Windows Defender ATP

7 Topics

Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
Dear all, I have this curious compliance issue for which I cannot find any information online or on docs.microsoft.com. Any help or suggestions are appreciated.

We are testing Windows Defender ATP in combination with Intune compliance policies on a limited number of devices. We had a first test group of three devices and a second test group of four devices, so 7 in total. In Intune our 'second wave' of test devices is somehow marked as "non-compliant" because of a violation of our rule "Require the device to be at or under the machine risk score = clean, low, ...". However, these machines are onboarded in Windows Defender ATP and show no issues. In Intune, the table in Device Compliance -> Device Compliance shows that for these machines the Device Threat Level is "Deactivated". (Our other test machines report "Secured"; machines outside the test group report "Unknown".) I cannot find any documentation where this state of "deactivated" is discussed.

We identified three other differences between our first test group and the second test group:
- License level was Microsoft E3 for the non-compliant machines, instead of E5
- Windows version was 1803 for the non-compliant machines, instead of 1809
- The very first test group was onboarded in Windows Defender ATP using a script. The second, non-compliant group was onboarded using a configuration policy in Intune.

To test whether any of these three differences could have caused the issue, I did three separate tests:
1) I moved one user to Microsoft E5, as I understand this is required for Windows Defender ATP.
2) I had one other machine upgraded to Windows 10 1809.
3) I ran the manual onboarding script once more on a third machine.
But none of these machines were compliant afterwards.

I onboarded the first test group to ATP using a script downloaded from ATP. They were active for a few weeks with just the ATP link. I then assigned both the compliance policy and the final ATP configuration at the same time to this first group. The second group was onboarded by the ATP configuration policy in Intune. I assigned the identical compliance policy a day later.

I assume that the compliance check fails because the machines do not communicate their threat level (shown as "deactivated" in the Intune portal) properly. One widget in the device compliance screen does show 5 of the 7 devices to be clean. I do not understand why it counts 5 devices. What about the remaining two? And if these 5 are indeed clean, why do at least two of them (7 minus 5) report a threat level of "deactivated" and "non-compliant"?

Does anyone know why the Device Threat Level of the second test group is "deactivated"? What causes this? How can I solve this?

Thanks for your help!
Best regards,
Wim

Windows Defender ATP API - ingest all alert details into Splunk / Splunk Phantom
We are trying to ingest all the alert details into Splunk and Splunk Phantom, but we cannot get the last part that allows us to view all the information contained in the alert (see screenshot for reference). Any guidance on what API call(s) to use would be greatly appreciated.

API call we are using: https://api-eu.securitycenter.windows.com/api/alerts/da637590078447561363_2087728736

See screenshot. Evidence includes:

Evidence Entry 1
"title": "Connection to a custom network indicator",
"description": "An endpoint has connected to a URL or domain in your list of custom indicators.",

Evidence Entry 2
"entityType": "Url",
"evidenceCreationTime": "2021-06-11T11:30:44.82Z",
"sha1": null,
....
"url": "https://testgvbgjbhjb.com/",

However, I cannot seem to figure out how to retrieve this entry via the API; we can only view it in the GUI.

--- Network Filter Lookup Service blocked chrome.exe from accessing https://testgvbgjbhjb.com

How create the policy for web content filter
Hi Everyone, I have created a web content filter policy for Windows Defender ATP. This policy applies only to the Microsoft Edge browser. How do I apply it to any Windows browser (Google Chrome, Firefox)? How do I add the application, or how do I create the policy? Thanks.
Defender ATP with McAfee
I have some questions regarding Defender ATP/Defender AV. We currently have policies set via GPO to everyone. We have ring 1 that is on-boarded, McAfee removed, and we are getting the full scan scheduled. Ring 2, however, is on-boarded but for some reason still getting the full scan policy. We thought that Defender would be 'asleep' until McAfee is removed. Is this the case here? Or is the GPO that is applied to everyone allowing Defender to be fully active? MsMpEng.exe is running constantly. We've reimaged a device without on-boarding and the process is not even running or eating memory and CPU.