Forum Discussion
MDE vs Intune for ASR
rahuljindal Thanks for your post. This is what we have set up at present for the majority of endpoints; however, for servers or endpoints not managed by MEM we need to be able to use MDE to manage AV, Firewall and ASR policies. AV/FW work as expected using the MDE/MEM Security Configuration on these devices, but ASR is not yet working, even though the target in the policy is defined as mdm,microsoftSense, so we would expect ASR policies to also work in the same way.
- PaulCDicker, Jun 16, 2022, Brass Contributor: Thanks guys, have escalated to the Australian engineering team to see if we can get anything on the roadmap and a timeline.
- mcoombe, Sep 09, 2022, Brass Contributor
PaulCDicker This issue still exists for us, and we have actually gone backwards. Any device in MEM showing as MDE managed is now reporting in MDE Security Improvements as an "Exposed Device" for all 16 ASR Security Controls. To make matters worse, the PowerShell commands we used to use on these devices to manually enable these 16 ASR rules no longer work. We assume that this is because these devices are now enrolled in MEM using the "Use MDE to enforce security configuration settings from MEM" option, which we assume either means only MEM policies can be applied to these devices or that Tamper Protection is now blocking the ASR commands via PowerShell. We have other devices enrolled in MDE but not in MEM that are showing as compliant for all 16 ASR security controls, as we have successfully enabled these using PowerShell. This is turning into a bit of a mess for hybrid environments where a reasonable number of devices are not enrolled in MEM or not Hybrid AD Joined but are onboarded in MDE (MicrosoftSense) for EDR, TVM etc.
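Added example, not posted by anyone in this thread: a small PowerShell check for the situation mcoombe describes above. It reads the effective ASR rule state through Get-MpPreference, reports whether Tamper Protection is on, attempts to enable one rule locally with Add-MpPreference, and then re-reads the state so a silent no-op (local change overridden by MDE/MEM-enforced policy, or rejected under Tamper Protection) is visible rather than assumed. The rule GUID is assumed to be the documented ID for "Block abuse of exploited vulnerable signed drivers"; confirm it against Microsoft's ASR rule reference before relying on it.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the endpoint.
# Assumption: this GUID is the documented ID for "Block abuse of exploited vulnerable
# signed drivers"; verify against Microsoft's ASR rule reference.
$RuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'

# Numeric action codes returned by Get-MpPreference for each configured ASR rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Returns the effective state of one ASR rule on this device, whatever set it
# (local PowerShell, Group Policy, MEM/Intune or MDE-enforced configuration).
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

# Lists every configured ASR rule with its action, for comparing against what the
# MDE Security Improvements page reports as exposed.
function Get-AsrRuleTable {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

$status = Get-MpComputerStatus
"Tamper Protection enabled: $($status.IsTamperProtected)"
"Configured ASR rules before change:"
Get-AsrRuleTable | Format-Table -AutoSize

$before = Get-AsrRuleState -Id $RuleId
"Before: $RuleId = $before"

# Try to enable the rule locally. Under MDE/MEM-enforced configuration or Tamper
# Protection this may either throw or appear to succeed without changing anything.
try {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled -ErrorAction Stop
} catch {
    Write-Warning "Add-MpPreference failed: $($_.Exception.Message)"
}

$after = Get-AsrRuleState -Id $RuleId
"After:  $RuleId = $after"

if ($after -ne 'Block') {
    Write-Warning ("Rule is not in Block state after the local change. " +
        "Local settings may be overridden by policy enforced from MDE/MEM, " +
        "or blocked by Tamper Protection; check the device's management authority in the portal.")
}
```

Reading the state back after the change is the point: Get-MpPreference reports the effective configuration regardless of its source, so an unchanged "After" value tells you the local command did not win, which is exactly what the thread's devices enrolled with "Use MDE to enforce security configuration settings from MEM" would show.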
- Jim Hill, Mar 17, 2023, Brass Contributor: I see that this is now resolved in Endpoint Manager / Endpoint Security / Attack Surface Reduction. Just create a new rule and select the top item on the list (Windows 10, Windows 11, and Windows Server) under Platform when you create the new rule. Disable your existing one, of course, and then enable the new one, which includes the new ASR rule selection for "Block abuse of exploited vulnerable signed drivers." I am not sure when that showed up, but it is there now.
- TP_IT, Sep 08, 2022, Brass Contributor