MDE
3 Topics

Intune / MDE device control policy audit events
I find that this feature is inconsistent on outputting the audit events to advanced hunting. I have not had an issue making the policies block devices including allowing specific ones, however it seems to be finicky on when it will output the RemovableStoragePolicyTriggered events. If I reboot the device it seems to emit the audit events briefly. The Windows Toast notifications are also inconsistent, but I suspect that is due to some function of Windows that limits the number of notifications that can occur. Is there some trick to make the audit events show up in advanced hunting consistently?

My configuration is targeting USB/WPD/CDROM each one denying "File Write/File Execute" with an audit allowed + audit denied for everything but print. I tried explicitly "allowing" read/write/execute/fileread but it had no effect other than changing the policy label from "DefaultAllow" to the policy name when it did happen to emit a RemovableStoragePolicyTriggered event. I "clean" the registry keys associated with the policies prior to testing to get rid of duplicate data from policy updates.

HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager (PolicyRules/PolicyGroups)

245 Views, 0 likes, 0 Comments

Adding Windows and Linux servers to Intune?
Hi all, quick question here. We are helping a customer with some work and wanted to ask whether it's possible to add Windows and Linux servers to Intune for MDE purposes. If it's possible, is there a cost involved ($X/month per server)? I've had a search but was not able to find a definitive answer. Many thanks.

804 Views, 0 likes, 2 Comments

How to remove MDE managed devices in MEM?
Hi, I had two Windows Server VMs with MDE (Microsoft Defender for Endpoint) onboarded. For test purposes, I turned on the security settings management in MDE to let MEM deploy some security policies to them. It worked fine. I got corresponding device entries in AAD and MEM and was able to manage the VMs like other Intune managed devices.

After I deleted the VMs, I found the device entries are somehow lingering. For MDE, I knew there is a data retention time which is 30 days in my case. I waited for a month and the VMs do disappear from MDE. But I can still see them in AAD and MEM till now. I can't do anything to them in MEM, while I can temporarily delete them in AAD and see them respawn next day.

According to the doc, there is a way to solve this problem, but I can't see how.

Use Intune to manage Microsoft Defender for Endpoint Security on devices not enrolled with Microsoft Intune | Microsoft Learn

Does anyone know what "be removed from the scope of Configuration Management in the Security Center" means and how to perform it? Thanks for reading this post.

Solved, 7.4K Views, 0 likes, 2 Comments