Microsoft Defender for Endpoint topics Microsoft Defender for Endpoint topics Sat, 23 Oct 2021 19:49:55 GMT MicrosoftDefenderATP 2021-10-23T19:49:55Z Microsoft Defender for Android Company Owned Work Profile <P>Hi,</P><P>&nbsp;</P><P>I'm testing Android Enterprise with company owned with work profile. Install instructions have this statement "<STRONG>Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready."</STRONG></P><P>&nbsp;</P><P>Does this mean we can deploy MDE to Android Enterprise Devices which are corporate owned but have work profile? Do they have to be fully managed?</P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P> Fri, 22 Oct 2021 09:48:15 GMT PMLIO 2021-10-22T09:48:15Z ATP need Defender or not? <P>Hello, my company is planning to deploy ATP for all servers.</P><P>While currently only Windows 2019 servers are using Windows Defender as antivirus.</P><P>Other Windows Servers and all Linux servers are using a 3rd party antivirus software.</P><P>&nbsp;</P><P>Could any one help me for some questions.</P><P>Do I need enable defender on Windows 2012 and Windows 2016 servers?</P><P>Do I need install Defender on Linux servers?</P><P>If I need full function of ATP, do I need use Defender as antivirus software?</P><P>Or if I installed Defender, but didn't use it for antivirus, will ATP failed to work, or loss some function?</P><P>&nbsp;</P><P>Thanks.</P> Fri, 22 Oct 2021 08:43:18 GMT ChengJian 2021-10-22T08:43:18Z MDE configuration with Baseline or Configuration Profiles? 
<P>Hello everyone,</P><P>&nbsp;</P><P>what is currently best practise to deploy settings for MDE like (ASR, Tamper Protection, Smart Screen, etc.).</P><P>Since there are settings within the Endpoint Baseline and also within the Configuration Profiles, which one should be used?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>Cheers,</P><P>John</P> Fri, 22 Oct 2021 07:43:59 GMT John Matrix 2021-10-22T07:43:59Z Can I check whether an IoC/hash is already monitored by MDE? <P>The list of IoC is limited to 15k. I imagine <EM>some</EM> IoCs entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage.</P><P>&nbsp;</P><P>*Better to join forces than reinvent the wheel.</P> Thu, 21 Oct 2021 14:04:10 GMT jjsantanna 2021-10-21T14:04:10Z Running a registry based query <DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><P>Hello,</P><P>we have some computers which we need to find out the specific registry value in order to be able to update their OS.<BR />The path:&nbsp;HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AU</P><P>The value (Dword): NoAutoUpdate</P><P>I want to find out which computers that are onboarded to defender for endpoint has this registry set to "1"/On.</P><P>Thanks for help</P><P>&nbsp;</P></DIV></DIV> Thu, 21 Oct 2021 08:42:24 GMT UBBER2290 2021-10-21T08:42:24Z Unable to save query to alert on no sensor data as a custom detection rule <P>Hello,&nbsp;<BR />I am trying to create a custom alert for an agent not reporting sensor data using&nbsp;the following query, which runs fine but there is an error in it per MDE, which wont let me save this as a custom detection rule:</P><P>&nbsp;</P><DIV class=""><P><SPAN>'<STRONG>Can't save detection rule</STRONG></SPAN></P><DIV class=""><P>The query contains syntax errors and cannot be used to create a detection rule. 
Please fix errors in the query and try again.<SPAN>'</SPAN></P><P>&nbsp;</P><P>KQL Query:&nbsp;</P><DIV><DIV><SPAN>DeviceTvmSecureConfigurationAssessment</SPAN></DIV><DIV><SPAN>| where ConfigurationId in ('scid-2000', 'scid-2001')</SPAN></DIV><DIV><SPAN>| extend Test = case(</SPAN></DIV><DIV><SPAN>ConfigurationId == "scid-2000", "SensorEnabled",</SPAN></DIV><DIV><SPAN>ConfigurationId == "scid-2001", "SensorDataCollection",</SPAN></DIV><DIV><SPAN>"N/A"),</SPAN></DIV><DIV><SPAN>Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")</SPAN></DIV><DIV><SPAN>| extend packed = pack(Test, Result)</SPAN></DIV><DIV><SPAN>| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId</SPAN></DIV><DIV><SPAN>| evaluate bag_unpack(Tests)</SPAN></DIV><DIV><SPAN>| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"</SPAN></DIV><DIV><SPAN>| summarize by DeviceName, DeviceId</SPAN></DIV></DIV><P><BR />Can someone point out something I am missing here ?&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Princely Dmello</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P></DIV></DIV> Wed, 20 Oct 2021 02:58:01 GMT Princely 2021-10-20T02:58:01Z Custom Detection rule to find Inactive Device <P>Hello, My Org Planning to create incidents whenever the device goes inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I get the query(KQL) to list the Inactive device. 
Thanks in Advance</P> Sun, 17 Oct 2021 06:23:32 GMT Arjun_Rajan 2021-10-17T06:23:32Z MDE LiveResponse Downloading File Fails <P>I was playing with LiveResponse and the 'BackupEventLog.ps1' script from&nbsp;</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P>which creates a file around 97MB, well below the 3GB limit.&nbsp;</P><P>&nbsp;</P><P>I've tried&nbsp;&nbsp;</P><P>getfile 'file'&nbsp;</P><P>&nbsp;</P><P>I've tried downloading in the background&nbsp;</P><P>download 'file' &amp;</P><P>&nbsp;</P><P>but it won't download.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I can download slightly smaller files...(67MB)</P><P><SPAN>getfile C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx</SPAN></P><P>&nbsp;</P><P><SPAN>Does anyone know if there's something else I was supposed to do?&nbsp;</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Oct 2021 15:17:27 GMT mathurin68 2021-10-14T15:17:27Z MDE for Linux and audit logs <P>Just confirming that MDE for Linux will ingest events from the audit logs based on the following statement from Microsoft's documentation:</P><LI-CODE lang="applescript">System events captured by rules added to /etc/audit/rules.d/ will add to audit.log...</LI-CODE><P>We need to monitor file access and our Linux admin has configured the audit rules to record that information and with that, I just want to verify that the MDE for Linux agent will ingest those events.</P><P>&nbsp;</P><P>Thx</P><P>&nbsp;</P> Tue, 12 Oct 2021 12:46:53 GMT Jeff Walzer 2021-10-12T12:46:53Z Microsoft Defender for Endpoint on Mac <P>Hello all,</P><P>&nbsp;</P><P>I have recently deployed Defender on several Macs. However, most of the features are greyed out.&nbsp;</P><P>&nbsp;</P><P>On Windows devices, everything works like a charm. Please, see imaged attached. 
Any advise will be appreciated.</P><P>&nbsp;</P><P>Thanks,</P><P>Jose&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoseBiceps_0-1633943482435.png" style="width: 400px;"><img src=";px=400" role="button" title="JoseBiceps_0-1633943482435.png" alt="JoseBiceps_0-1633943482435.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 11 Oct 2021 09:12:28 GMT JoseBiceps 2021-10-11T09:12:28Z DeviceLogon events doesn't capture RDP connections (?!?!) <P>I create a custom detection that starts like this:</P><P>&nbsp;</P><P>DeviceLogonEvents<BR />| where ActionType == "LogonSuccess"<BR />| where DeviceName has_any (Array of the backup servers)</P><P>| where not(AccountName has_any (Array of the expected accounts))</P><P>&nbsp;</P><P>...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privelege escalation).</P><P>&nbsp;</P><P>Should work, right?&nbsp; But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table.&nbsp; Is that by design??&nbsp; Could Microsoft fix this?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Oct 2021 18:28:35 GMT Kyrouz 2021-10-08T18:28:35Z Real-time protection in Windows Defender - How does it work? <P><SPAN>Hello Everyone,</SPAN></P><P>&nbsp;</P><P><SPAN>Let me begin with a high-level presentation of our environment - our</SPAN><SPAN>&nbsp;project develops an application for EU countries on top of a Microsoft infrastructure – Windows Server 2016, Active Directory, SQL Server 2016 and BizTalk Server 2016. More than 300 servers are protected with the default antimalware solution – Windows Defender.</SPAN></P><P>&nbsp;</P><P><SPAN>Our application exchanges messages between countries, messages which often contain attachments. Since there is no particular integration with Windows Defender, we place all messages in a temporary folder for 10 minutes immediately after downloading and before starting to process them. 
This approach is supposed to give enough time to Windows Defender to scan the messages and the attachments.</SPAN></P><P>&nbsp;</P><P><SPAN>The concerns we have are related to this 10 minutes ‘time-window’ we allow to Windows Defender for scanning the messages. Is it enough or we need to increase it? For how long should we wait in order to make sure the messages we take from that temporary folder are scanned – regardless of their number or their size?&nbsp;</SPAN></P><P>&nbsp;</P><P><STRONG>What does it mean 'Real-time protection' and how does it work?</STRONG> Do we really need to wait 10 minutes to make sure the files are scanned?&nbsp;<STRONG>Is it possible for a user or application to access/read/copy/run/use in any way an infected file before being scanned?</STRONG></P><P>&nbsp;</P><P>I should mention that our servers are not connected to internet but only rely on CLIENT features (offline signature database which is periodically updated). We do not use CLOUD threats intel as we cannot submit suspicious files to be analyzed due to GDPR constrains.</P><P>&nbsp;</P><P><SPAN>Thanks in advance for your clarifications.</SPAN></P><P>&nbsp;</P><P><SPAN>George</SPAN></P> Fri, 08 Oct 2021 16:50:26 GMT GeorgeCostache 2021-10-08T16:50:26Z ASR: Block abuse of exploited vulnerable signed drivers <P>Hey there,</P><P>&nbsp;</P><P>I am seeing a recommendation to apply the ASR Rule as listed above. It looks like a fairly new edition to the series of 16 ASR rules that can be configured.</P><P>&nbsp;</P><P>However, on closer inspection there doesn't yet appear to be an Intune/Endpoint Manager option to add this under the standard Endpoint Security / Attack Surface Rules section.</P><P>&nbsp;</P><P>There's an "Intune name" and a GUID but... 
I don't want to push this out via a MEM OMA-URI, it fractures where all the policies are kept and makes things messy.</P><P>&nbsp;</P><P>Can I ask when it is expected to have this baked into the main Attack Surface Reduction rules section?</P><P>&nbsp;</P><P>Seems a bit daft to make recommendations to implement the setting across all your endpoints when it's not as easy as all the other rules to actually implement?</P><P>&nbsp;</P><P>Thanks very much.</P><P>&nbsp;</P><P>James</P> Fri, 08 Oct 2021 13:58:42 GMT James_Gillies 2021-10-08T13:58:42Z Suppressing Alerts generated by RMM software <P class="">I am hitting a bit of a brick wall with this and wondering if anyone had some advice on the best methodology to go down to fix it.</P><P class="">All our machines have an RMM tool on them that runs PowerShell, inventories the machine etc. This is LTSVC.exe. All of this behaviour is legitimate. We are testing Defender for Endpoint on a few machines in our environment and, unsurprisingly, this behaviour is generating a lot of incidents and alerts.</P><P class="">I'll use this as an example but there are plenty of these examples. The inventory gets a list of users by running "net1 user" .</P><P class="">&nbsp;</P><P class="">If I look at the Alerts that are generating, and choose to make a suppression rule I get two options in the triggering IOC dropdown:</P><P class=""><A href="#" target="_blank" rel="noopener nofollow ugc"></A><SPAN>&nbsp;</SPAN>or<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow ugc"></A></P><P class="">&nbsp;</P><P class="">I don't want to whitelist the command "net1 user" because what if a non legitimate tool runs it? I also don't want to whitelist the entire LTSVC.exe. What if someone pushes a malicious command out through it?</P><P class="">&nbsp;</P><P class="">In plain English what I want to say in the suppression rule. "If LTSVC.EXE runs "net1 user" then that's fine. 
There doesn't seem to be a way to do this.</P><P class="">&nbsp;</P><P class="">Anyone have any idea on the best way to achieve this, or am I going about this in entirely the wrong way?</P> Mon, 27 Sep 2021 11:49:50 GMT WayneD911 2021-09-27T11:49:50Z Multiple instances of device in Defender console <P>Hi</P><P>&nbsp;</P><P>Does anyone know why a single AAD/Intune Win 10 device would have 4 separate instances in the inventory list in MDE?&nbsp; The iOS and Android devices all have a single entry.</P><P>&nbsp;</P><P>Many thanks</P><P>Keith</P> Sat, 25 Sep 2021 10:53:56 GMT stromnessian 2021-09-25T10:53:56Z Devices with malware detections Report <P>Hi, in our MDE portal the '<SPAN>Devices with malware detections' contains a few devices which supposedly have active malware, however, the devices do not have any (active) alerts in Defender for Endpoint. It seems the information in the report is gathered from Intune, but the same information is displayed there and does not provide any further&nbsp;indications other than the threat name. How/where can I find the alerts associated&nbsp;with the 'active malware', if they are not in Defender for Endpoint?</SPAN></P> Thu, 23 Sep 2021 13:02:12 GMT Juulw 2021-09-23T13:02:12Z Defender for Endpoint for devices with Intune in Endpoint Manager <P>I am trying to deploy Defender for devices with Intune in Endpoint Manager. As shown in the picture below, I am trying connect Windows devices to Defender but I keep getting the error highlighted. It's been like that for 4 days. The intune connection thing is enabled on Defender console too. 
Anyone else have this problem too?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tk298_0-1632165352301.png" style="width: 400px;"><img src=";px=400" role="button" title="tk298_0-1632165352301.png" alt="tk298_0-1632165352301.png" /></span></P><P>&nbsp;</P> Mon, 20 Sep 2021 19:18:35 GMT tk298 2021-09-20T19:18:35Z MsSenseS.exe high CPU usage <P>Good Afternoon - We have a few servers in Azure that have extremely high CPU usage due to the "MsSenseS.exe" process. Is there anything that can be done to alleviate this? Seems like this process is related to Defender or some sort of Microsoft sensor.</P><P>&nbsp;</P><P>I have opened a ticket with Microsoft Support which has not been that helpful.</P> Fri, 17 Sep 2021 17:33:12 GMT jham01 2021-09-17T17:33:12Z Finding DC's using KQL in and defender fro endpoitns <P>Hi</P><P>This is probably a dumb question but is there a foolproof way to use the telemetry provided by DME to identify DC's? I'm often in a position where we were not involved in the MDE rollout and need to verify that all of the DC's have been onboarded. Also interested in using this approach to automatically tag DC's etc..</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Sep 2021 13:21:55 GMT PeterJInobits 2021-09-17T13:21:55Z Machine tagging in Defender <P>Hi all,</P><P>I have tagged a number of now inactive devices and added them to a machine group. But whilst I tagged 24 devices, 31 are showing up in my device group. I have tagged the 24 devices InactiveReimaged and the machine group is also InactiveReimaged. 
I chose to add devices to the group by using the Tag Equals InactiveReimaged option.&nbsp;</P><P>I did tag and untag a couple of devices before setting up the group, as a test, but only the 24 devices are, or should be, tagged.</P><P>Any ideas on why more devices are showing up, and more importantly, how I can fix this?</P> Wed, 15 Sep 2021 21:20:53 GMT GI472 2021-09-15T21:20:53Z test malware, specifically for CVE-2012-0217 exploit malware in EDR in Block Mode <P>We just implemented EDR in Block mode and wanted to test for a specific CVE, is that possible?</P><P>I know there are simulation attacks you can run but was hoping to setup using a specific CVE.</P><P>&nbsp;</P><P>Cheers,</P><P>&nbsp;</P><P>Serge</P> Wed, 15 Sep 2021 19:29:36 GMT snteran 2021-09-15T19:29:36Z Defender for Endpoint Licensing <P>Hello,&nbsp;</P><P>Our organization is doing a test run for Defender for Endpoint.</P><P>I've read that Defender for Endpoint license allows</P><P>1 license Per User = 5 devices</P><P>&nbsp;</P><P>I'm using Intune as my deployment method. I've assigned 1 defender for Endpoint license to my global admin account. I've successfully onboarded about 10 devices. I'm receiving all the advanced data analytics from these devices. These devices have different users, which I have not assigned a Defender for Endpoint license to.</P><P>&nbsp;</P><P>I'm getting confused on how the licensing works for Defender for Endpoint. Any help explaining how it works will be greatly appreciated.&nbsp;</P> Mon, 13 Sep 2021 17:19:58 GMT TasnubaSyeda 2021-09-13T17:19:58Z Sysmon worth using in addition to Defender ATP? 
<P>I'm trying to get opinions if sysmon is worth using alongside Defender ATP?&nbsp; The logs would be going into Splunk, if that helps, but just in general.&nbsp;&nbsp;</P><P>&nbsp;</P><P>(Disclaimer:&nbsp; I have asked this in a couple blue team slack chats as well).&nbsp;&nbsp;</P> Mon, 13 Sep 2021 15:40:50 GMT mathurin68 2021-09-13T15:40:50Z Microsoft defender API <P><SPAN>Hello community, I have one question. We are using alienvault otx to get IOC of domains/IP's. It's huge data and every platform will have some limitations of blocking these IOC's. For example, In Microsoft defender, we can only block 15k per tenant. We are usually taking these IOC and checking in virustotal to see if it is already detected by a firewall, Microsoft defender to avoid adding duplicates. How you guys are handling this situation? Is there any way to do automation using graph API to check if it is already detected by the defender?</SPAN></P> Sat, 11 Sep 2021 22:10:24 GMT mohan_infosec 2021-09-11T22:10:24Z How to check the events for Attack surface reduction in Audit mode using Advanced hunting <P>Hello Team,</P><P>&nbsp;</P><P>We have deployed ASR rules using Microsoft System Center Configuration Manager in audit mode. I found that the&nbsp; ASR events in audit mode can only be checked in Event logs by configuring event forwarder.&nbsp;</P><P>&nbsp; I want to know whether there is any Kusto query to run in Advanced Hunting and get the list of files in audit mode. This help us in whitelisting the ASR rules</P> Fri, 10 Sep 2021 04:27:42 GMT Naresh2174 2021-09-10T04:27:42Z where can I see the "detection build id/number"? <P>Where can I see the "detection build id/number". For example, at&nbsp;<A href="#" target="_blank"></A> it says; "<SPAN>Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments." 
I would like to know what version do my customer have deployed.</SPAN></P> Thu, 09 Sep 2021 09:44:22 GMT jjsantanna 2021-09-09T09:44:22Z MDE Anti-malware Policy Management <P>Good day community,</P><P>&nbsp;</P><P>Rookie question, but MDE does not allow AV policy management across devices, correct? In other words, I still need to manage my Windows 10 devices through MEM/Config Manager for things like file/folder exclusion.</P><P>&nbsp;</P><P>In short, MDE does not allow me to manage Windows Defender AV.</P><P>&nbsp;</P><P>TIA</P> Thu, 09 Sep 2021 07:00:20 GMT SebastiaanR 2021-09-09T07:00:20Z ip address of Microsoft Azure Defender IP Ranges <P>Hello ,&nbsp;</P><P>I go to this link :&nbsp;<A href="#" target="_blank"></A>&nbsp;for download the servicetags_public file, is it ip range of Microsoft Azure defender endpoint ?</P><P>And Can I use these ip addresses instead of DNS? because my firewall is not suport dns-based rules.</P><P>&nbsp;</P><P>Regards !</P> Wed, 08 Sep 2021 02:02:22 GMT tdo2021 2021-09-08T02:02:22Z Will Microsoft Defender for Endpoint prevent user to change settings in Windows security? <P>Hi<BR /><BR /></P><P>1. If I turn on&nbsp;<SPAN>Allow or block file </SPAN><SPAN>(&nbsp;Microsoft 365 Defender &gt; Settings &gt;Endpoints &gt; General &gt; Advanced features &gt; Allow or block file &gt; On), Will Microsoft Defender for Endpoint prevent user to change settings in Windows security?</SPAN></P><P>&nbsp;</P><P><SPAN>2. If yes, how to let user have ability to turn it off?</SPAN></P><P><SPAN>&nbsp; &nbsp; (Why I ask the question is After&nbsp;turn off Allow or block file, user still see "This setting is managed by your administrator")</SPAN></P> Tue, 07 Sep 2021 09:29:33 GMT KevinLin 2021-09-07T09:29:33Z How to apply M365 Endpoint Defender setting immediately? 
<P>Hi</P><P>&nbsp;</P><P>After setting be changed (&nbsp;Microsoft 365 Defender &gt; Settings &gt;Endpoints &gt; General &gt; Advanced features &gt; Allow or block file &gt; On), how to apply it to all device immediately?</P> Mon, 06 Sep 2021 10:01:07 GMT KevinLin 2021-09-06T10:01:07Z Microsoft Defender for Endpoint doesn't detect renamed virus file <P>Microsoft Defender for Endpoint successfully detects test virus file, however when i rename it to 123.jpg it's not detected as a virus. Is there an option in&nbsp;Microsoft Defender for Endpoint&nbsp; which would allow recognition of renmed virus file?</P> Thu, 02 Sep 2021 10:31:32 GMT ferapontov 2021-09-02T10:31:32Z Microsoft Defender for Endpoint deployment to devices that aren't in a domain or active directory <P>We recently deployed Defender for Endpoint with Group Policy to the devices within the domain. And we are looking to deploy Defender to devices that aren't in the domain. I know we can use a local script to do it but is there a way to deploy Defender for Endpoint to devices that aren't company domain joined automatically or easily without having to go through them one at at time?</P><P>&nbsp;</P><P>Thanks</P> Wed, 01 Sep 2021 17:20:45 GMT tk298 2021-09-01T17:20:45Z How to notify if any of the MDE sensor going to "INACTIVE" state <P>How can get notification if any of the Microsoft Defender Endpoint (MDATP aka MDE) sensors going to "INACTIVE" state. This will be an proactive approaches that will help to avoid assets flagging related to S360 KPI&nbsp;</P> Wed, 01 Sep 2021 06:59:36 GMT Mscommunityta21 2021-09-01T06:59:36Z Defender for Endpoint for macOS feedback <P>Hi MDE humans,</P><P>&nbsp;</P><P>Two points of feedback to MDE on macOS which we are trialing internally.&nbsp;</P><P>Client ran a full scan after being concerned about security on their macOS. The full scan scanned not only the root volume but also the time machine mount attached to the mac. 
The issue was that the time machine device stored terabytes of data and took days to scan.</P><P>The interesting behavior out of this is that while MDE detected adware within a DMG, I did not get an alert in M365 Defender until the scan had finished.</P><P>&nbsp;</P><P>So two requests:</P><P>1. Is there a way to limit scanning to not follow symlinks across the network - similar to how a full scan on Windows will do C: by default but not network attached drives.</P><P>2. Can we be notified through MDE when the threat is found in a full scan - not on completion of the scan.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Danny</P><P>&nbsp;</P> Tue, 31 Aug 2021 03:33:27 GMT Danny Grasso 2021-08-31T03:33:27Z Add Custom Detections via api? <P>Is it possible to add our own Custom Detections, either Sigma Rules or indicators from MISP via the api?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thank you!&nbsp;</P><P>&nbsp;</P><P>Also, is this the best place to ask questions and learn?&nbsp; Is there a slack channel, discord chat?&nbsp;</P> Thu, 26 Aug 2021 23:03:00 GMT mathurin68 2021-08-26T23:03:00Z Auto sign in for Microsoft Defender endpoint iOS app managed by intune <P>Quick question, need to install Defender on iOS devices. This devices are company owned and managed by Inutune, but they are devices without user affinity. Is there a way to auto sign into the Defender app for IOS? This iPhone don’t use user affinity, so I don’t have any Email address to provide the app with to set up Defender. I would greatly appreciate it, if someone can help.</P> Tue, 24 Aug 2021 22:05:24 GMT imhandaniel 2021-08-24T22:05:24Z DeviceID in Defender Device Inventory <P>Hi everyone,</P><P>&nbsp;</P><P>I have an issue with duplicate devices in Defender which I have now found out is a feature. 
When devices are reimaged for reissue, the old machine stays on the list in the Device Inventory for a period of time.&nbsp;I have a couple of questions though, and I'm hoping someone can help!</P><P>&nbsp;</P><P>The duplicate devices have a different DeviceID but they all have the same DeviceName. Can anyone tell me if there is a way to show the DeviceID in the Device Inventory screen in Defender? Maybe a filter or something? I only found out about this when I hit export on the Device Inventory list and saw the extra column. It would be helpful to see the DeviceID on screen rather than have to export to .csv.&nbsp;</P><P>&nbsp;</P><P>Does anyone know where the DeviceID is sourced from? Is it Azure AD, AD, or just a Defender thing? It would be good to know this, so that I can check the source and confirm that the devices I think are current really are.</P><P>&nbsp;</P><P>Lastly, the duplicates are impacting our Security Recommendations. I spent a couple of weeks looking at patching devices that are actually old images. I can tag these devices in the Device Inventory as DuplicateDevice or something similar, but these tags are not transmitted over to Security Recommendations (why not?!?). I have read about machine groups and adding these devices to a DuplicateDevice group, but this seems to be a bit long-winded. Is there an easier way to move tags from Device Inventory so that they also show in the Security Recommendations section?</P><P>&nbsp;</P><P>Thanks in advance for any help.&nbsp;</P> Wed, 25 Aug 2021 08:42:45 GMT GI472 2021-08-25T08:42:45Z [MDE] Add the important feature, Yara rules if possible <DIV>Hi,<BR /><BR />Refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside pdf). 
(2nd link)</DIV><DIV>All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for the incident responders to detect.</DIV><DIV>&nbsp;</DIV><DIV>The method of adding and detecting Yara rules has been in practice across companies for many years.</DIV><DIV><SPAN>Would you mind advising on any reason why not adding the important feature, Yara rules?</SPAN></DIV><DIV><SPAN>It would be good if you include the important feature, Yara rules.</SPAN></DIV><DIV><SPAN>If not, would you mind advising on converting from Yara rules to MDE query for querying via advanced threat hunting? Thanks much appreciated. :)</img></SPAN></DIV><DIV><DIV><DIV><DIV>&nbsp;</DIV><DIV><DIV><DIV><FONT face="Arial"><A href="#" target="_blank" rel="noopener noreferrer"></A></FONT></DIV><DIV><FONT face="Arial">&nbsp;</FONT></DIV><DIV><FONT face="Arial">This link is the Yara rule.</FONT></DIV><DIV><FONT face="Arial"><A href="#" target="_blank" rel="noopener noreferrer"></A></FONT></DIV><DIV><FONT face="Arial">&nbsp;</FONT></DIV><DIV><FONT face="Arial"><A href="" target="_blank" rel="noopener noreferrer"></A><BR /></FONT><DIV>&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 25 Aug 2021 06:38:32 GMT tay76 2021-08-25T06:38:32Z Does the 'Hide Alert' option in Defender remove the data from the corresponding table? <P>We are trying to suppress an alert based on command-line containing a specific file name which doesn't seem to currently be possible. We were planning to instead suppress alerts based on the&nbsp; Processname and create a custom detection rule to exclude command-lines containing the specific file name and alert on the rest. 
My question is, will the alert data still be present in the 'AlertInfo', '<SPAN>AlertEvidence</SPAN>' tables after creating the suppression rule with the 'Hide Alert' option or should we be using the "Resolve Alert" option instead?&nbsp;</P> Tue, 24 Aug 2021 22:53:05 GMT Princely 2021-08-24T22:53:05Z problems with MS Defender for Endpoint on iOS device <P>Hi. We recently deployed MS Defender for Endpoint on all our iOS devices through Intune. However, since then, people are complaining their internet browsing experience is not good. It's slow, some sites take forever to load (when they do), etc. When we manually disable the Defender VPN connection, it's working again. How can we fix this issue? Thanks.</P> Tue, 24 Aug 2021 18:09:32 GMT bjork6 2021-08-24T18:09:32Z Restrict access to event timeline for privacy reasons <P>The event timeline per device in within Microsoft Defender for Endpoint might be great for incident response.</P><P>However, I see a privacy violation as some users only use the portal for vulnerability management and hardening and do not need to see detailed event timelines.</P><P>&nbsp;</P><P>Is it possible to either a) disable it at all or b) restrict access to users that use Microsoft Defender for Endpoint for vulnerability management and hardening purposes only.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 23 Aug 2021 19:59:49 GMT agua_todo_el_dia 2021-08-23T19:59:49Z KQL Queries with RemoteIP, whitelist Agency Public IP Addresses Is it possible to add a list somewhere to Defender EndPoint to 'whitelist' the Agency public IP addresses? Or say you're searching for LOLBINS reaching out to public IP addresses and you want to ignore the Agency IP addresses? Is there a way to do that? Thank you! 
Mon, 23 Aug 2021 18:57:00 GMT mathurin68 2021-08-23T18:57:00Z knowbe4 ransim test failed <P>We are testing ATP defender for endpoints, we tested with knowbe4 ransim test software and ATP defender failed 20/23 scenarios.&nbsp;</P><P>It very well could be a mis-configuration. Has anyone ran this tool? Are there recommended settings for ATP that need to be configured to block all forms of malware?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 23 Aug 2021 14:14:56 GMT Jason_B1025 2021-08-23T14:14:56Z Newbie question about IPS <P>Hi I am looking at Microsoft Defender for Endpoint but cannot find anything that actually says that it provides IPS or IDS protection.</P><P>&nbsp;</P><P>Plus is it also possible to run this system in an on-Prem only mode which is isolated with no internet access?</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Fri, 20 Aug 2021 09:59:00 GMT Bozzie-UK67 2021-08-20T09:59:00Z Restrict PowerShell on end user devices <P>Hello all</P><P>All devices are running the latest version on Windows 10. We have deployed defender for endpoint, Intune, and sccm. Can defender for endpoint tell me what the current powershell execution policy is on every device ? can i also use it to set the execution policy in mass? 
I dont want to resort to GPO because many users work remotely because of covid.</P><P>Thank you&nbsp;</P> Thu, 19 Aug 2021 17:40:48 GMT Skipster311-1 2021-08-19T17:40:48Z smartscreen log events <P>I everyone</P><P>&nbsp;</P><P>I have a question about defender and the SmartScreen protection.</P><P>&nbsp;</P><P>I can see the logs of SmartScreen in the timeline of device and on the alert table in defender &nbsp;if there is a alert.</P><P>&nbsp;</P><P>But was wondering if we enable debug events are we getting these events that also in defender?&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener"></A></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lourens1075_0-1629367548380.png" style="width: 400px;"><img src=";px=400" role="button" title="lourens1075_0-1629367548380.png" alt="lourens1075_0-1629367548380.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Aug 2021 10:26:17 GMT lourens1075 2021-08-19T10:26:17Z Linux machine apears as localhost on microsoft defender for endpoint <P>Hello,</P><P>We have a few linux machines where the device name appears as localhost.</P><P>We would like to change this but we aren’t sure how this can be achieved.</P><P>&nbsp;</P><P>Can anyone help?</P><P>Regards,</P> Wed, 18 Aug 2021 09:26:40 GMT arestas 2021-08-18T09:26:40Z Help edit KQL script for Endpoint Status report <P>I would like to add the OSPlatform to this script:</P><P>&nbsp;</P><LI-CODE lang="sql">// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment. 
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)</LI-CODE><P>I am new to KQL and could use some help.</P><P>Appreciate any assistance,</P> Mon, 16 Aug 2021 16:46:21 GMT snteran 2021-08-16T16:46:21Z Allow Defender Definition update but restrict other Windows Update <P>Hi All,</P><P>Is it possible to allow only the Defender security intelligence update and restrict other Windows updates through GPO without compromising the setting "Turn off access to all Windows Update features - Enabled"?</P><P>Planning one of these options (Internal Update Server or Network file share) if the above option is not possible.</P><P>Thanks!</P> Sat, 14 Aug 2021 06:21:33 GMT mas18 2021-08-14T06:21:33Z Feature Request: Alerts when logs ingestion is missing logs <P>We would like to see MSDFE generating alerts when end clients have communication or connectivity issues where logs are not 
being ingested into the MSDFE portal.</P><P>Thanks,</P><P>sac</P> Tue, 10 Aug 2021 15:52:07 GMT sac2000 2021-08-10T15:52:07Z Microsoft Defender for Endpoint Device group question <P>I know Defender in general is extra user friendly, but for Defender for Endpoint to work properly, do I need to put all devices in a machine group and set a remediation level? All the training videos I have watched tell me I have to put the devices in a Device group in settings and set a remediation level. I didn't set it up and it still seems to quarantine unwanted software or malicious software. Can someone explain why the device group and remediation level are necessary?</P> Sun, 08 Aug 2021 01:28:06 GMT tk298 2021-08-08T01:28:06Z ASR detection shows Rules Turned OFF on machines <P>Hi Team,</P><P>We have recently migrated from TrendMicro to MSDATP (Cloud) along with Defender as AV. We have deployed the Exploit Guard policy on all WKs through SCCM CB; however, when I checked the Attack Surface detection rule, it shows the rule is turned off on a few machines. Any idea how to fix it? Also, please let me know which of the ASR rules should be enabled in Audit mode for the pilot phase.</P> Mon, 09 Aug 2021 06:24:43 GMT PraveenrajThyagarajan 2021-08-09T06:24:43Z AV Status shows disabled on end point <P>Morning, when I run a filtered report on machines via the Security Center I see around 23 (out of 800+) machines that are active but show as AV Disabled. Remoting to a few of these machines, I see that Defender is indeed running and doing its thing. 
Normally I get a warning that an endpoint is disabled, but none on these.</P><P>Any idea?</P> Thu, 05 Aug 2021 15:32:54 GMT Craig_Ob 2021-08-05T15:32:54Z M365 Defender for Endpoints | Licensing <P>Hello,<BR /><BR />At the moment our company is in a multi-vendor security profile using O365 E3 + EMS E3 from the Microsoft portfolio. Discussions are on-going with multiple vendors for an EDR solution and M365 Defender for Endpoints is being considered as an option.<BR />However, looking into the licensing it seems like we might have to move our 500+ users from the current licensing plan to M365 E3 + M365 E5 Security Add-on?<BR />Initially it was said by a partner that an EMS E5 plan would suffice but I don't think that's the case.<BR />Any advice is much appreciated.<BR /><BR />Thanks,<BR />HS</P> Thu, 05 Aug 2021 05:39:01 GMT Hrishikesh Sekhar 2021-08-05T05:39:01Z EDR in block mode using phased approach <P>Hi Team</P><P>Can't we enable block mode on some machines and audit mode on some machines for ATP/EDR? In McAfee and other vendors, we have an option to deploy EDR in audit mode on some machines and block mode on others. Do we have the same in MS here? Please elaborate.</P> Wed, 04 Aug 2021 16:19:40 GMT Harithacissp 2021-08-04T16:19:40Z Exclude mount paths <P>Hi folks,<BR /><BR />I am trying to set path exclusions for my Microsoft Defender.</P><P>That works for "normal" folders and their subfolders.</P><P>Now I have several external disks mounted under a subfolder, e.g. I have C:\mounts\ and under there I have several mount points: C:\mounts\disk01, C:\mounts\disk02, C:\mounts\disk03 etc. 
with disks mounted.<BR />So I tried to list C:\mounts\ under exclusions, hoping it would automatically exclude subfolders.</P><P>But that does not work.</P><P>How do I exclude disk mount points that are mounted under a normal subfolder?</P><P>Thanks,</P> Wed, 04 Aug 2021 10:54:24 GMT Marcus2460 2021-08-04T10:54:24Z Defender ATP Amount of Logs/data <P>Hello,</P><P>We are looking to expand the retention period of our ATP logs/data from the max 180 days in the console. We are looking to use a storage account in Azure. Before we do, we would like to know just how much data we should expect to be stored so we can budget the cost.</P><P>Any help on how we could figure out how much data we currently have or ingest in the ATP console?</P><P>Thanks!</P> Tue, 03 Aug 2021 13:05:09 GMT LuisRomero 2021-08-03T13:05:09Z Defender for Endpoint trial support <P>Hi,</P><P>we are running the Defender for Endpoint trial and have a bunch of questions. Is there any specific MS contact for the trial to get some answers?</P><P>Thanks in advance<BR />Best, Henri</P> Mon, 02 Aug 2021 16:01:49 GMT nosecam 2021-08-02T16:01:49Z Machines in BSOD / Automatic repair after Defender Migration Utility Deployment <DIV>Machines ended up with BSOD after Defender Migration tool deployment. Anybody who has knowledge on how to resolve the issue?</DIV> Fri, 30 Jul 2021 18:23:20 GMT mangkanor 2021-07-30T18:23:20Z Advanced Hunting Query to include logged on users <P>Hello</P><P>I am using the below query to get an endpoint status report. The query works great; however, I am requesting help on modifying the query to show me the logged on users. 
Thank you in advance</P><LI-CODE lang="sql">// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)</LI-CODE> Wed, 28 Jul 2021 22:25:05 GMT Skipster311-1 2021-07-28T22:25:05Z Inconsistent Defender Search Results When Searching by Hash <P>I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with the SHA1, SHA256, and MD5 algorithms. When I perform searches in <A href="#" target="_blank"></A> for the MD5 hash, the search completely fails. When I search using the SHA256 hash for the same file, the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed.</P><P>If I do the same searches in the M365 portal (<A href="#" target="_blank"></A>) the MD5 search still fails. The SHA256 search finds an occurrence of the file in email but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and in email and also lists the corresponding SHA256 and MD5, but doesn't show any email results.</P><P>Has anyone encountered the same issue? 
This seems to be a bug in Microsoft's platform.</P> Wed, 28 Jul 2021 19:23:10 GMT Purple_Socks 2021-07-28T19:23:10Z How to remediate active malware <P>Hello everyone,</P><P>On the dashboard within the Security Center I can see that one of my devices is listed with active malware.</P><P>If I click on the dashboard icon, I get forwarded to the reports, but how can I remediate this?</P><P>Do I have to isolate the device manually? What would be the normal procedure for this?</P><P>Thanks.</P><P>Cheers,</P><P>John</P> Wed, 28 Jul 2021 12:50:07 GMT John Matrix 2021-07-28T12:50:07Z Turn off Microsoft 365 Defender <P>Hello</P><P>I have turned on Microsoft 365 Defender and would like to know if it can be turned off on Azure.</P><P>Thanks in advance for your replies</P><P>Regards</P> Wed, 28 Jul 2021 10:01:35 GMT dermotcronineurolux 2021-07-28T10:01:35Z 2012R2 not Reporting Test Alerts (Eicar/Powershell) <P>Hi,<BR />I'm currently running a POC for MS Defender for Endpoint on Servers<BR />* Windows Server 2012R2, 2016, 2019<BR />* Outbound Communications<BR />&nbsp;&nbsp; 2019 uses a special proxy for Telemetry-Data<BR />&nbsp;&nbsp; 2012R2 and 2016 use an OMS gateway (no telemetry)<BR />* 2012R2 have SCEP installed<BR />* Updates are applied by WSUS<BR /><BR />ISSUE:<BR />When I create an EICAR file on a 2012R2 it's detected and quarantined. 
I see the file creation in the timeline, but I get no alert that it's an EICAR.</P><P>With 2016 and 2019 it works as expected.<BR />Any ideas why?</P> Tue, 27 Jul 2021 09:12:29 GMT PeDe 2021-07-27T09:12:29Z IdentityInfo not available via /api/advancedqueries <P>Hello,</P><P>I created a query in the advanced hunting interface from</P><P>It accesses the tables DeviceInfo and IdentityInfo and gets out the email of the last logged-in user.</P><P>Now I wanted to create a script to load this data in a nightly job into a database, like I already do with other data from the API.</P><P>But querying the IdentityInfo fails, because the table is not visible via the advancedqueries API!</P><P>I boiled it down to just querying the table (target is redacted by me):</P><P>Query = 'IdentityInfo ' gives:</P><P><A href="#" target="_blank" rel="noopener"></A> "POST /api/advancedqueries/run HTTP/1.1" 400 213</P><P>{"error":{"code":"BadRequest","message":"\'\' operator: Failed to resolve table or column or scalar expression named \'IdentityInfo\'. Fix semantic errors in your query","target":"xxxxxxxxxx"}}'</P><P>I thought the advanced-queries API should support all the Hunting queries.</P><P>Even here the table IdentityInfo is used as an example:</P><P><A href="" target="_blank" rel="noopener">Best practices for leveraging Microsoft 365 Defender API's - Episode One - Microsoft Tech Community</A></P> Tue, 27 Jul 2021 08:56:30 GMT sirferl 2021-07-27T08:56:30Z Defender for endpoint Lab <P>I am seeking a way to set up a lab to study for the SC-200, SC-300, and SC-400. 
Anybody been down this path and have solutions/suggestions?</P><P>TIA!</P><P>Brad</P> Tue, 27 Jul 2021 03:18:10 GMT vscoderbrad 2021-07-27T03:18:10Z Defender AV - Active/Passive Mode - Advanced Hunting <DIV><DIV>While researching how to verify if Defender AV is in active or passive mode I found an Advanced Hunting query that searches "<EM>DeviceTvmSecureConfigurationAssessment</EM>" and then filters "<EM>ConfigurationId</EM>" by "<EM>scid-2010</EM>", as the "<EM>Context</EM>" column contains the status of Defender AV.</DIV><DIV>So far, I discovered that:</DIV><UL><LI>"0" = Defender AV is active,</LI><LI>"1" = Defender AV is passive,</LI><LI>"4" = Defender AV is in "EDR Block Mode"</LI></UL><DIV>I am not sure what "<EM>Unknown</EM>" in the "<EM>Context</EM>" column means though. Does it mean that Defender AV is not installed, or that it was manually disabled (via registry keys, GPO, ...), or that it is running but not reporting?</DIV></DIV> Mon, 26 Jul 2021 07:06:06 GMT amueller-tf 2021-07-26T07:06:06Z Servers not showing AV Version in Defender Security Center Reports <P>I've rolled out Windows Defender to our 2016 and 2019 servers. They are showing in Defender Security Center; however, when running Advanced Hunting queries or queries through PowerBI they are not pulling through the AV Signature version or Engine Version. 
Doing a little bit of digging I've found the following:</P><P>Windows 2016 Server - under HKLM\Software\Policies\Microsoft\Windows Advanced Threat Protection there's a registry key called ConfigurationPending. What is this, as it is onboarded?</P><P>Windows 2019 Server - under HKLM\Software\Policies\Microsoft\Windows Advanced Threat Protection there's a registry key called latency with a value of Demo. What is this? Could this be causing it to not report fully?</P><P>Not too sure if this is related; just trying to find out why the AV information isn't pulling through for servers when it is for clients.</P><P>Any help on this would be much appreciated.</P><P>Thanks</P> Fri, 23 Jul 2021 07:15:40 GMT cumpleby 2021-07-23T07:15:40Z Able to add an additional threat intelligence feeds to Microsoft Defender for Endpoint ? <P>Hi,</P><P>Is there any way to add additional threat intelligence feeds (e.g. community threat intelligence, AutoFocus-hosted threat intelligence) to Microsoft Defender for Endpoint?</P> Fri, 23 Jul 2021 02:04:15 GMT tay76 2021-07-23T02:04:15Z How to go back and login to the trial version for Microsoft Defender evaluation <P>I've already been approved for the Microsoft Defender Endpoint Evaluation. I was directed once and then I logged out and could not find the URL again to log in. Anyone have the URL? They gave me 60 days, but I think I'm down to half that time now.</P> Thu, 22 Jul 2021 18:52:46 GMT ParasZ225 2021-07-22T18:52:46Z Permission required to import to Indicators page? Error "Failed to Import Indicators" <P>Hello,</P><P>Do you need the permission "Manage security settings in Security Center" in order to import xlsx to Indicators?</P><P>User getting error "Failed to import indicators. 
User is not exposed to all Indicator's machine groups. Contact your administrator for further information."</P><P>User is in the role. The role is set up with a group that has all the permissions except "Manage security settings in Security Center". The role also has access to the device groups that are set up.</P><P><A href="#" target="_blank">Create and manage roles for role-based access control | Microsoft Docs</A></P><P>- The link above doesn't list "Indicators" in the permission options.</P><P>Cannot find the answer based on Googling.</P><P>Thanks!</P> Tue, 20 Jul 2021 18:42:13 GMT MDEUser 2021-07-20T18:42:13Z Non Persistent VDI - Slow Slow Slow ;-) <P>Hey,</P><P>We are facing some challenges with Defender as it massively slows down our CRM workflows.</P><P>We are using a VMware Horizon Instant Clone setup with Windows 10 (21H1) VDIs.</P><P>Updates for the CRM or workflows like loading a template from a network share take a crazy amount of time. Task Manager tells me it's either the Antimalware Service or the ATP Service which starts to create high CPU usage. We tried to work with exceptions but it seems it doesn't care at all about them.</P><P>As an example, an update without real-time scan takes 35 seconds. With real-time scan enabled it takes 3 minutes.</P><P>Can someone help me with that challenge?</P> Tue, 20 Jul 2021 11:42:48 GMT JSchop 2021-07-20T11:42:48Z Trial license for Defender Endpoint for Servers <P>Hi everyone,</P><P>we want to change from Symantec Endpoint Protection to Defender for Endpoint Servers. 
To have a PoC we wanted to get 5 trial licenses to test it out.</P><P>But these licenses are not available in "purchase services", or I am looking in the wrong place.</P><P>Are there trial licenses available?</P><P>We already rolled out the clients and wanted our servers to follow.</P><P>Best regards</P><P>Stephan</P> Mon, 19 Jul 2021 12:11:48 GMT StephanGee 2021-07-19T12:11:48Z An obfuscated command line sequence was identified was detected by Microsoft Defender for Endpoint <P>We are getting a bunch of "An obfuscated command line sequence was identified was detected by Microsoft Defender for Endpoint" alerts from ATP that are triggered by SenseIR.exe itself. These seem to be false positives. Is anyone else having this problem, and what's the best way to prevent them?</P> Fri, 16 Jul 2021 20:51:04 GMT srub555 2021-07-16T20:51:04Z Missing Azure Defender GPO Policies missing <P>Hi Community,</P><P>I have a problem that I need your help with. I have deployed Azure Defender on Windows Server 2019 servers, running on Microsoft Azure. Azure Security Center is enabled on the subscription as well as on the Log Analytics Workspace. 
After the installation, some GPO policies for the configuration of Attack Surface Reduction are missing from the Group Policy Management Editor. I'm missing these policies:</P><OL><LI>Windows Defender Antivirus</LI><LI>Windows Defender Application Guard</LI><LI>Windows Defender Exploitation Guard</LI><LI>Windows Defender Smartscreen</LI></OL><P><STRONG>Situation</STRONG></P><P>Normally the deployment happens automatically from the Azure Security Center, after setting the status of the option <STRONG>Log Analytics agent for Azure VMs</STRONG> to <STRONG>On</STRONG> in the <STRONG>Auto provisioning</STRONG> blade in the Azure Security Center. But this implementation is slightly different, because there are two virtual servers in this subscription that absolutely should not have Azure Defender installed on them. I have installed Azure Defender by using the 'Using the Local Script' deployment method in Microsoft Defender on my Domain Controller. I have checked that Azure Defender is running and the alerts are showing up in my Microsoft Defender Portal.</P><UL><LI>Azure Defender Plan is <STRONG>Enabled</STRONG> on subscription level.</LI><LI>Azure Defender for <STRONG>Servers</STRONG> is <STRONG>Enabled</STRONG> on the subscription level.</LI><LI>Azure Defender Plan is <STRONG>Enabled</STRONG> on the Log Analytics Workspace.</LI><LI>Azure Defender for <STRONG>Servers</STRONG> is <STRONG>Enabled</STRONG> on the Log Analytics Workspace.</LI><LI>The <STRONG>Microsoft.Azure.AzureDefenderForServers.MDE.Windows</STRONG> extension is added to the Virtual Machines.</LI><LI>The <STRONG>Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent</STRONG> extension is added to the Virtual Machines.</LI><LI>The integration with Microsoft Defender for Endpoint and Cloud App Security is <STRONG>Enabled</STRONG>.</LI><LI>In the Inventory blade in the Azure Security Center, I can see that the Virtual Machines are in the <STRONG>Monitored</STRONG> state and that Azure Defender is showing as <STRONG>On</STRONG>.</LI></UL><P>Do you know why I'm missing those policies? I want to configure Attack Surface Reduction rules in my Windows Server 2018 environment but I'm not able to configure ASR due to the missing GPO policies.</P><P>Thanks in advance for your help!</P> Thu, 08 Jul 2021 13:02:32 GMT Tiennes 2021-07-08T13:02:32Z Microsoft Defender for Endpoint <P>If I have Enterprise Mobility + Security E5, can I see the add-on for Microsoft Defender for Endpoint in the admin center and the price, or how does it work?</P> Wed, 14 Jul 2021 13:06:21 GMT sarahTarek97 2021-07-14T13:06:21Z MDATP Console Audit Logs - Administrator Activity <P>Hi All,</P><P>Is there a way I can find or get the logs if any activity is performed on the MDATP console, and can it be visible somewhere? For example, if one of the users with administrator access changed any option in the MDATP console.</P> Thu, 15 Jul 2021 17:34:57 GMT TechArch97 2021-07-15T17:34:57Z Defender for endpoints & Azure Arc for servers <P><STRONG>Question</STRONG>:<BR />To monitor on-prem servers (2012, 2016, 2019) can we just install the MMA agent, or do we need to onboard the server to Azure Arc &amp; Azure Security Center?</P> Wed, 14 Jul 2021 02:02:04 GMT Pa_D 2021-07-14T02:02:04Z Defender for Endpoints for Servers: Workspace ID <P>There are 2 places we get a Workspace ID while working with server onboarding:<BR />In the Defender for Endpoint portal ( &gt; Onboarding<BR />In Azure Security Center &gt; when creating a new workspace for onboarding new servers</P><P><STRONG>Question</STRONG>:<BR />Which workspace ID do we use when installing the MMA agent manually on on-prem servers (2012, 2016, 2019 OS)?</P><P>My understanding is, if we want to onboard only to Defender for Endpoints then use the workspace ID from the Defender for Endpoint portal.<BR />If we want to onboard to both Defender for Endpoints + Azure Security Center, use the Workspace ID from Azure 
security center.</P> Wed, 14 Jul 2021 02:01:00 GMT Pa_D 2021-07-14T02:01:00Z Microsoft Defender update for Windows operating system installation images - Signature update <P>We have a requirement that all machines should have antimalware signatures less than 7 days old. For fresh virtual machines, the VHD doesn't have the latest signature before the first auto-update, so we plan to use the tool provided here <A href="#" target="_blank">Microsoft Defender update for Windows operating system installation images</A> to update our VHD once a week.</P><P>However, this tool is updated monthly, which means the signature is not up to date. Is there a similar tool we can use to update the antimalware signature at least once a week?</P> Tue, 13 Jul 2021 00:14:36 GMT chenleo 2021-07-13T00:14:36Z Best Practices for actions on detected malware threats ? <P>Anyone have best practices for actions on detected malware threats?</P><P>Block, Delete, and Quarantine?</P><P>Thanks, Roger.</P> Mon, 12 Jul 2021 21:26:57 GMT roger_jr 2021-07-12T21:26:57Z Do Web content filtering supported in Microsoft defender for end point in windows 2016 /2019 servers <P>Is web content filtering supported in Microsoft Defender for Endpoint on Windows 2016/2019 servers?</P> Mon, 12 Jul 2021 16:55:28 GMT kdinesh111 2021-07-12T16:55:28Z How to search multiple domains in Advance hunting query <P>Hi All,</P><P>Could you please help me with the query? I want to search multiple domains at the same time.</P><P>I am using "or Remote URL contains" and want to reduce that effort.</P> Mon, 12 Jul 2021 08:35:29 GMT neha_0107 2021-07-12T08:35:29Z ASRTool Issue <P>I'm trying to run ASRtool.exe and getting the below error. I'm trying to run a test against our ASR rules. 
Any ideas?</P><P>A referral was returned from the server.</P> Fri, 09 Jul 2021 20:43:04 GMT BinTN 2021-07-09T20:43:04Z MDE for Linux - show logged on users <P>I'm currently testing MDE for Linux in my environment and noticed that the 'Logged on users' section on the Device page in Defender Security Center is blank, even though I can find network logon events within the event Timeline. Is this expected behavior, or should I be able to see the list of users who have logged into a machine on the device overview page? Testing on CentOS 7 with the latest MDE for Linux package, mdatp-101.34.27-1.</P><P>Thanks in advance!</P> Thu, 08 Jul 2021 21:12:22 GMT branfarm 2021-07-08T21:12:22Z Microsoft Defender ATP Trial <P>Hello everyone,</P><P>we requested a Defender ATP trial for our tenant and for one of our clients two weeks ago. Can someone help us to start the trial?<BR /><BR />Thanks for your help</P><P>Marco</P> Thu, 08 Jul 2021 14:01:38 GMT magusi16 2021-07-08T14:01:38Z Credential Guard <P>What method or tool can I use to turn TPM/UEFI on remotely in the BIOS? All of our devices are Dell Precision 7520 laptops and Latitude 54xx series. Is there a tool from Dell? 
Can I use Intune/Autopilot?</P> Tue, 06 Jul 2021 18:12:38 GMT Skipster311-1 2021-07-06T18:12:38Z Microsoft Defender for Endpoint Audit Logs <P>Is there a way to check who created the Microsoft Defender for Endpoint instance in the first place and set up the Data Storage option?</P><P>Maybe we can run some queries to get the activity logs on who created the instance and set the Data Storage option and Data Retention option.</P> Tue, 06 Jul 2021 14:35:34 GMT AnuragSrivastava 2021-07-06T14:35:34Z Tamper protection - REvil ransomware <P><STRONG>Please note:</STRONG> This is not an issue, just a question/discussion regarding whether tamper protection actually would have helped.</P><P>Hey,</P><P>Trying to figure out how tamper protection would have assisted in the case of the Kaseya VSA attacks going on.</P><P>Right now I've tried to run the script for disabling the following features with PowerShell, both with local admin rights and with system rights, without any success:</P><UL><LI>Disables Real Time Monitoring</LI><LI>Disables IPS</LI><LI>Disables Cloud Lookup</LI><LI>Disables script scanning</LI><LI>Disables Controlled Folder Access (ransomware prevention feature)</LI><LI>Disables Network Protection</LI><LI>Stops cloud sample submission</LI></UL><P><EM>powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend</EM></P><P>In my case, this confirms that tamper protection and managed 
settings through CM/Intune/GPOs would have blocked the script from disabling core features in Defender for Endpoint / Defender.</P><P>Am I missing something?</P> Mon, 05 Jul 2021 11:26:33 GMT AxelHellstroem 2021-07-05T11:26:33Z Defender for endpoint - Tenant Migration <P>Hi All,</P><P>We have Defender for Endpoint enabled in the old tenant and all the Windows devices are onboarded successfully.</P><P>Now we are performing a tenant migration and testing the machines configured to the new tenant where the new ATP service is enabled. It seems the onboarding via local script is OK in the new tenant.</P><P>But when we try to perform it via Intune, it doesn't reflect and shows pending for the Endpoint detection policy. Is there any conflict with the old tenant, since we offboarded long before?</P><P>Is there anything I need to verify to migrate from the old tenant to the new tenant Defender for Endpoint services? Please advise.</P> Sun, 04 Jul 2021 13:01:22 GMT SanakPratap 2021-07-04T13:01:22Z Defender Antivirus (AV) Passive Mode <P>Hi,</P><P>While researching how to set Defender AV to passive mode I stumbled upon two registry keys:</P><UL><LI><STRONG>ForceDefenderPassiveMode</STRONG></LI><LI><STRONG>ForcePassiveMode</STRONG></LI></UL><P>Does anyone know which one is the correct one?</P><P>Thanks,</P><P>Andre</P> Fri, 02 Jul 2021 07:57:09 GMT amueller-tf 2021-07-02T07:57:09Z Exceptions for security recommendations <P>Hello community,</P><P>Somehow I am not able to see the "exception options" within the Defender Security Center on the device inventory page. I have global admin permissions.</P><P>We want to set exceptions for certain security recommendations because sometimes it is not possible to resolve them and our users will receive info about this on the device.</P><P>What am I missing, where can I create the exceptions? What is the normal procedure?</P><P>I followed this:</P><P><A href="#" target="_blank">Create and view exceptions for security recommendations - threat and vulnerability management | Microsoft Docs</A></P><P>Thanks.</P><P>John</P> Tue, 29 Jun 2021 11:37:46 GMT John Matrix 2021-06-29T11:37:46Z Defender for Endpoint licensing for shared PC <P>What's the best way to license Windows and Defender for Endpoint for shared PCs used by first-line workers? 
The goal is to avoid having to assign an individual E5 license to multiple users who are going to be using the same PC.</P> Mon, 28 Jun 2021 19:05:34 GMT SoRoy 2021-06-28T19:05:34Z Windows 10 versions in MDE <P>Why is MDE still showing anything above Windows 10 version 20H2 as Future? Should 21H1 not be showing already?</P><P>Cheers,</P><P>Kimmo</P> Mon, 28 Jun 2021 06:38:08 GMT KimmoB 2021-06-28T06:38:08Z Microsoft Defender for Endpoint for BYOD Devices <P>Hi,</P><P>I work in academia; students bring BYOD devices to access network resources. These BYOD devices are not domain-joined computers; however, they connect to the network (wired and Wi-Fi) to access network resources. I am exploring whether Defender for Endpoint is a suitable solution for BYOD endpoint security / EDR. Please advise whether Defender for Endpoint can be used for BYOD security and provide information on how I can implement Defender for Endpoint on BYOD.</P> Sat, 26 Jun 2021 16:39:40 GMT Usman_Jawaid 2021-06-26T16:39:40Z Windows Defender Application Control - Intune Management DLL's <P>Hi,</P><P>I'm busy deploying WDAC via Intune, and I was curious about the options and settings in the "Endpoint Security - Attack Surface Reduction - Application Control" profile. This is to check whether it would offer some basic protection without having to implement additional profiles using XML files, and to keep management simple.</P><P>Of course I started in Audit mode to see the results:</P><P>[screenshot: Screenshot 2021-06-24 123649.png]</P><P>After applying it and using my machine, I noticed some logs which don't seem normal... You would expect the Intune Management components to be trusted.
Since, if you put it in block mode, you would still want to be able to manage your machine. Apparently, this isn't the case. For example, OSExtentions.dll would be blocked because the file is not correctly signed. (Same for the GAC...)</P><P>[screenshot: Screenshot 2021-06-24 124917.png]</P><P>When checking the signature of the DLL, it seems to be correctly signed...</P><P>[screenshot: Screenshot 2021-06-24 125037.png]</P><P>So I don't know whether this is by design or not...</P><P>(This was tested on Windows 10 Enterprise v21H1 - OS Build 19043.1052)</P> Thu, 24 Jun 2021 10:52:48 GMT Matthias Vandenberghe 2021-06-24T10:52:48Z MS Defender ATP and Antivirus Rules with MITRE mapping <P>Team,</P><P>We are working on building certain threat correlation use cases for endpoints and cloud instances running Defender, and would like to know the list of rules in Defender with their MITRE tactics and techniques mappings.</P> Wed, 23 Jun 2021 18:56:11 GMT ajeeshneelamkavil 2021-06-23T18:56:11Z Scan options is not applying to device when configured from Endpoint security - Antivirus <P>When I configure <STRONG>Scan</STRONG> options in Endpoint Manager (Intune) from the <STRONG>Endpoint security</STRONG> blade, the device doesn't receive or apply those options; scan options like "Run daily quick scan at" or "Day of week to run a scheduled scan".</P><P>But when I configure the same options from <STRONG>Devices</STRONG> --&gt; "<STRONG>Configuration Profiles</STRONG>" --&gt; "<STRONG>Device restrictions</STRONG>", it will apply.</P><P>Why is there that difference even though they are the same options?</P><P>Other options do apply; it is only the scan options that don't apply when configured from the Endpoint security blade.</P><P>[screenshot: 2021-06-23 12_56_15-Global_AV_Policy - Microsoft Endpoint Manager admin center.png]</P> Wed, 23 Jun 2021 17:01:44 GMT Basel_Fawal_BP 2021-06-23T17:01:44Z Defender Alerts - unwanted software <P>Hi, I have a question about Defender alerts.</P><P>We suspect that some "unwanted software" alerts are older programs that have been in the folders for some time and are only discovered at a later time.</P><P>Is there an indication of how old such files are?</P><P>Are all files already on the notebook scanned, or is a folder/software only scanned when it is accessed?</P><P>Attached is a screenshot of an alert where we assume that the .exe has been in this folder for some time but is only now being detected.</P><P>(Example attached)</P> Wed, 23 Jun 2021 15:25:31 GMT David_KK 2021-06-23T15:25:31Z Defender for Endpoint - Data Storage Location integrity question (GDPR/EU) <P>Hi,</P><P>I have a question specific to Defender for Endpoint and its data storage within the EU and the information provided on Microsoft Docs.
The English text states that customer data in pseudonymized form may also be stored and processed in the US.</P><P><EM><STRONG>Data storage location</STRONG></EM></P><P><EM>Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service.</EM></P><P><EM>Customer data in <STRONG>pseudonymized</STRONG> form may also be stored in the central storage and processing systems in the United States.</EM></P><P><EM>Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.</EM></P><P>OK, I get that. What I don't get is that on the corresponding Docs site in Swedish, the machine translation instead presents the word <STRONG>"anonymiserad"</STRONG>, which in English is <STRONG>"anonymized"</STRONG>, which is a completely different thing. Is this a bug? What is actually correct here, and where can I find information about this?</P><P>The following is in Swedish; link/source at the bottom:</P><P><EM><STRONG>Datalagringsplats</STRONG></EM></P><P><EM>Defender för Endpoint fungerar Microsoft Azure datacenter i EU, Storbritannien eller USA. Kunddata som samlas in av tjänsten kan lagras i: (a) klientorganisationens geoplats som identifieras under etableringen eller (b) om Defender för Endpoint använder en annan Microsoft-onlinetjänst för att bearbeta sådana data, den geolokalisering som definieras av datalagringsreglerna för den andra onlinetjänsten.</EM></P><P><EM>Kunddata i <STRONG>anonymiserad</STRONG> form kan också lagras i de centrala lagrings- och bearbetningssystemen i USA.</EM></P><P><EM>När den har konfigurerats kan du inte ändra platsen där dina data lagras. Det här är ett bekvämt sätt att minimera efterlevnadsrisken genom att aktivt välja de geografiska platser där dina data ska lagras.</EM></P> Wed, 23 Jun 2021 10:03:16 GMT Simon Håkansson 2021-06-23T10:03:16Z
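<P>Added example (not code from any post in this digest, and not Microsoft's own tooling) for two of the questions above, the tamper protection test in the REvil/Kaseya post and the ForceDefenderPassiveMode vs ForcePassiveMode question in the passive mode post. It reads the running AV mode and tamper state from Get-MpComputerStatus, reads both registry values (the ForceDefenderPassiveMode path under the Windows Advanced Threat Protection policy key is the one Microsoft documents for forcing passive mode; the HKLM\SOFTWARE\Microsoft\Windows Defender path used for ForcePassiveMode is an assumption), then snapshots the preferences the posted Set-MpPreference command targets, attempts the same change, reports which ones actually moved, and reverts any that did. Run it elevated on a test machine only: with tamper protection off it briefly weakens the host before reverting.</P>

```powershell
# Added example, not from any post in this digest or from Microsoft.
# Requires the Defender cmdlets (Windows 10 / Server 2016 or later) and an elevated prompt.

function Get-DefenderModeReport {
    # Registry values named in the passive mode post. The ForceDefenderPassiveMode path is the one
    # Microsoft documents for forcing passive mode; the ForcePassiveMode path is an assumption.
    $registryValues = @{
        ForceDefenderPassiveMode = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
        ForcePassiveMode         = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    }
    $status = Get-MpComputerStatus
    $report = [ordered]@{
        AMRunningMode             = $status.AMRunningMode   # Normal / Passive Mode / EDR Block Mode / SxS Passive Mode
        IsTamperProtected         = $status.IsTamperProtected
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    }
    foreach ($name in $registryValues.Keys) {
        $item = Get-ItemProperty -Path $registryValues[$name] -Name $name -ErrorAction SilentlyContinue
        $report[$name] = if ($null -ne $item) { $item.$name } else { '<not set>' }
    }
    [pscustomobject]$report
}

function Test-TamperProtection {
    # Preferences the posted command tries to change. The deprecated
    # -DisableIntrusionPreventionSystem switch is deliberately left out.
    $watched = 'DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableScriptScanning',
               'EnableControlledFolderAccess', 'EnableNetworkProtection', 'MAPSReporting', 'SubmitSamplesConsent'
    $before = Get-MpPreference | Select-Object -Property $watched
    $attemptError = $null
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true `
            -DisableScriptScanning $true -EnableControlledFolderAccess Disabled `
            -EnableNetworkProtection AuditMode -MAPSReporting Disabled `
            -SubmitSamplesConsent NeverSend -Force -ErrorAction Stop
    } catch {
        # With tamper protection on, the call either errors here or is ignored; the diff below tells which.
        $attemptError = $_.Exception.Message
    }
    $after = Get-MpPreference | Select-Object -Property $watched

    $revert = @{}
    foreach ($name in $watched) {
        $changed = ($before.$name -ne $after.$name)
        if ($changed) { $revert[$name] = $before.$name }
        [pscustomobject]@{
            Preference = $name
            Before     = $before.$name
            After      = $after.$name
            Changed    = $changed
            Error      = $attemptError
        }
    }
    # Put back anything the attempt managed to change (only possible when tamper protection is off).
    if ($revert.Count -gt 0) { Set-MpPreference @revert -Force }
}

Get-DefenderModeReport | Format-List
Test-TamperProtection   | Format-Table -AutoSize
```

<P>A row with Changed = False for every watched preference, together with IsTamperProtected = True, is the evidence the REvil post was looking for; the AMRunningMode field answers the passive mode question directly, since it reports what the engine is actually doing regardless of which registry value was written.</P>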
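<P>Added example for the WDAC audit-mode question above (not the poster's code and not Microsoft's): it pulls the Code Integrity audit events from the local event log and runs Get-AuthenticodeSignature on each flagged file, so the "not correctly signed" entries can be compared with the Authenticode result for the same file. Facts relied on: event ID 3076 is the audit-mode "would have blocked" event and 3077 the enforced block, both in Microsoft-Windows-CodeIntegrity/Operational. Assumptions: the flagged path is taken from the first event data element whose name starts with "File Name" and contains a path, and the NT device path is mapped back to a drive letter by probing local drives, which is a heuristic.</P>

```powershell
# Added example, not from the WDAC post or from Microsoft. Run on the audited machine.

function Resolve-DevicePath {
    # Heuristic: Code Integrity events log NT paths (\Device\HarddiskVolumeN\...);
    # try the same relative path on each local drive and return the first that exists.
    param([string]$NtPath)
    if ($NtPath -match '^\\Device\\HarddiskVolume\d+\\(.*)$') {
        $rest = $Matches[1]
        foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
            $candidate = Join-Path $drive.Root $rest
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $NtPath
}

function Get-WdacAuditFindings {
    param(
        [int]$MaxEvents = 200,
        [int[]]$EventId = @(3076, 3077)   # 3076 = audit "would have blocked", 3077 = enforced block
    )
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = $EventId }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        # Assumption: the flagged file is the first 'File Name*' element that holds a path.
        $nameKey = $data.Keys | Where-Object { $_ -like 'File Name*' -and $data[$_] -match '\\' } | Select-Object -First 1
        if (-not $nameKey) { continue }
        $path = Resolve-DevicePath $data[$nameKey]
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Path      = $path
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'file not found' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

Get-WdacAuditFindings | Sort-Object Path -Unique | Format-Table -AutoSize
```

<P>The caveat the post is circling: WDAC trust and Authenticode validity are different questions. A file can show SigStatus = Valid here and still be "not correctly signed" from the policy's point of view, because WDAC only accepts signatures whose chain is covered by a signer rule in the deployed policy (or is otherwise allowed, for example by hash or path rule). So a valid Get-AuthenticodeSignature result does not contradict a 3076 event; it means the policy lacks an allow rule for that publisher, which for management components is exactly what audit mode is meant to surface before enforcement.</P>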