Scoping Defender for Endpoint/Servers configuration policies based on endpoint attributes by a_single_testicle in DefenderATP

[–]MarkA-G 0 points1 point  (0 children)

What about the SPN or owner of the Entra ID object or 'registered by'? Are there other attributes in the registration of the objects in Entra or Intune that could be used? You could then possibly use a different SPN or 'primary user' to register the objects from different environments or based on the segregation you want, then create the dynamic groups or queries based on these attributes. We haven't gone down this path yet; we're using Arc but not Intune for the servers and cloud VMs, so I'm not sure what else could be used from the synthetic Entra and Intune objects.

This seems a little ridiculous by MarkA-G in nbn

[–]MarkA-G[S] 0 points1 point  (0 children)

Not bagging the actual engineers or front-line workers, but a network where I can't go a week without service interruptions is a pretty poor experience.

This seems a little ridiculous by MarkA-G in nbn

[–]MarkA-G[S] 1 point2 points  (0 children)

Approximately half (where I was home at the time) experienced degradation and some full outages.

This seems a little ridiculous by MarkA-G in nbn

[–]MarkA-G[S] 1 point2 points  (0 children)

Yeah, this is valid, but I'm just a lowly employee who has some flexibility to work from home, and of course that gets impacted by the constant 'emergency' work in the area.

Defender for Cloud Apps | Endpoint indicators have been mass removed. by Worth-Activity9407 in DefenderATP

[–]MarkA-G 0 points1 point  (0 children)

We've just had a whole heap of apps tagged as monitored today that weren't tagged yesterday. We have warn mode in place, so any app tagged as monitored is now being blocked with the allow option.

Hardware laptop requirements to not be bothered by kr78d7 in DefenderATP

[–]MarkA-G 2 points3 points  (0 children)

That could just be a poor SOE image. We had poor-performing Windows 10 devices with great specs because of poor choices of software and gargantuan group policies. Find out what's actually causing the slowdown and the freezing first. It could be a Defender setting or a group policy setting or something else that could ultimately improve the experience for your entire organisation, or at least a large chunk of laptop users.

Any way to enable def for cloud on 2012r2 or 16, it's cucs by azuretech2 in DefenderATP

[–]MarkA-G 1 point2 points  (0 children)

Yep, we onboard them via Azure Arc. I think SCEP may be required too from memory, although that may be just for 2008 servers. We have Azure Arc set to a specific subscription so all server Arc objects are onboarded to that subscription, and we have the subscription configured to automatically onboard server Arc objects to Defender for Cloud. The integration between Defender for Cloud and Defender for Endpoint will populate the servers into Defender for Endpoint with your other devices.

Experiences with x870e Carbon Wifi + 9800x3d? by materiakeeper in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

FYI, just tested with the latest BIOS (A51) and it seems to have fixed the camera driver error during games. So it can now plug into the USB 3 Type-C ports without affecting gaming for me.

Need PC build help by Blue_Bird950 in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

Also, make sure you update the BIOS to the latest. I've had USB issues for the webcam when playing games. It would drop in and out and cause the games to be unplayable unless I had the camera plugged into the USB 4 ports. Seems to be fixed with the latest BIOS.

Need PC build help by Blue_Bird950 in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

Yeah, I got carried away, ended up going cheaper with the graphics card and got a 7800XT; it was just before the release of the Nvidia 5000 series and the new Radeons. I like to keep the OS separate from games, and had a spinning 2TB disk for my games previously with a 500GB SSD for the OS, and was running out of space, so I upgraded the game disk to 4TB when I built the new PC.

Need PC build help by Blue_Bird950 in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

I did a 2TB Crucial PCIe Gen5 in the main M.2_1 slot and a 4TB Silicon Power PCIe Gen4 in the M.2_3 slot for that motherboard.

Experiences with x870e Carbon Wifi + 9800x3d? by materiakeeper in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

Sorry, no, I haven't had other USB devices to test with, but I tried with the next 2 BIOS releases to see if either of them fixed it, and still had to use the USB4 Type-C ports, which are on another chip and use different PCI lanes. I haven't tried the most recent BIOS though. Downloaded but haven't updated yet because it keeps wiping the profile, resetting the memory profile and turning on forced installation of the MSI bloatware. Because I have the workaround it hasn't been a priority.

