Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >
Recent DiscussionsMost RecentNewest TopicsMost LikesSolutionsTagged:TagRe: Large numbers of scheduled full scans being cancelled - what's the cause?Interesting - keep me posted. We are switching from Full to Quick scans only due to various other issues so hopefully the cancelled scans stop occurring as a result.Re: Large numbers of scheduled full scans being cancelled - what's the cause?How long are the scans running for before they get cancelled? Are they full scans or quick scans? Do you have both quick and full scans configured?Re: Large numbers of scheduled full scans being cancelled - what's the cause? Rahul_IT We found our issue was mainly caused by the behaviour outlined here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide#important-points-to-keep-in-mind If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time. Re: Microsoft Defender for endpoint - device running in EDR block modeI worked with MDE for many years and never seen a server show EDR Block Mode in the portal and Get-MpComputerStatus shows AMRunningMode : Normal. That server is definitely not in EDR Block Mode regardless of what the portal says? Are you sure the device you are looking at in the portal is the same device you are looking at locally? Can you verify the Device ID in the portal matches the one in the servers registry?Re: Microsoft Defender for endpoint - device running in EDR block mode AV mode on Server OS is controlled manually by the registry and not auto detected like it is on W10/W11. Check this article and the associated reg key https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting?view=o365-worldwide#microsoft-defender-antivirus-seems-to-be-stuck-in-passive-mode Re: Defender in Passive mode managed by ConfigMgr- Policies Maz007 What OS are these devices - W10/W11/Server? You say you created a policy - where in the MDE portal or an AntiMalware policy in Config manager or an AV policy in Intune? Are these devices onboarded to Intune? Re: MDE URLs query - unitedkingdom.x.cp.wd.microsoft.com Vs. unitedkingdom.cp.wd.microsoft.com Fabian-7704 I'm afraid not - I heard nothing further on this Large numbers of scheduled full scans being cancelled - what's the cause? I am reviewing scan related Adv Hunting data for one of my clients and can see large numbers of events with an ActionType of "AntivirusScanCancelled" in the DeviceEvents table. These events coincide with their weekly scheduled full scan (Tuesdays at 1pm, and yes they are aware quick scans are recommended over fulls but they insisted on running weekly fulls). The operational event log for Windows Defender gives no info other than Event ID 1002 - An antimalware scan was stopped before it finished. I am keen to understand why and how the scans are being cancelled? Users are not admins on their devices and we have confirmed the scan cancellations are not being caused by users rebooting either. Anyone else experienced anything similar or had to ascertain reasons/causes for cancelled scans? Re: Troubleshooting MDE On-Boarding issues greeny909 How are you trying to onboard? GPO/SCCM?? Some good links here https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#windows-server-2012-r2-and-windows-server-2016 This script is VERY useful - https://github.com/microsoft/mdefordownlevelserver Re: Onboard servers to Defender in Servers in passive mode using MDC?Do you have any link to documentation to back that up? I've never heard of this 2 stage approach for servers as you have outlined and have searched extensively. It sounds like you are describing passive/EDR block mode and Active mode using your own terminology?MDE URLs query - unitedkingdom.x.cp.wd.microsoft.com Vs. unitedkingdom.cp.wd.microsoft.com Can someone from the product group/network team confirm the regarding the following query relating to Defender for Endpoint network traffic? During testing I have seen traffic with a destination of unitedkingdom.cp.wd.microsoft.com being blocked by the proxy. We have whitelisted all the URLs in the spreadsheet published by Microsoft and the current list of URLs includes the following entry which is similar to the one we are seeing blocked: unitedkingdom.x.cp.wd.microsoft.com Whilst this is similar to the URL it’s not the same. Traffic from our devices is being sent to unitedkingdom.cp.wd.microsoft.com and not unitedkingdom.x.cp.wd.microsoft.com. So currently I believe we are correctly seeing traffic blocked based on the information in the spreadsheet. I can also see lots of references in the excel spreadsheet to other x.cp.wd.microsoft.com URLs and wondered if perhaps the use of the “x” character in those URLs is supposed to be considered as a wildcard (which is confusing as that is traditionally signified by the use of an asterisk)? As there are wildcard URLs in the spreadsheet signified by an actual asterisk. For example *.dm.microsoft.com, I would assume the presence of "x" in a URL is to be taken as a literal character. Additionally if I ping unitedkingdom.x.cp.wd.microsoft.com, it resolves to an IP address which confirms a DNS entry for that exact hostname exists. Anyone else seen this issue? Re: Enable Network Protection - Error "-2147467259" - Windows Server 2016Is Network Protection enabled in the server OS? Have you followed the instructions here - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide#network-protection-for-windows-servers Re: Live Response URL's I've found an older version of the Defender URLs spreadsheet that has an entry for *.notify.windows.com The latest version of the spreadsheet doesnt contain this URL anymore and only lists the following requirements