to dig little more and understood, 3CX is also using AWS Chime A/V Servers. My users are stuck and losing their Slack Huddles which is day to day quick AV. Any insightful info on this one will be helpful. Thanks Swapnil email address removed for privacy reasons181Views0likes0CommentsMacOS Defender and Full Disk Access
Working on deploying Defender on MacOS via intune...most of it is solid, however I noticed "Microsoft Defender Endpoint Security Extension" doesnt have full disk access and needs it...the native "Microsoft Defender" has it ok...its deployed as the option for Defender under MacOS and not a LOB...anyone else run into this?398Views0likes0CommentsDefender for Endpoint AMA: The next evolution of automatic attack disruption
Defenders need every edge they can get in the fight against ransomware. We're excited to share that Microsoft Defender for Endpoint customers will now be able automatically to disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities. Join our AMA to ask questions on how you can use automatic attack disruption to stop a sophisticated attack early in the kill chain and how your organization can leverage unique protective capabilities offered exclusively by Microsoft 365 Defender. An AMA is a live text-based online event similar to an "Ask Me Anything," on Reddit. This AMA gives you the opportunity to connect with members of the Defender for Endpoint product group who will be on hand to answer your questions and listen to feedback. Feel free to post your questions about Defender for Endpoint anytime in the comments before the event starts, although the team will only be answering questions during the live hour.Defender Antivirus and Microsoft Defender for Endpoint (ATP) for Servers
Hi All, Our company is looking into migrating our antivirus solution for our server estate from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP). Was hoping to get some advice on the best way to approach this. I have listed some points below which I was hoping to get some clarity on. - Servers that are considered as “down-level devices” that do not have MS Defender preinstalled by default i.e. 2008R2, 2012 and 2012R2 what would the best Microsoft solution to provide security. Have been looking at Microsoft’s System Center Endpoint Protection (SCEP) as a solution. Is there any services that can be used from Azure to protect on-prem servers? - We have a Hybrid Azure AD setup. None of our on-premise servers are HAADJ. Do we need to have server as a Azure resource for us to manage Defender AV and ATP (Server 2016 +). We currently manage our W10 workstation using the MEM - Microsoft Defender for Endpoint Baseline. - Majority of our servers do not have any internet access. To tighten the firewall rule, is there a list of IPs and URLs that are associated with Defender ATP so the servers can only communicate to these IPs etc. - Is there any pre-req work needed for servers such as 2008R2, 2012 and 2012R2 before on-boarding to ATP. Install updates, telemetry services updates etc - Anyone that is using defender ATP for servers that are on-prem. What type of setup do you have and any recommendations. Thank you Mo3.4KViews1like2CommentsIntune Android Enterprise Fully Managed Defender for Endpoint activation
Hi All, Scenario: Intune > Android > Fully Managed profile > Defender for Endpoint deployment Is there any way to reach a zero-touch / silent method for activating Defender for Endpoint on Android devices ? Users currently need to run through a series of questions to activate it and until they do it does not show up in the Security portal Inventory. We are using a Compliance policy based on machine risk score to identify devices which haven't activated Defender - this marks them non-compliant until they do. I'd rather use a deployment/policy to activate Defender silently without any user intervention. As it is a security product on Android Enterprise Fully Managed devices it seems I must be missing a trick here to manage them without user involvement and blocking the user via a non-compliant conditional access policy seems an inefficient way to resolve the issue for everyone. Is it possible ? Many thanks Jas.1.3KViews0likes2CommentsMicrosoft Defender for Endpoint for BYOD Devices
Hi, I work in academia, students bring BYOD devices to access network resources. These BYOD devices are not domain joined computers however they connect to network (wired and WiFi) to access network resources. I am exploring if Defender for endpoint is a suitable solution for BYOD endpoint security/ EDR solution. Please guide if Defender for Endpoint can be used for BYOD security and provide information how I can implement Defender for Endpoint on BYOD.10KViews0likes3CommentsDefender for Endpoint Onboardingprofile Conflicts
I have the problem that some newly installed clients do not onboard in Defender. The onboarding is done via the Intune. For this purpose, a device configuration profile was created and set in the Intune Defender settings under the EDR Settings Tab. As far as I can see, the settings are duplicated here. Is it correct that these settings can only be set in the device configuration profile and under EDR to "not configured"? What is the right way? ThanksSolved26KViews0likes3Comments