Windows 10 ASR Issues - Non Compliance


Hello all [edited]

 

Thanks Rudy for replying.

 

I have issues with ASR: one minute it's good, the next it's bad.  The policies haven't changed, nor have the computers, whether personal or corporate; for some reason they just drop key entries in the ASRRules value of the policy located here, causing the appropriate alerts in the security portal.

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager

 

So I have done a helpdesk 101 and found this.

 

https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/

 

The proactive remediation script is rather simple: just look up the value of the ASRRules key and compare it to a benchmark that is compliant.  If compliant, exit 0; if not, exit 1 and execute the remediation script, which is now going to be this line:

 

Get-ScheduledTask | ? {$_.TaskName -eq 'PushLaunch'} | Start-ScheduledTask

 

I've just run it locally and MEM responded with the appropriate timestamp pretty quickly, so I'll run with it for the time being. Confirmed again in MEM and the MSDE timeline: it ran and forced the resync, after I rewrote the code.

 

I shall sit back and wait to see what happens over the next week or two.  I am hoping that the ASR report cleans up and stops ticking me off (I'm getting rather good at Live Response to pull the key remotely; as you know, personal devices don't have the diagnostic function within MEM, and most devices can be over 1000 km from me at the time).

 

I may be right out of the ball park yet, but I'm learning.

 

Thanks for reading, and Rudy for trying to help.

 

Regards

The Hobbyist.
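The detection half of the proactive remediation described above, written out as an added example (this is not the poster's own script, nor Microsoft's). It reads the ASRRules value from the Policy Manager key named in the post, parses it, and compares it against a benchmark; exit 0 means compliant, exit 1 triggers the remediation script (the PushLaunch one-liner from the post). Assumptions, also labelled in the code: the benchmark rule set is constructed for illustration and the GUIDs in it are placeholders to be replaced with the rules your own Intune ASR policy assigns; the value is assumed to be the pipe-separated "GUID=action" string the AttackSurfaceReductionRules CSP writes.

```powershell
<#
Added example, not the original poster's code. Intune Proactive remediation
DETECTION script for the ASRRules value. Assumptions: benchmark below is a
constructed placeholder set; value format assumed to be "guid=action|guid=action".
#>

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$valueName = 'ASRRules'

# Constructed benchmark: rule GUID => expected action (1 = block, 2 = audit, 6 = warn).
# The GUIDs are illustrative placeholders; replace with your tenant's actual policy.
$benchmark = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = '1'   # assumed example rule
    '3b576869-a4ec-4529-8536-b80a7769e899' = '1'   # assumed example rule
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = '1'   # assumed example rule
}

function ConvertFrom-AsrRulesValue {
    # Parse "guid=1|guid=2|..." into a hashtable of guid => action.
    # Tolerates an empty value and malformed pairs (they are simply skipped).
    param([string]$Value)
    $rules = @{}
    if ([string]::IsNullOrWhiteSpace($Value)) { return $rules }
    foreach ($pair in ($Value -split '\|')) {
        $parts = $pair.Trim() -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $rules[$parts[0].Trim().ToLowerInvariant()] = $parts[1].Trim()
    }
    return $rules
}

function Compare-AsrRules {
    # Return a list describing every benchmark rule that is missing from the
    # device or set to a different action than expected. Empty list = compliant.
    param([hashtable]$Expected, [hashtable]$Actual)
    $drift = @()
    foreach ($guid in $Expected.Keys) {
        $key = $guid.ToLowerInvariant()
        if (-not $Actual.ContainsKey($key)) {
            $drift += "$guid missing (expected $($Expected[$guid]))"
        } elseif ($Actual[$key] -ne $Expected[$guid]) {
            $drift += "$guid action $($Actual[$key]) (expected $($Expected[$guid]))"
        }
    }
    return $drift
}

try {
    $current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction Stop).$valueName
} catch {
    # Key or value absent entirely: non-compliant. Say why, so the Proactive
    # remediation report shows the cause rather than a bare exit code.
    Write-Output "ASRRules value not found under $policyKey : $($_.Exception.Message)"
    exit 1
}

$drift = Compare-AsrRules -Expected $benchmark -Actual (ConvertFrom-AsrRulesValue -Value $current)

if ($drift.Count -eq 0) {
    Write-Output 'ASRRules matches benchmark'
    exit 0
}

# Report exactly which rules dropped or changed. This output is stored with the
# device's remediation result in MEM, which gives you the evidence to chase the
# root cause of the drift, not just the resync that papers over it.
Write-Output ('Drift: ' + ($drift -join '; '))
exit 1
```

Deploy this as the detection script and the post's Start-ScheduledTask line as the remediation script. Two caveats worth keeping in mind: the remediation only requests an MDM sync, so it proves nothing by itself; the next detection run is what confirms the value came back. And because the script writes the missing or changed GUIDs to its output, the MEM report becomes a log of when and what dropped on each device, which is the data Rudy's root-cause question needs.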


2 Replies
If it were up to me, I'd rather look into the reason why this is happening, as it's not normal behaviour. Are all devices only Azure AD joined, or is there maybe still some old GPO active which triggers the removal?

Rudy,

I agree, it reeks of suss, but I have a fully enabled MSDE solution and have spent quite a few hours lately doing my MSDE Ninja training. I found nothing weird, but I'm a novice, so I might be mistaken.

 

There are no GPOs; it's a pure Intune solution based on cloud management.

 

There is; I am rewriting my post. I believe that with proactive remediation in MEM I might find a solution, as this overrides the Intune resync cycle automatically. I am updating my code as I write and will watch for the next week to see if the errors go away inside the M365 security portal, and how many remediations are made.


Thanks for replying.