Push ASR rules with Security Settings Management on Microsoft Defender for Endpoint managed devices

[Guest DanLevyMS]

In May 2022, we announced the general availability of Security Settings Management for Microsoft Defender for Endpoint. This release empowered security teams to configure devices with their desired antivirus, EDR and firewall settings without needing to deploy and implement additional tools or infrastructure.

 

 

 

Today, close to a million endpoints worldwide have received security policies through Security Settings Management, ultimately saving IT and security teams time and resources managing these policies while helping keep their organizations safer from security and data breaches in the process.

 

 

 

As we continue our momentum around Security Settings Management, we are excited to announce that we are expanding this capability to help cover more scenarios with support for Attack Surface Reduction (ASR) rules, now in public preview. This release will allow all Defender for Endpoint managed devices to receive ASR rules via Microsoft Intune.

 

 

 

NOTE: if you already have Defender for Endpoint managed devices in scope of an ASR rule, this rule will start applying automatically from October xxth, 2022. For more details, click here.

 

 

 

How does it work?

 

For testing purposes, we recommend you create a dedicated Azure Active Directory (Azure AD) group for all Defender for Endpoint managed devices. This can be done by leveraging dynamic grouping capabilities.

 

 

 

ASR Rules

 

In the Intune admin center, create an ASR rule following the usual flow.

 

 

 

 

 

 

When prompted to target the rule, select the Azure AD group you’ve created for testing purposes, and which includes only Defender for Endpoint managed devices.

 

 

 

 

 

 

Confirm the creation process and wait for a success indication in the Intune admin center.

 

 

 

 

 

 

Note that policies are typically enforced within an hour after configuration. On the client, run the Get-MpPreference command utility to validate these settings have effectively been assigned.

 

 

 

 

 

Frequently Asked Questions

 

Q/ Can I use this to target MDE managed servers with ASR rules?

 

A/ Yes, Windows servers that are in scope for MDE settings management (2012 R2 and up) will be able to receive ASR rules via this feature.

 

 

 

Q/ I have Azure AD groups that include devices managed by Intune as well as devices managed by Defender for Endpoint – do I need to recreate or review my entire grouping construct in Azure AD?

 

A/ As Microsoft Intune’s policy distribution mechanism is agnostic to the device’s management channel, using Security Settings Management in Defender for Endpoint does not require thoroughly reviewing your existing Azure AD grouping construct.

 

However, if you have attempted to target Defender for Endpoint managed devices with ASR rules prior to this preview announcement, you will have noticed that the settings failed to apply on the devices. With this feature now available, these devices will start successfully enforcing ASR policies.

 

Continue reading...