Push ASR rules with Security Settings Management on Microsoft Defender for Endpoint managed devices
Published Feb 02 2023 03:01 PM 19.3K Views
Microsoft

In May 2022, we announced the general availability of Security Settings Management for Microsoft Defender for Endpoint. This release empowered security teams to configure devices with their desired antivirus, EDR and firewall settings without needing to deploy and implement additional tools or infrastructure.  

 

As we continue our momentum around Security Settings Management, we are excited to announce that we are expanding this capability to help cover more scenarios with support for Attack Surface Reduction (ASR) rules, now in public preview. This release will allow all Defender for Endpoint managed devices to receive ASR rules via Microsoft Intune. 

 

NOTE: If you already have Defender for Endpoint managed devices in scope of an ASR rule, this rule will start applying automatically. For more details, see Expanding support for Attack surface reduction rules with Microsoft Intune.

 

How does it work? 

For testing purposes, we recommend you create a dedicated Azure Active Directory (Azure AD) group for all Defender for Endpoint managed devices. This can be done by leveraging dynamic grouping capabilities. 

 

ASR Rules 

In the Intune admin center, create an ASR rule following the usual flow.  

DanLevyMS_0-1663851737694.png

 

 

When prompted to target the rule, select the Azure AD group you’ve created for testing purposes, and which includes only Defender for Endpoint managed devices. 

DanLevyMS_1-1663851737696.png

 

 

Confirm the creation process and wait for a success indication in the Intune admin center.  

DanLevyMS_2-1663851737699.png

 

 

Note that policies are typically enforced within an hour after configuration. On the client, run the Get-MpPreference command utility to validate these settings have effectively been assigned. 

 

 

Frequently Asked Questions 

Q/ Can I use this to target MDE managed servers with ASR rules? 

A/ Yes, Windows servers that are in scope for MDE settings management (2012 R2 and up) will be able to receive ASR rules via this feature.

 

Q/ I have Azure AD groups that include devices managed by Intune as well as devices managed by Defender for Endpoint – do I need to recreate or review my entire grouping construct in Azure AD? 

A/ As Microsoft Intune’s policy distribution mechanism is agnostic to the device’s management channel, using Security Settings Management in Defender for Endpoint does not require thoroughly reviewing your existing Azure AD grouping construct. 

However, if you have attempted to target Defender for Endpoint managed devices with ASR rules prior to this preview announcement, you will have noticed that the settings failed to apply on the devices. With this feature now available, these devices will start successfully enforcing ASR policies.

10 Comments
Co-Authors
Version history
Last update:
‎Mar 02 2023 03:43 PM
Updated by: