Onboarding
27 Topics

Unable to apply ASR rules for Windows servers (2012 R2, 2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into Microsoft Defender for Endpoint via the unified solution (I am not using MMA or AMA). All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managed through SCCM and I could deploy the Antimalware policy to all servers. Still, I am unable to deploy ASR rules to the onboarded servers; I have tried manually configuring the rules on the servers. Still, when I run the Get-MpPreference PowerShell command there are blank fields for the ASR components. Any solution for this? Note: These servers are not joined to AAD.

M365 Defender - Recently seen by?
Does anyone know what "Recently seen by" under network activity actually means? We have a number of unusual device names that keep popping up in our Defender inventory list, which are showing as running Windows 10. We usually get this when we reimage machines, but this is different. Firstly, all newly imaged machines present a variation of the same name, whereas these are all completely different and not in keeping with the expected naming convention. Also, when you click the Defender device page, under network activity the 'Recently seen by' section keeps showing different, genuine Windows 10 machines in our environment. The IP and MAC address, however, stay constant. Does anyone know what this might be? I'm thinking perhaps an issue with SCCM, or our task sequence when reimaging laptops, but don't know much for sure.

Defender for Endpoints - Domain Controllers
Hi, what is the correct process for managing and deploying policies for Windows Server 2019 domain controllers? I know that Security settings management doesn't work on and isn't supported on 2019 DCs as per https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management. So how do I manage and get policies to a 2019 DC? Thanks

Deploying Defender - devices take hours to show in Device Inventory.
We are new Defender customers with A5 and are onboarding lots of clients each day. We are noticing that clients are taking a very long time to show in the "Device Inventory" in the cloud console. I don't think we were having this issue during our PoC phase: clients that ran the onboarding script would show almost immediately. Now it can take several hours or overnight for a client to show up after being onboarded with CM. I am not sure if this is expected or if I am doing something wrong. When I look in Device Inventory and sort by "last device update" there haven't been any new updates in about 7 hours (07:30 AM), but when I check tomorrow, Device Inventory will show that many last device updates occurred between 7:30 AM and now; they just don't show in the console until the next day. It is pretty frustrating during the rollout phase to try tracking progress of the rollout without being able to find and verify the devices in "Device Inventory". I have done some reading on this topic to troubleshoot. I can see in the registry that the client is marking that it has been successfully enrolled. It seems like the only problem is that it takes a very long time for the console in Azure to reflect the current state.

Detection Rule based on Kusto Query
Hi, I'm new to KQL and am now trying to write a query to find Windows Servers that are known to Defender and which are not onboarded. I've got my query ready and working, which is like this: DeviceInfo | where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server" | where Timestamp > ago(1d) | summarize count() by DeviceName, OSDistribution, OnboardingStatus, DeviceId | order by DeviceName. And this is fine as it returns 1 occurrence of each server which is not onboarded. But if I go to "Create detection rule", I get the message that I am missing "Timestamp" and "ReportId". The problem is that if I add those to the query, then instead of having 1 occurrence of each server I have a lot of them, because the table has a lot of those records at different times. Is there a way to add the necessary "Timestamp" and "ReportId" and keep it displaying just 1 occurrence of each server, for example, the last one? Thanks

Device Un-isolation Issue
We have some issues with endpoints where, when they are put into isolation and we then try to remove them from isolation, it will fail or just stay in a pending state. Trying the force unisolation script does not work on these devices as we get an error message "unisolation failed with exit code 2". Has anyone run into these issues? Another thing that I have noticed is that when a device is put into isolation it enrolls that device again and shows the same device twice in device inventory.

Unified RBAC and Entra PIM
I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide), and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender. Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed. Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-access-to-m365-defender/ba-p/3764564) and if so, how well is it working? Thanks in advance!

Microsoft Defender onboarding issues
In our organization we are using Microsoft Defender 365 as our main AV and EDR solution. Most of our machines are onboarded using SCCM/GPO, but in some parts of the organization they are managed manually and are onboarded using the onboarding package. We've recently noticed that during system distribution update, some machines are losing sync with the Defender 365 portal and are listed as Onboarded and Can be onboarded at the same time (the screenshot below shows the same machine as viewed from search). This leaves the machine without advanced capabilities like Live Response, initiated scans etc. (the machine that is onboarded is not responding to actions from the M365 Defender portal). We are looking for a way to "offboard the previous record" and onboard the new one. We've tried to offboard the machine using the offboarding package and onboard it again, but with no success (we left the machine offboarded for more than 24h to ensure that the data would sync with the portal); after re-onboarding the service is working correctly, but the detection script is not generating an alert. Some of the machines were re-imaged and onboarded again (and the issue was resolved), but we are wondering if there is a better and more efficient way to solve this issue?

Onboarded device missing info
I'm setting up Defender in preparation for a migration from my current AV provider. I've created some test devices and successfully onboarded them, and they have recent updated times and dates since last week. I have active onboarded devices; when I select the device I see the device Overview and Incidents and alerts tabs, but the other ones are missing, such as Timeline, Security recommendations, Software inventory, Discovered vulnerabilities, Missing KB. The device also shows 0 logged on users in the last 30 days, which is also incorrect. Anyone any ideas?