User Profile
fatshark_2k
Brass Contributor
Joined 7 years ago
Recent Discussions
Non-persistent Server 2022 DFE issues
Current setup is as follows:
- We have Defender for Endpoint P2 and Defender for Servers licenses.
- Non-persistent (Citrix PVS) Server 2022 (September ISO, build 20348.1006).
- Downloaded the Server 2022 VDI onboarding script for non-persistent machines.
- Created a GPO with the computer startup script Onboard-NonPersistentMachine.ps1 (we want a single entry for each device).
- Server 2022 servers have full internet access: all outbound allowed, no proxy server.
- In the Defender 365 portal, under Advanced Features, we ENABLED (ON) Tamper Protection.

When we onboard the Server 2022 machine with the VDI non-persistent script (Onboard-NonPersistentMachine.ps1) for the first time and run the MDE Analyzer, we get no warnings/errors. But when we reboot the Server 2022 server, the server gets re-onboarded with the VDI Onboard-NonPersistentMachine.ps1 script, and when we then run the MDE Analyzer we get the error below:

"121040 AntiSpoofingNotActive Device is anti-spoofing capable but is not yet registered with cloud. Please ensure connectivity to EDRCloud CnC URLs is not blocked. Contact Microsoft support if issue persists."

When we offboard the server again, onboard it with the WindowsDefenderATPOnboardingScript.cmd script and run the MDE Analyzer, we get no anti-spoofing warnings/errors, but this results in multiple devices, which we do not want.

Next to that we have a second issue: if we view the Tamper Protection setting on the Server 2022 server in Security Center, the Tamper Protection status is OFF (and it says managed by organization). When we look in the Defender 365 portal and click the security recommendations for the Server 2022 server, it also says 'Turn on Tamper Protection' (although we have it ON in the advanced features).

(3.8K views, 0 likes, 0 comments)

Re: Defender for Endpoint P1
AnuragSrivastava Thank you for your answers, but can you clarify a bit more please?
- So we are not allowed to open and use the TVM dashboard at all, not even look into it?
- EDR is not allowed, so we cannot set it in block mode? Side question: if we set it in block mode, will it even work with a P1 license?
- AIR is enabled in Full mode by default; does this mean we have to set it to disabled/Not configured for the Default Device Group?
- What happens with settings in the Security Baseline policy that are under the P2 flag? Will they be applied and just work, or not be applied?

(1.5K views, 0 likes, 1 comment)

Defender for Endpoint P1
Defender for Endpoint P1, part of E3, has the following features: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/339321i24826981F01F7385/image-dimensions/610x554?v=v2

My questions are:
- If we have E3 licenses we have access to security.microsoft.com, but according to the above P1 features we are NOT allowed to use the TVM dashboard/security recommendations/weaknesses etc.?
- We are not allowed to enable EDR in block mode?
- The default in DFE is 'full automated remediation and response', so do we have to create a device group and set AIR to Not configured?
- Which settings in 'Settings' are we not allowed to enable as per the P1 license?
- Are we allowed to use the MEM/Intune Security Baseline for Defender for Endpoint for our clients, because some settings in this baseline are not P1?

I'm totally confused, because we have access to all these features in DFE, but are we allowed to use the non-P1 features, and how do we use or not use them?

(1.6K views, 0 likes, 3 comments)

Server 2016 not onboarding
Hi all, I have a strange issue and cannot find what I am doing wrong; I must be doing something wrong 🙂

I have an M365 E5 tenant and licenses, and thus DFE. On Server01 I install the new unified DFE agent and run the onboarding script, and the machine appears in the DFE device inventory; all is well. But to showcase the differences between the new unified agent and the legacy MMA agent, I also want to onboard Server02 with the legacy MMA agent. So I created a Windows Server 2016 (gen1) VM in Azure (IaaS) and ran WSUS to patch it to the latest patch level. Then in DFE I selected "Windows Server 2008 R2 SP1, 2012 R2 and 2016 (using Microsoft Monitoring Agent)" and followed the instructions at the link below:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-downlevel?view=o365-worldwide#install-and-configure-microsoft-monitoring-agent-mma

During the installation I entered the Workspace ID and Workspace Key; the MMA installs successfully and has the green checkmark in the Monitoring Agent. But after waiting 24 hours, Server02 does not appear in DFE.

Is installing only the MMA agent sufficient?
- sc.exe query Windefend = Running
- sc.exe query sense = not installed as a service
- Running the MDE Client Analyzer = SenseOms listener missing

(2.4K views, 0 likes, 0 comments)

Re: Defender for Server
StanislavBelov, thank you so much for your response and information; this will help me and the customer make a decision on which management method we are going to PoC.

A question that comes to mind is (4): 'Attack surface reduction' is not possible with the new MEM Security Management for MDE. How can we deploy such policies to servers? Does this mean we use GPO for ASR and MEM policies for EDR and Defender AV?

And (5): is there a table or overview of which policies can and cannot be deployed by MEM to servers? Like, for example, Controlled Folder Access, Exploit Protection, Network Protection?

And a serious last question (6): for network protection we have the switches 'AllowNetworkProtectionOnWinServer' and 'AllowNetworkProtectionDownLevel'. What are those for, does 1 mean ENABLE, and can we put it in AUDIT mode too, and how?

(2.5K views, 0 likes, 3 comments)

Defender for Endpoint
I'm getting a bit confused about the Defender for Cloud, Server, Endpoint situation 🙂 So I hope someone can shed some light on this.

We are on the verge of starting a PoC with Defender for Server. I know of this well-written blog, but it raises some questions (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc...):

(1) For starters, we have 100 Microsoft Defender for Endpoint Server licenses. So if we enable Defender for Server via the Defender for Cloud plan, we are going to pay double: via the license and via the $15 per server/month. I presume this is not the way to deploy Defender for Server, right?

(2) What is nowadays the best approach to onboard on-premises servers to Defender for Server?
- via the (legacy) MMA agent and onboarding package, or
- via the (new) unified agent and onboarding package, or
- can we onboard the on-premises servers to Azure Arc and let the unified agent be auto-deployed via Defender for Cloud but NOT enable the Defender for Server switch (so enable the Defender for Cloud plan but not set the Defender for Server toggle to ON)?

(3) What is today's best approach for configuring Defender for Server policies (EDR, ASR etc.): via Intune or via GPO?

(4.6K views, 1 like, 1 comment)

Defender for Server
We are on the verge of starting a PoC with Defender for Server. I know of this well-written blog, but it raises some questions (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-defender-for-servers/ba-p/2767508):

(1) For starters, we have 100 Microsoft Defender for Endpoint Server licenses. So if we enable Defender for Server via the Defender for Cloud plan, we are going to pay double: via the license and via the $15 per server/month. I presume this is not the way to deploy Defender for Server, right?

(2) What is nowadays the best approach to onboard on-premises servers to Defender for Server?
- via the (legacy) MMA agent and onboarding package, or
- via the (new) unified agent and onboarding package, or
- can we onboard the on-premises servers to Azure Arc and let the unified agent be auto-deployed via Defender for Cloud but NOT enable the Defender for Server switch (so enable the Defender for Cloud plan but not set the Defender for Server toggle to ON)?

(3) What is today's best approach for configuring Defender for Server policies (EDR, ASR etc.): via Intune or via GPO?

(2.6K views, 0 likes, 5 comments)

S4B on-premises to Teams
Yes, sorry, another question about upgrading S4B to Teams 🙂 I know there is a lot of content on docs.technet and in blog posts about upgrading, but I have a question I could not find an answer to.

Is it possible to do a cutover Teams migration without creating a hybrid S4B environment? I know that in a cutover migration contact data and meeting data will not be migrated, but if the organization accepts this, can we not just flip the switch? With this I mean: is it supported/possible/does it work if we
- do not create hybrid S4B,
- set Teams mode to Teams Only,
- decommission S4B on-premises?

Or is a hybrid S4B always a requirement?

Reference for cutover: https://www.cloudpartner.fi/?p=570

Exchange Online (hybrid) permissions
When in hybrid Exchange and syncing on-prem AD (mail-enabled) groups to O365, what is the best approach these days to set Send As permissions on a shared mailbox in Exchange Online? Can the Send As permission be given to the synced group, and if I add a new user to the synced group and sync the change to O365, will the new user get the Send As permission?

1+ year ago this did work for the initial group members, but when a new user was added to the group it did not receive the permission. So then the advice was to give the permission to the individual users instead of the group.

(1.4K views, 0 likes, 2 comments)

Teams is ready notification
Hi all, we use Microsoft Teams in a non-persistent environment. Furthermore, we also use the FSLogix Office container and redirect Teams into the container.

Problem we encounter: when we log in for the first time with a new user (no profile), Teams is started and automatically logged in, and we receive a notification in the bottom right corner like 'All ready, enjoy Teams' (sorry, I have to translate from Dutch). When we log out, log in again and start Teams, we get the same notification 'All ready, enjoy Teams'. How can we suppress this (looks like first-time setup?) notification?

(1.7K views, 0 likes, 0 comments)

Re: Teams Calendar Button missing - Exchange 2010 + Exchange 2016 hybrid on-prem
Rigs33, I tested with the following. I have Exchange 2010 and Exchange 2016 in one organization. The CAS namespace points to Exchange 2016 (autodiscover/webmail). Hybrid and OAuth are configured on Exchange 2016. When a mailbox is on Exchange 2010, the user has no calendar app/button in Teams. When I move the same mailbox to Exchange 2016, the user has the calendar app/button in Teams. As also stated in the matrix in your article under 'User's mailbox is hosted in', the requirement for on-prem is Exchange 2016 CU3+, so the mailbox has to be hosted on Exchange 2016 CU3+.

(13K views, 0 likes, 0 comments)

Teams meeting link formatting
We have a strange issue. When we use Outlook with the Teams add-in, create a New Teams Meeting and send it out, the meeting mail format is just fine, with the clickable 'Join Microsoft Teams Meeting' link. But when we use the Teams application, go to Calendar, schedule a new meeting and send it out, the meeting mail format comes out wrong. Everybody receives something like:

Join Microsoft Teams Meeting Link (plain text) with a URL appended <https://teams.microsoft.com/l/meetup-join/19%3ameeting_GUID40thread.v2/0?context=%GUID>

I found this post that describes the same problem, but we have the problem sending from Teams instead of Outlook: https://ucmart.uk/2019/01/14/microsoft-teams-outlook-meeting-add-in-formatting-issue/

I also analyzed the message headers, and both headers are the same and travel the same mail path. Also, Outlook is configured for HTML formatting.

(47K views, 0 likes, 6 comments)

Device in Include and Exclude group
When we have a config/update policy1 with the assignment include=Group1, exclude=Group2, and we have device1 that is a member of both Group1 and Group2, what would be the result?
https://docs.microsoft.com/nl-nl/intune/configuration/device-profile-assign
Is it so that exclude wins over include?

(Solved, 26K views, 0 likes, 2 comments)

Require MFA on Azure AD joined devices
I have Azure AD joined devices that are managed with Intune. We have set up conditional access with the conditions:
- App = SharePoint Online
- Control = Require MFA

What we observe is that users on Azure AD joined devices are not prompted for MFA when they go to SharePoint. Is there a way to enforce MFA every time a user goes to SharePoint on Azure AD joined devices?

(Solved, 25K views, 0 likes, 3 comments)
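As an added example, not taken from any of the posts above and not a Microsoft-supplied script: a PowerShell snippet that collects, in one object, the local onboarding facts the two onboarding posts above (the Server 2022 non-persistent case and the Server 2016 MMA case) check by hand: the state of the Sense service, the onboarding state value in the registry, and Defender AV's locally effective Tamper Protection status. It assumes Windows Server 2016 or later with Defender AV present and an elevated session; the function names Get-MdeOnboardingStatus and Test-MdeOnboarded are this example's own.

```powershell
# Added example, not from any of the posts on this page and not Microsoft's code.
# Assumptions: Windows Server 2016+ with Defender AV installed, run from an elevated
# PowerShell session. With the legacy MMA-only onboarding path the 'Sense' service is
# absent, which is what 'sc.exe query sense = not installed' in the post above reflects.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    # Documented location of the onboarding state written by the onboarding script.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # The EDR sensor runs as the 'Sense' service (unified agent).
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Defender AV status, including whether Tamper Protection is in effect locally.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseInstalled  = [bool]$sense
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState = $status.OnboardingState   # 1 = onboarded; 0 or missing = not onboarded
        OrgId           = $status.OrgId             # tenant org id recorded at onboarding, if present
        AMRunningMode   = $mp.AMRunningMode         # Normal, Passive, EDR Block Mode, ...
        TamperProtected = $mp.IsTamperProtected
        AVSignatureAge  = $mp.AntivirusSignatureAge
    }
}

function Test-MdeOnboarded {
    # True only when the sensor is running and the onboarding state is recorded as 1.
    param([Parameter(Mandatory)] $Status)
    return ($Status.SenseStatus -eq 'Running' -and $Status.OnboardingState -eq 1)
}

$result = Get-MdeOnboardingStatus
$result | Format-List

if (-not (Test-MdeOnboarded -Status $result)) {
    Write-Warning 'Device is not (fully) onboarded to Defender for Endpoint; run the MDE Client Analyzer for connectivity details.'
}
if ($result.TamperProtected -eq $false) {
    Write-Warning 'Tamper Protection is reported OFF locally; compare this with the setting and recommendation shown in the portal.'
}
```

Run it once after the first onboarding and again after a reboot of a non-persistent machine; the OnboardingState and OrgId values should be identical both times, and a change in SenseStatus or TamperProtected between the two runs is the local symptom to bring to the MDE Client Analyzer output.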