Hey everyone! António and Rob here!
For the past few years, we’ve been working closely with many of our customers, assisting them in their journeys toward adopting the full Microsoft Defender A...
We are just in the process of auditing/validating the endpoints to ensure the correct settings are being enabled "as advertised", and as part of that my brother pointed out this great resource on GitHub that does a lot of the heavy lifting, apart from the fact that it's for Build 1709: https://github.com/cottinghamd/HardeningAuditor/blob/master/ASD1709HardeningComplianceCheck.ps1
It clearly has some elements missing on ASR, so needs updating.
Running this in PowerShell brings out *ALL* the ASR rules via Get-MpPreference:
From this I was able to effectively report the following table to prove/validate the correct settings are in place, but it is a very long-winded process.
Question - how come we are stuck with GUIDs? Can't these be called something easy to recognize?
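
An added example (not part of the comment above or of the linked HardeningAuditor script) showing one way to turn the GUIDs from Get-MpPreference into a readable audit table. The function name `Get-AsrRuleReport` is hypothetical, the name table covers only a subset of rules from Microsoft's published ASR rule reference, and the sample input at the end is constructed.

```powershell
# Friendly names for a subset of ASR rule GUIDs, per Microsoft's ASR rule reference.
$AsrNames = [ordered]@{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}
# Values reported in AttackSurfaceReductionRules_Actions.
$AsrStates = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {   # hypothetical helper name
    param([string[]]$Ids, [int[]]$Actions)
    if ($Ids.Count -ne $Actions.Count) { throw 'Ids and Actions must be the same length.' }
    # The two arrays are parallel: Actions[i] is the state of Ids[i].
    $set = @{}
    for ($i = 0; $i -lt $Ids.Count; $i++) { $set[$Ids[$i].ToLower()] = $Actions[$i] }
    # Report every rule in the table (so unset rules show up), then any GUID the table lacks.
    $all = @($AsrNames.Keys) + @($set.Keys | Where-Object { -not $AsrNames.Contains($_) })
    foreach ($id in $all) {
        $state = 'Not configured'
        if ($set.Contains($id)) {
            $state = $AsrStates[[int]$set[$id]]
            if (-not $state) { $state = "Unknown ($($set[$id]))" }
        }
        $name = $AsrNames[$id]
        if (-not $name) { $name = '(GUID not in table)' }
        [pscustomobject]@{ Rule = $name; State = $state; Id = $id }
    }
}

# Constructed sample input. On an endpoint, pass the live values instead:
#   $p = Get-MpPreference
#   Get-AsrRuleReport -Ids $p.AttackSurfaceReductionRules_Ids -Actions $p.AttackSurfaceReductionRules_Actions
$sampleIds = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2', '00000000-0000-0000-0000-000000000000'
Get-AsrRuleReport -Ids $sampleIds -Actions 1, 2, 6 | Format-Table -AutoSize
```

Rules listed as "Not configured" are the gaps to chase in an audit; a row with "(GUID not in table)" means the name table needs extending for a newer rule.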