Feb 26 2024 03:28 AM
Hi all,
How do I set EDR in block mode for specific devices rather than the whole tenant? Also, if I have false positives, how do I enable access to that app if it is blocked by mistake?
Feb 26 2024 08:48 AM
Solution
You should create a Windows Custom Policy (OMA-URI): in Intune go to Windows Configuration Profiles > pick Template Custom > Add OMA-URI Settings. The OMA-URI should be ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation, the data type integer, and the value I picked is 4 (4 stands for Passive Remediation Realtime Protection Remediation; again, see this link: defender-csp). See the attached screenshot for the configuration. After this you need to assign it to the device.
Regarding false positives, you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. When you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-p... There is a section about undoing remediation actions. You can perform those steps from the Defender Admin Portal; it is all well explained in the above guide.
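The same profile the answer builds by hand in the Intune portal can be created and scoped with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All scope, and that the placeholder group id is replaced with an Entra ID group containing only the pilot devices. The integer values (2 for audit, 4 for block) are the ones stated in the answer; the profile is device-scoped, so restricting it to specific devices comes entirely from which group it is assigned to.

```powershell
# Added example (not from the thread): create the Intune custom OMA-URI profile
# described in the answer and assign it to ONE device group, not the whole tenant.
# Assumptions (not on the page): Microsoft.Graph module installed, signed-in account
# has DeviceManagementConfiguration.ReadWrite.All, and $GroupId is replaced with the
# object id of a group that contains only the devices that should get the setting.

param(
    [ValidateSet('Audit', 'Block')]
    [string]$Mode = 'Audit',                                  # start in audit (2) as the answer recommends
    [string]$GroupId = '<PILOT-DEVICE-GROUP-OBJECT-ID>',      # placeholder; replace before running
    [string]$ProfileName = "Defender EDR in block mode ($Mode)"
)

# Integer values as stated in the answer: 2 = audit mode,
# 4 = Passive Remediation Realtime Protection Remediation (the "block" setting).
$valueByMode = @{ Audit = 2; Block = 4 }

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# Windows custom (OMA-URI) profile body, equivalent to the portal steps in the answer.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Scopes EDR block mode to assigned devices only (setting is device-scoped: ./Device/).'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'PassiveRemediation'
            omaUri        = './Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation'
            value         = $valueByMode[$Mode]
        }
    )
}

# Create the profile. Invoke-MgGraphRequest returns the created object as a hashtable.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile to the pilot group only; this is what keeps the change
# off every other device in the tenant.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created profile '$($created.displayName)' (id $($created.id)) with PassiveRemediation=$($valueByMode[$Mode]) and assigned it to group $GroupId"
```

Run it first with `-Mode Audit`, review what Defender would have remediated in the Defender portal and tune out the known false positives, then rerun with `-Mode Block` (or edit the existing profile's value). A device only receives the setting if it is a member of the assigned group, so moving a device out of that group, or unassigning the profile, is also the way to back out for a single machine.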