Forum Discussion
EDR in block mode - specific devices & false positives
Hi all, How do I set EDR in block mode for specifc devices rathe than whole tenant? Also if I have false positives how to I enable access to that app if blocked by mistake?
You should create a Windows Custom Policy (OMA-URI) - in Intune go to Windows Configuration Profiles > pick Template Custom >Add OMA URI Settings > OMA-URI should be: ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation the data type integer and value I picked is 4 (4 stand for: Passive Remediation Realtime Protection Remediation, again see this link defender-csp ). See attached screenshot for the Configuration. After this you need to assign it to the device.
Regarding False positives you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. After you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide There is a section about un-doing remediation actions. You can perform those steps from the Defender Admin Portal, it is all well explained in the above guide.
Im still unsure what the policy would include?
Regarding apps which will get blocked would it be only those which are suspicious or could it think a app is malicious but then it actually isnt ie a false positive, would we be able to unblock the app quickly to allow users to carry on working without interruptions ?
Regarding apps which will get blocked would it be only those which are suspicious or could it think a app is malicious but then it actually isnt ie a false positive, would we be able to unblock the app quickly to allow users to carry on working without interruptions ?
You should create a Windows Custom Policy (OMA-URI) - in Intune go to Windows Configuration Profiles > pick Template Custom >Add OMA URI Settings > OMA-URI should be: ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation the data type integer and value I picked is 4 (4 stand for: Passive Remediation Realtime Protection Remediation, again see this link defender-csp ). See attached screenshot for the Configuration. After this you need to assign it to the device.
Regarding False positives you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. After you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide There is a section about un-doing remediation actions. You can perform those steps from the Defender Admin Portal, it is all well explained in the above guide.
- Can you try detect the error in the Eventviewer >DeviceManagement-Enterprise-Diagnostics-Provider:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/deploy-oma-uris-to-target-csp-via-intune#the-windows-event-log- The error in event viewer states HexIn1: 0x86000002
in intune the error is -2016281112
Any ideas?