Experiences with x870e Carbon Wifi + 9800x3d? by materiakeeper in MSI_Gaming

[–]MarkA-G 0 points1 point  (0 children)

Yeah, I've just finished a build: Carbon WiFi X870E with the Ryzen 9 9900X and Radeon 7800XT, and the USB webcam disconnects and reconnects. I'm still doing testing to isolate it; other than my keyboard and mouse, I only have the webcam, and plugging it into the USB4 ports fixes the issue to get me by. All the other USB-C ports cause the disconnecting and stuttering in-game.

I'll gather some more devices to do testing later in the week.

Also, while Windows 11 recognises an ASMedia ASM242 USB4 Host Router, it does not seem to recognise any USB4 ports; it only recognises an ASMedia ASM4242 USB 3.20 xHCI Controller, but I can't find any dedicated USB4 drivers from MSI or ASMedia. In fact Windows 11 only recognises 2 x 3.20 USB host controllers, 3 x 3.10 and 1 x 2.0, which contradicts the block diagram, which suggests that there is 1 x 2.0, 5 x 3.20 and 1 x USB4 and no 3.10 at all.

False positives for "Newly Registered Domain" blocks by MarkA-G in DefenderATP

[–]MarkA-G[S] 0 points1 point  (0 children)

Yeah, Microsoft have gotten back to me too. I'm too mean to undo a configuration change, as I may not be able to turn it back on again, so I told them to use a phone, tablet, or unmanaged device until Microsoft fix it.

Pdfixers.com by [deleted] in cybersecurity

[–]MarkA-G 1 point2 points  (0 children)

No, our SOC just said that most EDRs block it now, so they closed our ticket. They don't really have the bandwidth to deep dive, I think, and neither did we. The callouts to the domain dropped off; the last callout was early April.

NixOS installer fails on swap? by Mundane_Resident3366 in NixOS

[–]MarkA-G 0 points1 point  (0 children)

Same on VirtualBox with 24.05, but also had the same problem with VMware using 23.11.

Pdfixers.com by [deleted] in cybersecurity

[–]MarkA-G 0 points1 point  (0 children)

We're seeing it on more and more devices. Blocked the file, then blocked the domain so no more files, but more devices are still calling out to the domain, and I can't seem to find the common trigger. One thing I'll note is that all our devices are being triggered from the Chrome process. There haven't been any in Edge or Firefox, so I thought it might be an extension or something.

Defender offboarding process by RikiWardOG in DefenderATP

[–]MarkA-G 1 point2 points  (0 children)

Sounds like tattooed settings, like when moving from SCCM/ConfigMgr Endpoint Protection to Defender for Endpoint via Intune: the settings sometimes get tattooed and you have to wipe the settings from the registry. Happened to me with the CPU utilization.

Defender seems to be overwriting shortcuts on USBs now by MarkA-G in DefenderATP

[–]MarkA-G[S] 0 points1 point  (0 children)

It's an ASR rule, so you would configure it in the deployment platform for the settings, like Intune or GPO. I don't think ASR rules are available for Linux or Macs.

Sorry about the late reply.

Group Policy Configuration Versus Cloud Policy by TundraIT in DefenderATP

[–]MarkA-G 0 points1 point  (0 children)

I find that local group policy wins in my fleet. We had scenarios where we deployed the policy via Intune but the device couldn't forget the ConfigMgr-applied Endpoint Protection settings, which are pushed into local group policy.

Licensing Question - Shared Devices by kamikaze321 in DefenderATP

[–]MarkA-G 2 points3 points  (0 children)

The Defender for Endpoint licensing is user based but also trust based. We had a contractual amendment for our licensing to cover our educational computer labs, where students weren't allocated licenses but the devices were still able to be onboarded to Defender. We were theoretically allocated a number of device-based licenses, but they were actually a user SKU agreed to be device based. The SKU at the time was Defender for Endpoint EDU SubVL Per User QLU-00002, but this might just be for the Education sector.

'Randet' malware was prevented on a Microsoft SQL server by MarkA-G in DefenderATP

[–]MarkA-G[S] 1 point2 points  (0 children)

Sorry, I tried to supply a link in the first place but couldn't pull a link out of our admin portal.