EDR in block mode - specific devices & false positives

Hi all,

How do I set EDR in block mode for specific devices rather than the whole tenant? Also, if I have false positives, how do I enable access to that app if it was blocked by mistake?

You can set EDR in block mode per devices using Intune, see here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o3... -- "Starting with platform version 4.18.2202.X, you can now set EDR in block mode to target specific device groups using Intune CSPs"

You can find the Defender CSP here: https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp


For your second question, can you please elaborate a little more on what your scenario is?

I'm still unsure what the policy would include.

Regarding apps which will get blocked: would it be only those which are suspicious, or could it think an app is malicious when it actually isn't, i.e. a false positive? Would we be able to unblock the app quickly to allow users to carry on working without interruptions?
@AB21805 

You should create a Windows Custom Policy (OMA-URI). In Intune go to Windows Configuration Profiles > pick Template Custom > Add OMA-URI Settings. The OMA-URI should be: ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation, the data type integer, and the value I picked is 4 (4 stands for: Passive Remediation Realtime Protection Remediation; again see this link defender-csp). See attached screenshot for the configuration. After this you need to assign it to the device.

 

Regarding False positives you should first run the solution in audit mode and filter out the known false positives using the Defender Admin Portal before going to production. The OMA-URI integer value should be 2 for audit mode. After you encounter false positives in the audit phase or in the production remediation phase, follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-p... There is a section about un-doing remediation actions. You can perform those steps from the Defender Admin Portal, it is all well explained in the above guide. 
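The two steps in the answer above (create the custom OMA-URI profile with the audit value 2 or the remediation value 4, then assign it to a group of pilot devices rather than the whole tenant) can also be scripted through Microsoft Graph. The following is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has already run Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope, and that the profile names and the group ID are placeholders you replace.

```powershell
# Added example: deploy Defender PassiveRemediation via an Intune custom OMA-URI
# profile and scope it to one pilot device group. Not the thread's own code.
# Assumes: Microsoft.Graph module, an existing Connect-MgGraph session with
# DeviceManagementConfiguration.ReadWrite.All, and a placeholder group ID.

# Values for ./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation
# as used in the thread: 2 = real-time protection audit (no blocking),
# 4 = real-time protection remediation (EDR in block mode enforcing).
$PassiveRemediationValues = @{
    Audit     = 2
    Remediate = 4
}

function New-EdrBlockModeProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Audit', 'Remediate')] [string] $Mode,
        [Parameter(Mandatory)] [string] $TargetGroupId,   # Entra ID object ID of the pilot device group
        [string] $DisplayName = "Defender - EDR block mode ($Mode)"
    )

    # Windows 10/11 custom profile carrying a single integer OMA-URI setting
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Sets Defender PassiveRemediation via OMA-URI (added example)'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'PassiveRemediation'
                description   = "Value $($PassiveRemediationValues[$Mode]) = $Mode"
                omaUri        = './Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation'
                value         = $PassiveRemediationValues[$Mode]
            }
        )
    }

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

    # Assign to the pilot group only; never to "All devices" while still in audit.
    $assignment = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $TargetGroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

    return $created
}

# Usage (placeholder group ID): start in audit on the pilot group, review the
# detections in the Defender portal, then redeploy with -Mode Remediate.
# New-EdrBlockModeProfile -Mode Audit -TargetGroupId '<pilot-group-object-id>'
```

Keeping the mode as a parameter with only the two documented values means the audit-first workflow the answer recommends is the default path, and the enforcing value cannot be typed in by accident.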

Hi @SebastiaanSmits

I have tried to deploy this to a device and I get an error, any ideas?

[three screenshots attached: Screenshot 2024-02-27 at 14.05.10, 14.04.58, 14.06.28]

Can you try to detect the error in the Event Viewer > DeviceManagement-Enterprise-Diagnostics-Provider:

https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/deploy-oma-uris-to-ta...
The error in Event Viewer states HexIn1: 0x86000002

In Intune the error is -2016281112

Any ideas?
That eventvwr error in this context states: The specified node doesn’t exist.

Can you please verify the requirements for turning on EDR block mode are in place: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o3... , is this device for example already onboarded? Are the Engines updated? etc.
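The last two replies boil down to two local checks: confirm the device meets the EDR block mode prerequisites (platform version, onboarding, engine state) and pull the "node doesn't exist" MDM error out of the Event Viewer log named above. The following is an added example that does both from an elevated PowerShell session on the affected device; it is not code from the thread or from Microsoft. It assumes the platform version floor 4.18.2202 quoted earlier in the thread, the documented DeviceManagement-Enterprise-Diagnostics-Provider/Admin log, and the MDE onboarding status registry key under Windows Advanced Threat Protection.

```powershell
# Added example: local prerequisite check and MDM error lookup for EDR block mode.
# Not the thread's own code. Run elevated on the device that shows the error.
# Assumptions: minimum platform 4.18.2202 (from the learn.microsoft.com quote in
# the thread); OnboardingState = 1 under the MDE Status key means onboarded.

function Test-EdrBlockModePrerequisites {
    $status      = Get-MpComputerStatus
    $minPlatform = [version]'4.18.2202.0'
    $platform    = [version]$status.AMProductVersion   # Defender platform version

    # Sense (MDE) onboarding state written by the onboarding script/policy
    $senseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $senseKey -ErrorAction SilentlyContinue).OnboardingState -eq 1

    [pscustomobject]@{
        PlatformVersion    = $platform
        PlatformSupported  = $platform -ge $minPlatform  # CSP node exists from 4.18.2202 onward
        AMRunningMode      = $status.AMRunningMode        # e.g. Normal, Passive Mode, EDR Block Mode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Onboarded          = $onboarded
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

function Get-MdmNodeErrors {
    param([int] $Hours = 24)
    # Admin channel of the MDM diagnostics provider the reply above points to
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 2                                  # Error events only
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x86000002' } |  # "The specified node doesn't exist"
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Usage: a PlatformSupported of False or Onboarded of False alongside a
# 0x86000002 event explains why the PassiveRemediation node could not be set.
Test-EdrBlockModePrerequisites | Format-List
Get-MdmNodeErrors | Format-Table -AutoSize -Wrap
```

Reading the two outputs together is the point: a 0x86000002 event on its own only says the CSP node was not found, while the prerequisite object shows which of the conditions from the linked requirements page (platform version, onboarding, protection state) is actually missing on that device.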