Defender

Defender Antivirus (AV) Passive Mode
Hi,

While researching how to set Defender AV to passive mode I stumbled upon two registry keys:

ForceDefenderPassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key

ForcePassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard?view=o365-worldwide#set-microsoft-defender-antivirus-on-windows-server-to-passive-mode-manually
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server

Does either of you know which one is the correct one?

Thanks,
Andre

Microsoft Security Client - Log off Network
We have an issue with a 3rd-party application freezing after about 6 min of inactivity. The only evidence in the Event Viewer is in the Application Log:

Log Name:      Application
Source:        Microsoft Security Client
Date:          10/04/2021 6:30:54 PM
Event ID:      5000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SOLVit-LOAN-01
Description:
Log off network
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Security Client" />
    <EventID Qualifiers="0">5000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-04-10T08:30:54.5764042Z" />
    <EventRecordID>4819</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>SOLVit-LOAN-01</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x1</Data>
    <Data>ProtectionManagement</Data>
  </EventData>
</Event>

We run Malwarebytes Endpoint, which is registered in 'Virus & threat protection', so we are unsure whether we need to register this application as an exception in things like AppGuard or Tamper Protection or somewhere in Defender?

Exposure level clarification
Hi everybody,

I have some machines in Defender ATP and am wondering about the Exposure level. As explained in the info icon, the exposure level is only about the security recommendations. Is there any deeper explanation of how this number is generated? Because I see some low-level recommendations but in some cases the level is medium - this does not make sense to me. Is anyone having the same?

Regards

MDM Security Baseline vs Intune Profile
Hi all,

I am currently testing the 2 profiles in the Security Baselines in the default configuration. As they are now checked against the endpoint, there is one Error in the Per-settings status: Type of system scan to perform. The problem is now: I cannot see anything configured in the MDM Security Baseline for May 2019; the setting itself in the Intune profile is configured. Any idea?

Best regards
Miguel

Windows Defender Full Scan renders devices unusable for 6-7 hours (while scan is running)
We are using Microsoft Defender for Endpoint and configured daily quick scans and weekly full scans. The quick scans don't create any problems, but the full scans are a big problem. Devices are not usable while the scan is running, e.g. one click in MS Teams takes about one minute to complete. We are using the defaults recommended by Microsoft in our configuration profiles. What are the recommended settings for fine-tuning full scans (e.g. ScanAvgCPULoadFactor), or are there specific settings which are to be disabled in order to improve performance (e.g. DisableArchiveScanning)?

Thank you!

Inconsistent Defender Search Results When Searching by Hash
I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with the SHA1, SHA256, and MD5 algorithms. When I perform searches in https://securitycenter.windows.com/ for the MD5 hash, the search completely fails. When I search using the SHA256 hash for the same file, the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed.

If I do the same searches in the M365 portal (https://security.microsoft.com), the MD5 search still fails. The SHA256 search finds an occurrence of the file in email, but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5, but doesn't show any email results.

Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.

Question on web protection with Defender for Android
I'm planning a rollout of Defender for Android using Intune (aka Endpoint Manager) and enabling Web Protection. The app will be installed in the Enterprise Workspace with permissions so it can scan the Personal and Work space. My question is: does Web Protection only apply to web sites accessed using the Edge browser also installed in the Work space, or does Defender for Android also inspect web browsing from Chrome and other browsers installed in the User partition?

Microsoft Defender for Endpoint on Mac
Hello all,

I have recently deployed Defender on several Macs. However, most of the features are greyed out. On Windows devices, everything works like a charm. Please see the image attached. Any advice will be appreciated.

Thanks,
Jose

Microsoft Defender EDR for old Windows Server 2008/2012/2016
Microsoft documentation states the EDR feature is supported on older Windows Server versions like Server 2012/2016. Then it goes on to say to deploy the MMA agent. But isn't the MMA agent just a read-only Log Analytics agent that can only report the status of the server but can take no action? Hence, EDR means only detection but no response. Am I correct in understanding that? We are evaluating Defender for Servers and have gone through quite a lot of documentation but still have no definitive answer.

Licensing and Where's the Endpoint List?
I recently moved some users on E5 licenses so we could see about using Endpoint Defender in place of our current endpoint AV. The license description says ED is included in E5. But I cannot find the list of those users' endpoints anywhere. The MS documentation is an endless circle of waffle. Documentation suggests I should have a Device Inventory in the new Security admin console, but I have none. It seems to want me to start a trial of an additional service even though it's supposed to be included with E5. The only place I can find anything likely is with the Intune (bleah) console. We dropped Intune 5 years ago as it was very, very poor.

I'd be grateful if anyone can say:
- Is Intune needed for ED?
- Where can I see a list of endpoints and status?
- Do I really need an additional service on top of the E5 licenses?