User Profile
PJR_CDF
Iron Contributor
Joined 6 years ago
Recent Discussions
Re: Large numbers of scheduled full scans being cancelled - what's the cause?
Rahul_IT We found our issue was mainly caused by the behaviour outlined here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide#important-points-to-keep-in-mind

If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.

2.8K views, 0 likes, 4 comments

Re: Microsoft Defender for endpoint - device running in EDR block mode
I have worked with MDE for many years and have never seen a server show EDR Block Mode in the portal while Get-MpComputerStatus shows AMRunningMode : Normal. That server is definitely not in EDR Block Mode regardless of what the portal says? Are you sure the device you are looking at in the portal is the same device you are looking at locally? Can you verify the Device ID in the portal matches the one in the server's registry?

4.5K views, 1 like, 1 comment

Re: Microsoft Defender for endpoint - device running in EDR block mode
AV mode on Server OS is controlled manually by the registry and not auto detected like it is on W10/W11. Check this article and the associated reg key: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-worldwide#microsoft-defender-antivirus-seems-to-be-stuck-in-passive-mode

4.7K views, 0 likes, 3 comments

Large numbers of scheduled full scans being cancelled - what's the cause?
I am reviewing scan related Adv Hunting data for one of my clients and can see large numbers of events with an ActionType of "AntivirusScanCancelled" in the DeviceEvents table. These events coincide with their weekly scheduled full scan (Tuesdays at 1pm, and yes they are aware quick scans are recommended over fulls but they insisted on running weekly fulls). The operational event log for Windows Defender gives no info other than Event ID 1002 - An antimalware scan was stopped before it finished.

I am keen to understand why and how the scans are being cancelled? Users are not admins on their devices and we have confirmed the scan cancellations are not being caused by users rebooting either. Anyone else experienced anything similar or had to ascertain reasons/causes for cancelled scans?

3.2K views, 0 likes, 6 comments

Re: Troubleshooting MDE On-Boarding issues
greeny909 How are you trying to onboard? GPO/SCCM? Some good links here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#windows-server-2012-r2-and-windows-server-2016

This script is VERY useful - https://github.com/microsoft/mdefordownlevelserver

3.5K views, 0 likes, 0 comments

Re: Onboard servers to Defender in Servers in passive mode using MDC?
Do you have any link to documentation to back that up? I've never heard of this 2-stage approach for servers as you have outlined and have searched extensively. It sounds like you are describing passive/EDR block mode and Active mode using your own terminology?

1.5K views, 0 likes, 1 comment

MDE URLs query - unitedkingdom.x.cp.wd.microsoft.com Vs. unitedkingdom.cp.wd.microsoft.com
Can someone from the product group/network team confirm the following query relating to Defender for Endpoint network traffic?

During testing I have seen traffic with a destination of unitedkingdom.cp.wd.microsoft.com being blocked by the proxy. We have whitelisted all the URLs in the spreadsheet published by Microsoft, and the current list of URLs includes the following entry which is similar to the one we are seeing blocked: unitedkingdom.x.cp.wd.microsoft.com

Whilst this is similar to the URL, it's not the same. Traffic from our devices is being sent to unitedkingdom.cp.wd.microsoft.com and not unitedkingdom.x.cp.wd.microsoft.com. So currently I believe we are correctly seeing traffic blocked based on the information in the spreadsheet.

I can also see lots of references in the excel spreadsheet to other x.cp.wd.microsoft.com URLs and wondered if perhaps the use of the "x" character in those URLs is supposed to be considered as a wildcard (which is confusing as that is traditionally signified by the use of an asterisk)? As there are wildcard URLs in the spreadsheet signified by an actual asterisk, for example *.dm.microsoft.com, I would assume the presence of "x" in a URL is to be taken as a literal character. Additionally, if I ping unitedkingdom.x.cp.wd.microsoft.com, it resolves to an IP address, which confirms a DNS entry for that exact hostname exists.

Anyone else seen this issue?

1.9K views, 0 likes, 2 comments

Re: Enable Network Protection - Error "-2147467259" - Windows Server 2016
Is Network Protection enabled in the server OS? Have you followed the instructions here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#network-protection-for-windows-servers

2K views, 0 likes, 1 comment

Re: Live Response URL's
I've found an older version of the Defender URLs spreadsheet that has an entry for *.notify.windows.com. The latest version of the spreadsheet doesn't contain this URL anymore and only lists the following requirements for Live Response:

*.wns.windows.com
login.live.com
login.microsoftonline.com

Interestingly, in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present. Regardless of the above, it looks like perhaps they haven't updated the connectivity analyzer to remove the test to global.notify.windows.com.

1.3K views, 0 likes, 0 comments

Live Response URL's
Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are:

*.wns.windows.com
login.microsoftonline.com
login.live.com

When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called:

############# Connectivity Check for Live Response URL################

That section lists the following 2 URLs as being tested:

Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443

I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet? In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files. Can anyone confirm if global.notify.windows.com is a required URL for Live Response? Thanks

Solved. 1.4K views, 0 likes, 3 comments

Onboard servers to Defender in Servers in passive mode using MDC?
Is it possible to utilise the deployment of Defender for Servers in Defender for Cloud (i.e. you enable Defender for Servers on the subscription level to trigger the deployment of the MDE.Windows extension), but have Defender for Endpoint go into Passive/EDR Block mode?

I tested by manually adding the ForceDefenderPassiveMode reg value set to 1 on an Azure 2016 VM that wasn't onboarded to MDE (but had the Defender AV feature installed). When the MDE.Windows extension installed via Defender for Cloud, it overwrote the PassiveMode reg key and set it to 0 - i.e. put Defender in Active mode.

I work with many large clients who wish to leverage passive mode first when migrating to Defender for Servers.

1.8K views, 0 likes, 4 comments

Re: Ninja Cat Giveaway: Episode 2 | Mastering email authentication and slashing overrides: Part 2
HeikeRitter Spotted Ninja cat abseiling down Paul and Heike's walls - that's one fearless feline! I learned of the existence of those awesome KQL queries to hunt out details of mail being delivered via existing overrides - great resource!!!

1.6K views, 1 like, 0 comments

Re: Ninja Cat Giveaway: Episode 4 | Defender Experts for Hunting Overview
HeikeRitter

- How would YOU explain/describe Defender Experts for Hunting to someone?
  Defender Experts for Hunting is Microsoft's managed threat hunting service that runs 24/7 x 365 and proactively searches through the telemetry from your tenant (endpoints, emails, identity and cloud apps) to find evidence of threats to your organisation and notifies you of anything suspicious.

- What is Threat hunting?
  Threat hunting is a proactive cybersecurity technique based on threat intelligence and is used to find evidence of undetected threats within your environment.

50K views, 1 like, 0 comments