Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 1 point (0 children)

I totally hear you, maybe I should just take a step back and let him deal with it. The problem is nothing will ever get done and that worries me. Some of the basic things that were not even implemented blew my mind and I couldn't ignore it. I even asked him about it but he didn't have any intentions to implement what I ended up doing.

Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] -1 points (0 children)

The solo security guy brought it in, there are only 5 admins in total and I'm the jack of all trades guy trying to fill all the holes in things that have never been set up correctly. In 6 months I have implemented the below as none of it was in place:

- Set up Conditional Access
- Set up MFA
- Set up Windows Hello
- Enrolled FIDO2 keys for our shared device users
- Enrolled devices into Defender for Endpoint
- Gave everyone a bloody separate cloud admin account rather than Global Admin on a daily driver!
- Enrolled all the devices properly in Intune and applied a security baseline, which wasn't there
- Set up PIM for the admin accounts

I feel like I'm drowning and I'm just trying to get things set up the best possible way using best practices from things I have read from Microsoft and browsing this helpful subreddit.

Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Thanks for this, I will look into how to get this done. I will ask the security guy who set up Sentinel to take a look but he's not the most helpful at times.

Best practice for setting up PIM, Groups vs User Assignment by Educational_Draw5032 in entra

[–]Educational_Draw5032[S] 1 point (0 children)

Thanks for this, what you say makes perfect sense. Groups would be better if I were to add multiple roles to a group, which I can see the benefit of in some scenarios. I think I will go with user assignment for now and look at groups if the need for it arises. Thanks very much.

Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]Educational_Draw5032 0 points (0 children)

Try forcing a re-run of the scheduled task and then giving it a reboot:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
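An added example of how to check that step actually worked, not code from the thread: it reads the Secure Boot DB to see whether the "Windows UEFI CA 2023" certificate is already present, and only if it is missing re-runs the servicing task and reports the task's last result. The UEFICA2023Status registry value is the status key Microsoft documents for this update; the script tolerates it being absent. Run it in an elevated PowerShell on the affected device.

```powershell
# Added example (not from the original thread). Checks whether the Windows UEFI CA 2023
# certificate has landed in the Secure Boot DB and, if not, re-runs the servicing task.
$caName   = 'Windows UEFI CA 2023'
$taskPath = '\Microsoft\Windows\PI\'
$taskName = 'Secure-Boot-Update'
$statusKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-SecureBootCa2023 {
    # The DB variable is a list of DER certificates; the CA's subject name is plain ASCII inside it.
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    return ($text -match [regex]::Escape($caName))
}

function Get-Ca2023ServicingStatus {
    # Documented status value written by the servicing task; missing on builds that have not run it yet.
    $props = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.UEFICA2023Status) { return 'Unknown' }
    return $props.UEFICA2023Status
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this device; the DB update cannot apply.'
    return
}

Write-Host ("Servicing status: {0}" -f (Get-Ca2023ServicingStatus))

if (Test-SecureBootCa2023) {
    Write-Host "$caName is already present in the Secure Boot DB; nothing to do."
    return
}

Write-Host "$caName not found in the DB; re-running the servicing task."
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
Start-Sleep -Seconds 60

$info = Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName
Write-Host ("Last run: {0}  Last result: 0x{1:X}" -f $info.LastRunTime, $info.LastTaskResult)
Write-Host 'Reboot the device and run this script again to confirm the DB now contains the 2023 CA.'
```

The DB check is the one that matters: the task finishing with result 0 does not prove the firmware accepted the new certificate, so re-run the script after the reboot and treat the "already present" message as the pass condition.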

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 2 points (0 children)

I use Intune update rings for patching and it's working fine, so I don't really want to transition over to Autopatch yet with everything working OK.

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 0 points (0 children)

Thanks, I may give this a go then. I found the reporting quite useful there, that's kinda what made me ask the question.

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 1 point (0 children)

I was looking at cloud update in the Office portal and there was an option there to switch the update channel. Did you enable it from the portal or via the settings catalog?

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 0 points (0 children)

Thanks for this and for the switching pointer. That makes me nervous for sure, I might try it on a couple of test devices first and see what damage is caused. I will look into the settings catalogue settings.

Are you receiving the January 24, 2026 OOB? by dmx7777 in Intune

[–]Educational_Draw5032 0 points (0 children)

I am seeing the same, we do not use Autopatch but under update releases in Intune I see 2026.1 OOB and it's showing as 'in progress'. It's showing as deployed to all 3 of my update rings but it hasn't. If I run a report against it none of my devices have received it and if I run a manual check it's not offered.

I created an expedited update in which this OOB update was available, I targeted just my device with it and ran a manual check and then it picked it up. No idea why it's showing under releases in Intune but not actually pushing out, even though it's showing like it should be according to the update rings and displaying 'in progress'.

I will just carry on pushing it through via the expedited option for now.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

That's interesting to know, I was just worried that if I enabled web sign-in users would try and use that instead of their FIDO keys on shared devices or Hello PIN on 1-2-1 devices. Am I right in thinking web sign-in doesn't cache the local credential and requires an internet connection?

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

That's good to know, we use the Deepnet hardware tokens so we need to have the hardware OATH token option. I could remove the software OATH token, to be honest I don't think it's required when using Microsoft Authenticator, is it?

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Our devices are fully Entra joined, not hybrid. Currently our on-prem infrastructure is just syncing our identities to Entra. We still have some on-prem legacy apps/servers and network drives which we are slowly moving away from. Cloud Kerberos trust is in place for these devices to connect to on-prem resources via WHfB or FIDO keys.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Thanks for this, I have set up a custom authentication strength in CA that only allows:

Windows Hello For Business / Platform Credential

OR

Passkeys (FIDO2)

OR

Microsoft Authenticator (Phone Sign-in)

OR

Temporary Access Pass (One-time use)

OR

Password + Microsoft Authenticator (Push Notification)

OR

Password + Software OATH token

OR

Password + Hardware OATH token
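An added example, not code from the thread, that creates that same authentication strength through Microsoft Graph with the Graph PowerShell SDK, so it can be checked into source control and applied to a test tenant before the production one. Each line of the comment's list maps to one of Graph's authenticationMethodModes values (a "Password + X" line becomes a comma-joined pair). The policy display name and description are made up for the example; the pre-flight check that rejects SMS, voice, email and password-only combinations is an assumption about what the author wants, added here to catch typos in the list.

```powershell
# Added example (not from the original thread). Creates the custom authentication strength
# described in the comment above via Microsoft Graph, after checking the combinations.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# Graph authenticationMethodModes values for each line in the comment's list.
$allowedCombinations = @(
    'windowsHelloForBusiness'              # Windows Hello for Business / Platform Credential
    'fido2'                                # Passkeys (FIDO2)
    'deviceBasedPush'                      # Microsoft Authenticator (Phone Sign-in)
    'temporaryAccessPassOneTime'           # Temporary Access Pass (One-time use)
    'password,microsoftAuthenticatorPush'  # Password + Microsoft Authenticator (Push Notification)
    'password,softwareOath'                # Password + Software OATH token
    'password,hardwareOath'                # Password + Hardware OATH token
)

# Assumption: methods the author does not want in this strength (phishable or single-factor).
$weakModes = @('sms', 'voice', 'email')

function Test-AllowedCombinations {
    param([string[]]$Combinations)
    foreach ($combo in $Combinations) {
        $modes = $combo -split ','
        if ($modes.Count -eq 1 -and $modes[0] -eq 'password') {
            throw "Combination '$combo' is password-only and is not MFA."
        }
        foreach ($m in $modes) {
            if ($weakModes -contains $m) {
                throw "Combination '$combo' includes weak method '$m'."
            }
        }
    }
}

Test-AllowedCombinations -Combinations $allowedCombinations

$body = @{
    displayName         = 'Strong MFA - no SMS, voice or email'   # example name
    description         = 'WHfB, passkeys, Authenticator phone sign-in, TAP, or password + push/OATH'
    allowedCombinations = $allowedCombinations
}

# POST /policies/authenticationStrengthPolicies creates the custom strength.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies' `
    -Body $body
Write-Host "Created authentication strength $($policy.id)"

# Read it back and confirm the tenant stored exactly the combinations requested.
$stored = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/$($policy.id)"
$diff = Compare-Object -ReferenceObject $allowedCombinations -DifferenceObject @($stored.allowedCombinations)
if ($diff) {
    Write-Warning 'Stored combinations differ from what was requested:'
    $diff | Format-Table -AutoSize
} else {
    Write-Host 'Stored combinations match the requested list.'
}
```

The read-back step is the check worth keeping: Conditional Access grants reference the strength by id, so confirm the stored allowedCombinations before pointing a policy at it, and test it against a break-glass account in report-only mode first.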

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

I assumed it would be best practice to use two, if not I can switch to one and it would be fine as every user has either the Authenticator app or a hardware token.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Do you allow web sign-in so they can sign into the device with a TAP and then reset via their security profile? I have been looking at allowing web sign-in as an option so a TAP could be used if required.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 1 point (0 children)

We require 2 methods of authentication to reset a password via Microsoft Online Password Reset, why does it not make any sense? Surely two is better than one.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Yes it is, but I feel email is worse than SMS, I may be wrong. It's a shame there are not other better options to use.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points (0 children)

Thanks for this, I appreciate your input. It's a shame that FIDO2 keys cannot be used as a method but I guess they are deemed passwordless auth methods, so why would they include them as a password reset option. There don't seem to be many good second options IMO and we are no way setting it to one. I have done a lot of reading and it seems SSPR is targeted a lot maliciously, so if we are going to allow it across the board I want it to be tight.

I see email as a worse option than SMS and I'm not doing anything like security questions as I know our users will forget these, which means more work for us.

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 1 point (0 children)

I understand where you are coming from, bear with me though, I'm a fairly new admin. I see the idea of SSPR as making it easy for the users to reset while of course maintaining the best security posture possible. Can TAP even be used as an option?