We use Veeam to backup our Azure VMs and every single day it creates a new 'worker' Ubuntu VM to process the backups and deletes the one from the previous day. The VM is running for less than an hour before being deallocated.

This is causing an issue where we have a new VM show up in Defender XDR every day that sticks around long after it's been deleted in Azure. It's annoying because it affects our secure score/vulnerability recommendations.

How can we stop these VMs from being automatically onboarded in the first place?

Hi everyone,
I am new to defender and have been going through the task of onboarding my devices to MDE.
So far have all my workstations and a handful of Servers successfully onboarded.
The question I have is are there any best practices for configuring the Firewall?

I have searched but have not come across anything with the minimal recommended settings.
Currently, I have Domain, Private and Public Firewall turned on, only other settings enabled are,
Default Inbound Action - Block (default)
Default Outbound Action - Allow (Default),

all other settings - Not configured.

Would be very appreciative if someone could please advise the best practice or recommended settings.
The settings I am using are in the Endpoint Security blade - Firewall.

Greetings Redditors, Hoping you all can help me figure out what might be going on. I have a friend who’s a sys admin seeing non-interactive sign ins to his admin account. What makes these logins suspicious is that they are coming for an Application with the display name “App Service” that’s not in his enterprise apps or app registrations. What makes it more suspicious is the public IP of these logins is the public IP from his old apartment, he has t lived there for over a month now. Totally different ISP than he has now, and in a totally different part of the state. Any educated ideas would be greatly appreciated.

Hi guys, my company is trying to move off a 3rd party AV solution to unify things with our existing Office365 / Intune ecosystem. My head of IT has given myself and himself 1 license each of Defender for 365 Plan 1, and would like to see me setup the defender portal so we can evaluate if its a good enough solution compared to existing. The issue I'm having is that after deploying the Defender Agent via intune to our Mac computers the agent shows up in the toolbar with an error stating 'No license found - Looks like your org does not have a license for Microsoft 365 Enterprise Subscription' Our Org is currently using Business Standard licenses as well as F1 licenses so Intune works. Don't i need a defender agent even with Plan 1 Defender?

Hi!

Where do you guys add the exclusions for CFA protected folders blocks? I have a user that is having problems with a user with python blocked by the protected folder %userprofile%\Documents\Python\Folder

I don't know if it should go in AV or add the process to allow or something

Thank you in advance

So we recently onboarded the estate to Defender (HAADJ > Intune > Defender) and all of the desktops went down perfectly.

We moved onto the servers, onboarded those with the onboarding packages for 2012 and 2022 where applicable, and of the 50 or so machines we joined, 40 were fine. But the other 10 (mixed OS) have been a nightmare.

They all showed up in Defender, and we can see Exposure level, Engine, Platform, software inventory, all that good stuff and all up to date, and the policy we set to run quick scans is running normally.

But full scans are not. I have no idea what could be causing the scans to not start (status is no scan performed), I've been through the standard options (low power state, perms, disk space etc) but nothing is standing out to me. To make things weirder for me, of those 10 machines, 4 just randomly started working.

If I could find some trace of something being "broken" then I could try to fix it, but right now I don't know enough to troubleshoot it. I mean it looks like it's just choosing when and what to work with, so far not seen any correlation

Hi everyone,

I have onboarded Microsoft Defender for Endpoint on some servers since June. However, due to the firewall migration, all servers have been moved from their original network subnet to others.

In recent checking, it seems the migrated subnet is unable to connect to all Defender service URLs, causing those server sensors to become inactive on the portal.

Does anyone know if fixing the connectivity issue will allow the servers to reconnect to the Defender portal and update their sensor status automatically?

Alternatively, do I need to run the onboarding script again on these servers to re-onboard them after fixing the connectivity issue? Some have been inactive since July, which raises this concern.

Thank you!!!

Hi everyone,

I am currently trialing Defender for Endpoint for business. I have a web filtering policy on and it works fine for my Windows devices.

However the on-boarded Mac devices do not apply the web filtering policy. I have correctly set up everything through Intune and checked by mdatp -health and all seems to be active and healthy.

Also i have no access to device groups in the security portal.

Am i right to think that this is not the correct SKU of Defender i need to be able to apply web filtering on Macs? Do you know if P1 would be able to work properly or will i need P2?

