Forum Discussion
Proactive Remediations - Security Recommendations Defender Endpoint
First off, you stated 'Proactive remediation is not an option in a non-joined scenario'. As long as your devices are hybrid AD joined or AAD joined, you are good to go. What join method are you using?
I would recommend not using proactive remediations to configure settings, as they can become quite cumbersome to maintain. I would advise using different Intune profiles.
For ASR for example: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#intune
For the Adobe Reader, I would try to use a 'MST' configuration file during installation => https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/basics.html
Would this solve your issue?
Thanks for your reply.
You can't disable persistence via WMI via Intune.
This one you can - GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
This one you can't - GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
As explained here
It requires a PowerShell script to be written and signed, with both the script and the signing certificate published to Windows endpoints. I haven't signed the PowerShell script yet and am figuring out a safe way to store it "publicly" - I have no website, so I am thinking about putting them into a SharePoint site that is available to all. I have run the PowerShell ASR script locally on 3 test machines and am waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should, as this happens when I close recommendations on a test machine first and then the entire tenant).
I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but I might now investigate if I can close these via hash blocks in Defender Endpoint (some additional testing is now required on how Acrobat runs Java and Flash).
Thanks.
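As an added example (not code posted in this thread): a PowerShell script that enables the ASR rule the previous post says cannot yet be set from Intune, using the GUID quoted above, and then verifies that Defender actually reports it in Block mode. It uses only the Defender cmdlets `Get-MpPreference` and `Add-MpPreference`; the function names, the "exit 1 on failure" convention and the assumption that the script runs elevated (as SYSTEM from Intune, or from an admin prompt when testing locally) are mine.

```powershell
# Added example, not from the thread. Enables one ASR rule with PowerShell
# and verifies the result. Must run elevated (Intune runs scripts as SYSTEM
# by default). Function names and exit-code convention are assumptions.

# "Block persistence through WMI event subscription"; GUID taken from the thread above.
$RuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# Get-MpPreference reports each rule's state as a byte:
# 0 = Disabled, 1 = Block (what Add-MpPreference's "Enabled" sets), 2 = Audit.
$RuleActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Defender returns GUIDs in upper case; compare case-insensitively.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return [int]$actions[$i] }
    }
    return $null   # rule is not configured at all on this machine
}

function Set-AsrRuleBlock {
    param([Parameter(Mandatory)][string]$Id)
    # Add-MpPreference merges into the existing ASR rule list, so rules already
    # pushed by an Intune ASR profile are left untouched. Set-MpPreference
    # would replace the whole list, which is why it is not used here.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions Enabled `
                     -ErrorAction Stop
}

function Format-State([object]$State) {
    if ($null -eq $State) { return 'not configured' }
    return $RuleActions[$State]
}

$before = Get-AsrRuleState -Id $RuleId
if ($before -eq 1) {
    Write-Output "ASR rule $RuleId already in Block mode; nothing to do."
    exit 0
}

Set-AsrRuleBlock -Id $RuleId
$after = Get-AsrRuleState -Id $RuleId

if ($after -ne 1) {
    # Non-zero exit so Intune marks the script run as failed instead of
    # silently reporting success on a machine where the rule never applied.
    Write-Output ("ASR rule {0} not applied: state is {1}" -f $RuleId, (Format-State $after))
    exit 1
}
Write-Output ("ASR rule {0} set to Block (was: {1})" -f $RuleId, (Format-State $before))
exit 0
```

To sign it before publishing, as the post above plans to, a code-signing certificate from the user store can be used with the built-in cmdlet: `Set-AuthenticodeSignature -FilePath .\Enable-AsrWmiPersistence.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]` (the file name is an assumption). The signature only helps if the endpoints trust the certificate, so the certificate itself still has to be delivered to the devices' Trusted Publishers store, and it is worth re-running the check after deployment rather than trusting the Intune "succeeded" status alone.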
Thijs Lecomte, Jan 05, 2021, Bronze Contributor:
Have you checked out regular PowerShell scripts in Intune? These might suit you better; you can also sign these (but that should also be possible with proactive remediations).
Btw: this setting is currently in development to be configured through the portal. If I were you I would hold on a little longer and configure it natively. https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#new-setting-for-attack-surface-reduction-rules-to-block-malware-from-gaining-persistence-through-wmi

braedachau, Jan 14, 2021, Brass Contributor:
I have enabled this via PowerShell, although I found issues with Azure AD and Intune.
I will move this to the native solution when available and keep developing PowerShell scripts to deploy to fix the other shortcomings.
Thanks