Microsoft Tech Community

MDE Device Vulnerability False-Positives


I've been doing a lot of spot checking since we've implemented both Intune and MDE. Intune and MDE are working in concert with each other, but something isn't right in the device reporting. Case in point:

#1 - I have several devices in MDE that show "Medium" risk levels based on outstanding patches or other software vulnerabilities.  I've logged into several of these devices only to find that patching based on my configured Update Rings and other security interventions have been done that were reported by MDE.  Yet none of these things are being updated in MDE even as the devices are syncing with Intune and sending health logs.  I don't trust the "Exposure Score" in our MDE dashboard due to this lack of proper device update reporting to MDE, and I have concerns about implementing some of the other recommendations just because I don't trust that MDE isn't going to accurately report the implementations and results therein.


#2 - I've implemented several ASR rules in "Block" mode in Intune that MDE has yet to interpret, so my ASR reports are inaccurate.


#3 - I have two vulnerability remediations that I configured in Intune two weeks ago that MDE has yet to report the status on, although Intune shows devices as having received the profile update.

Is anyone else seeing similar behavior or false-positives in your MDE environment?

2 Replies

Thanks for sharing this, I've sent you a private message to gain some more details on this scenario.

Quick update. I found all the locations in the registry where the ASR rules are defined, and I deleted those subkeys. After resyncing my computer, my configured ASR settings came back as they were supposed to, so the issue is what is preventing Intune from updating the existing keys in the registry. For reference, these are the ASR locations:

1) HKLM\SOFTWARE\Microsoft\PolicyManager\providers\B469E1ED-0677-460C-BC29-A82E1BD521BC\default\Device\Defender
2) HKLM\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\xxxx
3) HKLM\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\xxxx
4) HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
5) HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Policy Manager
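Before deleting any of those keys, it helps to see whether the Policy Manager value Intune wrote actually matches what the Defender engine reports as in force. The script below is an added example, not the poster's or Microsoft's code; it assumes the MDM-written value under location 4 is named ASRRules and holds GUID=action pairs separated by "|", and it reads the effective state with Get-MpPreference (run from an elevated PowerShell).

```powershell
# Added example: compare ASR rules in the MDM Policy Manager registry value
# with what the Defender engine reports as effective.
# Assumption: the value is named "ASRRules" and looks like "<guid>=<action>|<guid>=<action>"
# where 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.

$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. What Intune/MDM wrote into the Policy Manager key (location 4 in the reply above)
$pmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$policyRules = @{}
$raw = (Get-ItemProperty -Path $pmKey -Name 'ASRRules' -ErrorAction SilentlyContinue).ASRRules
if ($raw) {
    foreach ($pair in ($raw -split '\|')) {
        $id, $action = $pair -split '='
        if ($id) { $policyRules[$id.Trim().ToLower()] = [int]$action }
    }
}

# 2. What the Defender engine reports as effective right now
$pref = Get-MpPreference
$effectiveRules = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    $effectiveRules[$ruleId] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

# 3. List every rule seen in either source and flag mismatches
$allIds = (@($policyRules.Keys) + @($effectiveRules.Keys)) | Sort-Object -Unique
foreach ($id in $allIds) {
    $p = $policyRules[$id]
    $e = $effectiveRules[$id]
    [pscustomobject]@{
        RuleId    = $id
        Policy    = if ($null -ne $p) { $actionNames[$p] } else { '(not in policy)' }
        Effective = if ($null -ne $e) { $actionNames[$e] } else { '(not applied)' }
        Match     = ($p -eq $e)
    }
}
```

A row where Policy shows the intended mode but Effective differs (or is missing) points at the stale-key problem described in the reply; a row where both agree but MDE still reports the rule as absent points at reporting lag instead, so the registry is not the thing to touch.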