Comments on: Handling Inactive Devices in Microsoft Defender for Endpoint

By: Thijs Lecomte

Thijs Lecomte — Wed, 27 Sep 2023 11:16:08 +0000

In reply to ANdrew. Hi Andrew If the service has stopped on the device, something else is going on. You will need to dig into the event logs why the service is stopping. Can you check the sense event viewer and tell me what you see?

By: ANdrew

ANdrew — Wed, 27 Sep 2023 00:31:21 +0000

So if your device is onboarded. it can reach MS endpoint servers but sensor is inactive in defender portal and the device SC QC Sense = stopped
is the only way to fix this is to onboard again?

By: Thijs Lecomte

Thijs Lecomte — Thu, 07 Sep 2023 18:04:39 +0000

In reply to Jeff. Microsoft updated the setting to retain data 180 days by default, there is currently no way to change it.

By: Jeff

Jeff — Thu, 31 Aug 2023 13:42:55 +0000

In reply to Thijs Lecomte.

Hi,
I don’t have a Retention menu in the navigation of Settings – Endpoints
Where I can find this ?
I can have this info via powershell script ?
Thank’s

By: Brian Sinclair

Brian Sinclair — Tue, 01 Aug 2023 11:17:12 +0000

Thanks for the guide – as an update, Microsoft has now included a exclude button with justifications to remove them from your vulnerability lists.

By: Debouchaud

Debouchaud — Fri, 30 Jun 2023 13:13:29 +0000

In reply to Liam Sheridan.

I the same issue, that’s a mess to handle…
if anyone got a clue

By: Thijs Lecomte

Thijs Lecomte — Sat, 24 Jun 2023 17:26:03 +0000

In reply to HENG MENGHUN.

Can you elaborate on this? I would find it strange that it is changed to ‘Can be onboarded’. This can only happen if it’s manually offboarded.
It can happen, that, if a device is onboarded. It has two entries for a while. One ‘can be onboarded’ and one ‘onboarded’, is this case?

By: HENG MENGHUN

HENG MENGHUN — Thu, 22 Jun 2023 01:48:36 +0000

In reply to Thijs Lecomte. Hello Thijs, Some of devices already run onboarding script and the status appear Onboarded, but many day later it is appear Can be onboarded, May I know what is the problem.

By: Thijs Lecomte

Thijs Lecomte — Tue, 30 May 2023 20:10:02 +0000

In reply to lola.

Hi Lola

Can you provide me more information where you see the following information: unassigned and invisible?
Do you mean they are not seen in the portal. This can happen if the machines are not onboarded or have not been seen by an onboarded device.
Defender has a capability called ‘Device Discovery’ (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide) which will actively scan the network to identify other, non-onboarded devices.
If a machine is scanned, but not onboarded, it will receive one of the following statuses:
– Unsupported => The device is not supported to be onboarded
– Insufficient => not enough info is available to verify if onboarding is possible
– Can be onboarded => device is supported to be onboarded into MDE

By: lola

lola — Tue, 16 May 2023 13:23:46 +0000

Hello Thijs

during the deployment of the EDR in block-mode with the existence of another antivirus, we have machines that are not onboarded and they display on the MDE portal the following statuses:
can be onboarded, unsupported, insufficient information

also machines that are invisible or unassigned

do you have an explanation for this?

do you have a definition for each status:
can be onboarded?
insufficient information?
unsupported?
invisible?
unassigned?

THANKS