Thank you

Hello,

Has anyone noticed a spike in ASR blocks related to AsrLsassCredentialTheftBlocked and svchost.exe these past days?

https://preview.redd.it/rgk5growsrxd1.png?width=1775&format=png&auto=webp&s=94687c82bce539296cad6bec353b119fe1eaae46

I'm just wondering if this could have been caused by a change before going down the rabbit hole.

Hi,
We have 500 windows devices of which 270 of them are in the defender portal.

The others are not showing up although all devices are in Intune and use the Intune connector and Endpoint detection and response to onboard the devices. We use Microsoft 365 E3 licenses.

I spoke to a M365 consultant and they pointed it out it may be due to us enrolling the intune devices with a service account. So we've maxed out the number of times one account could be used. I've gone through and updated the primary user form the service account to the actual unique user, tried re syncing the device in Intune but still they dont show in the Defender portal.

Does anyone have any suggestions please? I have a ticket open with Microsoft but no response from them yet.

Hi All,
I was wondering how you classify incidents that are not malicious but the system has correctly detected something. For example, user logs in in new location, but its an unusual location for them and we get an alert, IP checks out, and user has performed MFA and no suspicious activity on the account, how would you mark that? I think it should be False Positive - not malicious, but its been said to me we should mark as Informational Expected Activity, as the system has correctly identified the unusual log on but its found to be normal work day alert. What are your thoughts on this?

Can someone explain the difference between Microsoft Defender AV vs Microsoft Defender Antivirus exclusions profile. I don't remember it exactly if it had some limitation in perspective of OS or anything else?

Note: It's silly but haven't worked on it for a long time.

Anyone else seeing an increase in detections of f_* files in the cache folders of chrome and edge browsers? Always different detections. Last one was mimikatz on 4kb cache file.

Hi everyone,

I work in the cybersecurity department of a healthcare facility in Canada. We are currently trying to identify all user devices that are connected to our network from outside of Canada.

We have received some alerts indicating connections from foreign locations, and we need to ensure the security and integrity of our network. Could anyone provide guidance or share best practices on how to effectively track and manage these connections using Microsoft Defender or Sentinel?

Any help or insights would be greatly appreciated!

Thank you!

Hey there,

I am in the middle of trying to utilize a service account through power automate in order to set up automatic tagging for servers/devices. One of the issues that I have been running into is trying to find some sort of documentation as to what permissions are required for the service account to run an advanced hunter query to pull up the servers in scope so that it can tag the servers with a specific tag. I have looked on google for this answer, but everytime I look up a discussion post/blog the post does nothing with answering the question as to what permission is required for the service account to run an advanced hunter query. I then tried to chatgpt the answer, which I was given the role of "Security Reader" which does not work. Any ideas?

https://security.microsoft.com/threatexplorerv3 So how do you search for a "Smith, John" display name, when the UI will always separate it as 2 display names when it sees the comma? Quotes and \ escapes don't work.

So i had "Identity" jump from 63% to 82% on the 27:th October, lifting us from 68% to 70% overall. According to the guys working with Identity, nothing has been changed (but they have stated earlier that some calculations had to be wrong).

All below suddenly became completed.

Ensure user consent to apps accessing company data on their behalf is not allowed.
Ensure that password hash sync is enabled for hybrid deployments.
Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'.
Enable Conditional Access policies to block legacy authentication because fewer users are affected
Ensure multifactor authentication is enabled for all users because more users are affected
Ensure multifactor authentication is enabled for all users in administrative roles because fewer users are affected
Enable Microsoft Entra ID Identity Protection sign-in risk policies. Great work!​
Enable Microsoft Entra ID Identity Protection user risk policies because fewer users are affected

At first when i started working with Defender XDR a year ago, i found Secure Score quite nice an intuitive to present to management and to use as a "game" (jokingly) with the engineers. Now, not so much.

Hello, We are interested in deploying Defender for Identity. We have a single forest and single domain Active Directory. We have a simple Tiering (0,1,2) model implemented. Is it feasible to deploy one gMSA and its needed permissions for each Tier separately, so that we end with 3 gMSA? Will MDI function 100% as expected? Are their any drawbacks? And would this be the correct approach to keep the tiering structure or is there another way? I appreciate any input. Thanks in advance. Best regards

Is there a way to back up policy's and configurations?

