Latest Discussions
ASR Device Control policy update registry conflict

Hi, I'm working with a customer who's rolling out DfE Device Control and we have come across some strange behaviour when changes to the groups and rules are made from the Intune ASR page. Reviewing the PolicyGroups and PolicyRules REG_SZ keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager shows that changes are appended to both keys, not replaced, creating an XML stream of legacy policies and groups. Is this expected behaviour? This creates new policy GUIDs on each update, which makes it hard to know whether the new policy is active or not, and from testing it does lead to long delays in devices becoming denied/allowed despite the changes being pulled down to these keys. Is there some way to determine the active policy GUID? The customer will need to semi-frequently add new USB drives to the allow group/policy, which from testing seems to work more reliably if you delete the 2 registry keys, run a sync, and try to access the drive than waiting for it to append the updated group and policy XML code-block. Are changes to device groups via Intune meant to automatically update on the machines and follow policy rules? NB: They are hybrid machines using co-management with only the Endpoint Protection workload moved over so far. Machines are also onboarded into Defender for Endpoint. Thanks :)

ethanchalmers | Mar 10, 2025 | Copper Contributor | 30 Views | 0 likes | 0 Comments

Deployment and licensing in an air gapped environment

Hi there, We're considering Microsoft Defender for Endpoint for an industrial site with about 120 Linux hosts. None of the hosts are allowed to connect to the Internet, ever. We can only use USB drives to upload changes to the hosts.
1. Installation of Microsoft Defender for Endpoint is not an issue, we can just deploy the packages and install.
2. We found recent documentation that suggests we can maintain and refresh virus definitions in an offline network too: https://learn.microsoft.com/en-us/defender-endpoint/linux-support-offline-security-intelligence-update
3. The only question we are left with is: if we purchase licenses, can we 'redeploy' them to that site without any Internet access?
So, I think the short question is "we want to onboard an offline host?" Thanks!

Erik_ | Mar 07, 2025 | Copper Contributor | 21 Views | 0 likes | 0 Comments

Device control with Defender for Endpoint

Dear all, I need some help on an issue I have been experiencing with my device control policy recently. This policy was configured under attack surface reduction rules in Intune and has been working fine until recently. This policy is used to block all USB ports of corporate machines by default unless they are explicitly allowed. As already mentioned, it works perfectly by blocking all USB ports and we have the option to unblock some if needed. Now, here is the problem I am recently experiencing: We have like twenty-five branches located in different countries, and there is only one policy in Intune in place for all the countries, including the head office. If I exclude a device and allow it to be used in the head office using its serial number, it works fine, but if the same USB stick is connected to a branch office computer, it is blocked again, and there is no conditional access policy configured to warrant such behavior. I appreciate any help that will lead to solving this issue. Best regards, Alieu. Here are some screenshots of my policy in Intune:

Ngumride | Mar 05, 2025 | Copper Contributor | 28 Views | 0 likes | 0 Comments

RTP Disabling Issue

Looking for insight with a Windows Defender issue. Client is using Microsoft Defender for Endpoint. The issue is that Real Time Protection is enabled on certain servers where it should not be. They have a GPO that is supposed to disable that function. I have included a picture to reference a server that has RTP enabled and one that has RTP disabled. I would appreciate any information on this as I have continuously scoured the interwebs for answers, including forums. I do see TamperProtection and TamperProtectionSource keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features with values of 5 and 65 on a server that has RTP enabled, even with a GPO set to disable it. And from a server that has a GPO to disable RTP, it is being disabled correctly.

Arrakis_1145 | Feb 13, 2025 | Copper Contributor | 49 Views | 1 like | 0 Comments

MDA Passive Telemetry

Does anyone know where logs (LSA, Device, CredGuard) are stored in the query tables for MDA in Passive mode? I found these signals but don't recall where. Please advise. I have several tables as follows:
//DeviceEvents
//DeviceFileCertificateInfo
//DeviceImageLoadEvents
//DeviceFileEvents
//DeviceImageLoadEvents
//Deviceinfo
...

logger2115 | Jan 24, 2025 | Brass Contributor | 13 Views | 0 likes | 0 Comments

MS Defender for Endpoint - List machines API

Is it possible to use the below API to retrieve machines with Onboarding status as 'Can be onboarded'? We are hitting this API from ServiceNow and it seems that it is only returning onboarded machines. https://api.security.microsoft.com/api/machines Reference: https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines

ajitmundhekar | Jan 15, 2025 | Copper Contributor | 32 Views | 0 likes | 0 Comments

sasValidHours parameter is not being applied in files import and SAS token is expiring in 1 hour

In Software vulnerabilities via files import machines/SoftwareVulnerabilitiesExport?$sasValidHours=5, I set the sasValidHours parameter to an integer and I see that the generated files still have a 1 hour expiry time (checking from the 'st' and 've' values in the generated file link). Additionally, the documentation says that 'The download URLs are only valid for 3 hours; otherwise, you can use the parameter', however they are not even available for 3 hours, just 1 hour.

Herda | Dec 18, 2024 | Copper Contributor | 39 Views | 0 likes | 0 Comments

Microsoft Enable Programs and Features Settings in Windows 11

If you were a business or organization that was new to Purview, what advice would you give them to turn on or set up as their first steps with the product? On Windows 11, the Settings app lets you install additional features to extend the system's functionalities. You will need an internet connection to download these features since the components are not stored in the default installation. But Windows 11 Insider Preview 10.0.26120.2415 (ge_release_upr) fixes the issue.

Rayhan | Dec 02, 2024 | Copper Contributor | 82 Views | 0 likes | 0 Comments

Suspicious attachment opened with no detection technology or VT matches

We received the alert "Suspicious attachment opened" for an Excel file, but it's unclear why it was flagged. Here's what I found: No detection technology triggered. No VT matches. File wasn't detonated in the Microsoft sandbox. Deep analysis is unavailable (not a PE). I reviewed the file and, apart from generic terms like "invoice" or "file" in the name, I see no clear indicators of suspicion or ways to adjust this in XDR. Any tips for better understanding or fine-tuning the verdict?

Marnik | Nov 26, 2024 | Brass Contributor | 49 Views | 1 like | 0 Comments