Latest Discussions
Incorrect Identification of Local Admin in Defender for Endpoint
Hello everyone, I am facing an issue with Microsoft Defender for Endpoint where a user is incorrectly identified as having local admin rights. In the Devices menu of the workstation in Defender, the user is tagged as a local admin. This is also confirmed when searching in Advanced Hunting with the following query:

```kql
DeviceLogonEvents
| where LogonType == "Interactive" and IsLocalAdmin == true and AdditionalFields contains "\"IsLocalLogon\":true"
```

However, after checking the user's workstation, I found that the user is not part of the local or domain administrator group. The user cannot perform privilege escalation. It is worth noting that the user has another domain account with admin rights. Additionally, the user's workstation has been AAD joined with his account, so he may have had admin rights on the computer at one time, but not anymore. Has anyone encountered a similar issue or have any suggestions on how to resolve this? Thank you!

italicize_valiant | Mar 11, 2025 | Occasional Reader | 38 Views | 1 like | 1 Comment

ASR Device Control policy update registry conflict
Hi, I'm working with a customer who's rolling out DfE Device Control and we have come across some strange behaviour when changes to the groups and rules are made from the Intune ASR page. Reviewing the PolicyGroups and PolicyRules REG_SZ keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager shows that changes are appended to both keys, not replaced, creating an XML stream of legacy policies and groups. Is this expected behaviour? This creates new policy GUIDs on each update, which makes it hard to know whether the new policy is active or not, and from testing it does lead to long delays in devices becoming denied/allowed despite the changes having been pulled down to these keys. Is there some way to determine the active policy GUID? The customer will need to semi-frequently add new USB drives to the allow group/policy, which from testing seems to work more reliably if you delete the 2 registry keys, run a sync, and try to access the drive, rather than waiting for it to append the updated group and policy XML code-block. Are changes to device groups via Intune meant to automatically update on the machines and follow policy rules? NB: They are hybrid machines using co-management with only the Endpoint Protection workload moved over so far. Machines are also onboarded into Defender for Endpoint. Thanks :)

ethanchalmers | Mar 10, 2025 | Copper Contributor | 30 Views | 0 likes | 0 Comments

Alerts don't work? - EDR source
Hi, I'm new to Defender and I want to understand a couple of things. I deployed Defender P2 on a Windows host and I tried to attack it with RDP brute force. The Timeline shows me that the technique used is T1110:BruteForce, but I don't see any alert in the console. Is this normal? Is there a way to tell Defender that it must create an alert when it sees a brute force attack? It's even worse with a couple of tests on a Linux host. I'm sure that the EDR is engaged because I tested the alert with the default scripts. Even with the execution of a rootkit. Thanks

DS99 | Mar 07, 2025 | Copper Contributor | 87 Views | 0 likes | 3 Comments

Deployment and licensing in an air-gapped environment
Hi there, we're considering Microsoft Defender for Endpoint for an industrial site with about 120 Linux hosts. None of the hosts are allowed to connect to the Internet, ever. We can only use USB drives to upload changes to the hosts.

1. Installation of Microsoft Defender for Endpoint is not an issue; we can just deploy the packages and install.
2. We found recent documentation that suggests we can maintain and refresh virus definitions in an offline network too: https://learn.microsoft.com/en-us/defender-endpoint/linux-support-offline-security-intelligence-update
3. The only question we are left with is: if we purchase licenses, can we 'redeploy' them to that site without any Internet access?

So, I think the short question is "we want to onboard an offline host?" Thanks!

Erik_ | Mar 07, 2025 | Copper Contributor | 21 Views | 0 likes | 0 Comments

MDE Onboarded Linux Devices not visible in Intune or Entra ID
We recently started onboarding our Linux servers and endpoints to MDE, and so far we have onboarded a couple of them through manual deployment with the installer script. We have also enabled Endpoint Security Management to scope to Linux devices and have enabled the same in Intune as well so MDE can act as a sensor to apply policies. It's been over a couple of days but we are not seeing those devices in Intune or Entra as Microsoft's documentation states. For context, the versions are 20.04 and 22.04. Even though the health state of the sensor is healthy, and mdatp is not in passive mode, we are still not seeing the devices in either Intune or Entra. Any help would be appreciated since we are pressed to resolve this as quickly as possible.

Syed_Aun_Muhammad | Mar 06, 2025 | Copper Contributor | 57 Views | 1 like | 1 Comment

Device control with Defender for Endpoint
Dear all, I need some help on an issue I have been experiencing with my device control policy recently. This policy was configured under attack surface reduction rules in Intune and has been working fine until recently. This policy is used to block all USB ports of corporate machines by default unless they are explicitly allowed. As already mentioned, it works perfectly by blocking all USB ports and we have the option to unblock some if needed. Now, here is the problem I am recently experiencing: We have like twenty-five branches located in different countries, and there is only one policy in Intune in place for all the countries, including the head office. If I exclude a device and allow it to be used in the head office using its serial number, it works fine, but if the same USB stick is connected to a branch office computer, it is blocked again, and there is no conditional access policy configured to warrant such behavior. I appreciate any help that will lead to solving this issue. Best regards, Alieu

Here are some screenshots of my policy in Intune: (four screenshots, not reproduced here)

Ngumride | Mar 05, 2025 | Copper Contributor | 28 Views | 0 likes | 0 Comments

Unable to enable tamper protection using MDM
I'm working on implementing Tamper Protection for Windows devices using a custom MDM solution with the Defender CSP, but I've run into some issues and could use your help. A couple of questions:

- What specific data needs to be sent with the Defender CSP to enable or disable Tamper Protection? I've tried using the Defender, but I'm not sure about the correct value to set.
- Are there any permissions or enforcement scope settings that need to be adjusted for a custom MDM to manage Tamper Protection? I tested Intune on some devices, and Tamper Protection couldn't be enabled there either.
- Could there be a specific hierarchy or prerequisite settings in the Microsoft Defender for Endpoint portal that I'm missing?

If anyone has experience with this or has any insights, I'd really appreciate the help. Thanks in advance!

Manik1 | Mar 05, 2025 | Copper Contributor | 15 Views | 0 likes | 1 Comment

MDE configuration for Linux via managed JSON
Per this Microsoft article, a JSON file is being used to configure basic MDE settings on Debian 11 servers:

```json
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "automaticDefinitionUpdateEnabled": true,
    "automaticSampleSubmissionConsent": "safe",
    "enabled": true
  }
}
```

Despite the setting to configure PUA protection in block mode, the Defender portal shows a security recommendation which states: "Turn on Microsoft Defender Antivirus PUA protection in block mode for Linux". The server has been rebooted and mdatp health has been confirmed. Why might Defender still think that PUA protection isn't on?

dillont | Mar 04, 2025 | Copper Contributor | 53 Views | 0 likes | 1 Comment

Defender Portal - Bulk exclude removed devices
Hi, we regularly do bulk replacement of computers (1k at a time), in which the old computers continue to live in the Defender security center and its reports for 30 days after being tagged as inactive. It would be nice if there were an easier way to bulk exclude devices from the reports. It can be done one-by-one from the portal, or in bulk with PowerShell today, but it can be a bit cumbersome in some scenarios.

Ivar_Okseter | Feb 27, 2025 | Copper Contributor | 18 Views | 0 likes | 1 Comment
Tags
- Defender (14 Topics)
- Defender for Endpoint (13 Topics)
- MDATP (13 Topics)
- ATP (10 Topics)
- defender atp (10 Topics)
- security (7 Topics)
- microsoft defender for endpoint (6 Topics)
- MDE (5 Topics)
- Microsoft Defender ATP (5 Topics)