Where to see device Defender incidents and alerts

IMK 381 Reputation points
2023-03-16T12:39:36.45+00:00

Hi

We have M365 Business Premium licenses, which contain Defender for Business. We are controlling endpoint security configurations via Intune Endpoint Security.

I have one machine where Controlled Folder Access has blocked some file changes.

Problem here is that I do not get any info about this in the portal or anywhere.

If I go to Security portal (security.microsoft.com) -> Devices -> choose the device -> Incidents and alerts, I see no incidents there.

I don't receive any kind of info from any device about any incidents in the portal or via email, and I know for a fact that there have been incidents because I can see them in the device Defender history.

What is wrong? What could be the reason that I can't get info about incidents?


1 answer

  1. Khaled El-Sayed Mohamed 1,140 Reputation points
    2023-05-28T10:26:17.64+00:00

    Hi IMK

    If you are not receiving any information about incidents related to Controlled Folder Access in the Microsoft 365 Security portal or through email notifications, there could be a few potential reasons for this issue:

    Configuration Issue: Ensure that the necessary settings are properly configured in both Intune and Defender for Business to capture and report incidents. Review the configuration settings related to incident reporting and notifications in both Intune Endpoint Security and Defender Security Center to verify that they are set correctly.

    Delayed Reporting: Sometimes, there can be a delay in incident reporting and data synchronization between the endpoint device and the security portal. Allow some time for the incidents to be reported and synchronized to the portal. Check the timestamp of the incidents in the Defender Security Center to see if there is any significant delay in reporting.

    Filtering and Alert Settings: Check the filtering and alert settings in the Microsoft 365 Security portal to ensure that incidents related to Controlled Folder Access are not being filtered out or suppressed. Adjust the settings as necessary to include the desired incidents in the portal and email notifications.

    Licensing Limitations: Confirm that your M365 Business Premium licenses include the necessary features for incident reporting and monitoring. Review the licensing documentation to ensure that the licenses you have provide access to the desired incident reporting capabilities.

    Permission Issues: Ensure that the account you are using to access the Microsoft 365 Security portal has the necessary permissions to view and receive incident reports. Check your user roles and permissions in the portal to ensure that you have the appropriate access.

    If none of the above steps resolve the issue, it is recommended to reach out to Microsoft Support for further assistance.

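A device-side check for the situation in this thread, as an added example that is not part of the original question or answer: it reports the Controlled Folder Access mode, lists the local block and audit events, and shows whether the sensor service that reports to the portal is running. The function names are hypothetical; the event IDs (1123 blocked, 1124 audited) and the `Sense` service name are taken from Microsoft's Defender documentation, not from this thread.

```powershell
# Added example. Run in an elevated PowerShell session on the affected Windows device.

# Values of EnableControlledFolderAccess as returned by Get-MpPreference.
$CfaModes = @{
    0 = 'Disabled'
    1 = 'Enabled (block)'
    2 = 'Audit'
    3 = 'Block disk modification only'
    4 = 'Audit disk modification only'
}

function Get-CfaState {
    # Effective Controlled Folder Access configuration on this device.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode             = $CfaModes[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
        AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
    }
}

function Get-CfaEvent {
    # Local Defender log entries: 1123 = blocked, 1124 = audited.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
        # Flatten every named EventData field so no field name has to be assumed.
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $name = $d.GetAttribute('Name')
            if ($name) { $row[$name] = $d.InnerText }
        }
        [pscustomobject]$row
    }
}

function Get-SensorState {
    # 'Sense' is the Defender for Endpoint sensor; if it is absent or stopped,
    # the device does not send telemetry to security.microsoft.com.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status.ToString() } else { 'Sense service not found' }
}

Get-CfaState | Format-List
Get-CfaEvent -Days 30 | Format-List
"Sensor service: $(Get-SensorState)"
```

If events are listed locally but the sensor service is missing or stopped, the onboarding of the device is the first thing to verify before looking at portal filters or notification rules.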