MDATP
13 topics

Tamper Protection managed by administrator and OFF - cannot be enabled manually when joined on-prem
Hi all, We are currently only managing Microsoft Defender ATP via Group Policy and there is no GPO for tamper protection. But we cannot enable it manually either: it says "This setting is managed by your administrator" and sets tamper protection to OFF. When deploying a new Windows 10 I can enable it manually. When joining the computer to on-prem AD and the GPO for Windows Defender ATP hits, tamper protection is turned off and you cannot change it. Is this by design or is there a GPO setting interfering? Thanks!

MDATP File Hash Indicators
Hi, I am not allowed to upload MD5 file hashes into the Indicators tab of Microsoft Defender Security Center. It also shows a message that the MD5 file hash method is not recommended. I have around 500 MD5 hashes for IOCs which I need to upload. Is there a way through which I can convert these MD5 file hashes to SHA-1 or SHA-256 and then upload them to Defender Security Center?

Microsoft Defender ATP and Microsoft Flow Integration
Hi Community, I want to share with you the latest about Microsoft Defender ATP and Microsoft Flow integration, not only from the technical side, but also to show you a real-world scenario on how to use this feature to detect and respond to emerging threats with one click from your mobile device. With the help of fellow MVPs, I created a demo that ensures your security teams are alerted by email at all times about threats across your organization, and they can take actions from within that email whether they are at work, traveling, or on their mobile devices. Here is a link to the full demo in a blog post and on a YouTube video. Please let me know if you have any questions regarding this integration by connecting with me on Twitter @ammarhasayen. Bonus Demo: You can also watch a real scenario demo showing how to protect your CEO's machine with the MS Flow Restrict App Execution demo.

Threats > August 2019 RDP update advisory > Hunting Query [Solved]
Hi! In the "August 2019 RDP update advisory" threat page, there is a hunting query:

    // Find unusual processes with outbound connections to TCP port 3389
    NetworkCommunicationEvents
    | where RemotePort == 3389
    | where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
    | where InitiatingProcessFileName !in~
        // Remove common RDP programs
        ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
         "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
         "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
         "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
         "microsodeedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe", "",
         "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
        and InitiatingProcessFolderPath !has "program files"
        and InitiatingProcessFolderPath !has "winsxs"
        and InitiatingProcessFolderPath !contains "windows\\sys"
    | where RemoteIP !in ("127.0.0.1", "::1")
    | summarize ComputerNames = make_set(ComputerName), ListofMachines = make_set(MachineId),
                make_set(EventTime), ConnectionCount = dcount(RemoteIP)
                by InitiatingProcessFileName, InitiatingProcessSHA1, bin(EventTime, 1d)

I am unable to create a detection rule based on this query alone: "Unable to save detection rule The query does not return the following columns that are required to create a detection rule: MachineId ReportId". Can someone hit me up with a modified query that you can create a detection rule on?

MDATP and Incident Handling
Hi! We do security incident handling based on incidents in MDATP. But we find it troublesome that an incident can contain several computers. The fact that alerts tied to the same computer end up in one incident is great, but when you start handling these cases it gets messy real fast if there are 28 computers in one MDATP incident. I would like the option in MDATP for incidents to be limited to one machine. Thoughts?

Wrong MDATP Logic App Connector Auth. endpoint for USgov
I'm trying to create a logic app that will trigger when a new WDATP alert occurs inside of a USgov region using the MDATP connector in the logic app designer. When I click the "Sign in" button it takes me to the authentication URL at https://login.microsoftonline.com/, which is not the proper authentication endpoint for USgov (it should redirect me to https://login.microsoftonline.us). This causes an error response letting me know that I'm making a request to a public endpoint instead of the government endpoint, and that the application must send the user to the right endpoint. I've spent hours looking for ways to change the authentication endpoint to the USgov one in the Microsoft Defender ATP logic app connector and I'm out of ideas. Has anyone encountered this issue and been able to edit the connector's request, or found a workaround? I'd love to hear from someone, thank you!

mdatp device compliance
Hi, is there a recent change in the handling of the mdatp compliance policy in Endpoint Manager? We used to assign the mdatp compliance policy to "All Users", which, in the past, only evaluated the related user account that was matched to the policy assignment. Since yesterday, we have noticed that the mdatp compliance policy is also scoped to the device itself: now the system account also gets evaluated, and we have a new built-in compliance policy system account evaluation. In addition, the scoped user account remains as "not applicable" for this compliance policy. Does anyone know more details about this? Thank you, Thomas

WSL CommandLine Support
I noticed while doing some Advanced Hunting in MDATP that there is some visibility into processes executed via WSL. But the ProcessCommandLine values are all blank; we can only see the process name. Will CommandLine visibility for WSL processes be added in the future?