cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MDE Device Vulnerability False-Positives

KB850VR
Copper Contributor

‎May 21 2022 08:59 AM - edited ‎May 21 2022 09:43 AM

‎May 21 2022 08:59 AM - edited ‎May 21 2022 09:43 AM

MDE Device Vulnerability False-Positives

I've been doing a lot of spot checking since we've implemented both Intune and MDE.  Intune and MDE are working in concern with each other, but something isn't right in the device reporting. Case in point:

#1 - I have several devices in MDE that show "Medium" risk levels based on outstanding patches or other software vulnerabilities.  I've logged into several of these devices only to find that patching based on my configured Update Rings and other security interventions have been done that were reported by MDE.  Yet none of these things are being updated in MDE even as the devices are syncing with Intune and sending health logs.  I don't trust the "Exposure Score" in our MDE dashboard due to this lack of proper device update reporting to MDE, and I have concerns about implementing some of the other recommendations just because I don't trust that MDE isn't going to accurately report the implementations and results therein.

 

#2 - I've implemented several ASR rules in "Block" mode Intune that MDE has yet to interpret, so my ASR reports are inaccurate.

 

#3 - I have two vulnerability remediations that I configured in Intune two weeks ago that MDE has yet to report the status on, although Intune shows devices as having received the profile update.


Is anyone else seeing similar behavior or false-positives in your MDE environment?

1,483 Views
1 Like
2 Replies
Reply
2 Replies
mark-thomas

‎Jun 08 2022 04:04 AM

‎Jun 08 2022 04:04 AM

Re: MDE Device Vulnerability False-Positives

Thanks for sharing this, I've sent you a private message to gain some more details on this scenario.
1 Like
Reply
KB850VR

‎Jun 15 2022 01:10 PM

‎Jun 15 2022 01:10 PM

Re: MDE Device Vulnerability False-Positives

Quick update. I found all the locations in the registry where the ASR rules are defined, and I deleted those subkeys. After resyncing my computer, my configured ASR settings came back as they were supposed to, so the issue is what is preventing Intune from updating the existing keys in the registry. For reference, these are the ASR locations:

1) HKLM\SOFTWARE\Microsoft\PolicyManager\providers\B469E1ED-0677-460C-BC29-A82E1BD521BC\default\Device\Defender
2) HKLM\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\xxxx
3) HKLM\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\xxxx
4) HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
5) HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Policy Manager
0 Likes
Reply