Microsoft Defender for Endpoint Can Now Detect Unmanaged Devices

Microsoft on Tuesday announced the commercial release of an unmanaged device detection feature for the Microsoft Defender for Endpoint product.

The unmanaged device inventory capability, which previewed in April, is now at the "general availability" release stage. The capability will become apparent in the Microsoft 365 Defender management console, where it'll show up under the "Endpoints" menu option.

Discovery and Onboarding
With the new unmanaged device inventory capability, Microsoft Defender for Endpoint can discover unmanaged devices in a network and then "onboard" them so that they come under management.

The unmanaged device inventory capability can detect "unmanaged workstations, servers, and mobile endpoints (Windows, Linux, macOS, iOS, and Android) that haven't been onboarded and secured," the announcement explained. It can even detect unmanaged network devices, such as firewalls, routers, switches, virtual private network gateways and more.

Having unmanaged devices in a network can be a big security risk for organizations, Microsoft acknowledged, so this new detection feature is kind of a late bloomer. The Microsoft Defender for Endpoint product, formerly known as "Microsoft Defender Advanced Threat Protection," is used to add anti-malware protections to devices and also to conduct post-breach analyses.

Standard Mode Coming on July 19
The new unmanaged device inventory capability is associated with a discovery mode switch from "Basic" to "Standard." This switch to Standard is being done automatically by Microsoft to provide better device discovery capabilities for Microsoft Defender for Endpoint users. 

Microsoft plans to alert IT pros about this Standard mode switch via a pop-up box that'll appear at the top of the Microsoft 365 Defender console. The pop-up box message is just a formality, though, as Microsoft plans to automatically turn on Standard mode as the default, starting on July 19, 2021.

Microsoft describes how to exclude devices from Standard mode, if needed, in this document.

Back during the preview of the unmanaged device inventory capability, Microsoft had indicated in this April announcement that it would automatically switch tenancies using Microsoft Defender for Endpoint from "Basic discovery" to "Standard discovery" on May 10. That date apparently got pushed out to July 19.

The Standard discovery mode features a more active and deeper process for finding vulnerabilities than the Basic discovery mode, Microsoft argued. Using it doesn't deliver a big hit to the network, the company claimed.

"Once you have enabled this process [Standard mode], the amount of network traffic is minimal, up to 5k of traffic is generated per discovered device and the frequency of this process is only once every 3 weeks after initial discovery or when certain characteristics of the managed device change," Microsoft explained in its April announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

