Latest Discussions
Device Control blocking Network Print Jobs???

Suddenly I'm seeing my Intune test group getting print failures to network printers with: "The current print job was rejected due to Device Control Print Restrictions. Rejection Reason: Print blocked by Defender rule..." (Event IDs 372 and 871). I have 1 Device Control policy that allows our encrypted USB drives (no printer option checked) and blocks all other USB drives (no printer option checked). I have no Defender rules that explicitly block print jobs... I've edited local group policy to disable Point and Print Restrictions. I've edited local group policy to disable Enable Device Control Print Restrictions. I've created a custom Intune configuration policy to disable both of the above, yet this issue persists... Why is Device Control suddenly blocking printing to network printers? I've been troubleshooting this for over a week and it's completely maddening! Has anyone else run into this? It's preventing us from rolling out Defender org-wide.

Posted by BenBrandt3, Mar 12, 2025 (Copper Contributor). 5.2K views, 0 likes, 9 comments.

Incorrect Identification of Local Admin in Defender for Endpoint

Hello everyone, I am facing an issue with Microsoft Defender for Endpoint where a user is incorrectly identified as having local admin rights. In the Devices menu of the workstation in Defender, the user is tagged as a local admin. This is also confirmed when searching in Advanced Hunting with the following query:

    DeviceLogonEvents
    | where LogonType == "Interactive" and IsLocalAdmin == true and AdditionalFields contains "\"IsLocalLogon\":true"

However, after checking the user's workstation, I found that the user is not part of the local or domain administrator group. The user cannot perform privilege escalation. It is worth noting that the user has another domain account with admin rights. Additionally, the user's workstation has been AAD joined with his account, so he may have had admin rights on the computer at one time, but not anymore. Has anyone encountered a similar issue or have any suggestions on how to resolve this? Thank you!

Posted by italicize_valiant, Mar 11, 2025 (Occasional Reader). 38 views, 1 like, 1 comment.

ASR Device Control policy update registry conflict

Hi, I'm working with a customer who's rolling out DfE Device Control and we have come across some strange behaviour when changes to the groups and rules are made from the Intune ASR page. Reviewing the PolicyGroups and PolicyRules REG_SZ keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager shows that changes are appended to both keys, not replaced, creating an XML stream of legacy policies and groups. Is this expected behaviour? This creates new policy GUIDs each update, which makes it hard to know whether the new policy is active or not, and from testing does lead to long delays in devices becoming denied/allowed despite the changes having been pulled down to these keys. Is there some way to determine the active policy GUID? The customer will need to semi-frequently add new USB drives to the allow group/policy, which from testing seems to work more reliably if you delete the 2 registry keys, run a sync, and try to access the drive than waiting for it to append the updated group and policy XML code block. Are changes to device groups via Intune meant to automatically update on the machines and follow policy rules? NB: They are hybrid machines using co-management with only the Endpoint Protection workload moved over so far. Machines are also onboarded into Defender for Endpoint. Thanks :)

Posted by ethanchalmers, Mar 10, 2025 (Copper Contributor). 30 views, 0 likes, 0 comments.

MDE Onboarded Linux Devices not visible in Intune or Entra ID

We recently started onboarding our Linux servers and endpoints to MDE, and so far we have onboarded a couple of them through manual deployment with the installer script. We have also enabled Endpoint Security Management to scope to Linux devices and have enabled the same in Intune as well so MDE can act as a sensor to apply policies. It's been over a couple of days but we are not seeing those devices in Intune or Entra as Microsoft's documentation states. For context, the versions are 20.04 and 22.04. Even though the health state of the sensor is healthy, and mdatp is not in passive mode, we are still not seeing the devices in either Intune or Entra. Any help would be appreciated since we are pressed to resolve this as quickly as possible.

Posted by Syed_Aun_Muhammad, Mar 10, 2025 (Copper Contributor). 57 views, 1 like, 1 comment.