for Live Response: *.wns.windows.com login.live.com login.microsoftonline.com Interestingly in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present. Regardless of the above it looks like perhaps they havent updated the connectivity analyzer to remove the test to global.notify.windows.com. Live Response URL's Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are: *.wns.windows.com login.microsoftonline.com login.live.com When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called ############# Connectivity Check for Live Response URL################ That section lists the following 2 URLs as being tested: Host: global.notify.windows.com on Port: 443 Host: client.wns.windows.com on Port: 443 I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet? In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files. Can anyone confirm if global.notify.windows.com is a required URL for Live Response? Thanks SolvedOnboard servers to Defender in Servers in passive mode using MDC? Is it possible to utilise the deployment of Defender for Servers in Defender for Cloud - (ie you enable Defender for Servers on the subscription level to trigger the deployment of the MDE.Windows extension), but have Defender for Endpoint go into Passive/EDR Block mode? I tested by manually adding the ForceDefenderPassiveMode reg value set to 1 on an Azure 2016 VM that wasnt onboarded to MDE (but had Defender AV feature installed). When the MDE.Windows extension installed via Defender for Cloud it overwrote the PassiveMode reg key and set it to 0 - i.e. put Defender in Active mode. I work with many large clients who wish to leverage passive mode first when migrating to Defender for Servers. Re: Audit/Alerting on the use of Live ResponseI'm afraid not - the auditing of Live Response use remains a gap for nowRe: Ninja Cat Giveaway: Episode 2 | Mastering email authentication and slashing overrides: Part 2 HeikeRitter Spotted Ninja cat abseiling down Paul and Heike's walls - that's one fearless feline! I learned of the existence of those awesome KQL queries to hunt out details of mail being delivered via existing overrides - great resource!!! Re: Ninja Cat Giveaway: Episode 4 | Defender Experts for Hunting Overview HeikeRitter - How would YOU explain/describe Defender Experts for Hunting to someone? Defender Experts for Hunting is Microsofts managed threat hunting service that runs 24/7 x 365 and proactively searches through the telemetry from your tenant (endpoints, emails, identity and cloud apps) to find evidence of threats to your organisation and notifies you of anything suspicious. - What is Threat hunting? Threat hunting is a proactive cybersecurity technique based on threat intelligence and is used to find evidence of undetected threats within your environment. Re: Ninja Cat Giveaway: Episode 3 | Sentinel integration Hey HeikeRitter I love the automation feature - opens up so many possibilities!! UEBA = User and Entity Behavior Analytics Re: Ninja Cat Giveaway: Episode 5 | Mobile Threat Defense HeikeRitter Another great episode guys - keep em coming! Most common attack vectors on mobile devices are Jailbroken/rooted devices Malicious Apps Phishing Device Vulnerabilities - out of date OS
Recent Blog ArticlesMost RecentMost LikesRe: Deploying Microsoft Defender for Identity Your screenshot showing adding the GMSA account seems to be missing the $ the docs state to use when adding a GMSA account to the portal? https://learn.microsoft.com/en-us/defender-for-identity/depl...Re: Introducing tamper protection for exclusions JoshBregman - The docs now seem to indicate that devices managed by Configuration Manager also now benefit from Tamper Protected Exclusions (Even though its buried in a document titled Manage tamper ...Re: Update to enrollment pre-requisites for Windows devices managed by Defender for Endpoint with In Intune_Support_Team - Does this mean we have a centralised mechanism for configuring non AD joined (ie workgroup) servers now too? Re: Update to enrollment pre-requisites for Windows devices managed by Defender for Endpoint with In BrandonBrown I can confirm DC's are still NOT supported despite the removal of HAADJ as a pre req. Re: Defender for Endpoint and disconnected environments. Which proxy configuration wins? aexlz - I tested last week and configured my test device to use accidentally use a static proxy it couldnt reach (blocked by firewall). The report showed that static proxy as the proxy method (as you...Re: Defender for Endpoint and disconnected environments. Which proxy configuration wins? aexlz the mdeclientanalyzer.txt file just shows the success or failure status for various methods - if multiple methods are in use ie NamedProxy and WPAD, I see both succeed (200). It doesnt tell...Re: Defender for Endpoint and disconnected environments. Which proxy configuration wins? If you have a WinHTTP proxy configured via NetSh (proxy A) , and also have WPAD in place (proxy B), which one does MDE then use? Re: Discovering internet-facing devices using Microsoft Defender for Endpoint NimrodRoimy This is a really useful capability so thought I'd kick the tyres and see whats what. Following the documentation here - https://learn.microsoft.com/en-us/microsoft-365/security/...Re: New device control capabilities to manage removable storage media access in Microsoft Intune Intune_Support_Team - DM Sent Re: New device control capabilities to manage removable storage media access in Microsoft Intune Intune_Support_Team - support have now confirmed to me this feature is in Preview (not stated anywhere in this article) and is back with engineering to fix with no ETA at present. Others are tryi...
