MDATP
Tamper Protection managed by administrator and OFF - cannot be enabled manually when joined on-prem
Hi all, We are currently only managing Microsoft Defender ATP via Group Policy and there is no GPO for tamper protection. But we cannot enable it manually either. It shows "This setting is managed by your administrator" and tamper protection is set to OFF. When deploying a new Windows 10 I can enable it manually. When joining the computer to on-prem AD and the GPO for Windows Defender ATP hits, tamper protection is turned off and you cannot change it. Is this by design or is there a GPO setting interfering? Thanks!

Microsoft Defender ATP and Microsoft Flow Integration
Hi Community, I want to share with you the latest about the Microsoft Defender ATP and Microsoft Flow integration, not only from the technical side, but to show you a real scenario on how to use this feature to detect and respond to emerging threats with one click from your mobile device. With the help of fellow MVPs, I created a demo that ensures your security teams are alerted by email at all times about threats across your organization, and they can take actions from within that email whether they are at work or traveling, and from their mobile devices. Here is a link to the full demo in a blog post and on a YouTube video. Please let me know if you have any questions regarding this integration by connecting with me on Twitter @ammarhasayen. Bonus demo: you can also watch a real-scenario demo showing how to protect your CEO's machine with the MS Flow Restrict App Execution demo.

MDATP File Hash Indicators
Hi, I am not allowed to upload MD5 file hashes into the Indicators tab of Microsoft Defender Security Center. It also shows a message that the MD5 file hash method is not recommended. I have around 500 MD5 hashes for IOCs which I need to upload. Is there a way through which I can convert these MD5 file hashes to SHA-1 or SHA-256 and then upload them to Defender Security Center?

MDATP device compliance
Hi, is there a recent change in the handling of the MDATP compliance policy out of Endpoint Manager? We used to assign the MDATP compliance policy to "All Users", which in the past only evaluated the related user account that was matched to the policy assignment. Since yesterday, we recognized that the MDATP compliance policy is also scoped to the device itself: now the system account also gets evaluated, and we have a new built-in compliance policy system account evaluation... In addition, the scoped user account remains "not applicable" for this compliance policy. Does anyone know more details about this? Thank you, Thomas

Wrong MDATP Logic App Connector Auth. endpoint for USgov
I'm trying to create a logic app that will trigger when a new WDATP alert occurs inside of a USgov region, using the MDATP connector in the logic app designer. When I click the "Sign in" button it takes me to the authentication URL at https://login.microsoftonline.com/, which is not the proper authentication endpoint for USgov (it should redirect me to https://login.microsoftonline.us). This causes an error response letting me know that I'm making a request to a public endpoint instead of the government endpoint, and that the application must send the user to the right endpoint. I've spent hours looking for ways to change the authentication endpoint to the USgov one in the Microsoft Defender ATP logic app connector and I'm out of ideas. Has anyone encountered this issue and been able to edit the connector's request, or found a workaround? I'd love to hear from someone, thank you!

DeviceFileCertificateInfo table
Hi all, I want to play around with file reputation under MDATP Advanced Hunting. The only place where I can find file information like this seems to be the DeviceFileCertificateInfo table (where I can find the IsSigned and IsTrusted properties). So far it's not that bad, but the issue I have is that this table uses data obtained from certificate verification activities regularly performed on files on endpoints, and doesn't seem to receive all the validations done each time. E.g., I execute an exe file from PowerShell but didn't see the executed file's hash in the DeviceFileCertificateInfo table. Is that normal? Is there another place where I should find that information? Thanks in advance.
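Added example (written for this page, not code from any of the posters or from Microsoft): one Advanced Hunting query that addresses both the "MDATP File Hash Indicators" question and the DeviceFileCertificateInfo question above. Two facts drive the design. First, a hash cannot be converted into another hash; the only way to obtain the SHA-1/SHA-256 for an MD5 IOC without the original sample is to look it up in telemetry that recorded all three digests for the same file, and DeviceProcessEvents carries MD5, SHA1 and SHA256 for every image it logs. Second, DeviceFileCertificateInfo is keyed only by SHA1 and only contains files that the endpoint's periodic certificate verification actually examined, so a leftouter join from the execution side keeps the executions that have no verification record visible instead of silently dropping them. The two MD5 values in the datatable are constructed placeholders, and the 30-day window is an assumption; replace both with your own list and retention.

```kql
// Added example, not part of the original thread.
// Map MD5 IOCs to SHA-1/SHA-256 via process telemetry, then attach the
// latest certificate verification result (if any) from DeviceFileCertificateInfo.
// The MD5 values below are placeholders, not real indicators.
let ioc_md5 = datatable(MD5:string) [
    "00000000000000000000000000000001",
    "00000000000000000000000000000002"
];
// Executions in the last 30 days (assumed window) whose image matches an MD5 IOC.
// in() accepts a single-column tabular expression, so the IOC list can be pasted in directly.
let hits = DeviceProcessEvents
| where Timestamp > ago(30d)
| where MD5 in (ioc_md5)
| project Timestamp, DeviceName, FolderPath, FileName,
          MD5, SHA1, SHA256, InitiatingProcessFileName;
// Most recent verification record per SHA-1. The table has no SHA256 column,
// which is why the join key must be SHA1.
let certs = DeviceFileCertificateInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer, Issuer,
                    SignatureType, IsRootSignerMicrosoft) by SHA1
| project SHA1, CertCheckTime = Timestamp, IsSigned, IsTrusted,
          Signer, Issuer, SignatureType, IsRootSignerMicrosoft;
// leftouter: an execution with no verification record still appears,
// with HasCertRecord == false, rather than disappearing from the result.
hits
| join kind=leftouter (certs) on SHA1
| extend HasCertRecord = isnotnull(CertCheckTime)
| project-away SHA11
| order by Timestamp desc
```

Rows with HasCertRecord false are exactly the case described in the last post: the file executed, DeviceProcessEvents has its hashes, but the endpoint's certificate scanner has not (yet) verified that binary, so there is nothing to join to. The SHA256 column of the surviving rows is what you would feed into the Indicators import instead of MD5; an MD5 that never matches any execution cannot be mapped this way and needs the original sample or an external hash-lookup service.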