Microsoft Defender for Identity health alerts - Microsoft Defender for Identity (2023)


Health issues page

The Microsoft Defender for Identity Health issues page lets you know when there's a problem with your Defender for Identity instance, by raising a health alert. To access the page, follow these steps:

  1. In Microsoft 365 Defender, go to Settings and then Identities.

  2. Under General, select Health issues.

  3. The Health issues page is displayed, where you can see Open, Closed, and Suppressed health issues.

  4. Select any issue for more details, and the option to close or suppress the issue.

Note

Sensor-related health alerts can also be found in the Sensor settings page.

Health alerts

This section describes all the health alerts for each component, listing the cause and the steps needed to resolve the problem.

Sensor-specific health alerts are displayed in the Sensors settings page, and domain-related or aggregated health alerts are displayed in the Health issues page, as detailed in the tables below.

A domain controller is unreachable by a sensor

Alert: The Defender for Identity sensor has limited functionality due to connectivity issues to the configured domain controller.
Description: This impacts Defender for Identity's ability to detect suspicious activities related to domain controllers monitored by this Defender for Identity sensor.
Resolution: Make sure the domain controllers are up and running and that this Defender for Identity sensor can open LDAP connections to them. In addition, in Settings make sure to configure a Directory Service account for every deployed forest.
Severity: Medium
Displayed in: Sensors settings page

All/Some of the capture network adapters on a sensor are not available

Alert: All/Some of the selected capture network adapters on the Defender for Identity sensor are disabled or disconnected.
Description: Network traffic for some/all of the domain controllers is no longer captured by the Defender for Identity sensor. This impacts the ability to detect suspicious activities related to those domain controllers.
Resolution: Make sure the selected capture network adapters on the Defender for Identity sensor are enabled and connected.
Severity: Medium
Displayed in: Sensors settings page

Directory services user credentials are incorrect

Alert: The credentials for the directory services user account are incorrect.
Description: This impacts the sensors' ability to detect activities using LDAP queries against domain controllers.
Resolution:
- For a standard AD account: Verify that the username, password, and domain in the Directory services configuration page are correct.
- For a group Managed Service Account: Verify that the username and domain in the Directory Services configuration page are correct. Also check all the other gMSA account prerequisites described on the Directory Service account recommendations page.
Severity: Medium
Displayed in: Health issues page

Low success rate of active name resolution

Alert: The listed Defender for Identity sensors are failing to resolve IP addresses to device names more than 90% of the time using the following methods:
- NTLM over RPC
- NetBIOS
- Reverse DNS
Description: This impacts Defender for Identity's detection capabilities and might increase the number of false positive alarms.
Resolution:
- For NTLM over RPC: Check that port 135 is open for inbound communication from Defender for Identity sensors on all computers in the environment.
- For reverse DNS: Check that the sensors can reach the DNS server and that Reverse Lookup Zones are enabled.
- For NetBIOS: Check that port 137 is open for inbound communication from Defender for Identity sensors on all computers in the environment.
Additionally, make sure that the network configuration (such as firewalls) isn't preventing communication to the relevant ports.
Severity: Low
Displayed in: Sensors settings page and health issues page
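The three resolution paths above can be verified from the sensor host before touching firewall rules. The following PowerShell script is an added example, not part of the Microsoft page: it probes TCP 135 (RPC endpoint mapper) with Test-NetConnection, uses nbtstat for the NetBIOS name service (which is UDP 137, so a TCP probe cannot test it), and asks for a PTR record with Resolve-DnsName. The target addresses and the function name Test-MdiNameResolution are constructed for the example; substitute the hosts the alert lists.

```powershell
# Added example (not from the Microsoft page): checks, from a Defender for Identity
# sensor host, the three active name-resolution paths the health alert depends on.
# $Targets is a constructed sample list; replace it with hosts from your environment.
param(
    [string[]] $Targets   = @('10.0.0.10', '10.0.0.11'),  # constructed sample IPs
    [string]   $DnsServer = $null                         # optional explicit DNS server
)

function Test-MdiNameResolution {
    param([string] $IPAddress, [string] $DnsServer)

    $result = [ordered]@{ Target = $IPAddress }

    # NTLM over RPC: the sensor needs TCP 135 (RPC endpoint mapper) reachable on the target.
    $result['Rpc135Tcp'] = Test-NetConnection -ComputerName $IPAddress -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # NetBIOS name service is UDP 137, which Test-NetConnection cannot probe (TCP only),
    # so use nbtstat -A, which sends a node status request to the address. A successful
    # reply lists the registered names, including the workstation service name (<00>).
    $nbt = nbtstat -A $IPAddress 2>$null
    $result['NetBios137'] = [bool]($nbt | Select-String -Pattern '<00>' -Quiet)

    # Reverse DNS: a missing PTR answer usually means no reverse lookup zone for the subnet.
    try {
        $ptrParams = @{ Name = $IPAddress; Type = 'PTR'; ErrorAction = 'Stop' }
        if ($DnsServer) { $ptrParams['Server'] = $DnsServer }
        $ptr = Resolve-DnsName @ptrParams
        $result['ReverseDns'] = ($ptr | Where-Object { $_.Type -eq 'PTR' } |
            Select-Object -First 1).NameHost
    } catch {
        $result['ReverseDns'] = $null
    }

    [pscustomobject] $result
}

$report = $Targets | ForEach-Object { Test-MdiNameResolution -IPAddress $_ -DnsServer $DnsServer }
$report | Format-Table -AutoSize

# The alert fires when resolution fails more than 90% of the time, so the hosts that
# matter are the ones where none of the three paths works.
$report | Where-Object { -not $_.Rpc135Tcp -and -not $_.NetBios137 -and -not $_.ReverseDns } |
    ForEach-Object { Write-Warning "No working resolution path for $($_.Target)" }
```

Run it on each sensor host that the alert names, since host firewalls are evaluated per source; a target that answers on all three paths from an administrator's workstation may still be unreachable from the sensor.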

No traffic received from domain controller

Alert: No traffic was received from the domain controller via this Defender for Identity sensor.
Description: This might indicate that port mirroring from the domain controllers to the Defender for Identity sensor isn't configured yet or isn't working.
Resolution: Verify that port mirroring is configured properly on your network devices.
On the Defender for Identity sensor capture NIC, disable these features in Advanced Settings:
- Receive Segment Coalescing (IPv4)
- Receive Segment Coalescing (IPv6)
Severity: Medium
Displayed in: Sensors settings page and health issues page

Read-only user password to expire shortly

Alert: The read-only user password, used to perform resolution of entities against Active Directory, is about to expire in less than 30 days.
Description: If the password for this user expires, all the Defender for Identity sensors stop running and no new data is collected.
Resolution: Change the domain connectivity password and then update the Directory Service account password.
Severity: Medium
Displayed in: Health issues page

Read-only user password expired

Alert: The read-only user password, used to get directory data, expired.
Description: All the Defender for Identity sensors stop running (or will stop running soon) and no new data is collected.
Resolution: Change the domain connectivity password and then update the Directory Service account password.
Severity: High
Displayed in: Health issues page

Sensor outdated

Alert: A Defender for Identity sensor is outdated.
Description: A Defender for Identity sensor is running a version that can't communicate with the Defender for Identity cloud infrastructure.
Resolution: Manually update the sensor and check to see why the sensor isn't automatically updating. If this doesn't work, download the latest sensor installation package and uninstall and reinstall the sensor. For more information, see Download the Microsoft Defender for Identity sensor and Install the Microsoft Defender for Identity sensor.
Severity: Medium
Displayed in: Sensors settings page and health issues page

Sensor reached a memory resource limit

Alert: The Defender for Identity sensor stopped itself and restarts automatically to protect the domain controller from a low memory condition.
Description: The Defender for Identity sensor enforces memory limitations upon itself to prevent the domain controller from experiencing resource limitations. This happens when memory usage on the domain controller is high. Data from this domain controller is only partly monitored.
Resolution: Increase the amount of memory (RAM) on the domain controller or add more domain controllers in this site to better distribute the load of this domain controller.
Severity: Medium
Displayed in: Sensors settings page

Sensor service failed to start

Alert: The Defender for Identity sensor service failed to start for at least 30 minutes.
Description: This can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Resolution: Monitor Defender for Identity sensor logs to understand the root cause of the Defender for Identity sensor service failure.
Severity: High
Displayed in: Sensors settings page

Sensor stopped communicating

Alert: There has been no communication from the Defender for Identity sensor. The default time span for this alert is 5 minutes.
Description: Network traffic is no longer captured by the network adapter on the Defender for Identity sensor. This impacts Defender for Identity's ability to detect suspicious activities, since network traffic won't be able to reach the Defender for Identity cloud service.
Resolution: Check that the port used for the communication between the Defender for Identity sensor and the Defender for Identity cloud service is not blocked by any routers or firewalls.
Severity: Medium
Displayed in: Sensors settings page

Some Windows events are not being analyzed

Alert: The Defender for Identity sensor is receiving more events than it can process.
Description: Some Windows events aren't being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Resolution: Consider adding additional processors and memory as required. If this is a standalone Defender for Identity sensor, verify that only the required events are forwarded to the Defender for Identity sensor, or try to forward some of the events to another Defender for Identity sensor.
Severity: Medium
Displayed in: Sensors settings page and health issues page

Some network traffic could not be analyzed

Alert: The Defender for Identity sensor is receiving more network traffic than it can process.
Description: Some network traffic couldn't be analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Resolution: Consider adding additional processors and memory as required. If this is a standalone Defender for Identity sensor, reduce the number of domain controllers being monitored.
This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, check that the following settings are set to 0 or Disabled in the virtual machine (in the Windows OS, not in the VMware settings):
- Large Send Offload V2 (IPv4)
- IPv4 TSO Offload
The names may vary depending on your VMware version. For more information, see your VMware documentation.
Severity: Medium
Displayed in: Sensors settings page and health issues page
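Both the "No traffic received from domain controller" resolution (Receive Segment Coalescing) and the VMware note above (Large Send Offload / TSO) come down to offload features on the sensor's capture adapter. The PowerShell below is an added example, not Microsoft's code: it reports the RSC and LSO state with the NetAdapter cmdlets, lists every offload-related advanced property so that vendor-specific names are not missed, and changes settings only when run with -Fix. The adapter name 'Ethernet 2' is an assumption; use the name of your capture NIC.

```powershell
# Added example (not from the Microsoft page): reports, and on request disables, the
# receive and send offload features that the two health alerts above point at, on the
# sensor's capture adapter. 'Ethernet 2' is an assumed name; pass your capture NIC.
param(
    [string] $CaptureNic = 'Ethernet 2',   # assumed capture adapter name
    [switch] $Fix                          # only change settings when explicitly asked
)

# Receive Segment Coalescing, both address families ("No traffic received" resolution).
$rsc = Get-NetAdapterRsc -Name $CaptureNic
# Large Send Offload as exposed by the NetAdapter module (VMware note in the alert above).
$lso = Get-NetAdapterLso -Name $CaptureNic

[pscustomobject]@{
    Adapter = $CaptureNic
    RscIPv4 = $rsc.IPv4Enabled
    RscIPv6 = $rsc.IPv6Enabled
    LsoIPv4 = $lso.IPv4Enabled
    LsoIPv6 = $lso.IPv6Enabled
} | Format-List

# Vendor drivers name the same features differently, so show every offload-related
# advanced property rather than hard-coding one display name.
Get-NetAdapterAdvancedProperty -Name $CaptureNic -DisplayName '*Offload*' |
    Select-Object DisplayName, DisplayValue | Format-Table -AutoSize

if ($Fix) {
    Disable-NetAdapterRsc -Name $CaptureNic -IPv4 -IPv6
    Disable-NetAdapterLso -Name $CaptureNic -IPv4 -IPv6

    # The two display names the alert lists; each is applied only if the driver exposes it.
    foreach ($name in 'Large Send Offload V2 (IPv4)', 'IPv4 TSO Offload') {
        $prop = Get-NetAdapterAdvancedProperty -Name $CaptureNic -DisplayName $name `
            -ErrorAction SilentlyContinue
        if ($prop) {
            Set-NetAdapterAdvancedProperty -Name $CaptureNic -DisplayName $name -DisplayValue 'Disabled'
        }
    }
}
```

Disabling an offload feature resets the adapter briefly, so run the -Fix pass in a maintenance window and re-run without -Fix afterwards to confirm the settings persisted across the driver reset.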

Some ETW events are not being analyzed

Alert: The Defender for Identity sensor is receiving more Event Tracing for Windows (ETW) events than it can process.
Description: Some Event Tracing for Windows (ETW) events aren't being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Resolution: Consider adding additional processors and memory as required.
Severity: Medium
Displayed in: Sensors settings page and health issues page

Sensor with Windows Server 2008 R2: Will be unsupported soon

Alert: The Defender for Identity sensor is running on Windows 2008 R2, which will be unsupported soon.
Description: Starting June 15, 2022, Microsoft will no longer support the Defender for Identity sensor on devices running Windows Server 2008 R2. More details can be found at: https://aka.ms/mdi/2008r2
Resolution: Upgrade the Operating System on this Domain Controller to at least Windows Server 2012.
Severity: Medium (starting June 1, 2022 the severity of this health alert will be High)
Displayed in: Sensors settings page

Sensor with Windows Server 2008 R2: Unsupported

Alert: The Defender for Identity sensor is running on Windows 2008 R2, which is unsupported.
Description: Starting June 15, 2022, Microsoft will no longer support the Defender for Identity sensor on devices running Windows Server 2008 R2. More details can be found at: https://aka.ms/mdi/2008r2
Resolution: Upgrade the Operating System on this Domain Controller to at least Windows Server 2012.
Severity: High
Displayed in: Sensors settings page

Sensor has issues with packet capturing component

Alert: The Defender for Identity sensor is using WinPcap drivers instead of Npcap drivers.
Description: We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers.
Resolution: Install Npcap according to the guidance described in: https://aka.ms/mdi/npcap
Severity: Low
Displayed in: Sensors settings page

Alert: The Defender for Identity sensor is running an Npcap version older than the minimum required version.
Description: We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers.
Resolution: Upgrade Npcap according to the guidance described in: https://aka.ms/mdi/npcap
Severity: Medium
Displayed in: Sensors settings page

Alert: The Defender for Identity sensor is running an Npcap component that is not configured as required.
Description: We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers.
Resolution: Install Npcap according to the guidance described in: https://aka.ms/mdi/npcap
Severity: High
Displayed in: Sensors settings page

NTLM Auditing is not enabled

Alert: NTLM Auditing is not enabled.
Description: NTLM Auditing (for event ID 8004) is not enabled on the server.
Resolution: Enable NTLM Auditing events according to the guidance described in the Event ID 8004 section of the Configure Windows Event collection page.
Severity: Medium
Displayed in: Sensors settings page

Directory Services Advanced Auditing is not enabled as required

Alert: Directory Services Advanced Auditing is not enabled as required.
Description: The Directory Services Advanced Auditing configuration does not include all the categories and subcategories as required.
Resolution: Enable the Directory Services Advanced Auditing events according to the guidance described in the Configure Audit Policies section of the Configure Windows Event collection page.
Severity: Medium
Displayed in: Health issues page

Directory Services Object Auditing is not enabled as required

Alert: Directory Services Object Auditing is not enabled as required.
Description: The Directory Services Object Auditing configuration does not include all the object types and permissions as required.
Resolution: Enable the Directory Services Object Auditing events according to the guidance described in the Configure Audit Policies section of the Configure Windows Event collection page.
Severity: Medium
Displayed in: Health issues page
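The three auditing alerts above (NTLM auditing for event 8004, Advanced Audit Policy subcategories, and object SACLs) can be checked on a domain controller in one pass. The PowerShell below is an added example and not Microsoft's tooling. It reads the registry values behind the "Network security: Restrict NTLM" audit policies (value names and expected numbers are my recollection of what the corresponding Group Policy settings write, so verify them against the Configure Windows Event collection page), compares auditpol output with a required-subcategory list, and dumps the audit entries on the domain root. The subcategory list is an illustrative subset; the authoritative list is in the referenced Microsoft page. Run elevated on the DC.

```powershell
# Added example (not from the Microsoft page): audits the auditing configuration that
# the NTLM, Advanced Auditing and Object Auditing health alerts check. Run elevated on a DC.

# --- 1. NTLM auditing (event ID 8004) ---------------------------------------------------
# Assumption: these are the registry values written by the "Network security: Restrict NTLM"
# policies; the expected numbers correspond to the "audit all / enable all" choices.
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmChecks = [ordered]@{
    AuditReceivingNTLMTraffic  = 2   # Audit incoming NTLM traffic: enable auditing for all accounts
    AuditNTLMInDomain          = 7   # Audit NTLM authentication in this domain: enable all
    RestrictSendingNTLMTraffic = 1   # Outgoing NTLM traffic to remote servers: audit all
}

$ntlmResults = foreach ($name in $ntlmChecks.Keys) {
    $actual = (Get-ItemProperty -Path $ntlmKey -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $ntlmChecks[$name]
        Actual   = $actual
        Ok       = ($actual -eq $ntlmChecks[$name])
    }
}
"NTLM auditing:"; $ntlmResults | Format-Table -AutoSize

# --- 2. Advanced Audit Policy subcategories --------------------------------------------
# Illustrative subset only; take the full required list from the Configure Windows Event
# collection page and extend this array.
$requiredSubcategories = @(
    @{ Name = 'Directory Service Access';  Setting = 'Success and Failure' }
    @{ Name = 'Directory Service Changes'; Setting = 'Success and Failure' }
)

$auditResults = foreach ($req in $requiredSubcategories) {
    # auditpol /r emits CSV with an "Inclusion Setting" column ("Success and Failure",
    # "Success", "Failure" or "No Auditing").
    $row = auditpol /get /subcategory:"$($req.Name)" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $req.Name
        Expected    = $req.Setting
        Actual      = $row.'Inclusion Setting'
        Ok          = ($row.'Inclusion Setting' -eq $req.Setting)
    }
}
"Advanced audit policy:"; $auditResults | Format-Table -AutoSize

# --- 3. Object auditing (SACL on the domain root) -------------------------------------
# Requires the ActiveDirectory module (RSAT). Lists the audit entries so they can be
# compared with the object types and permissions the Microsoft page requires.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    "Audit entries on $domainDn :"
    (Get-Acl -Path "AD:\$domainDn" -Audit).Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize
} else {
    Write-Warning 'ActiveDirectory module not available; skipping object auditing check.'
}

$failed = @($ntlmResults + $auditResults | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) auditing setting(s) differ from the expected value." }
```

Treat the registry and subcategory expectations as the part to validate first: if the Microsoft guidance for your tenant differs, change the expected values in the two tables rather than the comparison logic.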

Power mode is not configured for optimal processor performance

Alert: Power mode is not configured for optimal processor performance.
Description: The operating system's power mode is not configured to the optimal processor performance settings. This can impact the server's performance and the sensors' ability to detect suspicious activities.
Resolution: Configure the power option of the machine running the Defender for Identity sensor to High Performance (or set both the minimum and maximum processor state to 100), as described in the Server specifications section of the Defender for Identity prerequisites page.
Severity: Low
Displayed in: Sensors settings page
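The resolution above accepts either condition: the High Performance plan is active, or both processor-state limits are 100%. The PowerShell below is an added example (not Microsoft's code) that evaluates exactly that with powercfg: it reads the active scheme GUID, queries the minimum and maximum processor state of the current scheme through the SUB_PROCESSOR / PROCTHROTTLEMIN / PROCTHROTTLEMAX aliases, and switches to High Performance only when run with -Fix. The High Performance plan GUID is the built-in Windows value.

```powershell
# Added example (not from the Microsoft page): verifies the power configuration the
# "Power mode" health alert expects on a sensor host, and can apply High Performance.
param([switch] $Fix)

# Built-in Windows GUID of the High Performance power scheme.
$highPerfGuid = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'

# "Power Scheme GUID: <guid>  (<name>)" -> keep the GUID only.
$activeGuid = (powercfg /getactivescheme) -replace '.*GUID:\s*([0-9a-fA-F-]+).*', '$1'

function Get-ProcessorStatePercent {
    # Reads the AC value of a processor power setting from the current scheme.
    param([ValidateSet('PROCTHROTTLEMIN', 'PROCTHROTTLEMAX')] [string] $Alias)
    $line = powercfg /query SCHEME_CURRENT SUB_PROCESSOR $Alias |
        Select-String -Pattern 'Current AC Power Setting Index'
    # The index is printed as hex (0x00000064 = 100%).
    [int]($line.ToString() -replace '.*:\s*0x', '0x')
}

$minPct = Get-ProcessorStatePercent -Alias 'PROCTHROTTLEMIN'
$maxPct = Get-ProcessorStatePercent -Alias 'PROCTHROTTLEMAX'

$status = [pscustomobject]@{
    ActiveScheme        = $activeGuid
    IsHighPerformance   = ($activeGuid -eq $highPerfGuid)
    MinProcessorState   = $minPct
    MaxProcessorState   = $maxPct
    MeetsAlertCondition = ($activeGuid -eq $highPerfGuid) -or ($minPct -eq 100 -and $maxPct -eq 100)
}
$status | Format-List

if (-not $status.MeetsAlertCondition) {
    if ($Fix) {
        powercfg /setactive $highPerfGuid
        "Switched to High Performance; re-run without -Fix to confirm."
    } else {
        Write-Warning 'Power plan does not meet the sensor requirement; run with -Fix to apply High Performance.'
    }
}
```

On virtual machines the hypervisor's own power management still applies underneath the guest plan, so a passing result here removes the health alert but is not by itself a guarantee of sustained processor performance.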

Article information

Author: Nicola Considine CPA

Last Updated: 02/20/2023
