-
标题
What's new 12.1 - Microsoft Defender Integration -
说明
On 12.1, Agents can now be sent commands related to Microsoft Defender:
- Perform a Quick Scan
- Perform a Full Scan
- Update Signatures
- Enable Microsoft Defender
Additional to this, there are two sections on the Device Inventory, inside Security that shows:
- Microsoft Defender Status
- Microsoft Defender Threat History
-
解决办法
This feature has the following requirements:
- Agent managed (12.1+) or agentless device
- Windows 10, Windows Server 2016, or later
- PowerShell Enabled
The following error will be displayed if the agent is below 12.1: "Microsoft Defender is disabled on this device". This error also shows up if the device is not running under a supported Windows OS:
For the options to appear under Inventory | Devices, Bulk Actions must be enabled. This option is enabled by default after upgrading to 12.1.
Also on General Settings, you can adjust the retention for keeping records of Threat Data. Default is 1 Month and can be increased up to 12 Months:
Then the options can be accessed from the Devices page and run across multiple supported devices:
Alternatively, it can be run individually on the Device's Inventory page under Choose Action:
Notice that a button for Disable Network Traffic was also added. This will disable the physical NIC(s) on the PC, and thus, won't be able to communicate with the SMA. The NIC(s) need to be re-enabled manually in order for the agent to re-connect.
Here's an example of Microsoft Defender Inventory Output when there's a Threat found:
Here's the Detail when clicked:
