IanFlood
Feb 07, 2025 Copper Contributor
Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation "Suspected AD FS DKM key read". I edited the rule and set it to auto re...
IanFlood
Feb 11, 2025 Copper Contributor
Luchete, thanks for the reply. What you propose is exactly what I would like to do: exclude the DCs from this specific rule. However, I cannot find anywhere in the Defender portal that allows me to exclude these devices from this rule.
I cannot find any documentation that relates to excluding devices from specific rules either.
When you say "go to the settings for exclusions", where exactly do you mean in the portal?
All I can find is exclusions for files\folders\processes.
Thanks
luchete
Feb 11, 2025 Steel Contributor
Yes, you're right.
I took the wrong approach. Microsoft Defender typically lets you exclude files, folders, or processes, but there's no built-in way to directly exclude a device from a specific detection rule.
However, you can work around this by creating a custom policy within Defender for Endpoint. This would allow you to fine-tune how Defender handles detections on Domain Controllers, and you could set it up so that alerts from the "Suspected AD FS DKM key read" rule are automatically resolved or suppressed when triggered by DCs.
Another option is to adjust the isolation settings within Defender. You can configure these settings to automatically release a Domain Controller from isolation if that particular rule triggers, which would prevent the need for manual intervention.
While there's no direct exclusion for a specific rule on a device, these steps should help reduce the need for manual management.
IanFlood
Feb 11, 2025 Copper Contributor
Luchete, where do I find the setting to adjust the isolation settings?
Is this in Security Center or in Defender on the device?
I already have an auto resolve setting, but this doesn't auto release from isolation.
Thanks
luchete
Feb 11, 2025 Steel Contributor
You can adjust the isolation settings in the Microsoft Defender Security Center, not on the individual device. To do this, go to the Defender Security Center portal and navigate to the Settings section. From there, you should find the options for Device or Network Isolation under the Endpoint Security or Attack Surface Reduction settings. You can configure the settings to automatically release devices from isolation when a specific alert is triggered or after a certain period.
Since you already have the auto-resolve setting, the issue might be with how the isolation rule is set up, so it’s worth checking the isolation configurations.
IanFlood
Feb 12, 2025 Copper Contributor
Luchete,
Thanks for the reply.
Unfortunately I do not see the setting you are describing. I find nothing in the security portal that will allow me to adjust isolation settings.
I am looking at using Power Automate, which does have an unisolate function for Defender.
Regards
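The unisolate action that the Power Automate connector exposes is the Defender for Endpoint "Release device from isolation" API. The script below is an added example, not code from anyone in this thread: it lists current isolation actions through the MDE API, keeps only those whose target is a known Domain Controller, and releases them with an explanatory comment. It assumes an Entra app registration granted the Machine.Isolate and Machine.Read.All application permissions; the tenant ID, app ID, secret, and DC host names are placeholders you would replace, and the API host and endpoint paths are those documented for Defender for Endpoint.

```powershell
# Added example (not from the thread): release known Domain Controllers from
# Defender for Endpoint isolation via the MDE API, the same "unisolate" action
# the Power Automate connector wraps. Assumes an Entra app registration with the
# Machine.Isolate and Machine.Read.All application permissions. Tenant, app ID,
# secret and DC list are placeholders (constructed sample values).
param(
    [string]$TenantId  = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$AppId     = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$AppSecret = $env:MDE_APP_SECRET,                       # read from env, never hard-code
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),  # constructed sample
    [switch]$WhatIf                                                 # report only, change nothing
)

$api = 'https://api.securitycenter.microsoft.com'

# 1. Client-credentials token for the MDE API (v1 token endpoint, as in Microsoft's API docs).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{ resource = $api; client_id = $AppId; client_secret = $AppSecret; grant_type = 'client_credentials' }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Pull isolation actions that took effect or are still being applied.
#    machineactions supports OData $filter on type, status, machineId, requestor, creationDateTimeUtc.
$filter  = "type eq 'Isolate' and (status eq 'Succeeded' or status eq 'Pending' or status eq 'InProgress')"
$actions = (Invoke-RestMethod -Headers $headers -Uri "$api/api/machineactions?`$filter=$filter").value

# 3. Keep only actions whose target is one of our known DCs (case-insensitive FQDN match),
#    so an isolation of any other host is left exactly as Defender set it.
$dcSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$DomainControllers | ForEach-Object { [void]$dcSet.Add($_) }
$dcActions = $actions | Where-Object { $dcSet.Contains($_.computerDnsName) }

if (-not $dcActions) { Write-Host 'No isolated Domain Controllers found.'; return }

# 4. Release each DC once, recording who isolated it and why we released it in the
#    action comment so the machine-action audit trail explains itself later.
foreach ($action in $dcActions | Sort-Object machineId -Unique) {
    $comment = "Auto-release: Domain Controller $($action.computerDnsName) isolated by action " +
               "$($action.id) (requestor: $($action.requestor)) at $($action.creationDateTimeUtc)"
    if ($WhatIf) { Write-Host "WhatIf: would unisolate $($action.computerDnsName)"; continue }
    $result = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
        -Uri "$api/api/machines/$($action.machineId)/unisolate" `
        -Body (@{ Comment = $comment } | ConvertTo-Json)
    Write-Host "Unisolate requested for $($action.computerDnsName): action $($result.id), status $($result.status)"
}
```

Run it with -WhatIf first to confirm the filter only matches the DCs you expect; the requestor and creationDateTimeUtc fields on each action let you check that the isolation came from the automated response rather than from an analyst who isolated the host on purpose. Releasing a Domain Controller automatically removes the containment that the "Suspected AD FS DKM key read" detection triggered, so this belongs alongside, not instead of, confirming that the DKM reads are benign and tuning the alert itself.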