Forum Discussion
IanFlood
Feb 07, 2025, Copper Contributor
Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation "Suspected AD FS DKM key read". I edited the rule and set it to auto re...
luchete
Feb 08, 2025Steel Contributor
Hi IanFlood
You can prevent Defender from isolating your Domain Controllers by creating an exclusion for them.
In this case, instead of just editing the rule to auto-resolve, go into Defender settings and exclude the Domain Controllers from being affected by that specific rule. This will stop the "Suspected AD FS DKM key read" rule from triggering isolation on the DCs, but Defender will still monitor them for any other potential threats. Setting up exclusions ensures that the DCs won't be isolated by this rule while still maintaining security.
Just in case, to set up exclusions, open Microsoft Defender Security Center and go to the settings for "Exclusions." From there, you can add your Domain Controllers to the exclusion list for the specific rule that’s causing the isolation. You’ll want to specify that the “Suspected AD FS DKM key read” rule should not apply to your DCs.
Again, this configuration will allow Defender to still scan them for other threats but avoid isolating them because of that rule. After you set up the exclusions, make sure to save the changes and monitor the system to confirm the isolation no longer happens.
Let me know how it goes!
Regards
- IanFlood, Feb 11, 2025, Copper Contributor
Luchete, thanks for the reply. What you propose is exactly what I would like to do, exclude the DCs from this specific rule. However I cannot find anywhere in the defender portal that allows me to exclude these device from this rule.
I cannot find any documentation that relates to excluding devices from specific rules either.
When you say "go to the settings for exclusions" where exactly do you mean in the portal?
All I can find are exclusions for files\folders\processes.
Thanks
- luchete, Feb 11, 2025, Steel Contributor
Yes, you're right.
I took the wrong approach, Microsoft Defender typically lets you exclude files, folders, or processes, but there's no built-in way to directly exclude a device from a specific detection rule.
However, you can work around this by creating a custom policy within Defender for Endpoint. This would allow you to fine-tune how Defender handles detections on Domain Controllers, and you could set it up so that alerts from the "Suspected AD FS DKM key read" rule are automatically resolved or suppressed when triggered by DCs.
Another option is to adjust the isolation settings within Defender. You can configure these settings to automatically release a Domain Controller from isolation if that particular rule triggers, which would prevent the need for manual intervention.
While there's no direct exclusion for a specific rule on a device, these steps should help reduce the need for manual management.
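The "automatically release" behaviour described in the post above does not exist as a portal toggle in the thread, but it can be scripted against the documented Defender for Endpoint Machine Actions API. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft: it lists recent successful Isolate actions, keeps only those that hit a known Domain Controller, and calls the documented `unisolate` action on each one that has not already been released. The tenant ID, app registration, secret, device IDs and 30-minute lookback are all assumptions; the app registration is assumed to hold the `Machine.Read.All` and `Machine.Isolate` application permissions, and the API host is assumed to be the global `api.securitycenter.microsoft.com` endpoint (regional tenants use a different host).

```powershell
# Added example, not from the original thread. Releases Domain Controllers that
# Defender for Endpoint has isolated, via the documented Machine Actions API.
# Assumptions (replace with your own values): tenant, app registration with
# Machine.Read.All + Machine.Isolate, secret in an environment variable, and the
# MDE device IDs of the DCs.
$TenantId        = '00000000-0000-0000-0000-000000000000'   # assumption
$ClientId        = '11111111-1111-1111-1111-111111111111'   # assumption
$ClientSecret    = $env:MDE_CLIENT_SECRET                    # assumption
$ApiBase         = 'https://api.securitycenter.microsoft.com' # assumption: global endpoint
$LookbackMinutes = 30                                        # assumption
$DcMachineIds    = @(                                        # assumption: DC device IDs
    '0123456789abcdef0123456789abcdef01234567',
    '89abcdef0123456789abcdef0123456789abcdef'
)

# 1. Acquire a token with the client-credentials flow (v2.0 endpoint, .default scope).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$ApiBase/.default"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. List successful isolation actions created within the lookback window.
#    machineactions supports $filter on type, status, machineId and creationDateTimeUtc.
$since   = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString('o')
$filter  = "type eq 'Isolate' and status eq 'Succeeded' and creationDateTimeUtc gt $since"
$actions = (Invoke-RestMethod -Headers $headers `
    -Uri "$ApiBase/api/machineactions?`$filter=$filter").value

# 3. For each isolated DC, skip it if an Unisolate action already followed the
#    isolation; otherwise request a release and record why.
foreach ($action in @($actions | Where-Object { $DcMachineIds -contains $_.machineId })) {
    $releaseFilter = "machineId eq '$($action.machineId)' and type eq 'Unisolate' " +
                     "and creationDateTimeUtc gt $($action.creationDateTimeUtc)"
    $alreadyReleased = (Invoke-RestMethod -Headers $headers `
        -Uri "$ApiBase/api/machineactions?`$filter=$releaseFilter").value
    if (@($alreadyReleased).Count -gt 0) {
        Write-Output "Skipping $($action.computerDnsName): already released"
        continue
    }

    $body = @{
        Comment = "Auto-release of Domain Controller (isolation action $($action.id))"
    } | ConvertTo-Json
    $release = Invoke-RestMethod -Method Post -Headers $headers `
        -ContentType 'application/json' `
        -Uri "$ApiBase/api/machines/$($action.machineId)/unisolate" `
        -Body $body
    Write-Output "Requested release of $($action.computerDnsName): action $($release.id) is $($release.status)"
}
```

Run it on a schedule (a scheduled task or an Automation runbook) with a lookback slightly longer than the schedule interval so no isolation is missed. Two caveats a practitioner should weigh: this is reactive, so the DC still drops off the network until the script runs and the release completes, and it releases on device identity alone, not on which alert caused the isolation, so if a DC is ever isolated for a genuine intrusion this script will undo that containment. Restricting the release to isolations tied to a specific alert title would require correlating the isolation with the alert that triggered it, which this example does not do.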
- IanFlood, Feb 11, 2025, Copper Contributor
Luchete, where do I find the setting to adjust the isolation settings?
Is this in security centre or in Defender on the device?
I already have an auto-resolve setting, but this doesn't auto-release from isolation.
Thanks