Windows 10 ASR Issues - Non Compliance

Contributor

Hello all [edited]

 

Thanks Rudy for replying.

 

I have issues with ASR, one minute its good the next its bad.  The policies haven't changed nor have the computers whether personal or corporate, they for some reason just drop key entries in the ASRRules of the policy located here, causing the appropriate alerts in the security portal.

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager

 

So I have done a helpdesk 101 and found this.

 

https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/

 

Proactive remediation script is rather simple just look up the value of the key ASRRules and compare it to a benchmark that is complaint.  If compliant exit 0, if not exit 1 and exercise the remediation script which is now going to be this line 

 

Get-ScheduledTask | ? {$_.TaskName -eq ‘PushLaunch’} | Start-ScheduledTask

 

I've just run it local and the MEM responded with the appropriate timestamp pretty quick, so Ill run with it for the time being. Confirmed again in MEM and MSDE timeline, it ran and force the resync, after I rewrote the code.

 

Shall sit back and wait to see what happens over the next week or two.  I am hoping that the ASR report cleans up and stops ticking me off (getting rather good at Live response to pull the key remotely as you know personal devices don't have the diagnostic function within MEM and most devices can be over 1000Km from me at the time)

 

I may be right out of the ball park yet, but I'm learning.

 

Thanks for reading, and Rudy for trying to help.

 

Regards

The Hobbyist.

 

 

 

 

 

 

 

 

2 Replies
If it was up to me, i rather should look into the reason why this is happening as it not normal behaviour. Are all devices only azure ad joined or is there still maybe some old gpo active which triggers the removal?

Rudy,

I agree, it reeks of suss, but I have a fully enabled MSDE solution and have spent quite a few hours lately in doing my MSDE Ninja training. I found nothing weird but I'm a novice so I might be mistaken.

 

There are no GPO's pure Intune solution based on cloud management.

 

There is I am rewriting my post. I believe with proactive remediation in MEM I might find a solution, as this overrides the Intune resync cycle automatically. I am updating my code as I write and will watch for the next week to see if the errors go away inside the M365 security portal and how many remediation's are made.


Thanks for replying.