onboarding
25 Topics

Defender for Endpoints - Domain Controllers
Hi, what is the correct process for managing and deploying policies for Windows Server 2019 domain controllers? I know that Security settings management doesn't work on and isn't supported on 2019 DCs as per (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management). So how do I manage and get policies to a 2019 DC? Thanks
Solved, 7.3K Views, 1 like, 4 Comments

MacOS set preferences - manual deployment without MDM
Hello, we are testing Microsoft Defender on macOS devices. It is working and reporting in the Defender portal. I see in the documentation that there are examples of creating a config profile in Jamf and Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide Is it possible to create a simple config profile manually (without using any MDM system) for testing purposes? Something like we can do on Linux OS: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide - using config file /etc/opt/microsoft/mdatp/managed/mdatp_managed.json Thanks!
Solved, 508 Views, 0 likes, 2 Comments

Consistent language for description of permissions
Is there any reference that describes the permissions that can be granted in Defender XDR, and how those permissions can be granted using Entra ID roles, Defender XDR Unified RBAC roles, or through the individual Defender point products that have been integrated into XDR, using consistent, standardized language? The documentation for Entra ID describes permissions in this format: microsoft.directory/provisioningLogs/allProperties/read The documentation for Defender XDR describes them in this format: Security operations \ Security data \ Email advanced actions (manage) I'm basically looking for something that says "permissions to do n function is granted by x role in Entra ID, y role in Defender XDR, or z role in Defender for Office 365." Is this something that's not possible at a company of Microsoft's size and complexity? Kind of like how this is the Microsoft Defender XDR community forum, but there's no "Microsoft Defender XDR" label for the mandatory labeling of posts?
291 Views, 0 likes, 0 Comments

Unified RBAC and Entra PIM
I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide), and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender. Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed. Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-access-to-m365-defender/ba-p/3764564) and if so, how well is it working? Thanks in advance!
2.4K Views, 0 likes, 5 Comments

Device Un isolation Issue
We have some issues with endpoints where, when they are put into isolation and we then try to remove them from isolation, it will fail or just be in a pending state. Trying the force unisolation script does not work on these devices as we get an error message "unisolation failed with exit code 2". Has anyone run into these issues? Another thing that I have noticed is when a device is put into isolation it enrolls that device again and shows the same device twice in device inventory.
2.4K Views, 0 likes, 1 Comment

Unable to apply ASR rules for Windows servers (2012R2, 2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into Microsoft Defender for Endpoint via a unified solution (I am not using MMA or AMA). All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managed through SCCM and I could deploy the Antimalware policy for all servers. Still, I am unable to deploy ASR rules for the onboarded servers. I have tried to manually configure rules on the servers. Still, when I run the Get-MpPreference PowerShell command there are blank fields for ASR components. Any solution for this? Note: These servers are not joined to AAD.
49K Views, 0 likes, 3 Comments

Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: 0xD000012
Hello, When I run the 365 Defender "offboarding" script, it shows that it has been successfully removed and the Defender dashboard is active. When I examine the Windows Event Log, I get the error "Failed to remove Windows Defender Advanced Threat Protection ETW auto-logger. Error code: 0xD0000121".
895 Views, 0 likes, 1 Comment

Deploying Defender - devices take hours to show in Device Inventory.
We are new Defender customers with A5 and are onboarding lots of clients each day. We are noticing that clients are taking a very long time to show in the "Device Inventory" in the cloud console. I don't think we were having this issue during our PoC phase - clients that ran the onboard script would show almost immediately. Now it can take several hours or overnight for a client to show up after being onboarded with CM. I am not sure if this is expected or if I am doing something wrong. When I look in Device Inventory and sort by "last device update" there haven't been any new updates in about 7 hours (0730AM) - but when I check tomorrow, Device Inventory will show many last device updates occurred between 730AM and now - they just don't show in the console until the next day. It is pretty frustrating during the rollout phase to try tracking progress of the rollout without being able to find and verify the devices in "Device Inventory". I have done some reading on this topic to troubleshoot. I can see in the registry that the client is marking that it has been successfully enrolled. It seems like the only problem is that it takes a very long time for the console in Azure to reflect the current state.
7K Views, 0 likes, 2 Comments