Microsoft Tech Community
SOLVED

Secure Score and New Intune Category Additions

Brass Contributor

Hello,


Our Secure Score added several Intune-related items at the end of April 2023. Items such as "require screen time lockout", "require device encryption", "block jailbroken devices", "require device PIN", etc. Simple stuff. Items that we already had set up via Intune compliance policies and config profiles for years.


The problem is that the recommendations are not reflecting or updating based on our setup, so we are not getting completion credit for items that are already set up. Worse yet, if I manually edit one of these Intune recommendations that are new to us and mark it as mitigated through alternate mitigation, it saves, and then on page reload the change is immediately lost.


We have been using Intune for several years, so I assume these recommendations did not show up due to any "new" changes or services added on our end.


Is this a bug, or is there something wrong with our tenant? If so, is there a contact address to reach out to that anyone can suggest?


Thanks

6 Replies

@Damir, we experience the exact same issue with the newly added actions.

I already opened a service request for that: 2305161420000166

I'm observing the same issue and would be interested in learning about any resolution you receive.

Thanks
I too opened a ticket and sent over some details to support yesterday with examples of what is going on, but no feedback/resolution yet.
best response confirmed by Damir (Brass Contributor)
Solution

@Damir 

Per the Secure Score update blog at https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score-whats-new?v...

This was an intended change for all tenancies with an active "Defender for Cloud Apps" license. Can confirm these new controls are only present in tenancies with this license as I have a mix of customers with and without it.

I can't for the life of me comprehend why so many "Intune" items were put under a "Defender for Cloud Apps" requirement, since in theory you could have Defender for Cloud Apps WITHOUT an active Intune license and/or without using/enrolling any devices in Intune.

Furthermore, from my testing these items are completely broken at the moment. Their "Implementation" information is laughable and getting credit for them is incredibly inconsistent. At the moment I am recommending to my team we mark all of them as "Alternate Mitigation" and move on with our lives.

It's an embarrassment that this half-baked update was pushed to production. Microsoft should pull this back and fix all of these.

@MzPhoenix that is good to know that something did change and it wasn't just us imagining things. Agree on all your points, and yes, we've gone down the Alternate Mitigation route ourselves as a "solution".

Yes, we have the same issue. I have opened a case with MS Defender support twice, but have not received a correct and satisfactory answer yet.