Jun 14 2022 09:47 PM
Hi All
I have a partner asking the following. Would appreciate any responses. Thanks
As we discussed over the phone the vast majority of devices we manage are already enrolled in MEM (AAD Joined or Hybrid AD Joined) and therefore all of the Endpoint Security policy types are supported.
The key challenge that we have at present is that ASR is not yet included under MDE Security Configuration even though when you create a new ASR policy the target is mdm,microsoftSense (screen clip below) which suggests to me this capability is not far away.
We have the ability to build out an ASR framework using PowerShell and our RMM tools; however, this requires a significant investment of time, which would be a wasted effort if ASR will be included in MDE Security Configuration in the near future.
M
Jun 15 2022 03:43 PM
Jun 15 2022 03:50 PM
@rahuljindal-MVP Thanks for your post, this is what we have set up at present for the majority of endpoints; however, for servers or endpoints not managed by MEM we need to be able to use MDE to manage AV, Firewall and ASR policies. AV/FW work as expected using the MDE/MEM Security Configuration on these devices, but ASR is not yet working, yet the target in the policy is defined as mdm,microsoftSense, so we would expect ASR policies to also work in the same way.
Jun 15 2022 11:23 PM
Jun 16 2022 04:56 PM
Sep 08 2022 05:18 AM
Sep 08 2022 10:28 PM
@PaulCDicker This issue still exists for us and we have actually gone backwards. Any device in MEM showing as MDE managed is now reporting in MDE Security Improvements as an "Exposed Device" for all 16 x ASR Security Controls. To make matters worse, the PowerShell commands we used to use on these devices to manually enable these 16 ASR commands no longer work. We assume that this is because these devices are now enrolled in MEM using the "Use MDE to enforce security configuration settings from MEM" option, which we assume either means only MEM policies can be applied to these devices or Tamper Protection is now blocking the ASR commands via PowerShell. We have other devices enrolled in MDE but not in MEM that are showing as compliant for all 16 ASR security controls, as we have successfully enabled these using PowerShell. This is turning into a bit of a mess for hybrid environments where a reasonable number of devices are not enrolled in MEM or not Hybrid AD Joined but are onboarded in MDE (MicrosoftSense) for EDR, TVM, etc.
Mar 17 2023 08:04 AM
Apr 04 2023 09:49 PM
@Jim Hill The problem is that we use Graph API to deploy this policy, but we can't do the same for the new mdm,ms.sense policy (for Windows 10, 11 and Windows Server).
Apparently this new type doesn't have an API yet??
Apr 05 2023 09:20 AM