Alerts don't work? - EDR source

Hi, I'm new to Defender and I want to understand a couple of things. I deployed Defender P2 on a Windows host and I tried to attack it with RDP brute force. The Timeline shows me that the technique used is T1110: Brute Force but I don't see any alert in the console. Is this normal? Is there a way to tell Defender that it must create an alert when it sees a brute force attack? Even worse with a couple of tests on a Linux host. I'm sure that the EDR is engaged because I tested the alert with the default scripts. Even with the execution of a rootkit.. Thanks

Posted by DS99, Mar 10, 2025 (Copper Contributor). 87 views, 0 likes, 3 comments.

Defender for Endpoint on Co-managed Laptop

We are testing the device control feature of Microsoft Defender for Endpoint (MDE).

1. Onboarded a laptop to MDE only (not enrolled in Intune) - created two policies in the Defender portal:
   - Attack Surface Reduction - Device Control - this policy could never be successfully applied on the machine. (Reason - "Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn" suggests that the Device Control profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.)
   - AV - this policy successfully deployed and I could see the deployed config on the machine.
2. Onboarded to MDE and co-managed (Intune, SCCM) - configured the Endpoint Protection workload to be managed by Intune. Created an Attack Surface Reduction Device Control policy in the Intune portal - the policy deployed successfully on the laptop.
   - Connected the USB on the device; it showed the following.
   - Left the device connected; after a few hours, I could see the capacity and used storage of the USB, but clicking Continue and entering admin credentials also won't allow access to the USB.
   - Left the device connected overnight, and the next morning I could double-click on the drive and access the content; it directly allowed me read-write access to the USB.
   - Unplugged and re-plugged the USB; then it shows the USB is not accessible.

I am not able to understand this inconsistent behaviour, please suggest if I am doing something wrong. Also, instead of the "Access is denied" message, can we display a message like "As per the corporate policy, you can't access the removable devices." when the user tries to access a USB? Please help.

Posted by Sochito, Mar 10, 2025 (Brass Contributor). 99 views, 0 likes, 3 comments.

Cannot download Onboarding package

Hello, we're having problems when trying to download the Defender onboarding package. Tried different OSes and different deployment methods, but within a second of clicking Download onboarding package we get a popup saying "Client Error. Failed to get APK url from server". Anyone seen this before?

Posted by Lokaalin, Mar 07, 2025 (Copper Contributor). 13K views, 1 like, 14 comments.

Deployment and licensing in an air-gapped environment

Hi there, we're considering Microsoft Defender for Endpoint for an industrial site with about 120 Linux hosts. None of the hosts are allowed to connect to the Internet, ever. We can only use USB drives to upload changes to the hosts.

1. Installation of Microsoft Defender for Endpoint is not an issue; we can just deploy the packages and install.
2. We found recent documentation that suggests we can maintain and refresh virus definitions in an offline network too: https://learn.microsoft.com/en-us/defender-endpoint/linux-support-offline-security-intelligence-update
3. The only question we are left with is: if we purchase licenses, can we 'redeploy' them to that site without any Internet access?

So, I think the short question is "we want to onboard an offline host?" Thanks!

Posted by Erik_, Mar 07, 2025 (Copper Contributor). 21 views, 0 likes, 0 comments.

MDE configuration for Linux via managed JSON

Per this Microsoft article, a JSON file is being used to configure basic MDE settings on Debian 11 servers:

    {
      "antivirusEngine": {
        "enforcementLevel": "real_time",
        "threatTypeSettings": [
          {
            "key": "potentially_unwanted_application",
            "value": "block"
          },
          {
            "key": "archive_bomb",
            "value": "audit"
          }
        ]
      },
      "cloudService": {
        "automaticDefinitionUpdateEnabled": true,
        "automaticSampleSubmissionConsent": "safe",
        "enabled": true
      }
    }

Despite the setting to configure PUA protection in block mode, the Defender portal shows a security recommendation which states: "Turn on Microsoft Defender Antivirus PUA protection in block mode for Linux". The server has been rebooted and mdatp health has been confirmed. Why might Defender still think that PUA protection isn't on?

Posted by dillont, Mar 06, 2025 (Copper Contributor). 53 views, 0 likes, 1 comment.