Forum Discussion
braedachau
Sep 12, 2021Brass Contributor
Microsoft 365 Defender Portal - ASR Report
To whom it may concern, Somebody high up in Microsoft connected with the above mentioned portal needs to look at the detection process for ASR and the report. It is inaccurate, and although I...
David Caddick
Sep 13, 2021Iron Contributor
Hi Leon, Just checking if you've seen these articles? There is a series of 4
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Demystifying%20ASR%20rules
braedachau
Sep 13, 2021Brass Contributor
David,
I will read them again just in case I missed something, but I'm sure about my remarks. One way to prove would be to suspend the ASR rules in endpoint security and implement them via admx or another way that doesn't affect said registry key, or even implementation through PowerShell utilizing the appropriate command.
If I'm wrong I'll delete my post.
Thanks
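The post above suggests checking whether a rule pushed one way (endpoint security, ADMX/CSP, PowerShell) actually lands in the registry. The following is an added PowerShell example for that comparison; it is not the poster's code and not Microsoft's. It reads what Defender reports via Get-MpPreference and compares it with the ASR rule values under the local Exploit Guard registry key. The registry path is an assumption on my part about where Defender stores effective rules; the action-code mapping (0 Off, 1 Block, 2 Audit, 6 Warn) is the documented one. Run it from an elevated prompt.

```powershell
# Added example (not from this thread): compare the ASR rules Defender reports
# as active with the values present under the local ASR registry key, so a rule
# that was pushed by policy/CSP/PowerShell but did not land can be spotted.
# ASSUMPTION: this is the key Defender populates with effective ASR rules;
# adjust it if your build stores them elsewhere.
$asrKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'

# Numeric action codes as used by Get-MpPreference and the registry values.
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Rules as Defender itself reports them (needs an elevated prompt).
    $pref = Get-MpPreference
    $reported = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
        $reported[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }

    # Rules as written to the registry, if the key exists at all.
    $inRegistry = @{}
    if (Test-Path $asrKey) {
        $item = Get-ItemProperty -Path $asrKey
        foreach ($p in $item.PSObject.Properties) {
            # Value names under this key are the rule GUIDs.
            if ($p.Name -match '^[0-9a-f-]{36}$') {
                $inRegistry[$p.Name.ToLower()] = [int]$p.Value
            }
        }
    }

    # One row per rule seen in either source, flagging any disagreement.
    $allIds = (@($reported.Keys) + @($inRegistry.Keys)) | Sort-Object -Unique
    foreach ($id in $allIds) {
        $r = $reported[$id]
        $g = $inRegistry[$id]
        [pscustomobject]@{
            RuleId         = $id
            ReportedAction = $(if ($null -ne $r) { $actionNames[$r] } else { 'missing' })
            RegistryAction = $(if ($null -ne $g) { $actionNames[$g] } else { 'missing' })
            Consistent     = ($null -ne $r -and $null -ne $g -and $r -eq $g)
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
```

Any row with Consistent = False (or a 'missing' side) is a rule whose delivery path is worth re-checking before trusting the portal's ASR report for that device.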
David Caddick
Sep 14, 2021Iron Contributor
Leon,
So better to not delete but press on...
Maybe I'm needing another coffee this morning, but I'm still not entirely clear on what it is that's not correct? Can I be a pain and ask you to dumb it down for me?
Dave C
braedachau
Oct 20, 2021Brass Contributor
David,
I apologize for my extremely late reply.
To make it very short, I have given up on PowerShell to implement the "unsigned driver" ASR rule and moved to a CSP implementation, as the aforementioned seems to be inconsistent using a custom Compliance Policy.
This issue will disappear when the "unsigned drivers" ASR rule is implemented via the MEM - Endpoint security - ASR.
The current settings catalog implementation via ADMX/CSP in MEM - Devices - Compliance Policies only applies to Enterprise and Education; mine are Professional.
Thank you for your time, and you can see my frustration, but I don't make the rules.