Forum Discussion
MDE vs Intune for ASR
PaulCDicker This issue still exists for us and we have actually gone backwards. Any device in MEM showing as MDE managed is now reporting in MDE Security Improvements as an "Exposed Device" for all 16 x ASR Security Controls. To make matters worse, the PowerShell commands we used to use on these devices to manually enable these 16 ASR commands no longer work. We assume that this is because these devices are now enrolled in MEM using the "Use MDE to enforce security configuration settings from MEM" option, which we assume either means only MEM policies can be applied to these devices or Tamper Protection is now blocking the ASR commands via PowerShell. We have other devices enrolled in MDE but not in MEM that are showing as compliant for all 16 ASR security controls, as we have successfully enabled these using PowerShell. This is turning into a bit of a mess for hybrid environments where a reasonable number of devices are not enrolled in MEM or not Hybrid AD Joined but are onboarded in MDE (MicrosoftSense) for EDR, TVM etc.
- JoeGhaly, Apr 04, 2023, Copper Contributor
Jim Hill The problem is that we use Graph API to deploy this policy, but we can't do the same for the new mdm,ms.sense policy for (Windows 10, 11 and Windows Server).
Apparently this new type doesn't have an API yet??
- Jim Hill, Apr 05, 2023, Brass Contributor
I am not sure about that. Please report back if you find out anything more on this.