Detect Microsoft Defender broken after MS patching

Our SCCM Team started testing with May 2022 security patches, which seems to break the posture check for ‘Detect Microsoft Defender’. Anyone else seeing this? Issues reported so far are with ZCC 3.7.1.54 and ZCC 3.8.0.93.

G

Hello,
Are you using Microsoft Defender Advanced Threat Protection (ATP) or Microsoft Defender AV? Was it working before with previous Client Connector versions?

Hi Jamil,
Apologies, Microsoft Defender Advanced Threat Protection (ATP).
Yes, it was working fine for months, but as the MS Patch Tuesday cycle started early testing, it then hit our custom Block message.

G

Seems I’ve cried wolf too soon; a second restart seems to resolve it. We’ll update our Policy Block message asking the user to restart twice.


Update:

Info from dev-team, KB5013942 is changing the thumbprint which is causing the Windows Defender posture check to begin failing. We have updated all clouds with the new thumbprint, issue should be resolved.


This is interesting because recently I have seen a ton of issues because of the network isolation policy which is part of Defender. It runs, though: even if the Defender service is disabled, it still drops packets. I have seen this on every system; I bet you see drops on yours too if you run a netsh trace. Look in the netevents.xml. I wonder if this has anything to do with that?

Hi Scott, doesn't sound like the same issue, but I’ll ask our Defender experts to check for this.
We’ve got a ZPA block policy if the native Defender posture fails which in this case was legit as MS changed the ‘AuthenticodeSignature’.
G
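The posture failure above came down to the Authenticode signer on the Defender binaries changing after a Windows update. The following PowerShell is an added example, not code from this thread, from Zscaler, or from Microsoft: it reads the signer certificate thumbprint of a Defender executable and compares it with the value a posture profile expects, so an admin can tell a signer change apart from Defender actually being absent. The binary path and the expected-thumbprint placeholder are assumptions; substitute the values from your own environment.

```powershell
# Added example (not from the thread or Zscaler): compare the Authenticode signer
# thumbprint of a Defender binary with the value a posture profile expects.
# Assumptions: the binary path below and the placeholder expected thumbprint.

$DefenderBinary     = 'C:\Program Files\Windows Defender\MsMpEng.exe'  # assumed path
$ExpectedThumbprint = '<EXPECTED_THUMBPRINT_PLACEHOLDER>'              # replace with your profile's value

function Get-SignerThumbprint {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Binary not found: $Path"
    }

    # Get-AuthenticodeSignature validates the signature chain and exposes the signer cert
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$Path' is '$($sig.Status)', not Valid"
    }

    [pscustomobject]@{
        Path       = $Path
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotBefore  = $sig.SignerCertificate.NotBefore
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

$actual = Get-SignerThumbprint -Path $DefenderBinary
$actual | Format-List

if ($actual.Thumbprint -eq $ExpectedThumbprint) {
    Write-Output 'Signer thumbprint matches the expected value; posture check should pass.'
} else {
    # A mismatch with a still-Valid signature points at a signer rotation (for example after
    # a cumulative update) rather than a missing or tampered Defender install.
    $msg = 'Signer thumbprint changed: expected {0}, found {1}. ' +
           'Check recently installed updates and update the posture profile thumbprint.'
    Write-Warning ($msg -f $ExpectedThumbprint, $actual.Thumbprint)
}
```

Run it from an elevated PowerShell on a patched and an unpatched machine and diff the two `Thumbprint` values; if the signature status is still `Valid` but the thumbprint differs, the fix belongs in the posture profile, not on the endpoint.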

The thing is that this problem with the network isolation is causing all sorts of problems that seem unrelated until you see the netevents.xml log and the wpfdiag.xml logs from a netsh debug. Note that just adding the registry keys for this does not fix it. You actually have to have it as part of a GPO.