Forum Discussion

PaulCDicker's avatar
PaulCDicker
Brass Contributor
Jun 14, 2022

MDE vs Intune for ASR

Hi All I have a partner asking the following. Would appreciate any responses Thanks   As we discussed over the phone the vast majority of devices we manage are already enrolled in MEM (AAD Joined ...
microsoft defender for endpoint
mcoombe's avatar
mcoombe
Brass Contributor
Sep 08, 2022

PaulCDicker  This issue still exists for us and we have actually gone backwards.  Any device in MEM showing as MDE managed is now reporting in MDE Security Improvements as an "Exposed Device" for all 16 x ASR Security Controls.  To make matters worse the PowerShell commands we used to use on these devices to manually enable these 16 ASR commands no longer work.  We assume that this is because these devices are now enrolled in MEM using the "Use MDE to enforce security configuration settings from MEM" option which we assume either means only MEM policies can be applied to these devices or Tamper Protection is now blocking the ASR commands via PowerShell.  We have other devices enrolled in MDE but not in MEM that are showing as compliant for all 16 ASR security controls as we have successfully enabled these using PowerShell.  This is turning into a bit of a mess for hybrid environments where a reasonable number of devices are not enrolled in MEM or not Hybrid AD Joined but have are onboarded in MDE (MicrosoftSense) for EDR, TVM etc.

Jim Hill's avatar
Jim Hill
Brass Contributor
Mar 17, 2023
I see that this is now resolved in Endpoint Manger / Endpoint Security / Attack Surface Reduction. Just create a new rule and select the top item on the list (Windows 10, Winodws 11, and Windows Server) under Platform when you create the new rule. Disable your existing one of course and then enable the new one which includes the new ASR rule selection for "Bock abuse of exploited vulnerable signed drivers." I am not sure when that showed up but it is there now.
  • JoeGhaly's avatar
    JoeGhaly
    Copper Contributor
    Apr 04, 2023

    Jim Hill The problem is that we use Graph API to deploy this policy, but we can't do the same for the new mdm,ms.sense policy for (Windows 10,11 and Windows Server)
    Apparently this new type doesn't have an API yet ??

    • Jim Hill's avatar
      Jim Hill
      Brass Contributor
      Apr 05, 2023
      I am not sure about that. Please report back if you find out anything more on this.