MAV (Managed AV - Microsoft Defender)

One of the key components of Windows Defender is the Attack Surface Reduction (ASR) Rules. In my opinion, the ASR rules is what makes Defender such a powerful platform. It would be great if we could include the ability to turn on, manage, and add exclusions for the ASR rules in huntress. Other competitor platforms can do this and it works quite well. These rules exponentially expand the effectiveness of Defender.

https://docs.microsoft.com/en-NZ/microsoft-365/security/defender-business/?view=o365-worldwide

The setting description in MAV states: "This is currently not recommended per Defender guidelines and set to "Disabled" by Huntress Managed Antivirus" However, the Microsoft CSP policy suggests: "It is recommended to enable this setting." Here's the link to the policy document: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowscanningnetworkfiles Is this the same rule, or am I missing something?

Our organization makes heavy use of ephemeral AVD hosts that are reimaged daily. Prior to our implementation of Tamper Protection, we were able to run install and uninstall Huntress scripts prior to provisioning and deprovisioning hosts. This would allow us to keep our agent counts reasonable by offboarding hosts before they are destroyed. After implementing Tamper Protection, the uninstall script no longer removes the dead hosts from the Huntress portal. I understand there is a feature for exclusion based on client or hostname. However, the ephemeral AVD hosts have dynamically generated host names, so we are unable to set an exclusion rule for any future hosts provisioned. I believe an effective solution would be to allow for client-based Tamper Protection exclusions that can be set based on device tag. This way, when we run the install script on our AVD hosts, we can tag them as ephemeral and exclude them from Tamper Protection to allow the uninstall. I realize that disabling Tamper Protection on any host is potentially risky. However, in an ephemeral host situation where we are piping event logs into Log Analytics and a Storage Account, we believe we have effectively addressed the risk of potentially losing visibility. Would appreciate feedback on this suggestion as soon as possible, as we would not like to leave our hosts undefended, but do not want to accumulate additional charges for stale hosts.

Be able to force enable defender when defender is disabled.

Requesting Managed AV for Mac Devices so that our MSP partners can have AV across operating systems.

Would love to get reports on managed end points AV scans. Having these in one easy to find easy to read place would be a great benefit for insights into AV activity. Additionally being able to pull reports for end points that have been manually scanned across multiple tenants in our Huntress program would make it easier to verify remediation for known or suspected infections, and would reduce the manual steps needed to ensure remediation or confirmation that the scanned end points do not have IOCs.

Looking for the ability for Defender to automatically scan USB media when plugged in. This would ideally be in addition to the quick scan and full scan schedule.

Hi team, would love the ability to control tamper protection for MAV via Huntress. We have a few clients that use it and it can get turned off for a variety of reasons and would love to have that control in a policy.

To enable better reporting via RMM, it would be nice to enable notifications for Defender detections. Including those which are low-severity or automatically remediated.