I noticed that the security recommendations in MDE are...let's say "not smart". To give you some examples:
It is recommended that Bitlocker is enabled on virtual machines (VDIs). Why should someone enable Bitlocker on a machine that is virtual, hosted in a corporate owned datacenter and can't be stolen?
The ASR Rule "Block credential stealing from the Windows local security authority subsystem" is recommended, even if Credential Guard is enabled on a machine. The article for the ASR Rule states that this rule is only useful if Credential Guard is not enabled: Use attack surface reduction rules to prevent malware infection | Microsoft Docs
The ASR Rule "Block persistence through WMI event subscription" is recommended, even if the machine is using SCCM - you can't enbable this rule if SCCM is present on a machine (this would block SCCM Agent from functioning correctly). It is only useful if youre not co-managing devices and are only using Intune or another MDM: Use attack surface reduction rules to prevent malware infection | Microsoft Docs
All of the above could be easily detected by MDE, so my feeling about this is, that not much effort was put in the recommendations.
Could you please have a look into this? A lot of recommendations just doesn't make any sense.
I'm using Credential Guard *and* the ASR rule to block credential theft. Having the defense in depth doesn't affect performance meaningfully and helps keep desktops covered in the event of TPM failure.
I‘ve added this already, but I would love to see more communication from Microsoft in this Community site. Unfortunately, it‘s silent most of the time - not a great Community experience.
1 best response
Accepted Solutions
best response confirmed by
SteBeSec (Iron Contributor)
