Microsoft Defender for Endpoint and Secure Score not synchronising

Noah Mohamed 0

Hello, I've been dealing with issue for a while.

It all began when I turned on the endpoint agent on Microsoft Security and all of the devices of my users were successfully onboarded via Intune, prior to this the report card on Secure Score displayed only; Identity, Data, and Apps. As expected after connecting both Security and Intune/Endpoint Manager the Devices category appeared; all well and good.

However when I attempt to implement the recommended actions that relates to the device category on Secure Score (I primarily use Endpoint Manager's AV policies on Endpoint Security and the configuration profiles), and assigning them to our company wide dynamic device groups, I have yet to see any change on Intune?

I've mingled around and made use of the remediation request function on vulnerability manager, but even when I implement following that process, and despite the assignment displaying a success rate of 100% on Endpoint Manager, this does not reflect on Secure Score.

I really need help on this, I am sure I am missing out an important detail.

Thanks.

Crystal-MSFT 45,656 Reputation points Microsoft Vendor

2023-01-25T02:12:43.27+00:00
@Noah Mohamed, Thanks for posting in Q&A. From your description, it seems the secure score is not synced.

To check on the issue, could you collect the following information to clarify:

For the secure score, based as I know, it is synced from Microsoft Defender. Could you check if the secure score shows on Microsoft Defender for these devices?

For these devices, are they enrolled into Intune? Based as I know, the device enrolled into Intune will use Intune to deploy the policies. For the devices not enrolled with Intune, Devices use their Azure AD Identity to communicate with Endpoint Manager. This identity enables Microsoft Endpoint Manager to distribute policies that are targeted to the devices when they check in.

Devices managed by this capability check-in with Microsoft Endpoint Manager every 90 minutes to update policy. Please try to sync device in Microsoft Defender portal to see if the result will be different.

https://video2.skills-academy.com/en-us/mem/intune/protect/mde-security-integration#device-check-in-frequency

Please check the above information and if there's any update, feel free to let us know.
Noah Mohamed 0 Reputation points

2023-01-25T11:57:20.3133333+00:00
Hi @Crystal-MSFT

1.Do you mean sync'd from the Microsoft Defender for Endpoint page?

Secondly, yes all of these are devices are enrolled into intune, we enrolled them first prior to turning on defender for endpoint.

We regularly sync all of our devices in intune via bulk action.

I've attached some screenshots to provide context.

here is the secure score

Here is the status of applied policies on Intune

Example of implemented actions:

I do not quite understand what is happening here.

I've applied the ASR rules, I've disabled what was recommended, and as you can see the check in status shows a success rate, but the score isn't updating.

Regards

Noah
Crystal-MSFT 45,656 Reputation points Microsoft Vendor

2023-01-26T05:59:00.5266667+00:00

@Noah Mohamed, Thanks for the response. From the information you provided, I know the device is enrolled into Intune and the policies are applied successfully. But we still didn't get the score. I wonder if there's some sync issue behind. Here, I suggest open case to check on it on the background. Here is a link with the steps to open case for your reference:

[https://video2.skills-academy.com/en-us/mem/get-support

1 answer

Pavel yannara Mirochnitchenko 12,391 Reputation points MVP

2023-01-31T06:41:35.6166667+00:00
Let me try to help you with my experience;

Ensure that your endpoints talk to Defender. If they are in use on daily bases, are date time stamps changing in Defender?

When you implement a solution to cover single Security Recommendation, within 1-2 days do you see that numbers of affected devices go lower? So if you have like 100/100 on some ASR rule recommendation, you enable that rule in Intune, do you start seing that 100/100 drops to xx/100?

Somewhere in dashboards, you can find in Defender the detailed score log, it basically logs what topic or issue when and how affected your score. Try to find that view and see what happends there.
Please sign in to rate this answer.
Noah Mohamed 0 Reputation points

2023-02-02T09:19:35.92+00:00

Hi Pavel,

On Defender, in the 'Devices' page accessible from the left hand panel, all the devices have updated timestamps (Feb 1), and have a green check for being onboarded.

When I implement a solution I implement it across the dynamic device groups I've created on Azure, and as you see on the screenshots above they are applied successfully. I do see some recommendations state "70/100 devices will be affected by this" and I go ahead and continue to apply it all on all devices, and after 1-2 (now weeks) the recommendation appears as if it hasn't been applied, despite the fact that it has been.

On the logs/metrics points are being added and regressed (with no direct changes being made by me) by small increment amounts, and on the recommended actions page the bulk of the actions recommended there are of the device category - many of which I have applied on Intune.
Sign in to comment

Share via

Microsoft Defender for Endpoint and Secure Score not synchronising

1 answer