Building a tamper-resilient endpoint with Microsoft Intune and Microsoft Defender
Event details
Come listen to Matt and Josh talk about how secure endpoint configurations fit into your zero trust strategy. They'll describe the overall landscape, how to unify your configurations into a single source, and then augment them with tamper protection and attack surface reduction
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
24 Comments
- Paul_Woodward
Iron Contributor
If we set ASR rules and it breaks something, can we easily stop applying them and get back to where I started from? No tattooing, in other words. I can't break an app and be unable to fix it again. Also, we can see the logs for LSA protection, and there is a ton of stuff in there. It's impossible to deal with manually. How can we exclude 'unimportant' noise from the logs?
- JoshBregman
Microsoft
You can manage ASR rules via Microsoft Intune - Enable attack surface reduction rules with Intune
ASR rules do not make any changes to applications. They only block behaviors when enabled in block mode. If you are having issues you can Report and troubleshoot Microsoft Defender for Endpoint ASR Rules | Microsoft Learn.
You can also exclude files and folders from ASR rules as a last resort - Enable attack surface reduction rules | Microsoft Learn
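An added example (not from the session or the linked Microsoft docs) illustrating the answer above from the endpoint side: it lists the current ASR rule states, summarises the noisiest ASR audit/block events so the "unimportant" volume is visible per rule and process, and rolls a single rule back to audit mode. It assumes an elevated PowerShell session on a lab device where ASR is not enforced by Intune (an Intune-assigned policy would simply re-apply its configured state), and the rule GUID is a placeholder.

```powershell
# Assumes an elevated PowerShell session on a Windows 10/11 lab device with Defender AV
# and no Intune-managed ASR policy (Intune would reassert its state on the next sync).

# 1. Show each configured ASR rule and its action.
#    Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}

# 2. Summarise ASR block (1121) and audit (1122) events from the last 7 days,
#    grouped by mode, rule and process, highest volume first. The EventData
#    field names (ID, Process Name, Path) are taken from the event's XML payload;
#    verify them against a sample event on your own devices.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $data['ID']
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Group-Object Mode, RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Roll one rule from Block back to Audit. Nothing is "tattooed" on the app:
#    the rule stops blocking as soon as its action changes. Placeholder GUID below.
$ruleId = '00000000-0000-0000-0000-000000000000'   # placeholder: the rule that broke the app
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode

# 4. Check whether Tamper Protection is on; it guards the core AV engine settings
#    against local changes, so a locally edited configuration may not stick.
(Get-MpComputerStatus).IsTamperProtected
```

Step 2 is the triage view for the noise question: once the top rule/process pairs are known, a targeted exclusion or an audit-mode rule for that pair is a much smaller change than suppressing the log wholesale.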
- ToddEMN
Copper Contributor
Where can the slide decks be found that many of the individuals presenting are referencing?
- Heather_Poulsen
Community Manager
Slides are not available, but here are the links referenced in this session:
- Greg Stein
Brass Contributor
Which of the 16 ASR rules are considered "standard" that were recommended to get started with?
- Greg Stein
Brass Contributor
Found an article in case anyone else is looking for this info: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#attack-surface-reduction-rules-by-type
- Rob de Roos
Iron Contributor
You are talking about P1. Something that isn't entirely clear to me is whether that licensing makes the central management available in Security.microsoft.com, or whether it is purely that you are able to set certain policies. How do you manage the P1 licensed stuff? Like reporting etc.
- Blessing
Copper Contributor
Is it recommended or best practice for the security team to edit or update configurations in MEM, or should they request the IT team to make the required changes?
- Matt_Call
Microsoft
You can do it either way. We offer a built-in role and a tailored experience (Endpoint Security) to allow your Security Admins to manage settings, etc. Generally, this is going to come down to your organizational culture and workload assignment, and we strive to support both scenarios.
- Paul_Woodward
Iron Contributor
In my experience, as the Intune guy, the security team will be tempted to enable policy (e.g. a new security baseline) that clashes with existing policy configurations, due to lack of insight into the existing policies, and not being party to the testing of devices and policy during UAT. So any change to settings needs to be done in parallel with the ICT admins and the Service desk, so that potential clashes and breakages can be avoided, and impact assessed. I'd recommend a sign-off process to ensure all parties are fully aware of changes.
- Heather_Poulsen
Community Manager
We’re happy you’re here with us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back throughout the week. For bonus content, make sure to check out our Technical Takeoff Demo Channel and subscribe to our YouTube channel!
- Hajo
Brass Contributor
When you create an ASR exclusion, you also exclude it from the rules that are in audit mode. Will that be changed so it only excludes from block?
- Matt_Call
Microsoft
Great feedback! We are working on shipping 'Per Rule' exclusions, which will allow you to be more granular with your exclusions and let you specify exclusions only for certain rules (so you could add them just for your rules in block mode). In general, we've taken feedback both ways (audit mode excluded and included) on the usefulness. Thanks for the feedback!
- Blessing
Copper Contributor
Is there a way to turn off or suppress Windows Defender notifications that are triggered after an action has been blocked, e.g. by ASR or Controlled Folder Access rules?
- thejame
Copper Contributor
Can you help elaborate the difference between "tamper protection" (vs) "this setting is managed by your administrator", which is also defined & set in Intune?
- Matt_Call
Microsoft
Sure! Tamper Protection is a feature that prevents tampering with the Defender AV engine. "This setting is managed by your administrator" simply indicates that a management configuration (regardless of channel) is forcing the setting into that state. In general, Tamper Protection provides a higher level of assurance than a 'normal' configuration coming from a management plane.