Microsoft Defender Vulnerability Management Blog

Unmanaged device protection capabilities are now generally available

Chris Hallum
Jun 22, 2021

Two months ago, we announced the public preview of a new set of capabilities that would give Microsoft Defender for Endpoint customers visibility over unmanaged devices running on their networks. It’s devices like these that introduce some of the greatest risks to an organization’s cybersecurity posture.

“The riskiest threat is the one you don’t know about. Unmanaged devices are literally one of your weakest links. Smart attackers go there first.” - David Weston, Microsoft Director of Enterprise and OS Security

We are pleased to announce that starting today, these capabilities are generally available to all our customers worldwide!

With this release we deliver a rich set of new capabilities, including:

  • Discovery of endpoints and network devices connected to your corporate network

This capability gives Defender for Endpoint the ability to discover unmanaged workstations, servers, and mobile endpoints (Windows, Linux, macOS, iOS, and Android) that haven’t been onboarded and secured. Additionally, network devices (e.g. switches, routers, firewalls, WLAN controllers, VPN gateways and others) can be discovered and added to the device inventory using periodic authenticated scans of preconfigured network devices.

  • Onboard discovered devices and secure them using integrated workflows

Once discovered, unmanaged endpoint and network devices connected to your networks can be onboarded to Defender for Endpoint. New integrated workflows and security recommendations in the threat and vulnerability management experience make it straightforward to onboard and secure these devices.

  • Review assessments and address threats and vulnerabilities on newly discovered devices

Once endpoints and network devices have been discovered, assessments can be run using Defender for Endpoint’s threat and vulnerability management capabilities. The resulting security recommendations can be used to address issues on those devices, reducing the organization’s threat and risk exposure.

Now that these features have reached general availability, you will notice that endpoint discovery is already enabled on your tenant. This is indicated by a banner that appears in the Endpoints\Device inventory section of the Microsoft 365 Defender console.

Figure 1: Device inventory view listing "Can be onboarded" devices and option to enable Standard Mode discovery.

This banner will remain until July 19, 2021, when the default behavior for discovery is switched from Basic to Standard. At that point, Standard discovery will collect a broader range of device-related properties and perform improved device classification. The switch to Standard mode was verified during the public preview to have negligible network impact. More information about discovery and its two modes can be found in our previous blog.
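As an added example (not part of the original announcement), the following Advanced Hunting query pulls the same "Can be onboarded" population that the Device inventory banner in Figure 1 points at, together with the IP and MAC addresses most recently seen for each device, so the list can be triaged or exported outside the portal. It relies only on the public Advanced Hunting schema (the DeviceInfo and DeviceNetworkInfo tables and the OnboardingStatus column); the seven-day lookback and the set of projected columns are choices made here, not something the post specifies.

```kusto
// Added example: discovered devices that are not yet onboarded, with last-seen addresses.
// Assumes the Microsoft 365 Defender Advanced Hunting schema; the 7d window is an assumed value.
let lookback = 7d;
// Latest DeviceInfo record per device that discovery reports as onboardable
let Unmanaged = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OnboardingStatus == "Can be onboarded"
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, DeviceCategory, DeviceType, Vendor, Model) by DeviceId;
// IPAddresses is a JSON array per adapter; flatten it into one set of IPs (and MACs) per device
let Addresses = DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(IPAddresses)
    | mv-expand Address = IPAddresses
    | extend IP = tostring(Address.IPAddress)
    | summarize IPs = make_set(IP), MacAddresses = make_set(MacAddress) by DeviceId;
Unmanaged
| join kind=leftouter Addresses on DeviceId
| project LastSeen = Timestamp, DeviceName, OSPlatform, DeviceCategory, DeviceType, Vendor, Model, IPs, MacAddresses
| order by LastSeen desc
```

Run it from Advanced hunting in the Microsoft 365 Defender portal. The left outer join keeps devices for which no network record exists in the window, so a discovered device never disappears from the list just because its addresses were not captured; widen the OnboardingStatus filter if you also want devices discovery could not fully classify, using the status values documented for the DeviceInfo table in your tenant.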

We’re excited for you to take a look and start using these capabilities, and we look forward to your feedback on them. If you have any questions or feedback, feel free to leave them in the comment section below. For more information, please review the device discovery and network discovery documentation on Microsoft Docs.

To read more about our new device discovery and assessment capabilities, check out:

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

Updated Jun 21, 2021
Version 1.0
  • ThoFord

    Love the new feature, but three things come to mind.

    1.  I would love to be able to add IP address as a column so it's easier to see where it has been detected; saves time and clicks.

    2.  To be able to see the source "detector", so you can link it to the same network as the device that found it, as endpoints seem to scan when devices are in the "home" office as well.

    3.  I see a few devices that are registered as "can be onboarded" when they actually are already onboarded according to my Intune, so not sure why they are showing there.

  • Quaywe

    Hey Chris,

    Love this new feature. Just a few questions:

    1. A device discovery function is often found in devices like IPSs, next-gen firewalls, vulnerability management tools (e.g. Nessus), and even CMDB software. What are the added benefits of doing device discovery using D4Ep instead of those?
    2. Can this function integrate with something like a CMDB to feed discovered device data to it?
    3. How will the discovery service behave when it's not on the corporate network; e.g. Starbucks Wifi, Home Wifi, guest WiFi at a customer site, etc. I would imagine none of those sites would want rogue device scanning going on in their networks. How configurable is this?
    4. If deployed on an enterprise network it's likely other security services/appliances might identify the scanning function as a malicious act and alert/quarantine/block the device doing the scanning. What needs to be configured on those appliances to white-list the D4Ep scanning activity?

    Thanks

  • Hi Thomas, thank you for the comment!

    Regarding #1, that seems like a good request. I'll make sure the product team receives the feedback. For #3, there can be cases where a device that is managed by Intune may not be onboarded with MDE. It needs to be set up to make it automatic. This link may help get you headed in the right direction: Configure Microsoft Defender for Endpoint in Microsoft Intune - Azure | Microsoft Docs. Regarding #2, I'm going to tap in someone from the PG to weigh in on it.

    Thanks,

    Chris Hallum

    Senior Product Marketing Manager

    Microsoft Security

  • Hi ThoFord!

    Regarding #2 - That's great feedback. As we differentiate between corporate networks and private networks (like home networks), we expect no "scans" will happen in the private network. We'll be happy to know about cases in which it does happen. Generally speaking, we hope to have an option that will help you identify the "source" device soon.

    We'll be happy to get more details about item #3 - you can post feedback through the "Give feedback" button in the security portal, mentioning examples of device IDs that are related to your feedback. Please also select "You can contact me about this feedback" and we will reach out for more info.

    Thanks!

    Ron

  • Hi Quaywe

    Here are some answers to your great questions:

    1. The main benefit is the fact that the sensors are already in place. Device discovery requires zero configuration and control, and it happens all the time based on the network telemetry observed by the Defender for Endpoint sensors. Also, having those unmanaged devices listed in your device inventory can give you much more context for any security incident that involves both managed and unmanaged devices.

    2. Unfortunately that's not supported today, but we are definitely looking into that. Would you expect having MDE data flowing into CMDB, or in the opposite direction?

    3. Visit our public preview announcement blog, it has the information you are looking for under "Discovering the right devices" section. See FAQ and Monitored Networks Configuration for more info.

    4. It is important to say that the Standard Discovery method has a very low footprint on the network, and our probing is usually targeted (not network-wide) and lightweight. We've tested this functionality with multiple security and network analysis tools. Usually, this activity is not considered to be anomalous. If it is detected as unusual, you can exclude the script path from being monitored by the security tools, or use the Exclusions or the Select devices for Standard discovery controls in the Device Discovery settings, based on the types of monitoring tools available in your network.

    Thanks!
    Ron

  • Kural1104

    Hello All,

    I would like to know how MDVM manages those products and software that are not currently supported. Or is there a list of currently unsupported products and software? This is generic since the products used differ for each organization.

    Thanks