Forum Discussion
EDR in block mode - specific devices & false positives
Hi all,
How do I set EDR in block mode for specifc devices rathe than whole tenant? Also if I have false positives how to I enable access to that app if blocked by mistake?
You should create a Windows Custom Policy (OMA-URI) - in Intune go to Windows Configuration Profiles > pick Template Custom >Add OMA URI Settings > OMA-URI should be: ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation the data type integer and value I picked is 4 (4 stand for: Passive Remediation Realtime Protection Remediation, again see this link defender-csp ). See attached screenshot for the Configuration. After this you need to assign it to the device.
Regarding False positives you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. After you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide There is a section about un-doing remediation actions. You can perform those steps from the Defender Admin Portal, it is all well explained in the above guide.
- SebastiaanSmitsSteel ContributorYou can set EDR in block mode per devices using Intune, see here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide#enable-edr-in-block-mode -- "Starting with platform version 4.18.2202.X, you can now set EDR in block mode to target specific device groups using Intune CSPs"
You can find the Defender CSP here: https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp
For your second question can you please elaborate a little more on what your scenario is..- AB21805Bronze ContributorIm still unsure what the policy would include?
Regarding apps which will get blocked would it be only those which are suspicious or could it think a app is malicious but then it actually isnt ie a false positive, would we be able to unblock the app quickly to allow users to carry on working without interruptions ?- SebastiaanSmitsSteel Contributor
You should create a Windows Custom Policy (OMA-URI) - in Intune go to Windows Configuration Profiles > pick Template Custom >Add OMA URI Settings > OMA-URI should be: ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation the data type integer and value I picked is 4 (4 stand for: Passive Remediation Realtime Protection Remediation, again see this link defender-csp ). See attached screenshot for the Configuration. After this you need to assign it to the device.
Regarding False positives you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. After you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide There is a section about un-doing remediation actions. You can perform those steps from the Defender Admin Portal, it is all well explained in the above guide.