I don't see any subreddit relate to only Microsoft Purview sadly. Except one, that were no publications for a few years...

Any good links to give example of insider risk policy and how to configure it, maybe so use cases as well ? :)

Initial setting was Linux “on all device” in the enforcement scope. Some Linux devices had performance issues so settings was changed back to tagged devices in the enforcement scope. This action caused some Linux devices disappear in the device inventory. Does anyone know what could be reason or had similar experience?

I am planning on deploying Applocker and then after stack with App Control for Business (WDAC). However I am a little confused logging wise. App Control for Business gets logged via MDE, and will show in the DeviceEvents table, but can I somehow get Applocker to log that way. As per say, it seems like the only option is to log via Security Events, which would mean I also need the AMA agent enrolled for the workstations.

The test file for cloud-delivered protection seems to not be accessible anymore: https://aka.ms/ioavtest

ref: https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-...

Is someone able to confirm this (and report the issue to MSFT) ?

How do you classify spam that was submitted as such. It shows up in our Incidents and I really don't know what to do about them. A lot of them are vendor emails that the user doesn't want and they submit it as spam. I have been just resolving these without classification because I was unsure what to classify them as.

How do you deal with this, I could ask them to just unsubscribe but that is a pain

We have some Linux desktop versions (mostly Ubuntu), and I am wondering if it is possible to install and run Defender for Endpoint on them. From reading the Microsoft documentation, I understand that only Linux Server versions are supported.

Hi all! Currently it takes emails over an hour to appear in Defender 365 Explorer. Actions such as submitting an email to MS aren't possible, as the source email item cannot yet be found. This is impacting our way of handling phishing mails that users are reporting to us. Could anyone please conform that these delays are expected? (MS claims that these delays are normal) Any suggestions on how we can quickly resolve Phishing incidents by removing similar emails from our users' inboxes? Guides such as: https://learn.microsoft.com/en-us/defender-office-365/remediate-malicious-email-delivered-office-365 are of no use as they all revolve around the use of Explorer Thanks!

Hello,

Would be grateful for some help if possible please

Attempting to update security intelligence on a RHEL device by Internet access. It sits behind a FW that can only allow outbound traffic by IP so unable to use URL Wildcard or Service Tags.

Added IPs found here Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

and IPs from AzureService Tags "AzureUpdateDelivery" Home Page - Azure IP Ranges

But Intelligence update fails running " mdatp definitions update " and will update roughly once a week

# mdatp connectivity test shows errors to smartscreen (not configured on device anyhow)

Anyone come across this issue?

The server appears in DFE and is managed by MDE.

Thanks in advance!!

Hey, got a mystery to solve.

We're using Intune and Defender as our MDM/antivirus setup in the company.

Defender is deployed via Intune with custom plist files like in the docs:
https://learn.microsoft.com/en-us/defender-endpoint/mac-install-with-intune
Used ones are now:
-Approve extensions
-Full Disk Access
-Background services
-Notifications
-Onboarding package

After recent problems with network extensions in macOS Sequoia 15.* we decided to resign from Network filter (network extension) at all.
We were deploying Network filter profile before (but we were not using it, cause we don't use web content filtering at all and it's disabled both in Defender and network protection is disabled in antivirus policy at Intune Endpoint security | Antivirus -> Policy).

For some reason despite deleting network extension as approved extension and no existing netfilter profile in Intune.... network extension is being installed on the endpoints and network filter is still showing up at endpoints requiring to allow content filtering (if you choose Don't allow it popups miliion times). How to stop it from being installed?

Does Defender requires network extension (com.microsoft.wdav.netext) for something else to work properly apart from web content filtering? Why is it still being pushed to the stations?

Need some guidance, tips, tricks, I'm running out of ideas.

I need to modify the block message (Conditional Access session policy) shown to non-corporate users. The notification I receive includes a mention of Defender for Cloud Apps. Is there a way to remove the product name to maintain the confidentiality of the solution in use? Customization is only available for the text to be displayed to the users.

https://preview.redd.it/qd3ql4oqjdwd1.png?width=886&format=png&auto=webp&s=0150b470b4c66a25813be056cdc769ef60b5056c